Include the scope of risk management activities in the risk management program.


CONTROL ID
13658
CONTROL TYPE
Establish/Maintain Documentation
CLASSIFICATION
Preventive

SUPPORTING AND SUPPORTED CONTROLS
This Control directly supports the implied Control(s):
  • Establish, implement, and maintain a risk management program., CC ID: 12051

This Control has the following implementation support Control(s):
  • Document and justify any exclusions from the scope of the risk management activities in the risk management program., CC ID: 15336


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH
  • In assessing the institution's institution-wide risk management and internal controls, as provided by Title 5 of the EBA SREP Guidelines, competent authorities should consider whether the institution's risk management and internal control framework adequately safeguards the institution's ICT systems… (Title 2 2.4 30., Final Report Guidelines on ICT Risk Assessment under the Supervisory Review and Evaluation process (SREP))
  • that the ICT risk management activities are performed with sufficient and qualitatively appropriate human and technical resources. To assess the credibility of the applicable risk mitigation plans, competent authorities should also assess whether the institution has allocated sufficient financial bu… (Title 3 3.3.2 50.c, Final Report Guidelines on ICT Risk Assessment under the Supervisory Review and Evaluation process (SREP))
  • The organization should define the scope of its risk management activities. (§ 6.3.2 ¶ 1, ISO 31000 Risk management - Guidelines, 2018)
  • In addition to the guidance provided in ISO 31000:2018, 6.3.1, for organizations using AI the scope of the AI risk management, the context of the AI risk management process and the criteria to evaluate the significance of risk to support decision-making processes should be extended to identify where… (§ 6.3.1 ¶ 2, ISO/IEC 23894:2023, Information technology — Artificial intelligence — Guidance on risk management)
  • business processes; (§ 7.3 ¶ 4 Bullet 2, ISO/IEC 27005:2018, Information Technology — Security Techniques — Information Security Risk Management, Third Edition)
  • the organization's strategic business objectives, strategies and policies; (§ 7.3 ¶ 4 Bullet 1, ISO/IEC 27005:2018, Information Technology — Security Techniques — Information Security Risk Management, Third Edition)
  • the organization's functions and structure; (§ 7.3 ¶ 4 Bullet 3, ISO/IEC 27005:2018, Information Technology — Security Techniques — Information Security Risk Management, Third Edition)
  • the organization's overall approach to risk management; (§ 7.3 ¶ 4 Bullet 5, ISO/IEC 27005:2018, Information Technology — Security Techniques — Information Security Risk Management, Third Edition)
  • The organization should define the scope and boundaries of information security risk management. (§ 7.3 ¶ 1, ISO/IEC 27005:2018, Information Technology — Security Techniques — Information Security Risk Management, Third Edition)
  • constraints affecting the organization; (§ 7.3 ¶ 4 Bullet 8, ISO/IEC 27005:2018, Information Technology — Security Techniques — Information Security Risk Management, Third Edition)
  • socio-cultural environment; (§ 7.3 ¶ 4 Bullet 10, ISO/IEC 27005:2018, Information Technology — Security Techniques — Information Security Risk Management, Third Edition)
  • locations of the organization and their geographical characteristics; (§ 7.3 ¶ 4 Bullet 7, ISO/IEC 27005:2018, Information Technology — Security Techniques — Information Security Risk Management, Third Edition)
  • expectation of stakeholders; (§ 7.3 ¶ 4 Bullet 9, ISO/IEC 27005:2018, Information Technology — Security Techniques — Information Security Risk Management, Third Edition)
  • interfaces (i.e. information exchange with the environment). (§ 7.3 ¶ 4 Bullet 11, ISO/IEC 27005:2018, Information Technology — Security Techniques — Information Security Risk Management, Third Edition)
  • The assets within the established scope should be identified. (§ 8.2.2 Action:, ISO/IEC 27005:2018, Information Technology — Security Techniques — Information Security Risk Management, Third Edition)
  • An independent risk management function has sufficient independence, stature, authority, resources, and access to the appropriate governing body (e.g., the Board or one of its committees), including reporting lines, to ensure consistency with the organization's cyber risk management framework. (GV.IR-1.2, CRI Profile, v1.2)
  • An independent risk management function has sufficient independence, stature, authority, resources, and access to the appropriate governing body (e.g., the Board or one of its committees), including reporting lines, to ensure consistency with the organization's cyber risk management framework. (GV.IR-1.2, Financial Services Sector Cybersecurity Profile, Version 1.0.0)
  • Many threats to and through the supply chain are addressed at Level 2 in the management of third-party relationships with suppliers, developers, system integrators, external system service providers, and other ICT/OT-related service providers. Because C-SCRM can both directly and indirectly impact m… (2.3.3. ¶ 3, Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1)
  • Develop and implement appropriate activities to enable organizations or individuals to manage data with sufficient granularity to manage privacy risks. (CONTROL-P (CT-P), NIST Privacy Framework: A Tool For Improving Privacy Through Enterprise Risk Management, Version 1.0)