Employ risk assessment procedures that include appropriate risk treatment options for each identified risk.


CONTROL ID
06484
CONTROL TYPE
Establish/Maintain Documentation
CLASSIFICATION
Preventive

SUPPORTING AND SUPPORTED CONTROLS

This Control directly supports the implied Control(s):
  • Establish, implement, and maintain risk assessment procedures., CC ID: 06446

There are no implementation support Controls.


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH

  • The organization should mitigate all residual security risks by implementing alternative security measures. (Control: 1207, Australian Government Information Security Manual: Controls)
  • The Security Risk Management Plan should include a Security Risk Assessment and the risk treatment strategy. (Control: 0788, Australian Government Information Security Manual: Controls)
  • Fulfilment of the standard requirements in IT-Grundschutz normally offers sufficient and adequate protection. In case of high or very high protection needs, as being regularly applicable within the scope of Core Protection, it should be verified whether there are additional security requirements, co… (§ 7.8 ¶ 1, BSI-Standard 200-2 IT-Grundschutz Methodology, Version 1.0)
  • The elementary threats were chosen in such a way that they provide a compact, adequate and, in typical scenarios, complete basis for risk analyses. For this reason, the focus, when determining additional threats, should not be to identify additional elementary threats. However, it can make sense to … (§ 4.2 ¶ 3, The Federal Office for Information Security, BSI-Standard 200-3, Risk Analysis based on IT-Grundschutz, Version 1.0)
  • Below, the risk treatment options of avoidance, reduction and transfer are considered. Based on this, an organisation must define risk acceptance criteria and map the risk treatment on them. In all cases, the management must be involved in the decision how the risks identified are dealt with, becaus… (§ 6.1 ¶ 4, The Federal Office for Information Security, BSI-Standard 200-3, Risk Analysis based on IT-Grundschutz, Version 1.0)
  • The classification of risks provides an overview of the extent of the risks resulting from the threats for the respective target object. The security safeguards planned or already implemented are taken into consideration. Treating these threats is discussed in the next section. (§ 5.2 ¶ 4, The Federal Office for Information Security, BSI-Standard 200-3, Risk Analysis based on IT-Grundschutz, Version 1.0)
  • A firm's risk assessment should balance any risks that the outsourcing arrangement may create or increase against any risks it may reduce or enable the firm to manage more effectively (for instance, a firm's resilience to disruption). The assessment should also take into account existing or planned … (§ 5.23, SS2/21 Outsourcing and third party risk management, March 2021)
  • Control activities help ensure that risk responses that address and mitigate risks are carried out. (§ 3 Principle 10 Points of Focus: Integrates with Risk Assessment, COSO Internal Control - Integrated Framework (2013))
  • The information security governance framework should address the need to ensure that decisions about Information Security activities are based on risk. (SG.01.01.04c-1, The Standard of Good Practice for Information Security)
  • Information risk assessments should ensure that the results of assessments include a list of risk treatment options (e.g., accepting risks, avoiding risks, transferring risks, or mitigating risks by applying security controls). (SR.01.02.07c, The Standard of Good Practice for Information Security)
  • Options to treat information risk (risk treatment) should include accepting risks (e.g., business owners take responsibility for accepting the business consequences and signing off the risks). (SR.01.06.02a, The Standard of Good Practice for Information Security)
  • Options to treat information risk (risk treatment) should include transferring risks (e.g., by sharing the risks with an external party or by taking out insurance). (SR.01.06.02c, The Standard of Good Practice for Information Security)
  • Standards / procedures should cover presenting reports (including details about risk treatment options) and obtaining approval for risk treatment actions that need to be performed. (SI.02.02.02c, The Standard of Good Practice for Information Security)
  • Information risk reports should cover a broad range of information risk-based activities, which include risk treatment options (that have been agreed by executive management), such as accepting risks, avoiding risks, transferring risks, or applying appropriate security controls to mitigate risks. (SI.02.02.05c, The Standard of Good Practice for Information Security)
  • Information risk reports should cover a broad range of information risk-based activities, which include actions required to help minimize information risk (e.g., reviewing the organization's risk appetite, understanding the Information Security threat environment, and encouraging business and system… (SI.02.02.05d, The Standard of Good Practice for Information Security)
  • Transferring information risks may involve sharing the risks with external parties, such as Joint Venture partners, outsource providers, or cloud service providers (e.g., sharing financial investment and resources). (SR.01.06.05a, The Standard of Good Practice for Information Security)
