Disseminate and communicate the risk management policy to interested personnel and affected parties.
CONTROL ID
13792
CONTROL TYPE
Communicate
CLASSIFICATION
Preventive

SUPPORTING AND SUPPORTED CONTROLS
This Control directly supports the implied Control(s):
  • Establish, implement, and maintain a risk management program., CC ID: 12051

There are no implementation support Controls.


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH
  • the risk management policy is formalised and approved by the management body and contains sufficient guidance on the institution's ICT risk appetite, and on the main pursued ICT risk management objectives and/or applied ICT risk tolerance thresholds. The relevant ICT risk management policy should al… (Title 3 3.3.1 49.a, Final Report Guidelines on ICT Risk Assessment under the Supervisory Review and Evaluation process (SREP))
  • Policies and instructions for the general procedure applicable to the identification, analysis, assessment and handling of risks and IT risks in particular are documented, communicated and provided according to SA-01. (Section 5.1 OIS-06 Basic requirement ¶ 1, Cloud Computing Compliance Controls Catalogue (C5))
  • Policies and instructions with technical and organisational safeguards for the handling of critical vulnerabilities are documented, communicated and provided according to SA-01. The safeguards are coordinated with the activities of the change management and the incident management. (Section 5.6 RB-19 Basic requirement ¶ 1, Cloud Computing Compliance Controls Catalogue (C5))
  • The processing and sharing of information in business and service processes is supported by data-processing IT systems and related IT processes. The scope and quality thereof shall be based, in particular, on the institution's internal operating needs, business activities and risk situation (see AT … (II.3.8, Circular 10/2017 (BA): Supervisory Requirements for IT in Financial Institutions, 14.09.2018)
  • Many threats to and through the supply chain are addressed at Level 2 in the management of third-party relationships with suppliers, developers, system integrators, external system service providers, and other ICT/OT-related service providers. Because C-SCRM can both directly and indirectly impact m… (2.3.3. ¶ 3, Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1)