The following compliance controls are associated with this Policy definition 'Implement the risk management strategy' (c6fe3856-4635-36b6-983c-070da12a953b).
| Control Domain | Control | Name | MetadataId | Category | Title | Owner | Requirements | Description | Info | Policy# |
|---|---|---|---|---|---|---|---|---|---|---|
| hipaa | 0121.05a2Organizational.12-05.a | hipaa-0121.05a2Organizational.12-05.a | 0121.05a2Organizational.12-05.a | 01 Information Protection Program | 0121.05a2Organizational.12-05.a 05.01 Internal Organization | Shared | n/a | The organization's information protection and risk management programs, including the risk assessment process, are formally approved, and are reviewed for effectiveness and updated annually. | | 6 |
| hipaa | 17126.03c1System.6-03.c | hipaa-17126.03c1System.6-03.c | 17126.03c1System.6-03.c | 17 Risk Management | 17126.03c1System.6-03.c 03.01 Risk Management Program | Shared | n/a | The organization has implemented an integrated control system characterized using different control types (e.g., layered, preventative, detective, corrective, and compensating) that mitigates identified risks. | | 3 |
| hipaa | 1792.10a2Organizational.7814-10.a | hipaa-1792.10a2Organizational.7814-10.a | 1792.10a2Organizational.7814-10.a | 17 Risk Management | 1792.10a2Organizational.7814-10.a 10.01 Security Requirements of Information Systems | Shared | n/a | Information security risk management is integrated into the SDLC, and information security roles and responsibilities are defined for all SDLC phases. | | 4 |
| ISO27001-2013 | C.6.1.1.a | ISO27001-2013_C.6.1.1.a | ISO 27001:2013 C.6.1.1.a | Planning | General | Shared | n/a | When planning for the information security management system, the organization shall consider the issues referred to in 4.1 and the requirements referred to in 4.2 and determine the risks and opportunities that need to be addressed to: a) ensure the information security management system can achieve its intended outcome(s). | link | 3 |
| ISO27001-2013 | C.6.1.1.b | ISO27001-2013_C.6.1.1.b | ISO 27001:2013 C.6.1.1.b | Planning | General | Shared | n/a | When planning for the information security management system, the organization shall consider the issues referred to in 4.1 and the requirements referred to in 4.2 and determine the risks and opportunities that need to be addressed to: b) prevent, or reduce, undesired effects. | link | 3 |
| ISO27001-2013 | C.6.1.1.c | ISO27001-2013_C.6.1.1.c | ISO 27001:2013 C.6.1.1.c | Planning | General | Shared | n/a | When planning for the information security management system, the organization shall consider the issues referred to in 4.1 and the requirements referred to in 4.2 and determine the risks and opportunities that need to be addressed to: c) achieve continual improvement. | link | 3 |
| ISO27001-2013 | C.6.1.1.d | ISO27001-2013_C.6.1.1.d | ISO 27001:2013 C.6.1.1.d | Planning | General | Shared | n/a | When planning for the information security management system, the organization shall consider the issues referred to in 4.1 and the requirements referred to in 4.2 and determine the risks and opportunities that need to be addressed. The organization shall plan: d) actions to address these risks and opportunities. | link | 3 |
| ISO27001-2013 | C.6.1.1.e.1 | ISO27001-2013_C.6.1.1.e.1 | ISO 27001:2013 C.6.1.1.e.1 | Planning | General | Shared | n/a | When planning for the information security management system, the organization shall consider the issues referred to in 4.1 and the requirements referred to in 4.2 and determine the risks and opportunities that need to be addressed. The organization shall plan: e) how to 1) integrate and implement the actions into its information security management system processes. | link | 3 |
| ISO27001-2013 | C.6.1.1.e.2 | ISO27001-2013_C.6.1.1.e.2 | ISO 27001:2013 C.6.1.1.e.2 | Planning | General | Shared | n/a | When planning for the information security management system, the organization shall consider the issues referred to in 4.1 and the requirements referred to in 4.2 and determine the risks and opportunities that need to be addressed. The organization shall plan: e) how to 2) evaluate the effectiveness of these actions. | link | 3 |
| ISO27001-2013 | C.6.1.2.a.1 | ISO27001-2013_C.6.1.2.a.1 | ISO 27001:2013 C.6.1.2.a.1 | Planning | Information security risk assessment | Shared | n/a | The organization shall define and apply an information security risk assessment process that: a) establishes and maintains information security risk criteria that include: 1) the risk acceptance criteria. The organization shall retain documented information about the information security risk assessment process. | link | 2 |
