1. Overview
OIS-09 Application of the Risk Management Policy - Risk Treatment
Designation: OIS-09.01B
Standard:
The risk treatment is prioritised corresponding to the level of cybersecurity risks associated with the cloud service.
This criterion applies only to risks that reside within the area of responsibility of the cloud service provider. Risks that arise for the cloud service customer when using the cloud service are not covered by this criterion. When outsourcing activities for the provision of cloud services to subservice organisations, the responsibility for these risks remains with the cloud service provider. Requirements for measures to manage these risks can be found in the criteria area 'Control and Monitoring of Service Providers and Suppliers (SSO)'.
Cloud service providers may leverage established risk management standards, such as ISO 27005 or the ISO 31000 family of standards to address risks related to the cloud service. Risk management procedures already implemented at the cloud service provider may be leveraged for OIS-09 where possible to reduce redundancies. Documentation of risks, treatment plans and risk acceptance in the sense of this criterion does not require specific formal frameworks; lean forms of documentation can be leveraged wherever appropriate to address the OIS-09 subcriteria.
The prioritisation can, for example, be performed by setting appropriate time limits for the treatment of the risks.

Designation: OIS-09.02B
Standard:
A risk treatment plan according to the risk assessment (cf. OIS-08) is documented and implemented.
This criterion applies only to risks that reside within the area of responsibility of the cloud service provider. Risks that arise for the cloud service customer when using the cloud service are not covered by this criterion. When outsourcing activities for the provision of cloud services to subservice organisations, the responsibility for these risks remains with the cloud service provider. Requirements for measures to manage these risks can be found in the criteria area 'Control and Monitoring of Service Providers and Suppliers (SSO)'.
Cloud service providers may leverage established risk management standards, such as ISO 27005 or the ISO 31000 family of standards to address risks related to the cloud service. Risk management procedures already implemented at the cloud service provider may be leveraged for OIS-09 where possible to reduce redundancies. Documentation of risks, treatment plans and risk acceptance in the sense of this criterion does not require specific formal frameworks; lean forms of documentation can be leveraged wherever appropriate to address the OIS-09 subcriteria.

Designation: OIS-09.03B
Standard:
Actions defined in the risk treatment plan reduce the risk level to a residual risk that risk owners are able to accept.
This criterion applies only to risks that reside within the area of responsibility of the cloud service provider. Risks that arise for the cloud service customer when using the cloud service are not covered by this criterion. When outsourcing activities for the provision of cloud services to subservice organisations, the responsibility for these risks remains with the cloud service provider. Requirements for measures to manage these risks can be found in the criteria area 'Control and Monitoring of Service Providers and Suppliers (SSO)'.
Cloud service providers may leverage established risk management standards, such as ISO 27005 or the ISO 31000 family of standards to address risks related to the cloud service. Risk management procedures already implemented at the cloud service provider may be leveraged for OIS-09 where possible to reduce redundancies. Documentation of risks, treatment plans and risk acceptance in the sense of this criterion does not require specific formal frameworks; lean forms of documentation can be leveraged wherever appropriate to address the OIS-09 subcriteria.

Designation: OIS-09.04B
Standard:
The risk treatment plan, as well as suitably summarised and abstracted versions, is provided to relevant internal parties.
This criterion applies only to risks that reside within the area of responsibility of the cloud service provider. Risks that arise for the cloud service customer when using the cloud service are not covered by this criterion. When outsourcing activities for the provision of cloud services to subservice organisations, the responsibility for these risks remains with the cloud service provider. Requirements for measures to manage these risks can be found in the criteria area 'Control and Monitoring of Service Providers and Suppliers (SSO)'.
Cloud service providers may leverage established risk management standards, such as ISO 27005 or the ISO 31000 family of standards to address risks related to the cloud service. Risk management procedures already implemented at the cloud service provider may be leveraged for OIS-09 where possible to reduce redundancies. Documentation of risks, treatment plans and risk acceptance in the sense of this criterion does not require specific formal frameworks; lean forms of documentation can be leveraged wherever appropriate to address the OIS-09 subcriteria.

