Back to M2.1.1 - P1 - INFORMATION SECURITY RISK MANAGEMENT POLICY
Entities owning, operating, and/or maintaining Critical Information Infrastructure shall take into account all relevant NESA issuances and guidance with regard to risk management when performing risk assessment (please refer to the NCRMF for further details).
The information security risk management policy should clearly define how the entity is planning to carry out the risk assessment. In addition to the requirements stated above, the policy can, for example, contain:
- A. The level of detail of asset identification
- B. The basis of threat and vulnerability identification
- C. The scales to be used for asset valuation in terms of confidentiality, integrity and availability
- D. How the likelihood that a threat exploits a vulnerability is calculated
- E. How the risks are calculated
- F. Who will be responsible for performing the risk assessment
- G. The basis of control selection
- H. How to measure the risk management performance
- I. Criteria for improving the risk management
The risk management policy should also describe the type of risk assessment the entity intends to perform, whether it is more of a higher-level assessment or a detailed one (see also M2.2), and the reasons for that choice. The decision for a particular approach should be made based on:
- A. The security requirements of the entity
- B. Their current level of maturity, and where the entity eventually wishes to be (link to self-assessment)
- C. The capabilities, knowledge and resources available at this point in time
- D. The regulations given by the entity’s sector or other applicable regulations
The entity should be able to provide reasons for the chosen information security risk management approach.
The risk management policy should be communicated appropriately.
PLEASE NOTE: The risk management policy is sometimes also referred to as the risk management approach.