last sync: 2023-Jun-02 17:44:47 UTC

Azure Policy definition

Implement the risk management strategy

Name Implement the risk management strategy
Azure Portal
Id c6fe3856-4635-36b6-983c-070da12a953b
Version 1.1.0
details on versioning
Category Regulatory Compliance
Microsoft docs
Description CMA_C1744 - Implement the risk management strategy
Mode All
Type BuiltIn
Preview FALSE
Deprecated FALSE
Effect Default
Manual
Allowed
Manual, Disabled
RBAC
Role(s)
none
Rule
Aliases
Rule
ResourceTypes
IF (1)
Microsoft.Resources/subscriptions
Compliance The following 20 compliance controls are associated with this Policy definition 'Implement the risk management strategy' (c6fe3856-4635-36b6-983c-070da12a953b)
Control Domain Control Name MetadataId Category Title Owner Requirements Description Info Policy#
hipaa 0121.05a2Organizational.12-05.a hipaa-0121.05a2Organizational.12-05.a 0121.05a2Organizational.12-05.a 01 Information Protection Program 0121.05a2Organizational.12-05.a 05.01 Internal Organization Shared n/a The organization's information protection and risk management programs, including the risk assessment process, are formally approved, and are reviewed for effectiveness and updated annually. 6
hipaa 17126.03c1System.6-03.c hipaa-17126.03c1System.6-03.c 17126.03c1System.6-03.c 17 Risk Management 17126.03c1System.6-03.c 03.01 Risk Management Program Shared n/a The organization has implemented an integrated control system characterized using different control types (e.g., layered, preventative, detective, corrective, and compensating) that mitigates identified risks. 3
hipaa 1792.10a2Organizational.7814-10.a hipaa-1792.10a2Organizational.7814-10.a 1792.10a2Organizational.7814-10.a 17 Risk Management 1792.10a2Organizational.7814-10.a 10.01 Security Requirements of Information Systems Shared n/a Information security risk management is integrated into the SDLC, and information security roles and responsibilities are defined for all SDLC phases. 4
ISO27001-2013 C.6.1.1.a ISO27001-2013_C.6.1.1.a ISO 27001:2013 C.6.1.1.a Planning General Shared n/a When planning for the information security management system, the organization shall consider the issues referred to in 4.1 and the requirements referred to in 4.2 and determine the risks and opportunities that need to be addressed to: a) ensure the information security management system can achieve its intended outcome(s). link 3
ISO27001-2013 C.6.1.1.b ISO27001-2013_C.6.1.1.b ISO 27001:2013 C.6.1.1.b Planning General Shared n/a When planning for the information security management system, the organization shall consider the issues referred to in 4.1 and the requirements referred to in 4.2 and determine the risks and opportunities that need to be addressed to: b) prevent, or reduce, undesired effects. link 3
ISO27001-2013 C.6.1.1.c ISO27001-2013_C.6.1.1.c ISO 27001:2013 C.6.1.1.c Planning General Shared n/a When planning for the information security management system, the organization shall consider the issues referred to in 4.1 and the requirements referred to in 4.2 and determine the risks and opportunities that need to be addressed to: c) achieve continual improvement. link 3
ISO27001-2013 C.6.1.1.d ISO27001-2013_C.6.1.1.d ISO 27001:2013 C.6.1.1.d Planning General Shared n/a When planning for the information security management system, the organization shall consider the issues referred to in 4.1 and the requirements referred to in 4.2 and determine the risks and opportunities that need to be addressed. The organization shall plan: d) actions to address these risks and opportunities. link 3
ISO27001-2013 C.6.1.1.e.1 ISO27001-2013_C.6.1.1.e.1 ISO 27001:2013 C.6.1.1.e.1 Planning General Shared n/a When planning for the information security management system, the organization shall consider the issues referred to in 4.1 and the requirements referred to in 4.2 and determine the risks and opportunities that need to be addressed. The organization shall plan: e) how to - 1) integrate and implement the actions into its information security management system processes. link 3
ISO27001-2013 C.6.1.1.e.2 ISO27001-2013_C.6.1.1.e.2 ISO 27001:2013 C.6.1.1.e.2 Planning General Shared n/a When planning for the information security management system, the organization shall consider the issues referred to in 4.1 and the requirements referred to in 4.2 and determine the risks and opportunities that need to be addressed. The organization shall plan: e) how to - 2) evaluate the effectiveness of these actions. link 3
ISO27001-2013 C.6.1.2.a.1 ISO27001-2013_C.6.1.2.a.1 ISO 27001:2013 C.6.1.2.a.1 Planning Information security risk assessment Shared n/a The organization shall define and apply an information security risk assessment process that: a) establishes and maintains information security risk criteria that include: - 1) the risk acceptance criteria. The organization shall retain documented information about the information security risk assessment process. link 2
