eGRACS Mitigation Triangle
This Operational Tier control triangle seeks to safeguard the security and performance of the organisation’s information systems and processes by ensuring the effective identification, assessment, mitigation, and monitoring of risks, while maintaining auditability, accountability, and compliance with regulatory, legal, and industry standards.
This control rolls down from the Manage Demand Domain and cascades into the 1.3.1 Mitigation, 1.3.2 Security, and 1.3.3 Compliance control subdomains.
Control Mappings:
COBIT:2019 ➡️ APO01; APO01.03; APO11; APO11.01
PCI DSS:v4.0.1 ➡️ 12.4.1
GDPR:2024 ➡️ Art.35; Art.47
ISO31000:2018 ➡️ 4; 5; 5.1
ISO38500:2024 ➡️ 4; 4.1; 4.1.1; 4.2; 5; 5.1; 5.5.1; 6; 6.4; 7; 7.1; 7.2.1
MaRisk:2024 ➡️ AT 4.2(3); AT 4.3(b); AT 4.3.1(2); AT 4.3.2(1); AT 4.3.2(4); AT 4.3.2(6); AT 4.4(3); AT 4.4(4); AT 6(2); AT 9(7); BTR 4(4); BT 2.3(2); BT 2.4(1); BT 2.4(4); BT 2.5(2)