Cybersecurity Risk Assessment for CII

The Guide to Conducting Cybersecurity Risk Assessment for CII is publicly available for anyone interested in adopting the good practices of conducting a cybersecurity risk assessment. An e-version of this risk assessment guidance document can be downloaded from CSA’s website ( https://www.csa.gov.sg/legislation/supplementary-references). 

The practices prescribed in the risk assessment guidance document (i.e. the Guide to Conducting Cybersecurity Risk Assessment for CII) are applicable to all cybersecurity risk assessments. Organisations are strongly encouraged to reference the risk assessment guidance document when performing TRAs.

Organisations are encouraged to share their risk assessment methodologies with CSA so that we can assess their suitability and consider incorporating the relevant components into the next version of the risk assessment guidance document.

Organisations are strongly encouraged to use a scale of between 1 and 5 to determine both likelihood and impact when assessing cybersecurity risks. By doing so, organisations can aid CSA in aggregating and viewing cybersecurity risks at the national level consistently. This enables CSA to identify and alert organisations of any systemic risks (at both sectoral and national levels) to which they could be exposed.

CSA will focus on reviewing cybersecurity-related risks. As such, organisations should place emphasis on identifying risk scenarios (i.e. “what could go wrong” events) that relate to cybersecurity threats. Organisations may include risk scenarios relating to physical threats such as natural disasters and hardware failure.