3.2.4 Risk Reporting/ Monitoring, and Profiling
No: 43028139 | Date(g): 4/11/2021 | Date(h): 29/3/1443
Effective from 2021-11-04 - Nov 03 2021
Principle
IT risks should be treated according to the defined treatment plans and should be effectively reviewed, monitored and reported.
Control Requirements
1. IT risk assessment results should be formally documented and reported to the relevant business owners and senior management.
2. IT risk assessment results should include risks, impact, likelihood, mitigations, and remediation status.
3. IT risks should be monitored, including but not limited to:
   a. tracking progress in accordance with the risk treatment plan; and
   b. verifying that the selected and agreed IT controls are being implemented.
4. The design and operating effectiveness of the revised or newly implemented IT controls should be monitored and reviewed periodically.
5. The relevant business owners should accept the IT risk assessment results.
6. IT risk assessment results should be endorsed by the risk committee.
7. IT key risk indicators (KRIs) should be defined, implemented and monitored.
8. The IT risk profile and related data should be provided as an input to the operational risk department to formulate an organization-level risk profile.
9. The IT risk profile should be formulated and presented to senior management, the IT Steering Committee and the board of directors on a periodic basis.