OIS-07 Risk Management Policy
OIS-07.01B

1. Overview

Designation: OIS-07.01B

Standard: Policies and procedures for risk management procedures are documented, communicated and provided in accordance with SP-01. Risk management procedures are based on a methodology for risk assessments. The methodology allows comparability and reproducibility for the following aspects:

1. Identification of cybersecurity risks and other risks associated with the loss of confidentiality, integrity, availability and authenticity of information within the scope of the ISMS and assigning risk owners;
2. Analysis of the probability and impact of occurrence and determination of the level of risk;
3. Evaluation of the risk assessment based on defined criteria for risk acceptance and prioritisation of risk management;
4. Treatment of risks through measures, including approval of authorisation and acceptance of residual risks by risk owners;
5. Documentation of the activities implemented to enable consistent, valid and comparable results; and
6. Evaluation of the risk assessment and the status of risk treatment plans by the level of management responsible for the security of the cloud service.


The risk level can be determined by qualitative, semi-quantitative or quantitative methods (cf. ISO 31010) based on the likelihood and impact of the risks.

For identifying, evaluating, and prioritising potential threats and vulnerabilities associated with processes, systems, and data flows, threat modelling can provide a structured methodology: The cloud service provider can systematically analyse attack vectors and possible impacts to support auditors and stakeholders in validating the suitability of the design of implemented controls, highlight gaps in existing security measures, and ensure alignment with best practices for proactive risk mitigation.
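As an added illustration, not part of the OIS-07 catalogue text, the Python sketch below implements steps 1 to 6 above as a semi-quantitative risk register: the 1..5 scales, the acceptance threshold, and the risk entries with their owners are all constructed assumptions, and the status logic flags residual risk above the criterion that nobody but the risk owner may accept.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple
# Semi-quantitative 1..5 scales and acceptance criterion (all constructed for this example).
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
IMPACT = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}
ACCEPTANCE_THRESHOLD = 6  # documented criterion: a level of 6 or below may be accepted as-is

@dataclass
class Risk:
    risk_id: str
    description: str
    owner: str                            # step 1: every identified risk has a named owner
    likelihood: str
    impact: str
    treatment: str = ""                   # step 4: planned or implemented measure
    residual_likelihood: Optional[str] = None
    residual_impact: Optional[str] = None
    accepted_by: Optional[str] = None     # step 4: who accepted the residual risk

def risk_level(likelihood: str, impact: str) -> int:
    """Step 2: level = likelihood x impact on the 1..5 scales, giving 1..25."""
    return LIKELIHOOD[likelihood] * IMPACT[impact]

def residual_level(r: Risk) -> int:
    """Level after treatment; falls back to the inherent scores if untreated."""
    return risk_level(r.residual_likelihood or r.likelihood, r.residual_impact or r.impact)

def treatment_status(r: Risk) -> str:
    """Steps 3/4: evaluate against the criterion; only the owner may accept residual risk."""
    if residual_level(r) <= ACCEPTANCE_THRESHOLD:
        return "within acceptance criteria"
    if r.accepted_by == r.owner:
        return "residual risk accepted by owner"
    return "OPEN: residual risk above criteria without owner acceptance"

def management_report(register: List[Risk]) -> List[Tuple[str, str, int, int, str]]:
    """Steps 5/6: one reproducible record per risk, prioritised by inherent level."""
    ranked = sorted(register, key=lambda r: risk_level(r.likelihood, r.impact), reverse=True)
    return [(r.risk_id, r.owner, risk_level(r.likelihood, r.impact), residual_level(r),
             treatment_status(r)) for r in ranked]

# Constructed sample register for a cloud service (not real findings).
REGISTER = [
    Risk("R1", "backup keys stored without access logging", "ops lead", "likely", "major",
         "keys moved to HSM, audit logging enabled", "unlikely", "major", accepted_by="ops lead"),
    Risk("R2", "guest Wi-Fi outage in the office", "facilities", "possible", "minor"),
    Risk("R3", "hypervisor patch backlog", "platform lead", "possible", "severe",
         "monthly patch window", "rare", "severe"),
    Risk("R4", "third-party SDK integrity not verified at build", "appsec lead", "possible", "major"),
]
```

Calling `management_report(REGISTER)` yields the prioritised rows for management review, with R4 reported as open because its residual level of 12 exceeds the criterion and no owner acceptance is recorded.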

1.1 References

1.2 Identified Requirements

1.3 Related Regulations

2. Identified Requirements

Requirements
Source | Requirement

3. Related Regulations

Regulations
Source | Regulation