Integrate the risk management program with the organization's business activities.


CONTROL ID
13661
CONTROL TYPE
Business Processes
CLASSIFICATION
Preventive

SUPPORTING AND SUPPORTED CONTROLS

This Control directly supports the implied Control(s):
  • Establish, implement, and maintain a risk management program., CC ID: 12051

There are no implementation support Controls.


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH

  • Identifying, selecting and implementing appropriate controls. Providing proportional response including considerations like productivity, cost effectiveness, and the value of the asset (Critical components of information security 2) 3) Bullet 5, Guidelines on Information Security, Electronic Banking, Technology Risk Management and Cyber Frauds)
  • explaining how the ICT risk management framework supports the financial entity's business strategy and objectives; (Art. 6.8.(a), Regulation (EU) 2022/2554 of the European Parliament and of the Council of 14 December 2022 on digital operational resilience for the financial sector and amending Regulations (EC) No 1060/2009, (EU) No 648/2012, (EU) No 600/2014, (EU) No 909/2014 and (EU) 2016/1011 (Text with EEA relevance))
  • Consolidating the security concept: The extended security concept must be consolidated before continuing the original IT- Grundschutz process. Here, suitability, interaction, user-friendliness and appropriateness of the security safeguards are checked as a whole. (§ 8.5 Subsection 1 ¶ 7 Bullet 1, BSI-Standard 200-2 IT-Grundschutz Methodology, Version 1.0)
  • Has the organization planned actions to address these risks and opportunities and integrated them into the system processes? (Planning ¶ 2, ISO 22301: Self-assessment questionnaire)
  • integrate and implement the actions into its compliance management system processes; (§ 6.1 ¶ 2 b) Bullet 1, ISO 19600:2014, Compliance Management Systems - Guidelines, 2014-12-15, Reviewed and confirmed in 2018)
  • integrate and implement the actions into its BCMS processes (see 8.1); (§ 6.1.2 ¶ 1 b) 1), ISO 22301:2019, Security and resilience — Business continuity management systems — Requirements, Second Edition)
  • Top management and oversight bodies, where applicable, should demonstrate and articulate their continual commitment to risk management through a policy, a statement or other forms that clearly convey an organization's objectives and commitment to risk management. The commitment should include, but i… (§ 5.4.2 ¶ 1, ISO 31000 Risk management - Guidelines, 2018)
  • The governing body should establish an organizational risk framework that ensures a formal, proactive and anticipative approach to the management of risk across the organization, including by the governing body. The governing body should ensure that this framework integrates risk management into all… (§ 6.9.3.2 ¶ 1, ISO 37000:2021, Governance of organizations — Guidance, First Edition)
  • In overseeing risk management, the governing body should specifically assure itself that risk management is integrated into all organizational activities by seeking evidence that, for example: (§ 6.9.3.4 ¶ 2, ISO 37000:2021, Governance of organizations — Guidance, First Edition)
  • the risks and opportunities that can affect conformity of products and services and the ability to enhance customer satisfaction are determined and addressed; (5.1.2 ¶ 1(b), ISO 9001 Quality Management systems - Requirements, Fifth edition 2015-09-15)
  • Actions taken to address risks and opportunities shall be proportionate to the potential impact on the conformity of products and services. (6.1.2 ¶ 2, ISO 9001 Quality Management systems - Requirements, Fifth edition 2015-09-15)
  • integrate and implement the actions into its quality management system processes (see 4.4); (6.1.2 ¶ 1(b)(1), ISO 9001 Quality Management systems - Requirements, Fifth edition 2015-09-15)
  • In addition to the guidance provided in ISO 31000:2018, 6.3.1, for organizations using AI the scope of the AI risk management, the context of the AI risk management process and the criteria to evaluate the significance of risk to support decision-making processes should be extended to identify where… (§ 6.3.1 ¶ 2, ISO/IEC 23894:2023, Information technology — Artificial intelligence — Guidance on risk management)
  • Information about the organization should be collected to determine the environment it operates in and its relevance to the information security risk management process. (§ 7.3 ¶ 3, ISO/IEC 27005:2018, Information Technology — Security Techniques — Information Security Risk Management, Third Edition)
  • A review of current risk management processes should particularly examine whether the risks involved in decision-making, data use, culture and values, and compliance are well understood and managed. In this way, the context of the additional risks that AI systems bring to the organization can be cla… (§ 6.7.1 ¶ 4, ISO/IEC 38507:2022, Information technology — Governance of IT — Governance implications of the use of artificial intelligence by organizations)
  • The cyber risk management program is integrated into daily operations and is tailored to address enterprise-specific risks (both internal and external) and evaluate the organization's cybersecurity policies, procedures, processes, and controls. (GV.RM-1.2, CRI Profile, v1.2)
