ISMS Compliance: CyFun Basic, Identify function

ID.GV-4: Risk management processes

Governance and risk management processes address cybersecurity risks


Requirement

A comprehensive strategy to manage information security and cybersecurity risks shall be developed and updated when changes occur.

Our Implementation

A risk management process has been established to identify, assess, and treat cybersecurity risks:

  • Risk identification: Risks are identified through asset inventory review, vendor assessments, gap analysis, and operational monitoring
  • Risk scoring: Quantified scoring methodology using Probability (1–5) × Impact (1–5) × 100, with thresholds defined as Critical (above 1200), High (800–1200), Medium (400–799), Low (below 400)
  • Risk register: Documents 13 risks (RSK-001 through RSK-013) covering device encryption, access control, vendor management, DR planning, logging, incident response, training, patch management, and penetration testing — 12 with mitigation treatment, 1 accepted
  • Risk review: Risks are re-evaluated when system changes occur or new suppliers are added. An annual review cycle is being established

Gaps / Planned improvements:

  • Risk assessment triggered reactively rather than on a fixed schedule (NEX-366)
  • Annual review cycle not yet completed — first assessment March 2026 (NEX-386)
  • Risk appetite and tolerance thresholds not formally defined (NEX-366)

Evidence

Status: Partially Implemented
Maturity: L2 (Repeatable)
