Document residual risk in a residual risk report.

CONTROL ID
13664
CONTROL TYPE
Establish/Maintain Documentation
CLASSIFICATION
Corrective

SUPPORTING AND SUPPORTED CONTROLS

This Control directly supports the implied Control(s):
  • Establish, implement, and maintain a risk management program., CC ID: 12051

This Control has the following implementation support Control(s):
  • Review and approve material risks documented in the residual risk report, as necessary., CC ID: 13672

SELECTED AUTHORITY DOCUMENTS COMPLIED WITH

  • Quantitative methods involve assigning numerical measurements that can be entered into the analysis to determine total and residual risks. The various aspects that are considered a part of measurements include costs to safeguard the information and information systems, value of that information and … (Critical components of information security 2) 5), Guidelines on Information Security, Electronic Banking, Technology Risk Management and Cyber Frauds)
  • The residual risk must then be submitted to the management level for approval ("risk acceptance"). This documents in a traceable manner that the organisation is aware of the residual risk. Ideally, an organisation only accepts "Low" risks. In practice, however, this is not always appropriate. Reason… (§ 6.1 ¶ 14, The Federal Office for Information Security, BSI-Standard 200-3, Risk Analysis based on IT-Grundschutz, Version 1.0)
  • risks or issues not adequately addressed in any previous risk assessment; (§ 9.3.2 ¶ 1 i), ISO 22301:2019, Security and resilience — Business continuity management systems — Requirements, Second Edition)
  • Decision makers and other stakeholders should be aware of the nature and extent of the remaining risk after risk treatment. The remaining risk should be documented and subjected to monitoring, review and, where appropriate, further treatment. (§ 6.5.2 ¶ 8, ISO 31000 Risk management - Guidelines, 2018)
  • The organization determines ways to aggregate cyber risk to assess the organization's residual cyber risk. (ID.RA-5.6, CRI Profile, v1.2)
  • The organization determines ways to aggregate cyber risk to assess the organization's residual cyber risk. (ID.RA-5.6, Financial Services Sector Cybersecurity Profile, Version 1.0.0)
  • Draft statements of preliminary or residual security risks for system operation. (T0083, National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework, NIST Special Publication 800-181)
  • Draft statements of preliminary or residual security risks for system operation. (T0083, Reference Spreadsheet for the Workforce Framework for Cybersecurity (NICE Framework), July 7, 2020)