Framework Category

Improvement

Improvement focuses on continuously enhancing cybersecurity capabilities by learning from evaluations, testing, operations, and real-world incidents.

It ensures that response plans and procedures are regularly updated and refined, incorporating lessons learned and adapting to changing conditions.

Implementation Questions

ID.IM-02

Improvements are identified from security tests and exercises, including those done in coordination with suppliers and relevant third parties

Does your organization have a process to identify and implement improvements to incident response procedures based on findings from exercises, tests, and reviews?

Continuous improvement is the concern here: whether you have a process to fold findings from exercises, tests, and reviews back into stronger incident response procedures.

Does your organization have a formal process to identify and implement improvements to business continuity, disaster recovery, and incident response plans based on exercises conducted with critical service providers and suppliers?

Learning from resilience exercises is the concern: whether you systematically improve continuity, disaster recovery, and incident response plans based on tests run with critical providers and suppliers. Organizations should conduct joint exercises with critical vendors and suppliers, document findings, and implement identified improvements to ensure coordinated response capabilities during actual disruptions.

Does your organization involve internal stakeholders (such as senior executives, legal, and HR) in security tests and exercises?

Executives, legal, and HR make decisions during a real incident (approving downtime or disconnection, assessing breach notification and legal hold obligations, handling insider or personnel matters), so exercising with them tests those decision paths and builds awareness and buy-in, rather than leaving the security team to discover mid-incident that nobody present is empowered to act.

Does your organization conduct penetration testing on high-risk systems with leadership approval?

Penetration testing involves simulating real-world attacks to identify vulnerabilities in high-risk systems before malicious actors can exploit them. These tests should target systems that hold sensitive data or are critical to operations, with written authorization from leadership that defines scope, rules of engagement, and test windows, so that the test is not mistaken for a real attack and does not disrupt production. Findings should be tracked to remediation and retested, otherwise the test produces a report rather than an improvement.

Has your organization tested its contingency plans for responding to and recovering from supply chain compromise incidents where products or services were found to be counterfeit or tampered with?

Supply chain incident readiness is being probed here, namely whether you have tested contingency plans for responding to and recovering from counterfeit or tampered products and services. Such exercises help verify that your organization can effectively detect, respond to, and recover from supply chain compromises that could introduce vulnerabilities or malicious code into your systems.

Does your organization collect and analyze security performance metrics to drive improvements to your cybersecurity program?

Measuring to improve is the subject here, specifically whether you collect and analyze security performance metrics and use them to strengthen your cybersecurity program. Performance metrics might include mean time to detect/respond to incidents, vulnerability remediation times, security tool coverage, or false positive rates from security monitoring tools.
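As an added example (not code from the page or from ResponseHub), the following Python computes the metrics named above from constructed incident, vulnerability, and alert records: mean time to detect and respond, per-severity remediation times with SLA breaches, and the false positive rate of triaged alerts. The record formats, the SLA targets, and the sample data are assumptions for illustration; substitute your own ticketing or SIEM export.

```python
# Added example: computing security performance metrics from constructed records.
# The record formats, SLA targets and sample data below are assumptions for
# illustration, not taken from any particular tool or from the page.
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional


@dataclass
class Incident:
    id: str
    first_activity: datetime   # earliest attacker activity established by forensics
    detected: datetime         # first alert or report that reached the responders
    contained: datetime        # attacker access cut off / spread stopped


@dataclass
class Vulnerability:
    id: str
    severity: str                   # one of the SLA_DAYS keys
    discovered: datetime
    remediated: Optional[datetime]  # None while still open


@dataclass
class Alert:
    id: str
    true_positive: bool        # analyst verdict after triage


# Assumed remediation targets in days per severity; set these to your own policy.
SLA_DAYS: Dict[str, int] = {"critical": 7, "high": 30, "medium": 90, "low": 180}


def _mean_hours(deltas: List[timedelta]) -> float:
    # statistics.mean() does not accept timedelta, so sum explicitly.
    total = sum(deltas, timedelta())
    return total.total_seconds() / 3600 / len(deltas)


def mean_time_to_detect(incidents: List[Incident]) -> float:
    """MTTD in hours: start of attacker activity to detection (dwell time)."""
    return _mean_hours([i.detected - i.first_activity for i in incidents])


def mean_time_to_respond(incidents: List[Incident]) -> float:
    """MTTR in hours: detection to containment."""
    return _mean_hours([i.contained - i.detected for i in incidents])


def remediation_report(vulns: List[Vulnerability], as_of: datetime) -> Dict[str, dict]:
    """Per severity: mean days to fix closed findings, count still open, and the IDs
    that breached the SLA (closed late, or still open past the deadline as of `as_of`)."""
    report: Dict[str, dict] = {}
    for sev, limit in SLA_DAYS.items():
        closed = [v for v in vulns if v.severity == sev and v.remediated is not None]
        open_ = [v for v in vulns if v.severity == sev and v.remediated is None]
        breached = [v.id for v in closed if (v.remediated - v.discovered).days > limit]
        breached += [v.id for v in open_ if (as_of - v.discovered).days > limit]
        report[sev] = {
            "mean_days_to_remediate": (
                sum((v.remediated - v.discovered).days for v in closed) / len(closed)
                if closed else None
            ),
            "open": len(open_),
            "sla_breached": breached,
        }
    return report


def false_positive_rate(alerts: List[Alert]) -> float:
    """Share of triaged alerts that were not real: a tuning metric for detection rules."""
    return sum(1 for a in alerts if not a.true_positive) / len(alerts)


# Constructed sample records (not real incidents or findings).
INCIDENTS = [
    Incident("INC-1", datetime(2024, 3, 1, 8), datetime(2024, 3, 1, 20), datetime(2024, 3, 2, 2)),
    Incident("INC-2", datetime(2024, 3, 10, 0), datetime(2024, 3, 11, 12), datetime(2024, 3, 11, 16)),
]
VULNS = [
    Vulnerability("V-1", "critical", datetime(2024, 3, 1), datetime(2024, 3, 5)),
    Vulnerability("V-2", "critical", datetime(2024, 3, 10), datetime(2024, 3, 25)),   # closed late
    Vulnerability("V-3", "high", datetime(2024, 3, 20), None),                        # open, in SLA
    Vulnerability("V-4", "high", datetime(2024, 2, 1), None),                         # open, past SLA
    Vulnerability("V-5", "medium", datetime(2024, 3, 1), datetime(2024, 3, 31)),
]
AS_OF = datetime(2024, 4, 1)
ALERTS = [Alert(f"ALR-{n}", n < 3) for n in range(10)]  # 3 true positives out of 10

if __name__ == "__main__":
    print(f"MTTD {mean_time_to_detect(INCIDENTS):.1f}h, MTTR {mean_time_to_respond(INCIDENTS):.1f}h")
    for sev, row in remediation_report(VULNS, AS_OF).items():
        print(sev, row)
    print(f"false positive rate {false_positive_rate(ALERTS):.0%}")
```

Note that the report treats an open finding that has passed its deadline as a breach, not only findings that were closed late; reports that count only closed items hide the worst backlog. Run the same functions monthly and plot the trend, since a single snapshot says little about whether the program is improving.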

ID.IM-04

Incident response plans and other cybersecurity plans that affect operations are established, communicated, maintained, and improved

Has your organization established and documented contingency plans for incident response, business continuity, and disaster recovery to address adverse events?

Contingency plans are essential for organizations to effectively respond to and recover from security incidents, service disruptions, or disasters that could impact operations or expose sensitive data. These plans should include defined procedures for incident detection, response protocols, recovery strategies, and communication workflows to minimize downtime and data loss.

Do your contingency plans include comprehensive contact information, communication procedures, scenario handling processes, and clear criteria for prioritization, escalation, and elevation?

Effective contingency plans must include detailed contact information for all key personnel, specific communication channels and procedures, documented processes for handling common scenarios, and clear criteria for when to prioritize, escalate or elevate issues. Without these elements, organizations risk delayed responses, miscommunication, and inconsistent handling of incidents during critical situations.

Has your organization implemented a formal vulnerability management plan that includes identification, assessment, prioritization, and remediation processes?

A vulnerability management plan is essential for systematically identifying and addressing security weaknesses across your systems and applications. This plan should outline processes for discovering vulnerabilities through scanning tools, assessing their severity, prioritizing fixes, and implementing remediation. Prioritize on risk rather than on the raw CVSS score alone: whether the vulnerability is known to be exploited in the wild, whether the affected asset is internet-exposed, and how critical it is to operations. Set remediation deadlines per severity, track exceptions with an owner and expiry, and verify closure by rescanning rather than by ticket status.

Does your organization have a process to communicate cybersecurity plans and updates to responsible personnel and affected stakeholders?

Effective cybersecurity implementation requires clear communication of plans and updates to ensure all responsible parties understand their roles and affected stakeholders are aware of changes that may impact them. Without proper communication, even well-designed security plans may fail due to inconsistent implementation or resistance from uninformed stakeholders.

Does your organization have a documented process for reviewing and updating cybersecurity plans at least annually or when significant improvements are needed?

Regular reviews of cybersecurity plans ensure they remain effective against evolving threats and align with organizational changes. Without systematic reviews, security controls may become outdated, creating vulnerabilities that could be exploited by attackers. This question assesses whether your organization has formalized the cadence and triggers for updating critical security documentation.

ResponseHub is the product I wish I had when I was a CTO

Previously I was co-founder and CTO of Progression, a VC-backed HR-tech startup used by some of the biggest names in tech.

As our sales grew, security questionnaires quickly became one of my biggest pain points. They were confusing, hard to delegate and arrived like London buses - 3 at a time!

I'm building ResponseHub so that other teams don't have to go through this. Leave the security questionnaires to us so you can get back to closing deals, shipping product and building your team.

Neil Cameron
Founder, ResponseHub