| ISO27001-2013 | C.6.1.2.a.2 | ISO27001-2013_C.6.1.2.a.2 | ISO 27001:2013 C.6.1.2.a.2 | Planning | Information security risk assessment | Shared | n/a | The organization shall define and apply an information security risk assessment process that: a) establishes and maintains information security risk criteria that include: 2) criteria for performing information security risk assessments. The organization shall retain documented information about the information security risk assessment process. | link | 2 |
| ISO27001-2013 | C.6.1.2.b | ISO27001-2013_C.6.1.2.b | ISO 27001:2013 C.6.1.2.b | Planning | Information security risk assessment | Shared | n/a | The organization shall define and apply an information security risk assessment process that: b) ensures that repeated information security risk assessments produce consistent, valid and comparable results. The organization shall retain documented information about the information security risk assessment process. | link | 1 |
| ISO27001-2013 | C.6.1.2.c.1 | ISO27001-2013_C.6.1.2.c.1 | ISO 27001:2013 C.6.1.2.c.1 | Planning | Information security risk assessment | Shared | n/a | The organization shall define and apply an information security risk assessment process that: c) identifies the information security risks: 1) apply the information security risk assessment process to identify risks associated with the loss of confidentiality, integrity and availability for information within the scope of the information security management system. The organization shall retain documented information about the information security risk assessment process. | link | 2 |
| ISO27001-2013 | C.6.1.2.c.2 | ISO27001-2013_C.6.1.2.c.2 | ISO 27001:2013 C.6.1.2.c.2 | Planning | Information security risk assessment | Shared | n/a | The organization shall define and apply an information security risk assessment process that: c) identifies the information security risks: 2) identify the risk owners. The organization shall retain documented information about the information security risk assessment process. | link | 2 |
| ISO27001-2013 | C.6.1.2.d.1 | ISO27001-2013_C.6.1.2.d.1 | ISO 27001:2013 C.6.1.2.d.1 | Planning | Information security risk assessment | Shared | n/a | The organization shall define and apply an information security risk assessment process that: d) analyses the information security risks: 1) assess the potential consequences that would result if the risks identified in 6.1.2 c) 1) were to materialize. The organization shall retain documented information about the information security risk assessment process. | link | 2 |
| ISO27001-2013 | C.6.1.2.d.2 | ISO27001-2013_C.6.1.2.d.2 | ISO 27001:2013 C.6.1.2.d.2 | Planning | Information security risk assessment | Shared | n/a | The organization shall define and apply an information security risk assessment process that: d) analyses the information security risks: 2) assess the realistic likelihood of the occurrence of the risks identified in 6.1.2 c) 1). The organization shall retain documented information about the information security risk assessment process. | link | 2 |
| ISO27001-2013 | C.6.1.2.d.3 | ISO27001-2013_C.6.1.2.d.3 | ISO 27001:2013 C.6.1.2.d.3 | Planning | Information security risk assessment | Shared | n/a | The organization shall define and apply an information security risk assessment process that: d) analyses the information security risks: 3) determine the levels of risk. The organization shall retain documented information about the information security risk assessment process. | link | 2 |
| ISO27001-2013 | C.6.1.2.e.1 | ISO27001-2013_C.6.1.2.e.1 | ISO 27001:2013 C.6.1.2.e.1 | Planning | Information security risk assessment | Shared | n/a | The organization shall define and apply an information security risk assessment process that: e) evaluates the information security risks: 1) compare the results of risk analysis with the risk criteria established in 6.1.2 a). The organization shall retain documented information about the information security risk assessment process. | link | 2 |
| ISO27001-2013 | C.6.1.2.e.2 | ISO27001-2013_C.6.1.2.e.2 | ISO 27001:2013 C.6.1.2.e.2 | Planning | Information security risk assessment | Shared | n/a | The organization shall define and apply an information security risk assessment process that: e) evaluates the information security risks: 2) prioritize the analysed risks for risk treatment. The organization shall retain documented information about the information security risk assessment process. | link | 2 |
| | op.pl.1 Risk analysis | op.pl.1 Risk analysis | | | | | n/a | n/a | | 70 |
| SWIFT_CSCF_v2022 | 7.4A | SWIFT_CSCF_v2022_7.4A | SWIFT CSCF v2022 7.4A | 7. Plan for Incident Response and Information Sharing | Evaluate the risk and readiness of the organisation based on plausible cyber-attack scenarios. | Shared | n/a | Scenario-based risk assessments are conducted regularly to improve incident response preparedness and to increase the maturity of the organisation’s security programme. | link | 7 |