ISO27001-2013 C.6.1.2.a.2 ISO27001-2013_C.6.1.2.a.2 ISO 27001:2013 C.6.1.2.a.2 Planning Information security risk assessment Shared n/a The organization shall define and apply an information security risk assessment process that: a) establishes and maintains information security risk criteria that include: - 2) criteria for performing information security risk assessments. The organization shall retain documented information about the information security risk assessment process. link 2
ISO27001-2013 C.6.1.2.b ISO27001-2013_C.6.1.2.b ISO 27001:2013 C.6.1.2.b Planning Information security risk assessment Shared n/a The organization shall define and apply an information security risk assessment process that: b) ensures that repeated information security risk assessments produce consistent, valid and comparable results. The organization shall retain documented information about the information security risk assessment process. link 1
ISO27001-2013 C.6.1.2.c.1 ISO27001-2013_C.6.1.2.c.1 ISO 27001:2013 C.6.1.2.c.1 Planning Information security risk assessment Shared n/a The organization shall define and apply an information security risk assessment process that: c) identifies the information security risks: - 1) apply the information security risk assessment process to identify risks associated with the loss of confidentiality, integrity and availability for information within the scope of the information security management system. The organization shall retain documented information about the information security risk assessment process. link 2
ISO27001-2013 C.6.1.2.c.2 ISO27001-2013_C.6.1.2.c.2 ISO 27001:2013 C.6.1.2.c.2 Planning Information security risk assessment Shared n/a The organization shall define and apply an information security risk assessment process that: c) identifies the information security risks: - 2) identify the risk owners. The organization shall retain documented information about the information security risk assessment process. link 2
ISO27001-2013 C.6.1.2.d.1 ISO27001-2013_C.6.1.2.d.1 ISO 27001:2013 C.6.1.2.d.1 Planning Information security risk assessment Shared n/a The organization shall define and apply an information security risk assessment process that: d) analyses the information security risks: - 1) assess the potential consequences that would result if the risks identified in 6.1.2 c) 1) were to materialize. The organization shall retain documented information about the information security risk assessment process. link 2
ISO27001-2013 C.6.1.2.d.2 ISO27001-2013_C.6.1.2.d.2 ISO 27001:2013 C.6.1.2.d.2 Planning Information security risk assessment Shared n/a The organization shall define and apply an information security risk assessment process that: d) analyses the information security risks: - 2) assess the realistic likelihood of the occurrence of the risks identified in 6.1.2 c) 1). The organization shall retain documented information about the information security risk assessment process. link 2
ISO27001-2013 C.6.1.2.d.3 ISO27001-2013_C.6.1.2.d.3 ISO 27001:2013 C.6.1.2.d.3 Planning Information security risk assessment Shared n/a The organization shall define and apply an information security risk assessment process that: d) analyses the information security risks: - 3) determine the levels of risk. The organization shall retain documented information about the information security risk assessment process. link 2
ISO27001-2013 C.6.1.2.e.1 ISO27001-2013_C.6.1.2.e.1 ISO 27001:2013 C.6.1.2.e.1 Planning Information security risk assessment Shared n/a The organization shall define and apply an information security risk assessment process that: e) evaluates the information security risks: - 1) compare the results of risk analysis with the risk criteria established in 6.1.2 a). The organization shall retain documented information about the information security risk assessment process. link 2
ISO27001-2013 C.6.1.2.e.2 ISO27001-2013_C.6.1.2.e.2 ISO 27001:2013 C.6.1.2.e.2 Planning Information security risk assessment Shared n/a The organization shall define and apply an information security risk assessment process that: e) evaluates the information security risks: - 2) prioritize the analysed risks for risk treatment. The organization shall retain documented information about the information security risk assessment process. link 2
SWIFT_CSCF_v2022 7.4A SWIFT_CSCF_v2022_7.4A SWIFT CSCF v2022 7.4A 7. Plan for Incident Response and Information Sharing Evaluate the risk and readiness of the organisation based on plausible cyber-attack scenarios. Shared n/a Scenario-based risk assessments are conducted regularly to improve incident response preparedness and to increase the maturity of the organisation’s security programme. link 7
History
Date/Time (UTC ymd) (i) Change type Change detail
2022-09-27 16:35:32 change Minor (1.0.0 > 1.1.0)
2022-09-19 17:41:40 add c6fe3856-4635-36b6-983c-070da12a953b
Initiatives
usage
Initiative DisplayName Initiative Id Initiative Category State Type
HITRUST/HIPAA a169a624-5599-4385-a696-c8d643089fab Regulatory Compliance GA BuiltIn
ISO 27001:2013 89c6cddc-1c73-4ac1-b19c-54d1a15a42f2 Regulatory Compliance GA BuiltIn
SWIFT CSP-CSCF v2022 7bc7cd6c-4114-ff31-3cac-59be3157596d Regulatory Compliance GA BuiltIn
JSON