Direct links from the subject.
| Property | Value |
|---|---|
|
The subject is an instance of a class. |
|
|
The subject is an instance of a class. |
An idea or notion; a unit of thought. |
|
A human-readable name for the subject. |
GV.RM-03.2: Information and Cybersecurity risks shall be documented, as part of the enterprise risk management processes, formally approved by senior management, and updated when changes occur. |
|
GV.RM-03.2 |
|
|
http://cyfun.data.gift/data/loc_CyFun2025_Booklet_ESSENTIAL_E_p19 |
|
|
http://cyfun.data.gift/data/loc_CyFun2025_Booklet_IMPORTANT_E_p17 |
|
|
Relates a concept to a concept that is more general in meaning. |
|
|
A general note, for any purpose. |
<div><p>This control should ensure that the strategy is put into action through structured processes. It focuses on the operational and governance level, ensures accountability and traceability of risks, and emphasises formal processes and oversight. The following actionable components should be considered while implementing this control:</p><p><strong>Systematic Risk Identification</strong></p><ul><li>Goal: Proactively identify information and cybersecurity risks across the organisation.</li><li>Actions:<ul><li>Regular risk assessments should be conducted using methods like threat modelling, risk workshops, and vulnerability scans.</li><li>Risks related to all digital and physical assets (hardware, software, data, networks) should be included in the asset inventory, along with key metadata (location, owner, usage).</li><li>Leverage sources such as:<ul><li>Security incident logs</li><li>Penetration test results</li><li>Regulatory requirements</li><li>Industry threat intelligence</li></ul></li></ul></li><li>Consider involving cross-functional teams (IT/OT, legal, compliance, business units).</li><li>Tools to Consider:<ul><li>Risk assessment templates</li><li>Threat intelligence platforms (e.g., MISP, Recorded Future)</li><li>Asset inventories and data flow diagrams</li></ul></li></ul><p><strong>Risk Documentation in the ERM Framework</strong></p><ul><li>Goal: Ensure cybersecurity risks are integrated into the broader Enterprise Risk Management (ERM) process.</li><li>Actions:<ul><li>Consider using a centralised risk register or GRC tool to document:<ul><li>Risk description</li><li>Likelihood and impact</li><li>Risk owner</li><li>Controls in place</li><li>Residual risk</li><li>Treatment plan</li></ul></li><li>Cybersecurity risk management should be aligned with strategic business objectives to ensure relevance and support.</li></ul></li><li>Tools to Consider:<ul><li>GRC platforms</li><li>Excel/SharePoint (for smaller organisations)</li></ul></li></ul><p><strong>Formal Approval and Senior Management Involvement</strong></p><ul><li>Goal: Ensure leadership oversight and accountability in risk decisions.</li><li>Actions:<ul><li>Risk assessments and treatment plans should be presented to a Risk Committee or Executive Board.</li><li>Consider including cybersecurity risks in quarterly risk reports.</li><li>Formal sign-off should be obtained on:<ul><li>Risk acceptance</li><li>Mitigation plans</li><li>Budget allocations</li></ul></li></ul></li><li>Tools to Consider:<ul><li>Board reporting templates</li><li>Risk dashboards</li><li>Meeting minutes with documented approvals</li></ul></li></ul><p><strong>Communication and Awareness</strong></p><ul><li>Goal: Ensure all relevant stakeholders are informed and engaged.</li><li>Actions:<ul><li>Clear lines of communication should be established for cybersecurity risks, including those from suppliers and third parties.</li><li>Approved risks and mitigation strategies should be communicated to relevant teams.</li><li>Awareness should be promoted through training, briefings, and internal communications.</li></ul></li><li>Tools to Consider:<ul><li>Internal communication platforms (e.g., Teams, Slack)</li><li>Risk communication plans</li><li>Stakeholder maps</li></ul></li></ul><p><strong>Continuous Monitoring and Updates</strong></p><ul><li>Goal: Keep risk information current and responsive to change.</li><li>Actions:<ul><li>Continuous monitoring should be implemented to detect changes in the threat landscape or organisational environment.</li><li>Consider defining triggers for updates, such as:<ul><li>New threats or vulnerabilities</li><li>Changes in business processes or IT systems</li><li>Regulatory changes</li></ul></li><li>A change management process should be established that includes updating cybersecurity documentation.</li><li>Regular reviews of documented risks should be conducted (e.g., quarterly or twice a year).</li></ul></li><li>Tools to Consider:<ul><li>Change management systems</li><li>Continuous monitoring tools</li><li>Risk review calendars</li></ul></li></ul><p>This control operationalises GV.RM-03.1 by embedding cybersecurity risks into the Enterprise Risk Management (ERM) framework and ensuring governance and accountability.</p></div> |
|
A notation, also known as classification code, is a string of characters such as "T58.5" or "303.4833" used to uniquely identify a concept within the scope of a given concept scheme. |
GV.RM-03.2 |
|
skos:prefLabel, skos:altLabel and skos:hiddenLabel are pairwise disjoint properties. |
Cybersecurity risk documentation |
|
A resource has no more than one value of skos:prefLabel per language tag, and no more than one value of skos:prefLabel without language tag. |
Information and Cybersecurity risks shall be documented, as part of the enterprise risk management processes, formally approved by senior management, and updated when changes occur. |
|
Relates a resource (for example a concept) to a concept scheme in which it is included. |
|
|
Relates a resource (for example a concept) to a concept scheme in which it is included. |
|
|
Relates a resource (for example a concept) to a concept scheme in which it is included. |
|
|
Relates a resource (for example a concept) to a concept scheme in which it is included. |
http://cyfun.data.gift/data/CyFun2025_delta_BASIC_to_IMPORTANT |
|
Relates a resource (for example a concept) to a concept scheme in which it is included. |
|
|
Relates a resource (for example a concept) to a concept scheme in which it is included. |
|
|
1 |
|
|
The number of triples associated with the subject. |
22 |
|
Specifies the dataset the subject is part of. |
Results 1 - 24 of 24
Inverse links to the subject.
| Property | Subject |
|---|---|
|
Relates a concept to a concept that is more specific in meaning. |
Results 1 - 1 of 1