Cyber risk identification activities are performed periodically and according to defined triggers, such as system changes and external events
Context and Guidance: Cyber risks that can affect IT, OT, and information assets must be identified and addressed in order to actively manage the resilience of those assets and, more importantly, of the services those assets support. The organisation may use a structured risk assessment method to identify these risks according to triggers such as system changes and external events, as established in the risk management strategy. Risk assessments provide the information needed to determine whether identified risks fall within the organisation's risk tolerances. Assessments also take existing mitigations and protections into account as part of the process. Risks identified through assessments should be added to the risk register, as recommended in RISK-2e.
Related Practices
• Progression: This practice is part of a practice progression. Practice progressions are groups of related practices that represent increasingly complete or more advanced implementations of an activity. The practices in this progression include: RISK-2a, RISK-2b, RISK-2c, RISK-2g, RISK-2h, RISK-2i, RISK-2j, RISK-2k, RISK-2l, RISK-2m.