  • The organization has integrated its internal dependency management strategy into the overall strategic risk management plan. (DM.ID-1.1, CRI Profile, v1.2)
  • The organization integrates internal dependency management strategy into the overall strategic risk management plan. (DM.ID-1, CRI Profile, v1.2)
  • The organization manages risks associated with its internal dependencies. (Internal Dependencies (DM.ID), CRI Profile, v1.2)
  • The organization has integrated its internal dependency management strategy into the overall strategic risk management plan. (DM.ID-1.1, Financial Services Sector Cybersecurity Profile, Version 1.0.0)
  • The cyber risk management program is integrated into daily operations and is tailored to address enterprise-specific risks (both internal and external) and evaluate the organization's cybersecurity policies, procedures, processes, and controls. (GV.RM-1.2, Financial Services Sector Cybersecurity Profile, Version 1.0.0)
  • A plan of coordination and communication between regulatory and other personnel of the SCI entity, including by responsible SCI personnel, regarding SCI systems design, changes, testing, and controls designed to detect and prevent systems compliance issues. (§242.1001(b)(2)(iv), 17 CFR PART 242, Regulations M, SHO, ATS, AC, NMS, and SBSR and Customer Margin Requirements for Security Futures)
  • An effective risk management process for initiating and overseeing all AIO-related activities, including those that are outsourced, that includes: (App A Objective 2:8b, FFIEC Information Technology Examination Handbook - Architecture, Infrastructure, and Operations, June 2021)
  • Aligning AIO principles and practices with the board's strategic plans and risk appetite. (App A Objective 2:3a, FFIEC Information Technology Examination Handbook - Architecture, Infrastructure, and Operations, June 2021)
  • This examination procedure may be coordinated with related examination procedures in the "Management" booklet. Determine whether the entity's ERM structure incorporates the functions of AIO. Evaluate whether, as part of ERM, there is the following: (App A Objective 2:8, FFIEC Information Technology Examination Handbook - Architecture, Infrastructure, and Operations, June 2021)
  • Implement the risk management strategy consistently across the organization; and (PM-9b., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Privacy Control Baseline, October 2020)
  • The C-SCRM process should be carried out across the three risk management levels with the overall objective of continuous improvement of the enterprise's risk-related activities and effective inter- and intra-level communication, thus integrating both strategic and tactical activities among all stak… (2.3.1. ¶ 5, Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1)
  • Integrate C-SCRM considerations into every aspect of the system and product life cycle, and implement consistent, well-documented, repeatable processes for systems engineering, cybersecurity practices, and acquisition. (3.4.2. ¶ 1 Bullet 8, Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1)
  • Enhancing practices should be applied by the enterprise with the goal of advancing toward adaptive and predictive C-SCRM capabilities. Enterprises should pursue these practices once sustaining practices have been broadly implemented and standardized across the enterprise: (3.4.3. ¶ 1, Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1)
  • Many C-SCRM processes can and should be built into existing program and operational activities and may be adequately performed using available funds. However, there may be a need for an influx of one-time resources to establish an initial C-SCRM program capability. For example, this might include th… (3.6. ¶ 5, Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1)
  • Cybersecurity supply chain risk management builds on existing standardized practices in multiple disciplines and an ever-evolving set of C-SCRM capabilities. C-SCRM Key Practices are meant to specifically emphasize and draw attention to a subset of the C-SCRM practices described throughout this publ… (3.4 ¶ 1, Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1)
  • Implement the risk management strategy consistently across the organization; and (PM-9b., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 1 Controls)
  • Implements the risk management strategy consistently across the organization; and (PM-9b., Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • Develop mitigation strategies to address cost, schedule, performance, and security risks. (T0466, National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework, NIST Special Publication 800-181)
  • Implements the risk management strategy consistently across the organization; and (PM-9b., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Revision 4)
  • Implement the risk management strategy consistently across the organization; and (PM-9b., Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5)
  • Implement the risk management strategy consistently across the organization; and (PM-9b., Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5.1.1)