
Requirement:

The cybersecurity risk assessment procedures must be implemented at least in the following cases:

Sub-Controls:

1-5-3-1:
Requirement:
Early stages of technology projects
Control Implementation Guidelines:
  • Define and document the requirements of this ECC in the cybersecurity requirements document and have them approved by the authorized representative
  • Include cybersecurity requirements within the first phase of the information and technology projects lifecycle (Technical Project Lifecycle) within the organization
  • Implement cybersecurity risk assessment procedures at an early stage of technology projects to avoid events or circumstances that could compromise the confidentiality, integrity, and availability of information and technology assets, covering in particular the identification of the information and technology assets involved in the project, their potential exposure to threats, and the relevant vulnerabilities.
  • Remediate all cybersecurity risks in accordance with the approved cybersecurity risk management methodology.
Expected Deliverables:
  • A report that outlines the identification, assessment, and remediation of cybersecurity risks throughout the technical project lifecycle in the organization
1-5-3-2:
Requirement:
Before making major changes to technology infrastructure.
Control Implementation Guidelines:
  • Define and document the requirements of this ECC in the cybersecurity requirements document and have them approved by the authorized representative
  • Include cybersecurity requirements within the IT Change Management lifecycle in the organization
  • Implement cybersecurity risk assessment procedures before making a material change to the technology architecture to avoid events or circumstances that could compromise the confidentiality, integrity, and availability of information and technology assets, covering in particular the identification of the information and technology assets affected by the change, their potential exposure to threats, and the relevant vulnerabilities. Such changes include, but are not limited to, a fundamental or sensitive update to one or more systems on the network, such as database systems, or a major change to the network topology.
  • Remediate all cybersecurity risks in accordance with the approved cybersecurity risk management methodology
Expected Deliverables:
  • A report that outlines the identification, assessment, and remediation of the cybersecurity risks of material changes to the production environment of the organization's information and technology assets
1-5-3-3:
Requirement:
During the planning phase of obtaining third party services.
Control Implementation Guidelines:
  • Define and document the requirements of this ECC in the cybersecurity requirements document and have them approved by the authorized representative
  • Include cybersecurity requirements within the third-party, contracts, and procurement management procedures in the organization
  • Implement cybersecurity risk assessment procedures when planning to acquire services from a third party, to avoid events or circumstances that could compromise the confidentiality, integrity, and availability of information and technology assets, covering in particular the identification of the information and technology assets involved in the service, their potential exposure to threats, and the relevant vulnerabilities
  • Remediate all cybersecurity risks in accordance with the approved cybersecurity risk management methodology.
Expected Deliverables:
  • A report that outlines the identification, assessment, and remediation of the cybersecurity risks of third parties that provide outsourced IT or managed services to the organization
1-5-3-4:
Requirement:
During the planning phase and before going live for new technology services and products.
Control Implementation Guidelines:
  • Define and document the requirements of this ECC in the cybersecurity requirements document and have them approved by the authorized representative
  • Include cybersecurity requirements within the Release Management procedures in the organization
  • Implement cybersecurity risk assessment procedures at the planning stage and again before the release of new technology products and services, to avoid events or circumstances that could compromise the confidentiality, integrity, and availability of information and technology assets, covering in particular the identification of the information and technology assets involved in the product or service, their potential exposure to threats, and the relevant vulnerabilities.
  • Remediate all cybersecurity risks in accordance with the approved cybersecurity risk management methodology.
Expected Deliverables:
  • A report that outlines the identification, assessment, and remediation of cybersecurity risks at the planning stage and before the release of new technology products and services into the production environment