  • Applying security controls to mitigate information risk should include identifying and obtaining sign-off for any residual risk (i.e., the proportion of risk that still remains after selected controls have been implemented). (SR.01.06.06g, The Standard of Good Practice for Information Security)
  • The information security governance framework should address the need to ensure that decisions about Information Security activities are based on risk. (SG.01.01.04c-1, The Standard of Good Practice for Information Security, 2013)
  • Options to treat information risk (risk treatment) should include accepting risks (e.g., business owners take responsibility for accepting the business consequences and signing off the risks). (SR.01.06.02a, The Standard of Good Practice for Information Security, 2013)
  • Options to treat information risk (risk treatment) should include transferring risks (e.g., by sharing the risks with an external party or by taking out insurance). (SR.01.06.02c, The Standard of Good Practice for Information Security, 2013)
  • Standards / procedures should cover presenting reports (including details about risk treatment options) and obtaining approval for risk treatment actions that need to be performed. (SI.02.02.02c, The Standard of Good Practice for Information Security, 2013)
  • Information risk reports should cover a broad range of information risk-based activities, which include risk treatment options (that have been agreed by executive management), such as accepting risks, avoiding risks, transferring risks, or applying appropriate security controls to mitigate risks. (SI.02.02.05c, The Standard of Good Practice for Information Security, 2013)
  • Information risk reports should cover a broad range of information risk-based activities, which include actions required to help minimize information risk (e.g., reviewing the organization's risk appetite, understanding the Information Security threat environment, and encouraging business and system… (SI.02.02.05d, The Standard of Good Practice for Information Security, 2013)
  • Transferring information risks may involve sharing the risks with external parties, such as Joint Venture partners, outsource providers, or cloud service providers (e.g., sharing financial investment and resources). (SR.01.06.05a, The Standard of Good Practice for Information Security, 2013)
  • Applying security controls to mitigate information risk should include identifying and obtaining sign-off for any residual risk (i.e., the proportion of risk that still remains after selected controls have been implemented). (SR.01.06.06g, The Standard of Good Practice for Information Security, 2013)
  • Information risk assessments should ensure that the results of assessments include a list of risk treatment options (e.g., accepting risks, avoiding risks, transferring risks, or mitigating risks by applying security controls). (SR.01.02.10c, The Standard of Good Practice for Information Security, 2013)
  • The medical information technology network risk manager shall establish and maintain a process to control the identified risks. (§ 4.2.2, Application of risk management for IT-networks incorporating medical devices Part 1: Roles, responsibilities and activities, Edition 1.0 2010-10)
  • prevent, detect and reduce undesired effects; (§ 6.1 ¶ 1 Bullet 2, ISO 19600:2014, Compliance Management Systems - Guidelines, 2014-12-15, Reviewed and confirmed in 2018)
  • evaluate which disruption related risks require treatment, and (§ 8.2.3 ¶ 2 c), ISO 22301: Societal Security - Business Continuity Management Systems - Requirements, Corrected Version)
  • includes systematic analysis, prioritization of risk treatments, and their related costs, (§ 8.2.1 ¶ 1 c), ISO 22301: Societal Security - Business Continuity Management Systems - Requirements, Corrected Version)
  • implementing control of the processes in accordance with the criteria, and (§ 8.1 ¶ 1 b), ISO 22301: Societal Security - Business Continuity Management Systems - Requirements, Corrected Version)
  • risk reduction and security requirements, (§ 9.3 ¶ 4 d) 2), ISO 22301: Societal Security - Business Continuity Management Systems - Requirements, Corrected Version)
  • prevent, or reduce, undesired effects; (§ 6.1.1 ¶ 1 b), ISO 22301:2019, Security and resilience — Business continuity management systems — Requirements, Second Edition)
  • determine which risks require treatment. (§ 8.2.3 ¶ 2 c), ISO 22301:2019, Security and resilience — Business continuity management systems — Requirements, Second Edition)
  • prevent, or reduce, undesired effects; (§ 6.1.1 ¶ 1 b), ISO 45001:2018, Occupational health and safety management systems — Requirements with guidance for use, First Edition)
  • opportunities to eliminate hazards and reduce OH&S risks; (§ 6.1.2.3 ¶ 1 a) 2), ISO 45001:2018, Occupational health and safety management systems — Requirements with guidance for use, First Edition)
  • promoting the use of the process approach and risk-based thinking; (5.1.1 ¶ 1(d), ISO 9001 Quality Management systems - Requirements, Fifth edition 2015-09-15)
  • implementing control of the processes in accordance with criteria; (8.1 ¶ 1(d), ISO 9001 Quality Management systems - Requirements, Fifth edition 2015-09-15)
  • prevent, or reduce, undesired effects; (§ 6.1.1 ¶ 1 b), ISO/IEC 27001:2022, Information security, cybersecurity and privacy protection — Information security management systems — Requirements)
