CISOBot - Your AI CISO Assistant

RSK-02

Risk-Based Security Categorization

Weight: 9/10
Description

Mechanisms exist to categorize Technology Assets, Applications, Services and/or Data (TAASD) in accordance with applicable laws, regulations and contractual obligations that: (1) Document the security categorization results (including supporting rationale) in the security plan for systems; and (2) Ensure the security categorization decision is reviewed and approved by the asset owner.

Control Question

Does the organization categorize Technology Assets, Applications, Services and/or Data (TAASD) in accordance with applicable laws, regulations and contractual obligations that: (1) Document the security categorization results (including supporting rationale) in the security plan for systems; and (2) Ensure the security categorization decision is reviewed and approved by the asset owner?

Control Metadata
Domain:

Risk Management

Validation Cadence:

Annual

Evidence Request List:

E-RSK-01, E-RSK-04, E-BCM-08, E-TPM-02

Framework Mappings

This control maps to the following compliance frameworks:

MAS TRM

4.2.1

HKIA GL20

1.1, 1.2, 1.3, 1.4, 1.5, 2.1, 2.2, 2.3
