Principle A2 Risk Management
The organisation takes appropriate steps to identify, assess and understand security risks to the network and information systems supporting the operation of essential functions. This includes an overall organisational approach to risk management.
A2.a Risk Management Process
Your organisation has effective internal processes for managing risks to the security of network and information systems related to the operation of your essential function(s) and communicating associated activities.
Not Achieved
At least one of the following statements is true:
- Risk assessments are not based on a clearly defined set of threat assumptions.
- Risk assessment outputs are too complex or unwieldy to be consumed by decision-makers and are not effectively communicated in a clear and timely manner.
- Risk assessments for network and information systems supporting your essential function(s) are a "one-off" activity or not done at all.
- The security elements of projects or programmes are solely dependent on the completion of a risk management assessment without any regard to the outcomes.
- There is no systematic process in place to ensure that identified security risks are managed effectively.
- Systems are assessed in isolation, without consideration of dependencies and interactions with other systems (e.g. interactions between IT and OT environments).
- Security requirements and mitigations are arbitrary or are applied from a control catalogue without consideration of how they contribute to the security of the essential function(s).

Partially Achieved
All the following statements are true:
- Your organisational process ensures that security risks to network and information systems relevant to essential function(s) are identified, analysed, prioritised, and managed.
- Your risk assessments are informed by an understanding of the vulnerabilities in the network and information systems supporting your essential function(s).
- The output from your risk management process is a clear set of security requirements that will address the risks in line with your organisational approach to security.
- Significant conclusions reached in the course of your risk management process are communicated to key security decision-makers and accountable individuals.
- You conduct risk assessments when significant events potentially affect the essential function(s), such as replacing a system or a change in the cyber security threat.

Achieved
All the following statements are true:
- Your organisational process ensures that security risks to network and information systems relevant to essential function(s) are identified, analysed, prioritised, and managed.
- Your approach to risk is focused on the possibility of adverse impact to your essential function(s), leading to a detailed understanding of how such impact might arise as a consequence of possible attacker actions and the security properties of your network and information systems.
- Your risk assessments are based on a clearly understood set of threat assumptions, informed by an up-to-date understanding of security threats to your essential function(s) and your sector.
- Your risk assessments are informed by an understanding of the vulnerabilities in the network and information systems supporting your essential function(s).
- The output from your risk management process is a clear set of security requirements that will address the risks in line with your organisational approach to security.