MAN.7: 1) The item is defined including its functions and boundaries
  • BP1: Identify cybersecurity risk management scope. Identify and regularly update the cybersecurity risk management scope including the item, its functions and its boundaries with affected parties.
Description

The purpose is to regularly identify, analyze, prioritize, and monitor risks of damage to relevant stakeholders.

MAN.7: 2) Relevant assets, threats and damage scenarios are identified and regularly updated.
  • BP2: Identify cybersecurity events. Identify and regularly evaluate cybersecurity information and derive potential cybersecurity events. Update the relevant assets, damage and threat scenarios with affected parties.

MAN.7: 3) Cybersecurity risks are analyzed based on impact rating and attack feasibility rating in order to support prioritization for the treatment of risks.
  • BP3: Analyze risks. Analyze and determine the risk of the potential cybersecurity events based on the impact they may have and based on the feasibility of an attack path being exploited, in order to support prioritization for the treatment of risks.

MAN.7: 4) The status of risks and the progress of the risk treatment activities are determined.
  • BP4: Define risk treatment options. For each risk select a treatment option to retain, reduce, avoid, or transfer (share) the risk.

MAN.7: 5) Appropriate treatment is taken to mitigate the impact of risk based on its priority, likelihood, and consequence or other defined risk threshold.
  • BP5: Define and perform risk treatment activities. Define and perform the activities required to implement the selected risk treatment options.
  • BP6: Monitor risks. Regularly re-evaluate the risks related to the identified potential cybersecurity events to determine changes in the status of the cybersecurity risks, re-evaluate the risk treatment options and review the progress of the risk treatment activities.
  • BP7: Take corrective action. When risk treatment activities are not effective, take appropriate corrective action.