Framework Changes - Suppliers - August 2022
Written by Kian
Updated over a week ago

On 31st August 2022, we made some changes to the standardised controls framework within Risk Ledger.

We do this bi-annually so that the framework stays relevant, useful and practical for all users of the Risk Ledger platform.

All changes are handled automatically within the platform and marked clearly with a full audit history kept within your activity feed.

This page gives you a summary of the changes.

As a supplier, what do you need to do?

If you have already submitted your assessment and your profile is up to date, you do not have to make any changes until your next 6-monthly re-assessment is due, or until one of your clients asks you to complete a new control question or update an answer.

You will need to answer the new control questions before you can submit your next re-assessment.

If you have not yet submitted your assessment, you will need to answer the new control questions before you submit.

You will also need to review your answers to the control questions where wording has been updated to re-confirm that you are happy with your answer.

What’s changing?

New Controls

There have been 11 new controls added to the framework. These result from global user feedback and updates to industry standards. For this review, we have taken the recent release of ISO 27002:2022 into consideration. The new controls cover:

  • Threat Intelligence

  • Privileged Access Management

  • Data Protection (3 new controls)

  • Insurance policies (6 new controls, nested)

The Data Protection domain has been updated so that it is relevant and useful to all organisations, regardless of their location or jurisdiction. Some controls have been removed and replaced by others. We have also added the ability for organisations to multi-select the countries / regions of the world in which they store personal data or to which they transfer it.

Updated Wording

There have been changes made to the wording of 26 controls to make them clearer and more meaningful.

These changes have minimal impact on the ultimate meaning of the controls, but you may wish to check that you're still happy with your corresponding answers, notes and evidence.

For some controls, suppliers will need to confirm that their answers are still applicable. This is marked clearly within the platform.

Restructuring

The order of domains has been changed to help improve the experience of suppliers completing their profile for the first time.

The controls relating to Cyber Insurance have been moved from the Business Resilience domain to the Financial Risk domain, alongside the new insurance controls.
