3.2.2 Risk Identification and Analysis
No: 43028139 | Date(g): 4/11/2021 | Date(h): 29/3/1443
Effective from 2021-11-04 - Nov 03 2021
Principle
Information assets should be identified, recorded and maintained, together with information about the threats to them and the controls already in place, and the associated risks should be analyzed based on their likelihood of occurrence and resulting impact.
Control Requirements
1. IT risk identification should be performed, documented and periodically updated in a formal, centralized risk register.
2. The IT risk register should be regularly updated.
3. IT risk analysis should address at least the following:
   a. information asset description and classification;
   b. potential threat(s) to the information asset;
   c. impact and likelihood;
   d. existing IT controls;
   e. risk owner (business or process owner);
   f. implementation owner (control owner); and
   g. inherent as well as residual risks related to the information assets.