Defining RM/RA

In order to delineate the scope of this section, it is important to first define exactly what is meant by RM/RA. As a working basis for this document, the Report relies on the definitions presented by ENISA itself in its report on ‘Risk Management: Implementation principles and Inventories for Risk Management/Risk Assessment methods and tools’. Annex I to this Report contains a glossary, defining a number of key notions, including:

“G.30 Risk Assessment: A scientific and technologically based process (G.24) consisting of three steps, risk identification (G.38), risk analysis (G.29) and risk evaluation (G.36). (ENISA)

[…]

G.39 Risk Management: The process (G.24), distinct from risk assessment (G.30), of weighing policy alternatives in consultation with interested parties (G.18), considering risk assessment and other legitimate factors, and selecting appropriate prevention and control options. (ENISA)”

Based on these definitions, it is clear that this section should focus on normative texts which contain:

• Explicit technical, organisational or legal requirements or recommendations with regard to RM/RA;
• A requirement or recommendation to conduct risk identification, analysis studies and risk evaluation studies on existing processes;
• A requirement or recommendation to prospectively conduct these same studies on planned processes (i.e. risk projections);

Normative texts which meet these criteria can be said to be directly relevant to RM/RA.

However, in addition to these criteria the section should also take into account any normative texts which contain requirements or recommendations to report risks or incidents to public/private sector bodies; or which regulate specific activities (e.g. e-commerce) or technologies (e.g. e-signatures) in which RM/RA is an implied consideration. These texts can be said to be indirectly relevant to RM/RA.

In this website direct and indirect relevance can be used as a sorting criterion when displaying the various normative text categories.

In order to provide a meaningful overview of the regulatory playing field, this section will describe both directly and indirectly relevant texts.

However, following these definitions, the scope of this section is still immensely broad, including detailed and sector specific regulations in such fields as biochemistry, aviation and transportation, agriculture and fishery, etc., all of which have their own standards which can be interpreted as directly or indirectly relevant to RM/RA. Most of these have only a very limited relevance to the activities of ENISA.

Therefore, in order to keep the result sufficiently focused to be of practical use, the focus of this section will be on texts which are relevant to ENISA’s mission of striving to improve the security of communication networks and information systems. The focus will therefore be on norms which directly or indirectly relate to information/network RM/RA practices. Thus, the selection of normative texts included in this section will have a natural bias towards the ICT/telecommunications/data protection sectors. Other sectors will be included insofar as they are affected by norms which relate to information/network security, which is e.g. commonly the case for the financial sector.