On 23rd September 2024, we made some changes to the standardised control framework within Risk Ledger.
We do this periodically to ensure the framework stays relevant, useful, and practical for all users of the Risk Ledger platform.
All changes have been automatically implemented within the platform and are clearly marked, with a full audit history kept within your activity feed.
This page provides you with a summary of the changes that have been made. If you'd like to see the exact changes in detail, please send us a message and we can provide this information in spreadsheet format.
As a client, what do you need to do?
There is nothing you need to do immediately. You can continue using Risk Ledger in exactly the same way as before. Once the changes are in place, you may wish to do the following:
Define your policy requirements for the new controls added,
Engage with your suppliers who haven't yet answered the new control questions. Suppliers will be required to answer the new control questions during their six-monthly re-assessment. If you’d like them to provide answers before this date, you will need to prompt them by sending a discussion.
Initially, you may notice a very small increase in compliance scores for your suppliers. This is because the new controls will default to 'Not required' in your policies until you choose otherwise.
What’s changing?
There will be 17 new controls added to the core framework:
12 new controls in a new domain: Artificial Intelligence
3 new controls added to the Business Resilience Domain
1 new control in the Network & Cloud Security domain
1 new control in the IT Operations domain
15 controls will have wording updates to give more clarity or bring in line with common industry language.
1 control will be deprecated (D36 - TLS. It will be replaced by an updated TLS control)
Some controls within the Network & Cloud Security domain will be re-ordered and therefore references will be changed. This is to improve flow.
New Artificial Intelligence Domain
As technology develops, we must continually assess how best to protect against associated risks. Often, existing security controls and techniques can be effectively applied to emerging technologies. Occasionally, however, a new technology is widely adopted which is sufficiently different that it requires consideration of additional risks and mitigating controls — either for the technology itself or in the way that it’s used. The recent increased usage of Machine Learning and Generative Artificial Intelligence (AI) models is one such change.
We have introduced a new Artificial Intelligence domain into our Core Framework. The controls within this domain are designed to help suppliers to manage the risks associated with the use of AI within their organisations and help clients to understand the potential risks they are exposed to through the use of AI in their supply chains.
Software Development - Scoping Question
We have been receiving consistent feedback (albeit small numbers) explaining some of the discussions clients and suppliers are having about whether a supplier should answer the Software Development domain, or not. Scoping questions are designed to mould the framework around the supplier’s environment and activities - to support suppliers to understand what controls they should consider. This should be independent of the client’s requirements.
The previous wording of the Software Development scoping question did not make this clear. We have updated the scoping question to clarify that any supplier who develops or programs software should be considering relevant controls for secure software development and therefore should answer this domain.
Network & Cloud Security
The Network & Cloud Security domain has been reviewed & updated to make it clear that these controls apply in all circumstances where a supplier manages their own environments, regardless of whether these are on-premise closed networks, cloud-hosted environments or a hybrid combination of these technologies.
Operational Resilience
There has been an increased focus on Operational Resilience recently, particularly within Finance and CNI sectors. As such, we have reviewed how we can support our customers in assessing how their supply chains are impacting their operational resilience. As part of this, we are making some updates to the core framework: we will be adding specific controls around RTOs and RPOs as well as highlighting the date of the last disaster recovery rehearsal.
We will continue to explore opportunities for supporting customers with managing and improving their operational resilience.
Alongside this update…
You may have already noticed that we've moved the Financial Risk and Environmental, Social & Governance domains away from the Core Framework and redefined them as Add-Ons. This means you can now choose whether each of your suppliers is required to answer these domains or not.
We're thrilled to announce that this week, we'll be releasing another update to the structure of the framework: Framework Sizes. This new feature will allow you to choose whether each of your suppliers should answer the full core framework or a smaller version designed for smaller, less mature suppliers. More to come on this!