Framework Category

Improvement

Improvement focuses on continuously enhancing cybersecurity capabilities by learning from evaluations, testing, operations, and real-world incidents.

It ensures that response plans and procedures are regularly updated and refined, incorporating lessons learned and adapting to changing conditions.

Implementation Questions

ID.IM-01

Improvements are identified from evaluations

Does your organization regularly conduct self-assessments of critical services that incorporate current threat intelligence and adversary tactics, techniques, and procedures (TTPs)?

Regular self-assessments help identify vulnerabilities in critical services before they can be exploited by threat actors using current attack methods. These assessments should specifically consider the latest threat intelligence and known TTPs being used by adversaries targeting your industry or similar organizations. This proactive approach allows organizations to prioritize security improvements based on actual threat data rather than theoretical risks.

Has your organization conducted third-party assessments or independent audits of your cybersecurity program within the past 12 months?

Independent assessments provide an objective evaluation of your cybersecurity program's effectiveness, identifying blind spots that internal teams might miss. These assessments help validate that security controls are functioning as intended and highlight areas requiring improvement before they can be exploited by threat actors. Regular third-party reviews also demonstrate due diligence to stakeholders and may be required for certain compliance frameworks.

Does your organization utilize automated tools or systems to continuously evaluate compliance with your established cybersecurity requirements?

Automated compliance monitoring tools can continuously scan systems, networks, and applications to verify adherence to security policies, standards, and regulatory requirements without manual intervention. These solutions can include security information and event management (SIEM) systems, compliance scanning tools, configuration management databases, or custom scripts that regularly check system settings against baselines.
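As an added illustration (not code from the page), here is the kind of custom baseline check the paragraph mentions: a settings snapshot collected from a host is compared rule by rule against a baseline, and any setting the collector did not observe is reported as missing rather than silently passed. The baseline rules and the snapshot are constructed sample data.

```python
# Added example, not from the page: a baseline compliance check of the kind the
# text calls "custom scripts that regularly check system settings against baselines".
# The baseline rules and the settings snapshot are constructed sample data.

# Rule operators: eq = must equal, max = must be <=, min = must be >=, in = one of.
BASELINE = {
    "sshd.PasswordAuthentication": ("eq", "no"),
    "sshd.PermitRootLogin": ("eq", "no"),
    "password.max_age_days": ("max", 90),
    "password.min_length": ("min", 14),
    "tls.min_version": ("in", {"1.2", "1.3"}),
    "audit.log_retention_days": ("min", 365),
}

def satisfies(op, expected, actual):
    """True when the observed value meets the baseline rule."""
    if op == "eq":
        return actual == expected
    if op == "max":
        return actual <= expected
    if op == "min":
        return actual >= expected
    if op == "in":
        return actual in expected
    raise ValueError(f"unknown operator {op!r}")

def evaluate(snapshot, baseline=BASELINE):
    """Map each baseline setting to (status, actual); status is pass, fail or missing.
    A setting absent from the snapshot is 'missing', never silently passed:
    an unobserved control is a coverage gap, not evidence of compliance."""
    results = {}
    for setting, (op, expected) in baseline.items():
        if setting not in snapshot:
            results[setting] = ("missing", None)
        else:
            actual = snapshot[setting]
            results[setting] = ("pass" if satisfies(op, expected, actual) else "fail", actual)
    return results

# Constructed snapshot, as a collector (config parser or host agent) might report it.
SAMPLE_SNAPSHOT = {
    "sshd.PasswordAuthentication": "yes",  # drift: baseline requires "no"
    "sshd.PermitRootLogin": "no",
    "password.max_age_days": 180,          # drift: baseline allows at most 90
    "password.min_length": 14,
    "tls.min_version": "1.2",
    # audit.log_retention_days was not collected, so it is reported as missing
}
```

Running `evaluate(SAMPLE_SNAPSHOT)` yields two failures, three passes and one missing control; the failure and missing counts are what a scheduled run would feed into a compliance dashboard or ticketing workflow.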

ID.IM-02

Improvements are identified from security tests and exercises, including those done in coordination with suppliers and relevant third parties

Does your organization have a process to identify and implement improvements to incident response procedures based on findings from exercises, tests, and reviews?

This question assesses whether your organization has a formal feedback loop to enhance incident response capabilities based on lessons learned from various assessment activities. Effective incident response requires continuous improvement through analysis of performance in tabletop exercises, simulations, internal reviews, and independent audits. Organizations should document identified gaps, create action plans to address them, and implement improvements to procedures, training, and tools.

Does your organization have a formal process to identify and implement improvements to business continuity, disaster recovery, and incident response plans based on exercises conducted with critical service providers and suppliers?

This question assesses whether your organization systematically learns from business continuity exercises and tests that involve key third parties, and then applies those lessons to strengthen resilience planning. Organizations should conduct joint exercises with critical vendors and suppliers, document findings, and implement identified improvements to ensure coordinated response capabilities during actual disruptions.

Does your organization involve internal stakeholders (such as senior executives, legal, and HR) in security tests and exercises?

Including key internal stakeholders in security tests and exercises ensures broader organizational awareness and buy-in for security initiatives. When stakeholders participate, they gain firsthand experience with security challenges, understand potential business impacts, and can better align security priorities with business objectives. This involvement also helps break down silos between security teams and other departments, creating a more cohesive security culture.

Does your organization conduct penetration testing on high-risk systems with leadership approval?

Penetration testing involves simulating real-world attacks to identify vulnerabilities in high-risk systems before malicious actors can exploit them. These tests should be conducted on systems that contain sensitive data or are critical to operations, with proper authorization from leadership to ensure awareness and support of the testing activities.

Has your organization tested its contingency plans for responding to and recovering from supply chain compromise incidents where products or services were found to be counterfeit or tampered with?

This question assesses whether your organization has practiced its response to supply chain security incidents where received products or services were not authentic or were modified before delivery. Such exercises help verify that your organization can effectively detect, respond to, and recover from supply chain compromises that could introduce vulnerabilities or malicious code into your systems.

Does your organization collect and analyze security performance metrics to drive improvements to your cybersecurity program?

This question assesses whether your organization has established a data-driven approach to security by measuring the effectiveness of security controls and using those insights to make informed improvements. Performance metrics might include mean time to detect/respond to incidents, vulnerability remediation times, security tool coverage, or false positive rates from security monitoring tools.

ID.IM-03

Improvements are identified from execution of operational processes, procedures, and activities

Does your organization conduct formal lessons learned sessions with suppliers after significant projects or security incidents?

Collaborative lessons learned sessions with suppliers help identify areas for improvement in security practices, communication, and incident response. These sessions can reveal vulnerabilities in the supply chain, enhance supplier relationships, and lead to improved security controls across organizational boundaries.

Does your organization conduct an annual review of cybersecurity policies, processes, and procedures that incorporates lessons learned from incidents and operational experiences?

Regular reviews of cybersecurity documentation ensure that security practices remain current, effective, and aligned with evolving threats and business needs. By incorporating lessons learned from security incidents, near-misses, and day-to-day operations, organizations can adapt their security posture to address emerging risks and improve overall resilience. This process helps identify gaps in existing controls and provides opportunities to implement more effective security measures based on real-world experience.

Does your organization use metrics to track and evaluate cybersecurity performance over time?

Cybersecurity metrics provide quantifiable data to assess the effectiveness of security controls, identify trends, and make informed decisions about resource allocation and risk management. Examples include number of security incidents, mean time to detect/respond, patch management compliance rates, and security training completion percentages.
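The metrics named in this answer and in the ID.IM-02 metrics answer above (incident count, mean time to detect and respond, remediation timeliness) are straightforward to compute once incident and vulnerability records carry the right timestamps. The following is an added example, not code from the page, working over constructed records; the field names and the ISO 8601 timestamps are assumptions.

```python
# Added example, not from the page: computing the metrics the text lists
# (incident count, mean time to detect and respond, remediation compliance) from
# constructed incident and vulnerability records. Timestamps are ISO 8601, UTC.
from datetime import datetime
from statistics import mean

def _ts(s):
    return datetime.fromisoformat(s)

# Constructed incident records: when the activity began, when it was detected,
# and when it was contained. Detection lag is detected - occurred; response time
# is contained - detected.
INCIDENTS = [
    {"id": "INC-1", "occurred": "2024-03-01T02:00", "detected": "2024-03-01T08:00", "contained": "2024-03-01T12:00"},
    {"id": "INC-2", "occurred": "2024-03-10T14:00", "detected": "2024-03-12T14:00", "contained": "2024-03-13T02:00"},
    {"id": "INC-3", "occurred": "2024-03-20T09:00", "detected": "2024-03-20T09:30", "contained": "2024-03-20T11:30"},
]

# Constructed vulnerability tickets with a remediation deadline; None = still open.
VULNS = [
    {"id": "VULN-1", "severity": "critical", "due": "2024-03-05", "remediated": "2024-03-04"},
    {"id": "VULN-2", "severity": "high", "due": "2024-03-15", "remediated": "2024-03-20"},
    {"id": "VULN-3", "severity": "high", "due": "2024-03-18", "remediated": None},
    {"id": "VULN-4", "severity": "medium", "due": "2024-04-01", "remediated": "2024-03-25"},
]

def mean_hours(records, start, end):
    """Mean of (end - start) in hours across records, e.g. MTTD or MTTR."""
    deltas = [_ts(r[end]) - _ts(r[start]) for r in records]
    return mean(d.total_seconds() / 3600 for d in deltas)

def incident_metrics(incidents):
    return {
        "incident_count": len(incidents),
        "mttd_hours": mean_hours(incidents, "occurred", "detected"),
        "mttr_hours": mean_hours(incidents, "detected", "contained"),
    }

def remediation_compliance(vulns, as_of):
    """Share of tickets whose deadline has passed that were fixed on time.
    Open tickets past due count as non-compliant; tickets not yet due are excluded,
    so an early snapshot cannot inflate the rate. Returns None if nothing is due."""
    cutoff = _ts(as_of)
    due = [v for v in vulns if _ts(v["due"]) <= cutoff]
    on_time = [v for v in due if v["remediated"] and _ts(v["remediated"]) <= _ts(v["due"])]
    return len(on_time) / len(due) if due else None
```

Trending these figures month over month (rather than reading one snapshot) is what lets a team tell whether the improvements it made actually shortened detection or remediation times.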

ID.IM-04

Incident response plans and other cybersecurity plans that affect operations are established, communicated, maintained, and improved

Has your organization established and documented contingency plans for incident response, business continuity, and disaster recovery to address adverse events?

Contingency plans are essential for organizations to effectively respond to and recover from security incidents, service disruptions, or disasters that could impact operations or expose sensitive data. These plans should include defined procedures for incident detection, response protocols, recovery strategies, and communication workflows to minimize downtime and data loss.

Do your contingency plans include comprehensive contact information, communication procedures, scenario handling processes, and clear criteria for prioritization, escalation, and elevation?

Effective contingency plans must include detailed contact information for all key personnel, specific communication channels and procedures, documented processes for handling common scenarios, and clear criteria for when to prioritize, escalate or elevate issues. Without these elements, organizations risk delayed responses, miscommunication, and inconsistent handling of incidents during critical situations.

Has your organization implemented a formal vulnerability management plan that includes identification, assessment, prioritization, and remediation processes?

A vulnerability management plan is essential for systematically identifying and addressing security weaknesses across your systems and applications. This plan should outline processes for discovering vulnerabilities through scanning tools, assessing their severity based on potential impact, prioritizing fixes based on risk levels, and implementing appropriate remediation measures.

Does your organization have a process to communicate cybersecurity plans and updates to responsible personnel and affected stakeholders?

Effective cybersecurity implementation requires clear communication of plans and updates to ensure all responsible parties understand their roles and affected stakeholders are aware of changes that may impact them. Without proper communication, even well-designed security plans may fail due to inconsistent implementation or resistance from uninformed stakeholders.

Does your organization have a documented process for reviewing and updating cybersecurity plans at least annually or when significant improvements are needed?

Regular reviews of cybersecurity plans ensure they remain effective against evolving threats and align with organizational changes. Without systematic reviews, security controls may become outdated, creating vulnerabilities that could be exploited by attackers. This question assesses whether your organization has formalized the cadence and triggers for updating critical security documentation.

ResponseHub is the product I wish I had when I was a CTO

Previously I was co-founder and CTO of Progression, a VC-backed HR-tech startup used by some of the biggest names in tech.

As our sales grew, security questionnaires quickly became one of my biggest pain points. They were confusing, hard to delegate and arrived like London buses - 3 at a time!

I'm building ResponseHub so that other teams don't have to go through this. Leave the security questionnaires to us so you can get back to closing deals, shipping product and building your team.

Neil Cameron
Founder, ResponseHub