CAF Outcome A2.a: Risk Management Process
From the UK NCSC's Cyber Assessment Framework (version 3.1):
Your organisation has effective internal processes for managing risks to the security of network and information systems related to the operation of essential functions and communicating associated activities.
NCSC CAF Mapped to NIST CSF
Mappings from A2.a: Risk Management Process to the NIST Cybersecurity Framework (CSF), generated from the UK Cabinet Office mapping table.

| Control ID | Description |
|---|---|
| ID.GV-4 | Governance and risk management processes address cybersecurity risks |
| ID.RM-2 | Organizational risk tolerance is determined and clearly expressed |
| ID.RA-3 | Threats, both internal and external, are identified and documented |
| RS.MI-3 | Newly identified vulnerabilities are mitigated or documented as accepted risks |
| ID.RA-4 | Potential business impacts and likelihoods are identified |
| ID.RA-6 | Risk responses are identified and prioritized |
| ID.BE-2 | The organization’s place in critical infrastructure and its industry sector is identified and communicated |
| PR.IP-2 | A System Development Life Cycle to manage systems is implemented |
| ID.RM-3 | The organization’s determination of risk tolerance is informed by its role in critical infrastructure and sector specific risk analysis |
| ID.RA-1 | Asset vulnerabilities are identified and documented |
| ID.RM-1 | Risk management processes are established, managed, and agreed to by organizational stakeholders |
| DE.AE-4 | Impact of events is determined |
ATT&CK Mitigations
MITRE ATT&CK mitigations which map to this CAF outcome, based on mappings by Ofgem.
Related ISA/IEC 62443 Controls
Clauses and controls from IEC 62443 (62443-2-1 and 62443-3-3) that are related to this CAF outcome, taken from mappings by Ofgem.

- Integrate physical, HSE and cyber security risk assessments (4.2.3.11), ISA/IEC 62443-2-1:2009
- Assess all the risks of changing the IACS (4.3.4.3.3), ISA/IEC 62443-2-1:2009
- Identify a detailed risk assessment methodology (4.2.3.8), ISA/IEC 62443-2-1:2009
- Conduct a detailed risk assessment (4.2.3.9), ISA/IEC 62443-2-1:2009
- Conduct risk assessments throughout the lifecycle of the IACS (4.2.3.12), ISA/IEC 62443-2-1:2009
- Define the scope of the CSMS (4.3.2.2.1), ISA/IEC 62443-2-1:2009
- Select a risk assessment methodology (4.2.3.1), ISA/IEC 62443-2-1:2009
- Conduct a high-level risk assessment (4.2.3.3), ISA/IEC 62443-2-1:2009
- Identify the reassessment frequency and triggering criteria (4.2.3.10), ISA/IEC 62443-2-1:2009
- Define the scope content (4.3.2.2.2), ISA/IEC 62443-2-1:2009
- Document the risk assessment (4.2.3.13), ISA/IEC 62443-2-1:2009
- Manage IACS risk on an ongoing basis (4.3.4.2.1), ISA/IEC 62443-2-1:2009
- Determine the organisation's tolerance for risk (4.3.2.6.5), ISA/IEC 62443-2-1:2009
- Review risk tolerance (4.4.3.5), ISA/IEC 62443-2-1:2009
- Employ a common set of countermeasures (4.3.4.2.2), ISA/IEC 62443-2-1:2009
- Provide risk assessment background information (4.2.3.2), ISA/IEC 62443-2-1:2009
- Maintain vulnerability assessment records (4.2.3.14), ISA/IEC 62443-2-1:2009
- Monitor and evaluate industry CSMS strategies (4.4.3.6), ISA/IEC 62443-2-1:2009
Related ISO 27001 Controls
Clauses and controls from ISO 27001 (2013) that are related to this CAF outcome, taken from mappings by Ofgem.

- Information security in project management (6.1.5), ISO 27001:2013
Related SP800-53 Controls
Generated from NIST's SP800-53/CSF Crosswalk mappings.
MITRE ATT&CK Techniques
See which MITRE ATT&CK techniques this control helps to protect against. This is based on the above mappings to ATT&CK mitigations by Ofgem.

| ATT&CK ID | Title | Associated Tactics |
|---|---|---|
| T1656 | Impersonation | Defense Evasion |
| T1210 | Exploitation of Remote Services | Lateral Movement |
| T1211 | Exploitation for Defense Evasion | Defense Evasion |
| T1212 | Exploitation for Credential Access | Credential Access |
| T1068 | Exploitation for Privilege Escalation | Privilege Escalation |