Framework Changes - Clients - August 2022
Written by Kian

On 31st August 2022, we made some changes to the standardised controls framework within Risk Ledger.

We do this twice a year so that the framework stays relevant, useful and practical for all users of the Risk Ledger platform.

All changes are handled automatically within the platform and marked clearly with a full audit history kept within your activity feed.

This page gives you a summary of the changes. If you’d like to see a detailed comparison between the previous version of the framework and the updated version, please send us a message and we can provide one in spreadsheet format.

As a client, what do you need to do?

You do not need to do anything straight away. You can continue using Risk Ledger in exactly the same way as before.

To ensure you are making the most of the changes, you may wish to do the following:

  • Define your policy requirements for the new controls added,

  • Review the wording updates to check whether you'd like to open a discussion with suppliers about any of the updated controls,

  • Engage with your suppliers who haven't yet answered the new control questions. Suppliers will be required to answer the new control questions during their 6-monthly re-assessment. If you’d like them to provide answers before then, you will need to prompt them by sending a discussion.

Initially, you may notice a very small increase in compliance scores for your suppliers. This is because the new controls will default to 'Not required' in your policies until you choose otherwise.

What’s changing?

New Controls

There have been 11 new controls added to the framework. These result from global user feedback and updates to industry standards; for this review, we have taken the recent release of ISO 27002:2022 into consideration. The new controls cover:

  • Threat Intelligence

  • Privileged Access Management

  • Data Protection (3 new controls)

  • Insurance policies (6 new controls, nested)

The Data Protection domain has been updated so that it is relevant and useful to all organisations, regardless of their location or jurisdiction. Some controls have been removed and replaced by others. We have also added the ability for organisations to multi-select which countries / regions of the world they store or transfer personal data to.

Updated Wording

There have been changes made to the wording of 26 controls to make them clearer and more meaningful.

These have minimal impact on the ultimate meaning of the controls, but you may wish to check that you're still happy with your corresponding answers, notes and evidence.

For some controls, suppliers need to confirm that their answers are still applicable. This is marked clearly within the platform.

Restructuring

The order of domains has been changed to help improve the experience of suppliers completing their profile for the first time.

The controls relating to Cyber Insurance have been moved from the Business Resilience domain to the Financial Risk domain, alongside the new insurance controls.
