This article provides additional information on how you can meet the requirement for the CAF control - A2.a Risk management process
Define a Risk Governance Process
The process must ensure that security risks to network and information systems are:
- Identified - establish where risks are in the company using tools such as:
  - an information asset register
  - Business Impact Analysis
  - Data Protection Impact Assessment (DPIA)
- Analysed and evaluated - using the risk register tool
- Prioritised according to risk
- Treated to minimise impact - using controls
- Communicated as necessary
- Monitored and reviewed
Document your process
Document a risk management process using the Risk Management Policy. The policy should be reviewed at least annually.
Conduct risk assessments
Conduct your risk assessment using the Risk Register in Adoptech.
- Risks should be assessed on a regular scheduled basis in Risk reviews to address change over time. Typically this will be in a quarterly risk review meeting but can form part of the more general management review meeting.
- Risk assessments should be a step in all new projects, including technical developments, to analyse adverse impact to network and information systems.
- An assessment of risk should also take place after any incidents to ensure lessons learned have been applied.
Create a Risk Report
A risk report should be created every time there is a change to the Risk Register, to capture a snapshot of the latest version and provide details of what has changed.