
Risk management and compliance involve assessing, managing, and mitigating cybersecurity risks while ensuring compliance with relevant regulations and industry standards such as GDPR, HIPAA, or PCI-DSS. This sector focuses on identifying potential threats to the organisation’s cybersecurity and implementing strategies to address them effectively. The goal is to not only reduce the likelihood of security breaches but also to ensure that the organisation adheres to regulatory requirements that protect data privacy and security. By developing a robust risk management strategy and maintaining compliance, businesses can safeguard their operations, avoid legal consequences, and preserve their reputation.
———————————————————————————————————
Level 1 Certification
———————————————————————————————————
Measure 12.1: Perform Basic Risk Assessments
Does your enterprise conduct basic risk assessments to identify potential cybersecurity risks and threats to your systems and data?
Example: Conduct an annual risk assessment to identify and document potential vulnerabilities in your network, systems, and data, and prioritise which risks need immediate attention.
Measure 12.2: Understand Relevant Regulations
Does your enterprise have a basic understanding of any relevant cybersecurity regulations and standards (e.g., GDPR, PCI-DSS) that apply to your business?
Example: Familiarise yourself with the basics of GDPR and any industry-specific regulations that apply to your business to ensure you are aware of compliance requirements.
Measure 12.3: Create Basic Compliance Documentation
Does your enterprise maintain documentation of compliance practices, including steps taken to ensure compliance with relevant regulations?
Example: Maintain a simple record of compliance activities, such as data handling processes, and ensure employees are aware of the company’s commitment to regulatory requirements like GDPR.
Measure 12.4: Identify and Address Critical Risks
Does your enterprise have a process in place to identify critical risks that could significantly impact your operations and take steps to address them?
Example: Develop a plan to mitigate risks such as data loss, unauthorised access, or malware attacks, and implement basic measures to reduce those risks (e.g., regular software updates, employee training).
———————————————————————————————————
Level 2 Certification
To achieve Level 2: Level 1 must also be achieved.
———————————————————————————————————
Measure 12.5: Conduct Regular Risk Assessments and Reviews
Does your enterprise perform more detailed and regular risk assessments to proactively manage potential cybersecurity risks and evaluate existing mitigation strategies?
Example: Perform quarterly risk assessments to ensure that your enterprise is regularly identifying emerging threats and adjusting mitigation strategies accordingly.
Measure 12.6: Implement a Formal Risk Management Framework
Does your enterprise have a formal risk management framework in place to identify, assess, and mitigate risks across all aspects of your business?
Example: Implement a framework such as ISO 27001, NIST, or any relevant risk management methodology to structure how risks are identified, assessed, and managed across the organisation.
Measure 12.7: Develop a Compliance Management Program
Does your enterprise have a formal program to ensure compliance with relevant regulations and industry standards?
Example: Designate a compliance officer to manage the ongoing monitoring of compliance with relevant regulations like GDPR or PCI-DSS and maintain documentation of compliance efforts.
Measure 12.8: Train Employees on Risk Management and Compliance
Does your enterprise provide regular training to employees on cybersecurity risks, compliance regulations, and best practices for ensuring compliance?
Example: Conduct annual compliance training sessions for all employees to ensure that they understand the importance of risk management, relevant regulations, and how to protect sensitive data.
Measure 12.9: Conduct Vendor Risk Assessments
Does your enterprise assess the risks posed by third-party vendors and partners, particularly those who handle sensitive data?
Example: Implement a vendor risk assessment process that evaluates third-party service providers for their security practices, compliance with regulations, and their ability to meet your organisation’s risk management requirements.
———————————————————————————————————
Level 3 Certification
To achieve Level 3: Level 2 and Level 1 must also be achieved.
———————————————————————————————————
Measure 12.10: Establish a Formal Risk Management Department
Does your enterprise have a dedicated risk management department or team responsible for overseeing the company’s entire cybersecurity risk management strategy?
Example: Set up a risk management team responsible for conducting ongoing risk assessments, creating and enforcing policies, and reporting on the organisation’s risk posture to senior leadership.
Measure 12.11: Integrate Risk Management with Business Strategy
Does your enterprise integrate risk management into its broader business strategy to ensure that risk considerations are a part of key business decisions?
Example: Incorporate risk assessments into the decision-making process for new business initiatives, ensuring that cybersecurity risks are considered alongside financial and operational factors.
Measure 12.12: Use Advanced Risk Management Tools
Does your enterprise use advanced risk management tools and software to monitor, analyse, and mitigate risks in real time?
Example: Use risk management software such as RSA Archer or LogicManager to automate the identification, assessment, and tracking of risks across your enterprise, enabling more efficient and proactive risk management.
Measure 12.13: Conduct Regular Internal and External Audits
Does your enterprise perform both internal and external audits of its cybersecurity practices to ensure that risk management and compliance efforts are being met effectively?
Example: Schedule annual internal audits of your risk management framework, and hire an external auditor to conduct an independent review of your compliance with relevant regulations such as GDPR and HIPAA.
———————————————————————————————————