Asset Vulnerability Identification
ID.RA-01: Vulnerabilities in assets are identified, confirmed, and recorded.
  • 1. The information referred to in point 1 of measure ID.RA-08 is used to identify potential vulnerabilities in information and network systems.
  • 2. For at least the relevant information and network systems, in accordance with the vulnerability management plan under measure ID.RA-08, barring justified and documented normative or technical reasons, activities for identifying vulnerabilities, including at least vulnerability assessments and/or penetration tests, are carried out periodically and in any case before they are put into operation.
  • 3. The activities referred to in point 2 are documented through specific reports that contain at least: a) the general description of the activities carried out and their outcomes; b) the description of the detected vulnerabilities and their impact level on security.
Risk Exposure Determination and Prioritization
ID.RA-05: Threats, vulnerabilities, likelihoods, and impacts are used to understand inherent risk and to inform the prioritization of risk response.
  • 1. In accordance with the cybersecurity risk management plan as outlined in measure GV.RM-03, the risk assessment posed to the security of information and network systems is executed and documented, also considering possible dependencies on third-party suppliers and partners, including at least: a) risk identification; b) risk analysis; c) risk evaluation.
  • 2. The risk assessment referred to in point 1 is performed at planned intervals and at least every two years, as well as whenever significant incidents occur, organizational changes take place, or there are shifts in threat exposure and related risks.
  • 3. The risk assessment referred to in point 1 is approved by the administrative and executive bodies.
  • 4. The risk assessment referred to in point 1 is conducted considering at least internal and external threats, unresolved vulnerabilities, and impacts resulting from potential incidents.
Risk Response Determination
ID.RA-06: Risk responses are chosen, prioritized, planned, monitored, and communicated.
  • 1. A risk treatment plan is defined, documented, executed, and monitored, which includes at least: a) the treatment options and measures to be implemented for the treatment of each identified risk and their relative priorities; b) the competent bodies for implementing the risk treatment measures and the timelines for their implementation; c) the description and reasons that justify the acceptance of any residual risks after treatment.
  • 2. If, for justified and documented normative or technical reasons, the requirements in Table 2 in the appendix to this annex are not implemented, compensatory mitigation measures are adopted where applicable, and the plan referred to in point 1 includes the description of these measures and any residual risk.
  • 3. The plan referred to in point 1, including the acceptance of any residual risks, is approved by the administrative and directive bodies.
Vulnerability Disclosure Response
ID.RA-08: Processes for receiving, analyzing, and responding to vulnerability disclosures are established.
  • 1. At least the communication channels of CSIRT Italy, as well as any sectoral CERT and Information Sharing and Analysis Centre (ISAC), are monitored to acquire, analyze, and respond to information about vulnerabilities.
  • 2. Vulnerabilities, including those identified according to measure ID.RA-01, are promptly resolved through security updates or mitigation measures, where available, or by accepting and documenting the risk in accordance with the cyber risk treatment plan referred to in measure ID.RA-06.
  • 3. A vulnerability management plan is defined, implemented, updated, and documented, which includes at least: a) the methods for identifying vulnerabilities as per measure ID.RA-01 and the planning of related activities; b) the methods for monitoring, receiving, analyzing, and responding to information about vulnerabilities; c) the procedures, roles, and responsibilities for carrying out the activities mentioned in points a) and b).
  • 4. The plan referred to in point 3 is approved by the administrative and managerial bodies.
  • 5. For the purposes mentioned in point 1, the channels of suppliers of software deemed critical are also monitored.