
Cyber risk management, also called cybersecurity risk management, is the process of identifying, prioritizing, treating, and monitoring risks to information systems. Companies across industries use cyber risk management to protect information systems from cyberattacks and other digital and physical threats. The most commonly used reference frameworks are:

  1. ISO 31000
  2. ISO 27001
  3. ISO 27005
  4. NIST Risk Management Framework (RMF)
  5. National or sector-specific frameworks

From an enterprise perspective, ISO 31000 formalises the following enterprise risk management (ERM) process:

1 Context establishment

2 Risk assessment

2.1 Risk identification

2.2 Risk analysis

2.3 Risk evaluation

3 Risk treatment

The steps above are accompanied, throughout the process, by

4 Communication and consultation

5 Monitoring and review

For information security specifically, a more focused standard is available: ISO 27005, which is aligned with ISO 27001.

 

According to ISO 27005:2018 (the clause numbers below follow that edition; ISO 27005:2022 restructured and renumbered the clauses), the information security risk management process consists of

1 Context establishment (Clause 7)

2 Risk assessment (Clause 8)

    When the assessment is not satisfactory, the process returns to context establishment; otherwise it continues to

3 Risk treatment (Clause 9)

    When the treatment is not satisfactory, the process also returns to context establishment; otherwise it continues to

4 Risk acceptance (Clause 10)

Running alongside all of these steps are 5 Risk communication and consultation (Clause 11) and 6 Risk monitoring and review (Clause 12).

 

See below.




Some national and sector-specific frameworks are presented here.

Currently only Belgian and Dutch specifics are covered.

  1. BE CyberFundamentals Framework
  2. NL Basismaatregelen cybersecurity (basic cybersecurity measures)
  3. NL Educational institute framework (SURF)

This is impressive work from ccb.be (the Centre for Cybersecurity Belgium). Its guidance walks an organization through seven questions:

  • Q1 Are you in scope?
  • Q2 Have you registered your Belgian business entity in the Safeonweb environment?
  • Q3 Are you able to report on significant Cyber incidents?
  • Q4 Have you determined your CyberFundamentals assurance level?
  • Q5 Have you planned your cybersecurity training?
  • Q6 Have you implemented security measures?
  • Q7 Have you had your security reviewed?

 

TrustMatters offers various services enabling you to reach your desired assurance level.

The Dutch NCSC (ncsc.nl) lists the following:

Basic cybersecurity measures
These basic measures should be taken by every organization to prevent cyberattacks. Recent digital incidents have also shown that companies and organizations are vulnerable if these measures are not taken.

  • Set up risk management
  • Apply strong authentication
  • Determine who has access to your data and services
  • Reduce the attack surface
  • Use encryption
  • Protect your organization from data loss
  • Set up patch management
  • Centralize and analyze log information

 

Remark: TrustMatters can support you in setting up cyber risk management.

SURF (surf.nl) has based its approach on the Dutch BIS, which itself builds on ISO 27001/27002.

These standards are referenced throughout the SURF material.

Cyber risk management and configuration management receive particular emphasis.

SURF provides support, including tools, to bring Dutch educational institutes towards maturity level 3.

This includes determining the current "as-is" situation and improving processes to achieve compliance with the SURF security baseline.

The asset management category of the SURF security baseline also describes what you can set up as an organization.

The link between risk management for information security and ERM is not yet common practice at educational and research institutions.

This is where TrustMatters provides relevant services.



