1. Risk Context Definition
It allows the configuration of the business activities and initiatives, and of the technological and infrastructural elements that support them, which will be included in the Risk management scope, together with the context in which the organization operates and the needs and expectations of the interested parties.
2. Identification, Evaluation and Treatment of Risks
The hierarchical model of assets, structured by function and layout, allows complex structures to be represented, exploiting the propagation of threats and countermeasures (controls) through the hierarchy. The module covers: definition and application of the Risk Assessment Criteria; identification of the Risks associated with the loss of Confidentiality (C), Integrity (I) and Availability (A) of the information; identification of the Risk Managers; Risk Analysis; determination of the Risk Levels; comparison of the results of the Risk Analysis with the established Risk Criteria; prioritisation of the Risks for the Treatment Actions; and the Risk Treatment Plan, which is input to the Review.
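The risk analysis steps listed above (impact per C/I/A dimension, likelihood reduced by applied controls, risk level from the assessment criteria, comparison with the acceptance threshold, and a prioritised list for treatment) can be illustrated with a small script. This is an added example, not code from the product described on this page; the 1 to 5 scales, the level bands and the acceptance threshold are assumed criteria, and the assets and threats are constructed sample data.

```python
from dataclasses import dataclass, field

# Assumed risk criteria: score = likelihood x impact on 1..5 scales.
# (score_min, score_max, level) bands; a score <= ACCEPTABLE_MAX is accepted as is.
LEVELS = [(1, 4, "low"), (5, 9, "medium"), (10, 15, "high"), (16, 25, "critical")]
ACCEPTABLE_MAX = 4


@dataclass
class Threat:
    name: str
    affects: tuple          # subset of ("C", "I", "A") that the threat can compromise
    likelihood: int         # 1..5 before controls
    control_reduction: int = 0  # likelihood points removed by controls already applied


@dataclass
class Asset:
    name: str
    owner: str              # the Risk Manager responsible for the asset
    impact: dict            # impact (1..5) of losing C, I or A for this asset
    threats: list = field(default_factory=list)


def risk_level(score: int) -> str:
    """Map a numeric score to the level named by the assessment criteria."""
    for lo, hi, level in LEVELS:
        if lo <= score <= hi:
            return level
    raise ValueError(f"score {score} outside the criteria bands")


def analyse(assets: list) -> list:
    """One row per (asset, threat, dimension): score, level and acceptance decision."""
    rows = []
    for asset in assets:
        for threat in asset.threats:
            # Controls lower the likelihood but never below 1 (residual likelihood).
            likelihood = max(1, threat.likelihood - threat.control_reduction)
            for dim in threat.affects:
                score = likelihood * asset.impact[dim]
                rows.append({
                    "asset": asset.name, "owner": asset.owner, "threat": threat.name,
                    "dimension": dim, "score": score, "level": risk_level(score),
                    "accepted": score <= ACCEPTABLE_MAX,
                })
    return rows


def treatment_priority(rows: list) -> list:
    """Risks that exceed the acceptance threshold, highest score first."""
    return sorted((r for r in rows if not r["accepted"]),
                  key=lambda r: r["score"], reverse=True)


# Constructed sample asset register (not real data).
SAMPLE_ASSETS = [
    Asset("Customer DB", "IT Manager", {"C": 5, "I": 4, "A": 3}, [
        Threat("Data breach", ("C", "I"), likelihood=4, control_reduction=1),
        Threat("Storage failure", ("A",), likelihood=2),
    ]),
    Asset("Public website", "Marketing", {"C": 1, "I": 3, "A": 4}, [
        Threat("DDoS", ("A",), likelihood=3),
        Threat("Defacement", ("I",), likelihood=2),
    ]),
    Asset("Internal wiki", "Office Manager", {"C": 2, "I": 2, "A": 2}, [
        Threat("Accidental deletion", ("A",), likelihood=2),
    ]),
]

if __name__ == "__main__":
    for r in treatment_priority(analyse(SAMPLE_ASSETS)):
        print(f'{r["score"]:>2} {r["level"]:<8} {r["asset"]} / {r["threat"]} / {r["dimension"]} -> {r["owner"]}')
```

The output is the prioritised treatment list: each row names the asset, the threat, the dimension at risk and the owner who must act, which is the information a Risk Treatment Plan needs.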
Allows management of the entire life cycle of the objectives: definition of the programme, feasibility analysis of each objective, assignment and management of the activities with their frequency and responsibilities, scheduling with warning and alert notifications, upload of the documentation, closure and final balance, which is input to the Review. Enables management of approval and information workflows.
Identification and updating of Control Objectives and Controls on the basis of Appendix A of the standard, mapping of Control Objectives and Controls, NC Management. Enables management of approval and information workflows.
5. Declaration of Applicability
It allows the Statement of Applicability covering the Controls and Control Objectives specified in Appendix A of the standard to be produced on the basis of a checklist.
6. Investigation of Events and Near Misses, NC Management
Allows management of the entire integrated management cycle of events and near misses (HSEQ, Energy, Information Security, etc.): reporting and validation, upload of the documentation, management of the immediate treatment, classification of the NC, root cause analysis, planning and management of the CAPA, closure and final balance, and input to the Review. Enables management of approval and information workflows.
Allows management of the entire audit process, from the definition of the annual audit programme in the different areas (quality, environment, health and safety, energy, etc.) to the generation of the individual audit plans, which define the agenda of activities and the points of the standard to be examined through the appropriate checklists during execution, the recording of objective evidence, the preparation of the report of the results and the list of NC/OSS and related CAPA. Integration is implemented with the management flow of the NC/OSS and the CAPA, with the Review, and with the Human Resources database regarding roles, tasks, legal titles and personal data.
8. Business Impact Analysis (BIA)
It defines the priorities and requirements of Business Continuity: the process of analysing the activities and the effects that an interruption could have on them, which allows the priorities for the recovery of critical processes to be established by defining the Maximum Tolerable Period of Disruption (MTPD). The Threat Analysis, on the other hand, promotes the understanding of the risks related to critical processes, their dependencies and the potential consequences in case of interruption. These activities form the basis on which, in the planning stage, the Recovery Time Objective (RTO) and the Recovery Point Objective (RPO) are defined, and on which the business continuity strategies and tactics and the threat mitigation measures are selected.
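The relationship between MTPD, RTO and process dependencies described above is something a BIA should check rather than just record: a recovery objective longer than the tolerable disruption, or a process whose RTO is shorter than that of a process it depends on, is a plan that cannot be met. The following is an added example, not code from the product on this page; the process names and the hour values are constructed sample data, and the sanity checks are the common ones (RTO must not exceed MTPD; a dependency's RTO must not exceed the dependent process's RTO).

```python
from dataclasses import dataclass, field


@dataclass
class Process:
    name: str
    mtpd_hours: float       # Maximum Tolerable Period of Disruption
    rto_hours: float        # Recovery Time Objective chosen in planning
    rpo_hours: float        # Recovery Point Objective (tolerable data loss window)
    depends_on: list = field(default_factory=list)  # names of supporting processes


def validate(processes: dict) -> list:
    """Return a list of findings (strings); an empty list means the BIA is consistent."""
    findings = []
    for p in processes.values():
        if p.rto_hours > p.mtpd_hours:
            findings.append(f"{p.name}: RTO {p.rto_hours}h exceeds MTPD {p.mtpd_hours}h")
        for dep_name in p.depends_on:
            dep = processes.get(dep_name)
            if dep is None:
                findings.append(f"{p.name}: depends on unknown process {dep_name!r}")
            elif dep.rto_hours > p.rto_hours:
                # A process cannot be back before something it needs is back.
                findings.append(
                    f"{p.name}: depends on {dep.name} whose RTO {dep.rto_hours}h "
                    f"is longer than its own RTO {p.rto_hours}h")
    return findings


def recovery_order(processes: dict) -> list:
    """Recovery priority: shortest MTPD first, then shortest RTO, then name."""
    return [p.name for p in sorted(processes.values(),
                                   key=lambda p: (p.mtpd_hours, p.rto_hours, p.name))]


# Constructed sample BIA register (hypothetical processes and values).
SAMPLE_BIA = {p.name: p for p in [
    Process("Order processing", mtpd_hours=24, rto_hours=8, rpo_hours=1,
            depends_on=["Customer DB", "Payment gateway"]),
    Process("Customer DB", mtpd_hours=24, rto_hours=4, rpo_hours=0.25),
    Process("Payment gateway", mtpd_hours=48, rto_hours=12, rpo_hours=1),
    Process("Monthly reporting", mtpd_hours=72, rto_hours=96, rpo_hours=24),
]}

if __name__ == "__main__":
    for f in validate(SAMPLE_BIA):
        print("FINDING:", f)
    print("Recovery order:", " -> ".join(recovery_order(SAMPLE_BIA)))
```

On the sample data the checks flag two problems: the reporting process has an RTO beyond its MTPD, and order processing claims an 8-hour recovery while the payment gateway it depends on is planned for 12 hours. Both are the kind of inconsistency that the planning stage should resolve before strategies are selected.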
Identification and evaluation of indicators of the effectiveness and efficiency of the controls, and of the overall effectiveness of the management system.
The Management System is completed through the procedural flows shown alongside. The flows allow integration with other management systems. For example, in the Audit flow it is possible to manage Environmental, Health and Safety, Quality, Energy, etc. audits.
It allows the regulatory framework to be produced, the requirements contained in the regulations to be systematised, and legislative compliance to be assessed by identifying the methods of verification and control and those responsible. Regulatory schedule with notification of the requirements to the managers responsible.
It allows authorizations to be managed from identification to the assignment of responsibility. Creates the authorization framework, allows management of the related activities and creates the authorization register. Schedule with advance notification and registration of fulfilment with upload of the documentation.
European Privacy Regulation GDPR EU 679/2016
In KRC the data processing activities, the technical prevention measures and controls, the departments in charge and the persons responsible for the processing are identified. The risk (PIA), the residual risk and the treatment actions are analysed and assessed. The privacy notice and the register of processing activities are generated. The right to be forgotten is managed.