3.2.2 Risk Identification and Analysis
No: 43028139 | Date(g): 4/11/2021 | Date(h): 29/3/1443 | Status: In-Force
Principle
Information assets should be identified, recorded and maintained in order to gather information about related threats and existing controls, and the associated risks should be analyzed based on their likelihood of occurrence and resulting impact.
Control Requirements
1. IT risk identification should be performed, documented and periodically updated in the formal centralized risk register.
2. The IT risk register should be regularly updated.
3. IT risk analysis should address, but not be limited to, the following:
   a. information asset description and classification;
   b. potential threat(s) to the information asset;
   c. impact and likelihood;
   d. existing IT controls;
   e. risk owner (business or process owner);
   f. implementation owner (control owner); and
   g. inherent as well as residual risks related to the information assets.