Feedback would not be provided for the initial risk assessment submission. Many organisations were observed to have the same problems in their initial risk assessment submissions (i.e. risk assessment reports submitted within the first 6 months of CII designation). These common problems are highlighted in the risk assessment guidance document and serve as a general feedback to all organisations:
(i) Poor articulation of risk scenarios;
(ii) Identification of risks using a compliance-oriented approach;
(iii) Absence of risk tolerance;
(iv) Determining risk likelihood based on historical or expected occurrences; and
(v) Treating risks with irrelevant controls/measures.
Organisations should expect individual feedback in their subsequent risk assessment submissions.