Designation: OIS-09.05B
Standard:
Based on contractual agreements and relevant legal and regulatory requirements, the cloud service provider determines which relevant external parties are provided with information, specific to the parties' purposes, about the risk treatment plan. The cloud service provider also determines the extent to which this should happen.
This criterion applies only to risks that reside within the area of responsibility of the cloud service provider. Risks that arise for the cloud service customer when using the cloud service are not covered by this criterion. When outsourcing activities for the provision of cloud services to subservice organisations, the responsibility for these risks remains with the cloud service provider. Requirements for measures to manage these risks can be found in the criteria area 'Control and Monitoring of Service Providers and Suppliers (SSO)'.
Cloud service providers may leverage established risk management standards, such as ISO 27005 or the ISO 31000 family of standards to address risks related to the cloud service. Risk management procedures already implemented at the cloud service provider may be leveraged for OIS-09 where possible to reduce redundancies. Documentation of risks, treatment plans and risk acceptance in the sense of this criterion does not require specific formal frameworks; lean forms of documentation can be leveraged wherever appropriate to address the OIS-09 subcriteria.

Designation: OIS-09.06B
Standard:
The selected options for risk treatment are reviewed by the risk owners every time the risk assessment is modified. The review considers the criteria for risk acceptance and prioritisation of risk treatment.
This criterion applies only to risks that reside within the area of responsibility of the cloud service provider. Risks that arise for the cloud service customer when using the cloud service are not covered by this criterion. When outsourcing activities for the provision of cloud services to subservice organisations, the responsibility for these risks remains with the cloud service provider. Requirements for measures to manage these risks can be found in the criteria area 'Control and Monitoring of Service Providers and Suppliers (SSO)'.
Cloud service providers may leverage established risk management standards, such as ISO 27005 or the ISO 31000 family of standards to address risks related to the cloud service. Risk management procedures already implemented at the cloud service provider may be leveraged for OIS-09 where possible to reduce redundancies. Documentation of risks, treatment plans and risk acceptance in the sense of this criterion does not require specific formal frameworks; lean forms of documentation can be leveraged wherever appropriate to address the OIS-09 subcriteria.
Options for risk treatment may involve one or more of the following:
1. Avoiding the risk by deciding not to start or continue with the activity that gives rise to the risk;
2. Taking or increasing the risk in order to pursue an opportunity;
3. Removing the risk source;
4. Changing the likelihood;
5. Changing the consequences;
6. Sharing the risk (e.g. through contracts, buying insurance); and
7. Retaining the risk by informed decision.

Designation: OIS-09.07B
Standard:
Where the cloud service provider shares risks with the cloud service customers, the cloud service provider maps the shared risks to complementary customer controls and describes them in the user documentation (cf. PSS-01).
This criterion applies only to risks that reside within the area of responsibility of the cloud service provider. Risks that arise for the cloud service customer when using the cloud service are not covered by this criterion. When outsourcing activities for the provision of cloud services to subservice organisations, the responsibility for these risks remains with the cloud service provider. Requirements for measures to manage these risks can be found in the criteria area 'Control and Monitoring of Service Providers and Suppliers (SSO)'.
Cloud service providers may leverage established risk management standards, such as ISO 27005 or the ISO 31000 family of standards to address risks related to the cloud service. Risk management procedures already implemented at the cloud service provider may be leveraged for OIS-09 where possible to reduce redundancies. Documentation of risks, treatment plans and risk acceptance in the sense of this criterion does not require specific formal frameworks; lean forms of documentation can be leveraged wherever appropriate to address the OIS-09 subcriteria.
Risks that the cloud service provider shares with the cloud service customer are described as part of the SSRM (cf. OIS-03).

1.1 References
1.2 Identified Requirements
1.3 Related Regulations

2. Identified Requirements
Requirements
Source | Requirement

3. Related Regulations
Regulations
Source | Regulation