Frequently Asked Questions
Cybersecurity Risk Assessment for CII
The Security-by-Design (SBD) Framework mentions the need to perform Threat & Risk Assessment (TRA) in the initiation phase of a project lifecycle. Should my organisation reference the risk assessment guidance document when performing such TRA?
The practices prescribed in the risk assessment guidance document (i.e. the Guide to Conducting Cybersecurity Risk Assessment for CII) are applicable for all cybersecurity risk assessments. Organisations are strongly encouraged to reference the risk assessment guidance document when performing TRAs.
Should my organisation use the 5-by-5 risk matrix (i.e. a scale of 1 to 5 for both likelihood and impact) stipulated in the risk assessment guidance document to determine risk levels?
Organisations are strongly encouraged to use a scale of 1 to 5 for both likelihood and impact when assessing cybersecurity risks. A common scale allows CSA to aggregate and view cybersecurity risks at the national level consistently. This in turn enables CSA to identify systemic risks (at both the sectoral and national level) and alert the organisations that could be exposed to them.
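As an added illustration (not CSA's code and not part of the guidance document), the following Python script scores a small risk register on the 1-to-5 likelihood and impact scale the FAQ recommends. The FAQ does not say how a risk level is derived from the two ratings; the product score (likelihood × impact) and the banding of that score into Low/Medium/High/Critical used here are assumptions, as are the sample scenarios, which are constructed. The script rejects ratings outside the scale, ranks scenarios, and counts scenarios per matrix cell, which is the kind of common-scale tabulation that makes registers from different organisations comparable.

```python
"""Worked 5-by-5 risk matrix (added example; scoring rule and bands are assumptions)."""
from dataclasses import dataclass

SCALE = range(1, 6)  # the 1-to-5 scale for likelihood and impact

# Assumed banding of the product score (1..25). Organisations define their own.
BANDS = ((4, "Low"), (9, "Medium"), (16, "High"), (25, "Critical"))


@dataclass(frozen=True)
class RiskScenario:
    name: str        # the "what could go wrong" event
    likelihood: int  # 1 (rare) .. 5 (almost certain)
    impact: int      # 1 (negligible) .. 5 (severe)


def validate(scenario: RiskScenario) -> None:
    """Reject ratings outside the 1..5 scale so every register uses the same axis."""
    if scenario.likelihood not in SCALE or scenario.impact not in SCALE:
        raise ValueError(f"{scenario.name}: likelihood and impact must be 1..5")


def risk_score(scenario: RiskScenario) -> int:
    """Assumed scoring rule: likelihood multiplied by impact (1..25)."""
    validate(scenario)
    return scenario.likelihood * scenario.impact


def risk_level(score: int) -> str:
    """Map a product score onto the assumed Low/Medium/High/Critical bands."""
    for upper, label in BANDS:
        if score <= upper:
            return label
    raise ValueError(f"score {score} is outside the 5-by-5 matrix")


def rank_register(scenarios) -> list:
    """Return (name, score, level) tuples sorted from highest to lowest risk."""
    rows = [(s.name, risk_score(s), risk_level(risk_score(s))) for s in scenarios]
    return sorted(rows, key=lambda row: row[1], reverse=True)


def matrix_counts(scenarios) -> list:
    """Count scenarios per (likelihood, impact) cell; grid[l-1][i-1].

    Because every register uses the same 1..5 axes, grids from several
    organisations can simply be summed cell by cell.
    """
    grid = [[0] * 5 for _ in range(5)]
    for s in scenarios:
        validate(s)
        grid[s.likelihood - 1][s.impact - 1] += 1
    return grid


# Constructed sample register (illustrative values only)
SAMPLE = [
    RiskScenario("Unpatched internet-facing service exploited", 4, 5),
    RiskScenario("Phishing leads to credential theft", 5, 3),
    RiskScenario("Backup media lost in transit", 2, 4),
    RiskScenario("Hardware failure of non-redundant server", 3, 2),
]

if __name__ == "__main__":
    for name, score, level in rank_register(SAMPLE):
        print(f"{score:>2}  {level:<8} {name}")
```

Swapping `BANDS` or `risk_score` for an organisation's own rule is the only change needed to adopt a different banding; the validation and the per-cell counts stay the same, which is what keeps the results comparable across organisations.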
Can the risk assessment guidance document be shared with service providers whom my organisation has engaged to perform risk assessments?
The Guide to Conducting Cybersecurity Risk Assessment for CII is publicly available for anyone interested in adopting the good practices of conducting a cybersecurity risk assessment. An e-version of this risk assessment guidance document can be downloaded from CSA’s website (
My organisation is currently using a better risk assessment methodology than the one provided in the risk assessment guidance. Are we still required to follow the prescribed methodology in CSA’s risk assessment guidance?
Organisations are encouraged to share their risk assessment methodologies with CSA so that we can assess their suitability and consider incorporating the relevant components into the next version of the risk assessment guidance document.
The NIST 800-30 publication, a recommended resource for threat scenarios, includes physical threats. Is my organisation required to include such scenarios in the risk assessments?
CSA will focus on reviewing cybersecurity-related risks. As such, organisations should place emphasis on identifying risk scenarios (i.e. “what could go wrong” events) that relate to cybersecurity threats. Organisations may include risk scenarios relating to physical threats such as natural disasters and hardware failure.
© 2019, Government of Singapore