
Cyber risk assessment — technology, process, people, third-party, supply chain, post-quantum

Primary statement

Cyber risk assessment operates as a comprehensive periodic process covering: (1) technology risks, process risks, people risks, third-party risks (SEBI ID.3); (2) post-quantum cryptography risk explicitly included (SEBI ID.3 — mid-2026 emerging mandate); (3) supply chain risk integrated into enterprise risk (NIST GV.SC-03); (4) event-to-incident categorisation (ISO A.5.25); (5) personnel background screening as a control informed by risk (ISO A.6.1); (6) critical-function risk consideration for post-incident norms (NIST RC.RP-04).

Audit-fatigue payoff

A unified risk assessment programme — technology + process + people + third-party + PQC + supply chain — satisfies risk assessment requirements across all 12 contributing frameworks. One risk register + one PQC assessment + one supply-chain integration document answers all framework questions on cyber risk identification and prioritisation.

Strictness matrix

Scope
Scope: technology + process + people + third-party + post-quantum cryptography risks. Five categories explicit. PQC is the 2024–26 emerging mandate that other frameworks have not yet articulated.
Ceiling source: sebi_cscrf:CSCRF.ID.3
Rationale: SEBI CSCRF ID.3 specifies the broadest risk assessment scope, uniquely including PQC. Other frameworks address subsets.

Threshold
Threshold for supply chain risk integration: cybersecurity supply chain risk shall be integrated into cybersecurity AND enterprise risk management — not assessed separately. This integration threshold ensures supply chain risk is prioritised against other enterprise risks.
Ceiling source: nist_csf:GV.SC-03
Rationale: NIST CSF GV.SC-03 sets the integration threshold most explicitly. Standalone supply chain assessment fails the integration test.

Method
Method: (1) documented risk assessment methodology covering identification, analysis, evaluation, prioritisation, treatment; (2) coverage of technology / process / people / third-party / PQC risks; (3) integration with enterprise risk per NIST GV.SC-03; (4) event-to-incident categorisation (ISO A.5.25) feeding back to the risk register; (5) personnel screening informed by role risk (ISO A.6.1); (6) periodic re-assessment with documented changes; (7) Board reporting and risk-appetite alignment.
Ceiling source: sebi_cscrf:CSCRF.ID.3
Rationale: SEBI CSCRF ID.3 combined with NIST GV.SC-03 supply chain integration provides the most prescriptive method. The PQC inclusion is uniquely strict.

Frequency
Risk assessment cadence: at defined frequency per SEBI ID.3 (annual minimum + on material change). PQC risk re-assessment: annual minimum given the evolving PQC standards landscape (NIST PQC FIPS 203/204/205 published 2024). Supply chain risk review: integrated with the enterprise risk cycle (typically annual with quarterly updates).
Ceiling source: sebi_cscrf:CSCRF.ID.3
Rationale: SEBI CSCRF ID.3 sets the cadence with "defined frequency" language; annual is the operational floor. Annual PQC re-assessment is the audit-defensible cadence given current standards velocity.

Evidence
Required evidence: (1) risk assessment methodology document; (2) risk register with technology / process / people / third-party / PQC risks; (3) supply chain risk integration evidence; (4) PQC risk assessment with prioritised high-risk assets; (5) Board reporting of top risks; (6) treatment plans with owners and timelines; (7) periodic re-assessment evidence.
Ceiling source: sebi_cscrf:CSCRF.ID.3
Rationale: SEBI CSCRF ID.3 evidence list is the most comprehensive, particularly on PQC. Other frameworks address subsets.

Auditor test pattern

Step 1: Inspect the risk assessment methodology.
Step 2: Verify the risk register covers all five categories (technology / process / people / third-party / PQC).
Step 3: Inspect the PQC risk assessment; verify high-risk assets are identified and a migration plan is documented.
Step 4: Verify supply chain risk is integrated into enterprise risk (not separately tracked).
Step 5: Sample 3 risks and verify treatment plans with owners and timelines.
Step 6: Verify Board reporting of top risks.

Common findings

Common 2024–26 findings: (1) PQC risk assessment never performed; (2) Risk register covers technology only — process / people / third-party addressed informally; (3) Supply chain risk assessed separately, not integrated into enterprise risk; (4) Risk treatment plans without owners or timelines; (5) Top risks listed but not prioritised against risk appetite; (6) Annual re-assessment not performed; risk register stale.
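The auditor test pattern and the common findings above map onto mechanical checks that can be run over a risk register before the auditor does. The script below is an added example, not part of the source synthesis or of any framework's own material: it lints a constructed sample register against Steps 2, 4, 5 and the re-assessment cadence, and labels each hit with the matching common finding. The field names (`category`, `supply_chain`, `integrated_into_erm`, `owner`, `target_date`, `last_reviewed`, `risk_appetite_score`) and the sample rows are assumptions chosen for the example; adapt them to your own register schema.

```python
"""Lint a cyber risk register against the auditor test pattern.

Added example; field names and the sample register are constructed
assumptions, not a schema prescribed by SEBI CSCRF, NIST CSF or ISO 27001.
"""
from datetime import date, timedelta

# Step 2: the five categories the register must cover.
REQUIRED_CATEGORIES = {"technology", "process", "people", "third-party", "pqc"}

# Constructed sample register (one row per risk). Dates are ISO strings so
# the same structure can be loaded from JSON/YAML.
SAMPLE_REGISTER = {
    "risk_appetite_score": 12,  # likelihood x impact above which treatment is mandatory
    "risks": [
        {"id": "R-01", "category": "technology", "title": "Unpatched internet-facing VPN",
         "likelihood": 4, "impact": 5, "owner": "Head of Infra", "target_date": "2025-09-30",
         "last_reviewed": "2025-06-01"},
        {"id": "R-02", "category": "third-party", "supply_chain": True,
         "title": "Sole-source clearing vendor outage",
         "likelihood": 3, "impact": 5, "owner": "CRO", "target_date": "2025-12-31",
         "integrated_into_erm": False, "last_reviewed": "2025-05-15"},
        {"id": "R-03", "category": "process", "title": "Change approvals bypassed under deadline",
         "likelihood": 3, "impact": 3, "owner": None, "target_date": None,
         "last_reviewed": "2024-01-10"},
        {"id": "R-04", "category": "people", "title": "Privileged hire without background screening",
         "likelihood": 2, "impact": 4, "owner": "HR Director", "target_date": "2025-08-01",
         "last_reviewed": "2025-06-20"},
    ],
}


def _parse(d):
    """ISO date string -> date, or None when the field is missing."""
    return date.fromisoformat(d) if d else None


def assess_register(register, as_of, max_age_days=365):
    """Return a list of (finding_code, detail) tuples.

    Codes mirror the page's common findings: F1 PQC never assessed, F2 category
    gap, F3 supply chain not integrated, F4 treatment plan without owner or
    timeline, F5 not prioritised against appetite, F6 stale re-assessment.
    """
    as_of = _parse(as_of) if isinstance(as_of, str) else as_of
    findings = []
    risks = register["risks"]
    appetite = register.get("risk_appetite_score")

    # Step 2: every required category must appear at least once.
    present = {r.get("category") for r in risks}
    missing = REQUIRED_CATEGORIES - present
    if "pqc" in missing:
        findings.append(("F1", "no post-quantum cryptography risk recorded"))
    for cat in sorted(missing - {"pqc"}):
        findings.append(("F2", f"category '{cat}' absent from register"))

    for r in risks:
        rid = r["id"]
        # Step 4: supply chain risks must be flagged as integrated into enterprise risk.
        if r.get("supply_chain") and not r.get("integrated_into_erm"):
            findings.append(("F3", f"{rid}: supply chain risk not integrated into enterprise risk"))

        # Step 5: a treatment plan needs an accountable owner and a timeline.
        if not r.get("owner") or not _parse(r.get("target_date")):
            findings.append(("F4", f"{rid}: treatment plan lacks owner or target date"))

        # Prioritisation needs a score and a stated appetite to compare it against.
        score = (r.get("likelihood") or 0) * (r.get("impact") or 0)
        if appetite is None or score == 0:
            findings.append(("F5", f"{rid}: cannot be prioritised against risk appetite"))
        elif score > appetite and not r.get("owner"):
            findings.append(("F5", f"{rid}: score {score} exceeds appetite {appetite} with no owner"))

        # Periodic re-assessment: each risk must have been reviewed within the cadence window.
        reviewed = _parse(r.get("last_reviewed"))
        if reviewed is None or as_of - reviewed > timedelta(days=max_age_days):
            findings.append(("F6", f"{rid}: not re-assessed within {max_age_days} days"))

    return findings


def finding_codes(register, as_of):
    """Distinct finding codes, sorted: a one-line pass/fail summary."""
    return sorted({code for code, _ in assess_register(register, as_of)})


if __name__ == "__main__":
    for code, detail in assess_register(SAMPLE_REGISTER, "2025-07-01"):
        print(code, detail)
```

Run against the sample register as of 2025-07-01, the lint reports F1 (no PQC risk), F3 (R-02 tracked outside enterprise risk), F4 (R-03 has no owner or date) and F6 (R-03 last reviewed over a year ago); the auditor's Step 5 sampling is replaced by checking every row. The material-change trigger and Board reporting (Steps 1 and 6) are document-level evidence and are deliberately not modelled here.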