Cybersecurity Risk Assessment for CII

Frequently Asked Questions

Can the risk assessment guidance document be shared with service providers whom my organisation has engaged to perform risk assessments?
The Guide to Conducting Cybersecurity Risk Assessment for CII is publicly available for anyone interested in adopting the good practices of conducting a cybersecurity risk assessment. An e-version of this risk assessment guidance document can be downloaded from CSA’s website (https://www.csa.gov.sg/legislation/supplementary-references).
The Security-by-Design (SBD) Framework mentions the need to perform Threat & Risk Assessment (TRA) in the initiation phase of a project lifecycle. Should my organisation reference the risk assessment guidance document when performing such TRA?
The practices prescribed in the risk assessment guidance document (i.e. the Guide to Conducting Cybersecurity Risk Assessment for CII) are applicable to all cybersecurity risk assessments. Organisations are strongly encouraged to reference the risk assessment guidance document when performing TRAs.
My organisation is currently using a better risk assessment methodology than the one provided in the risk assessment guidance. Are we still required to follow the prescribed methodology in CSA’s risk assessment guidance?
Organisations are encouraged to share their risk assessment methodologies with CSA so that we can assess their suitability and consider incorporating the relevant components into the next version of the risk assessment guidance document.
Should my organisation use a 5-by-5 risk matrix (i.e. a scale between 1 and 5 for both likelihood and impact) stipulated in the risk assessment guidance document to determine risk levels?
Organisations are strongly encouraged to use a scale of between 1 and 5 to determine both likelihood and impact when assessing cybersecurity risks. By doing so, organisations can aid CSA in aggregating and viewing cybersecurity risks at the national level consistently. This enables CSA to identify and alert organisations to any systemic risks (at both sectoral and national levels) to which they could be exposed.
The NIST 800-30 publication, a recommended resource for threat scenarios, includes physical threats. Is my organisation required to include such scenarios in the risk assessments?
CSA will focus on reviewing cybersecurity-related risks. As such, organisations should place emphasis on identifying risk scenarios (i.e. “what could go wrong” events) that relate to cybersecurity threats. Organisations may include risk scenarios relating to physical threats such as natural disasters and hardware failure.