Risk Management Policy

CIAO ESSENTIAL — POLICY
C-AO/POL/CAO-210:2026 PUBLIC
Risk Management Policy
CAO-200 Audit and Risk sub-policy (CAO-210) — auto-drafted, pending panel review
Date Issued  22 June 2026
Review Date  22 June 2027
Cite as: CIAO Standard. (2026). Risk Management Policy. v1.1.3.7. C-AO/POL/CAO-210:2026. www.c-ao.com

1 · Purpose

This policy establishes the requirements for risk management policy within the CAO-200 Audit and Risk. It gives effect, in a single harmonised instrument, to the control objectives upon which recognised standards converge for this area.

2 · Scope

This policy applies to all information, systems, services, personnel and third parties within the scope of the management system.

3 · Policy statements

3.x · CAO-210 Policy Controls

outlinesatisfies·solidpartial·greyinforms

The organisation shall establish, implement and maintain a coherent and effective approach to risk management, giving effect to the organisational control objectives set out below.

COBIT 2019COSO ERMESRSGDPRISAE 3402 Type IIISO 22301ISO 31000ISO 9001ISO/IEC 27005ISO/IEC 27036-2ISO/IEC 38500ITIL 4King VNIS2NIST CSF 2.0NIST SP 800-161r1NIST SP 800-37NIST SP 800-53SOC 2 Type IIUK Corporate Governance CodeUK GDPR

3.1 · CAO-211 Risk Governance and Appetite

The organisation shall establish, implement and maintain effective Risk Governance and Appetite, giving effect to the organisational controls set out below.

COBIT 2019COSO ERMISO 22301ISO 31000ISO/IEC 27005ISO/IEC 27036-2ISO/IEC 38500ITIL 4King VNIS2NIST CSF 2.0NIST SP 800-161r1NIST SP 800-37NIST SP 800-53UK Corporate Governance Code

3.1.x · CAO-211 Organisational Controls

Essential taster — a preview of the Professional depth for this high-density control area.

Professional tier required. The organisational control objectives that decompose this area, and the technical controls beneath them, are revealed at Professional tier and above. Log in or view options ↗

3.2 · CAO-212 Risk Identification and Assessment

The organisation shall establish, implement and maintain effective Risk Identification and Assessment, giving effect to the organisational controls set out below.

COBIT 2019COSO ERMESRSGDPRISAE 3402 Type IIISO 22301ISO 31000ISO 9001ISO/IEC 27005ISO/IEC 27036-2NIST CSF 2.0NIST SP 800-161r1NIST SP 800-37NIST SP 800-53SOC 2 Type IIUK GDPR

3.2.x · CAO-212 Organisational Controls

Essential taster — a preview of the Professional depth for this high-density control area.

Professional tier required. The organisational control objectives that decompose this area, and the technical controls beneath them, are revealed at Professional tier and above. Log in or view options ↗

3.3 · CAO-213 Risk Treatment

The organisation shall establish, implement and maintain effective Risk Treatment, giving effect to the organisational controls set out below.

COSO ERMISO 31000ISO/IEC 27005NIS2NIST CSF 2.0NIST SP 800-37NIST SP 800-53SOC 2 Type II

3.3.x · CAO-213 Organisational Controls

Professional tier required. The organisational control objectives that decompose this area, and the technical controls beneath them, are revealed at Professional tier and above. Log in or view options ↗

3.4 · CAO-214 Risk Monitoring and Reporting

The organisation shall establish, implement and maintain effective Risk Monitoring and Reporting, giving effect to the organisational controls set out below.

COSO ERMISO 31000ISO/IEC 27005ISO/IEC 27036-2NIST SP 800-37NIST SP 800-53

3.4.x · CAO-214 Organisational Controls

Professional tier required. The organisational control objectives that decompose this area, and the technical controls beneath them, are revealed at Professional tier and above. Log in or view options ↗

4 · Roles & responsibilities

5 · Compliance, monitoring & review

Compliance with this policy is mandatory. This policy is reviewed at least annually, or upon significant change to the threat, regulatory or technological environment. Exceptions require documented risk acceptance by the accountable owner.

● LIVE CONTENT  ·  Verified 11 July 2026 at 17:37 UTC  ·  Version 1.1.3.7  ·  Always current at c-ao.com  ·  © CIAO Standard Secretariat 2026

Cite this page (APA)