Description
The organization updates the risk assessment [Assignment: organization-defined frequency] or whenever there are significant changes to the information system, the facilities where the system resides, or other conditions that may impact the security or accreditation status of the system.
Supplemental Guidance
The organization develops and documents specific criteria for what is considered a significant change to the information system. NIST Special Publication 800-30 provides guidance on conducting risk assessment updates.
Enhancements
(0) None.
Compliance Mappings
ISO 42001:2023
A.2.4, A.5.2
ANSSI
Hygiene.36, Hygiene.41, SecNumCloud.7.2
FINMA Circular 2023/1
IV.B.c(54), IV.B.c(55)
OSFI B-13
B-13.1.3, B-13.1.4
EU GDPR
Art.32(1)(d), Art.35(11)
EU DORA
Art.6(4), Art.6(5)
LGPD + BCB 4893
BCB.Art.18, BCB.Art.19
HKMA TM-E-1
TME1.2.3
CBB TM
TM-4
CBUAE
CR-2
CBE CSF
CRM-1
SA JS2
JS2-6.2
CBN CSF
Part2.1, Part2.2
BoG CISD
CISD-III
BoM CTRM
1.42.1
IOSCO Cyber Resilience
LE-2
EBA ICT Guidelines
3.3.5
CMMC 2.0
RA
FCA SYSC 13
SYSC 13.5.3
ISO 17799 (legacy)
4.1
COBIT 4.1 (legacy)
PO9.4