  • This final step of the risk assessment verifies whether the risks that have been analysed in the previous steps can be accepted according to the acceptance criteria defined under 6.1.2 a), or need further treatment. The step in 6.1.2 d) delivers information about the magnitude of the risk but no imm… (§ 6.1.2 Guidance ¶ 23, ISO/IEC 27003:2017, Information technology — Security techniques — Information security management systems — Guidance, Second Edition, 2017-03)
  • Data and their use by organizations is an increasingly important issue for all organizations and their stakeholders. In accordance with the principles, models and data-specific aspects of governance outlined in ISO/IEC 38505-1, governing bodies should take actions that ensure the effective governanc… (§ 6.4 ¶ 10, ISO/IEC 38507:2022, Information technology — Governance of IT — Governance implications of the use of artificial intelligence by organizations)
  • Control activities help ensure that risk responses that address and mitigate risks are carried out. (CC5.1 ¶ 2 Bullet 1 Integrates With Risk Assessment, 2017 Trust Services Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy (with Revised Points of Focus – 2022))
  • The extent to which the internal audit function's organizational status and relevant policies and procedures support the objectivity of the internal audit function as a whole or, for internal auditors providing direct assistance, the existence of threats to the objectivity of those internal auditors… (¶ 2.139(b), Reporting on Controls at a Service Organization: Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC2), current as of January 1, 2018)
  • Specifically, in accordance with those paragraphs, the service auditor should (a) design and implement overall responses to address the assessed risks of material misstatement and (b) design and perform further procedures whose nature, timing, and extent are based on, and responsive to, the assessed… (¶ 3.01 ¶ 2, SOC 2® Reporting on an Examination of Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy, October 15, 2022)
  • In accordance with paragraph .22 of AT-C section 205, the service auditor should design and perform further procedures whose nature, timing, and extent are based on, and responsive to, the assessed risks of material misstatement. Those further procedures relate to the presentation of the description… (¶ 3.06, SOC 2® Reporting on an Examination of Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy, October 15, 2022)
  • In certain situations, the service auditor may become aware of information that causes the service auditor to reconsider some of the conclusions reached to that point. For example, when obtaining the written representations from management, the service auditor may learn about a previously unknown se… (¶ 3.238, SOC 2® Reporting on an Examination of Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy, October 15, 2022)
  • the extent to which the internal audit function's organizational status and relevant policies and procedures support the objectivity of the internal audit function or for internal auditors providing direct assistance, the existence of threats to the objectivity of those internal auditors and the rel… (AT-C Section 205.39 b., SSAE No. 18, Attestation Standards: Clarification and Recodification)
  • Control activities help ensure that risk responses that address and mitigate risks are carried out. (CC5.1 Integrates With Risk Assessment, Trust Services Criteria)
  • Control activities help ensure that risk responses that address and mitigate risks are carried out. (CC5.1 ¶ 2 Bullet 1 Integrates With Risk Assessment, Trust Services Criteria, (includes March 2020 updates))
  • determines mitigation strategies for those risks (including implementation of controls, assessment and monitoring of vendors and other third parties providing goods or services, as well as their activities, and other mitigation strategies), (CC3.1(3), TSP 100A - Trust Services Principles and Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy)
  • A financial institution's board and senior management are responsible for overseeing the business continuity planning process, which includes: - Establishing policy by determining how the institution will manage and control identified risks; - Allocating knowledgeable personnel and sufficient financ… (Board and Senior Management Responsibilities, FFIEC Business Continuity Planning (BCP) IT Examination Handbook, February 2015)
  • Assumptions affecting risk assessments, risk responses, and risk monitoring; (PM-28a.1., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Privacy Control Baseline, October 2020)
  • Identify constraints on the conduct of risk assessment, risk response, and risk monitoring activities within the enterprise. (Task 1-2, Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1)
  • Assumptions affecting risk assessments, risk responses, and risk monitoring; (PM-28a.1., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 1 Controls)
  • Assumptions affecting risk assessments, risk responses, and risk monitoring; (PM-28a.1., Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5)
  • Assumptions affecting risk assessments, risk responses, and risk monitoring; (PM-28a.1., Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5.1.1)