Framework Category
Risk Assessment
Risk Assessment identifies and evaluates threats, vulnerabilities, and potential impacts to determine inherent cybersecurity risks.
It supports informed decision-making through threat intelligence, vulnerability analysis, risk prioritization, and response planning.
It also includes assessing authenticity and integrity of assets and suppliers before use.
Implementation Questions
ID.RA-01
Vulnerabilities in assets are identified, validated, and recorded
Does your organization implement vulnerability management tools to detect unpatched software and misconfigurations?
Vulnerability management tools automatically scan systems to identify outdated software, missing security patches, and configuration errors that could be exploited by attackers. These tools help prioritize remediation efforts by categorizing vulnerabilities based on severity and potential impact to your environment.
Does your organization regularly conduct security architecture reviews to identify and remediate design and implementation weaknesses?
Security architecture reviews systematically evaluate network and system designs to identify potential vulnerabilities before they can be exploited. These assessments should examine network segmentation, access controls, encryption implementations, and other security controls to ensure they align with security best practices and requirements.
Does your organization conduct security reviews, analysis, or testing of internally developed software to identify vulnerabilities in design, code, and default configurations?
Reviewers want assurance that internally developed software is security-tested, with reviews and analysis to catch vulnerabilities in design, code, and default configurations before release. These processes might include code reviews, static/dynamic application security testing (SAST/DAST), threat modeling, or security-focused quality assurance testing.
Has your organization conducted a comprehensive physical security assessment of all facilities housing critical computing assets within the past 12 months?
Physical security vulnerabilities can compromise even the most robust digital security measures.
Does your organization actively monitor cyber threat intelligence sources for information about new vulnerabilities in your products and services?
Monitoring cyber threat intelligence sources helps organizations stay informed about newly discovered vulnerabilities that could affect their products and services. This includes tracking security advisories, vulnerability databases (like CVE, NVD), vendor notifications, security blogs, and threat intelligence platforms to identify potential security issues before they can be exploited.
Does your organization regularly conduct vulnerability assessments of business processes and procedures to identify potential cybersecurity weaknesses?
Process-level weakness hunting is the focus here, asking whether you regularly run vulnerability assessments of your business processes and procedures to surface cybersecurity gaps. Such assessments should examine how information flows through your organization, where sensitive data is stored or transmitted, and how human behaviors might create security gaps that technical controls alone cannot address.
ID.RA-02
Cyber threat intelligence is received from information sharing forums and sources
Has your organization configured cybersecurity tools to automatically ingest and operationalize threat intelligence feeds?
This question asks whether your security tools are configured to automatically ingest and act on threat intelligence feeds. Properly configured threat intelligence integration enables your security systems to detect and respond to known threats based on indicators of compromise (IoCs), malicious IP addresses, domains, or file hashes that are identified by the broader security community.
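As an added illustration of what "ingest and operationalize" means in practice (this is example code written for this page, not part of ResponseHub or any vendor's product), the script below loads a small indicator feed, normalizes it (refanging `[.]`/`hxxp`, lower-casing hashes and domains), and matches the indicators against sample log lines, including subdomains of a listed domain. The feed entries, the `hxxp`/`[.]` defanging conventions handled, and all log lines are constructed for the example; the IP addresses and domains use reserved documentation ranges and names.

```python
"""Added example: ingest a threat-intelligence feed and match its indicators
(IPv4, domain, SHA-256) against log lines. Feed and logs are constructed."""
import csv
import io
import re
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple

# Constructed feed in "type,value,source" form; values may arrive defanged.
FEED_CSV = """type,value,source
ipv4,203.0.113.45,constructed-feed
domain,malicious[.]example,constructed-feed
domain,evil.example.net,constructed-feed
sha256,E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,constructed-feed
"""

# Constructed log lines (proxy, DNS, EDR) in a loose key=value style.
LOG_LINES = [
    "2024-05-01T10:00:01Z proxy src=10.0.0.5 dst=203.0.113.45 host=cdn.example.org",
    "2024-05-01T10:00:02Z dns client=10.0.0.7 query=WWW.MALICIOUS.EXAMPLE rcode=NOERROR",
    "2024-05-01T10:00:03Z edr host=ws-12 file=report.pdf "
    "sha256=e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
    "2024-05-01T10:00:04Z proxy src=10.0.0.9 dst=198.51.100.7 host=intranet.example.org",
]

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
DOMAIN_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.IGNORECASE)
SHA256_RE = re.compile(r"\b[0-9a-f]{64}\b", re.IGNORECASE)


def refang(value: str) -> str:
    """Undo common defanging so feed values compare equal to what logs contain."""
    return value.replace("[.]", ".").replace("(.)", ".").replace("hxxp", "http").strip()


@dataclass
class IndicatorSet:
    ipv4: Set[str] = field(default_factory=set)
    domains: Set[str] = field(default_factory=set)
    sha256: Set[str] = field(default_factory=set)


def load_feed(text: str) -> IndicatorSet:
    """Parse the CSV feed into normalized (lower-case, refanged) lookup sets."""
    iocs = IndicatorSet()
    for row in csv.DictReader(io.StringIO(text)):
        value = refang(row["value"]).lower()
        kind = row["type"]
        if kind == "ipv4":
            iocs.ipv4.add(value)
        elif kind == "domain":
            iocs.domains.add(value.rstrip("."))
        elif kind == "sha256":
            iocs.sha256.add(value)
    return iocs


def domain_hit(candidate: str, known: Set[str]) -> Optional[str]:
    """Return the listed indicator if candidate or any parent domain is listed
    (www.malicious.example matches a feed entry for malicious.example)."""
    labels = candidate.lower().rstrip(".").split(".")
    for i in range(len(labels) - 1):  # stop before the bare TLD
        parent = ".".join(labels[i:])
        if parent in known:
            return parent
    return None


def match_line(line: str, iocs: IndicatorSet) -> List[Tuple[str, str]]:
    """Return (indicator_type, indicator) pairs that appear in one log line."""
    hits: List[Tuple[str, str]] = []
    for ip in IPV4_RE.findall(line):
        if ip in iocs.ipv4:
            hits.append(("ipv4", ip))
    for dom in DOMAIN_RE.findall(line):
        parent = domain_hit(dom, iocs.domains)
        if parent:
            hits.append(("domain", parent))
    for digest in SHA256_RE.findall(line):
        if digest.lower() in iocs.sha256:
            hits.append(("sha256", digest.lower()))
    return hits


def scan(lines: List[str], iocs: IndicatorSet) -> List[Tuple[int, List[Tuple[str, str]]]]:
    """Return (line_index, hits) for every line that contains an indicator."""
    results = []
    for idx, line in enumerate(lines):
        hits = match_line(line, iocs)
        if hits:
            results.append((idx, hits))
    return results


if __name__ == "__main__":
    feed = load_feed(FEED_CSV)
    for idx, hits in scan(LOG_LINES, feed):
        print(f"line {idx}: {hits}")
```

Two points the code makes that a feed subscription alone does not: indicators must be normalized on ingest (defanged values and mixed-case hashes otherwise never match), and domain indicators should match subdomains, since attacker infrastructure is rarely contacted by its bare registrable name.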
Does your organization have a process to receive and review cybersecurity threat intelligence from reputable third-party sources?
Staying ahead of attackers depends on outside intelligence, and reviewers want to know whether you have a process to receive and review threat intelligence from reputable third parties. Regular review of security advisories helps organizations anticipate potential threats, understand emerging attack vectors, and proactively adjust security controls to address specific risks before they are exploited.
Does your organization actively monitor cyber threat intelligence sources for vulnerabilities related to emerging technologies?
Monitoring cyber threat intelligence sources helps organizations stay informed about new vulnerabilities that may affect emerging technologies before implementation or shortly after adoption. This proactive approach allows security teams to apply patches, implement mitigations, or adjust security controls before vulnerabilities can be widely exploited.
ID.RA-03
Internal and external threats to the organization are identified and recorded
Does your organization actively use cyber threat intelligence to identify and monitor threat actors and their tactics, techniques, and procedures (TTPs) that are likely to target your business?
Cyber threat intelligence (CTI) provides organizations with actionable information about potential adversaries, their capabilities, and methods of operation. By understanding which threat actors are likely to target your organization and their common TTPs, security teams can prioritize defenses against the most relevant threats rather than trying to defend against all possible attacks.
Does your organization conduct regular threat hunting activities to proactively identify potential threat actors in your environment?
Threat hunting involves proactively searching through networks, endpoints, and datasets to detect malicious activities or indicators of compromise that may have evaded existing security solutions.
Has your organization implemented formal processes to identify potential internal threat actors?
Internal threat actors are individuals within your organization who may pose security risks, either maliciously or unintentionally. Effective identification processes typically include monitoring for unusual system access patterns, detecting unauthorized privilege escalations, and analyzing behavioral indicators that might suggest insider threats. These processes should be integrated with your security operations and human resources protocols.
ID.RA-04
Potential impacts and likelihoods of threats exploiting vulnerabilities are identified and recorded
Does your organization have a documented process where business leaders and cybersecurity professionals collaboratively assess and record risk scenarios with their likelihood and impact in risk registers?
Joint risk assessment is the subject: whether business leaders and security professionals collaboratively evaluate risk scenarios and record their likelihood and impact in risk registers.
Has your organization documented a comprehensive assessment of the potential business impacts that could result from unauthorized access to your communications, systems, and data?
This question evaluates whether you have documented a thorough business impact analysis of the consequences of unauthorized access to your communications, systems, and data. Such analysis should identify impacts like financial losses, operational disruptions, reputational damage, regulatory penalties, and intellectual property theft that could result from unauthorized access incidents.
Has your organization conducted a systems interdependency analysis to identify and mitigate potential cascading failures across interconnected systems?
Cascading failures occur when the failure of one system component triggers failures in dependent systems, potentially causing widespread outages or security breaches.
ID.RA-05
Threats, vulnerabilities, likelihoods, and impacts are used to understand inherent risk and inform risk response prioritization
Has your organization developed and implemented threat modeling processes to identify risks to data and determine appropriate risk responses?
Threat modeling is a structured approach to identifying potential threats, vulnerabilities, and attack vectors that could compromise your data assets. By systematically analyzing how an attacker might target your systems, you can better understand your risk exposure and prioritize security controls.
Does your organization have a documented process for prioritizing cybersecurity investments based on risk assessment (likelihood and impact)?
Risk-based investment prioritization is the focus: whether your cybersecurity spending decisions follow documented assessments of likelihood and impact rather than guesswork. Effective resource allocation requires understanding which threats are most likely to occur and would cause the greatest damage, allowing limited security budgets to address the most critical vulnerabilities first.
ID.RA-06
Risk responses are chosen, prioritized, planned, tracked, and communicated
Does your organization consistently apply the established risk treatment criteria (accept, transfer, mitigate, or avoid) when addressing identified vulnerabilities?
Consistent risk treatment is the focus: whether you apply your established criteria (accept, transfer, mitigate, or avoid) every time you address an identified vulnerability. Without clear criteria for risk treatment decisions, organizations may handle similar vulnerabilities inconsistently, potentially leaving critical vulnerabilities unaddressed while spending resources on less significant issues.
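The ID.RA-05 prioritization question and the ID.RA-06 treatment-criteria question above both come down to the same mechanics: a register in which every scenario carries a likelihood and an impact, an ordering derived from them, and one documented rule that maps the result to accept, transfer, mitigate, or avoid. The example below (written for this page, not taken from any framework text or product) shows those mechanics and, because the question asks about consistency, an audit that flags register entries whose recorded treatment disagrees with the written criteria. The 1-5 scales, the risk appetite threshold, the treatment rule and the four register entries are all constructed assumptions; an organization would substitute its own.

```python
"""Added example: a risk register scored on likelihood x impact, prioritized,
and audited against documented treatment criteria. All entries are constructed."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

SCALE = range(1, 6)     # constructed 1..5 scale for likelihood and impact
RISK_APPETITE = 6       # constructed: scores below this may be accepted


@dataclass
class Risk:
    risk_id: str
    scenario: str
    likelihood: int                       # 1 (rare) .. 5 (almost certain)
    impact: int                           # 1 (negligible) .. 5 (severe)
    transferable: bool                    # can insurance or a contract carry it?
    recorded_treatment: Optional[str] = None  # what the register currently says


def score(r: Risk) -> int:
    """Inherent risk score; rejects values outside the documented scale."""
    if r.likelihood not in SCALE or r.impact not in SCALE:
        raise ValueError(f"{r.risk_id}: likelihood and impact must be 1..5")
    return r.likelihood * r.impact


def expected_treatment(r: Risk) -> str:
    """The documented (constructed) criteria, applied the same way to every entry."""
    s = score(r)
    if r.impact == 5 and r.likelihood >= 4:
        return "avoid"                      # severe and likely: stop the activity
    if s < RISK_APPETITE:
        return "accept"                     # within appetite, record and review
    if r.transferable and s < 15:
        return "transfer"                   # mid-band and insurable/contractible
    return "mitigate"                       # everything else gets controls


def prioritize(register: List[Risk]) -> List[Risk]:
    """Highest score first; ties broken by impact, then by id for stable output."""
    return sorted(register, key=lambda r: (-score(r), -r.impact, r.risk_id))


def audit(register: List[Risk]) -> List[Tuple[str, str, str]]:
    """Entries whose recorded treatment does not follow the criteria:
    (risk_id, recorded, expected)."""
    return [
        (r.risk_id, r.recorded_treatment, expected_treatment(r))
        for r in register
        if r.recorded_treatment and r.recorded_treatment != expected_treatment(r)
    ]


# Constructed register for illustration.
REGISTER = [
    Risk("R-01", "Legacy payment gateway reachable from the internet", 4, 5, False, "mitigate"),
    Risk("R-02", "Phishing leads to credential theft", 5, 3, True, "mitigate"),
    Risk("R-03", "Encrypted laptop lost in transit", 3, 2, True, "accept"),
    Risk("R-04", "Office printer firmware out of date", 2, 1, False, "accept"),
]


if __name__ == "__main__":
    for r in prioritize(REGISTER):
        print(f"{r.risk_id} score={score(r):2d} expected={expected_treatment(r):9s} {r.scenario}")
    for risk_id, recorded, expected in audit(REGISTER):
        print(f"inconsistent: {risk_id} recorded={recorded} criteria say={expected}")
```

The audit is the part reviewers are really asking about: a register can hold perfectly good likelihood and impact ratings and still be inconsistent if treatments were chosen case by case. Running the criteria as code over the whole register makes any deviation visible and forces it to be either corrected or documented as an exception.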
Does your organization consistently apply the established criteria for selecting compensating controls when vulnerabilities cannot be immediately remediated?
When vulnerabilities are identified but cannot be immediately patched or fixed, organizations need a systematic approach for implementing alternative controls that reduce the risk to acceptable levels. These compensating controls might include network segmentation, enhanced monitoring, or access restrictions that make the vulnerability more difficult to exploit while a permanent fix is developed.
Does your organization have a formal process to track the progress of risk response implementation?
Tracking risk response implementation is essential for ensuring that identified security risks are being addressed according to plan and within expected timeframes. Without proper tracking mechanisms, risks may remain unmitigated, potentially exposing the organization to security incidents or compliance violations.
Does your organization use risk assessment findings to inform and prioritize risk response decisions and actions?
Turning findings into action is the focus: reviewers want assurance that risk assessment results actually inform and prioritize your risk response decisions. Effective risk management requires not just identifying risks but using those findings to make informed decisions about risk treatment options (accept, mitigate, transfer, or avoid) and to prioritize security investments based on risk severity and business impact.
Does your organization have a documented process for communicating risk responses to affected stakeholders in a prioritized manner?
Closing the loop with stakeholders is what's being assessed: reviewers want a documented process for communicating risk responses to affected parties in priority order. Effective risk response communication helps stakeholders understand potential impacts, required actions, and timelines for risk mitigation.
ID.RA-07
Changes and exceptions are managed, assessed for risk impact, recorded, and tracked
Does your organization have formal procedures for documenting, reviewing, testing, and approving changes and exceptions to systems and applications?
Change management discipline is the focus here: whether formal procedures require changes and exceptions to systems and applications to be documented, reviewed, tested, and approved.
Does your organization document risks associated with proposed changes and provide rollback procedures for each change?
Change management requires thorough risk assessment to understand potential impacts before implementation.
Does your organization maintain documentation of risk assessments and mitigation plans for all security policy exceptions?
Managing policy exceptions is the concern: the question is whether you document risk assessments and mitigation plans for every exception granted to your security policies. For example, if an exception is requested to allow a legacy system to operate without current patches, the documentation should identify potential vulnerabilities and specify compensating controls like network segmentation or enhanced monitoring.
Does your organization have a process to periodically review previously accepted risks that were deferred based on planned future actions or milestones?
Organizations often accept certain security risks temporarily with the intention to address them at a future date when resources become available or when planned system changes occur.
ID.RA-08
Processes for receiving, analyzing, and responding to vulnerability disclosures are established
Does your organization have a formal process for sharing vulnerability information with suppliers as specified in contractual agreements?
Supplier-facing vulnerability sharing is what's examined: whether a formal process governs how you pass vulnerability information to suppliers as contracts require.
Has your organization formally assigned responsibilities for processing, analyzing, and responding to cybersecurity disclosures from external parties, and do you verify these procedures are being executed?
Handling inbound cybersecurity disclosures is the focus here: whether you have assigned responsibility for processing and responding to reports from external parties, and whether you verify that those procedures are actually followed. Having defined roles and responsibilities ensures that vulnerability disclosures and threat intelligence are properly processed, impact-analyzed, and responded to in a timely manner rather than being overlooked or handled inconsistently.
ID.RA-09
The authenticity and integrity of hardware and software are assessed prior to acquisition and use
ID.RA-10
Critical suppliers are assessed prior to acquisition
ResponseHub is the product I wish I had when I was a CTO
Previously I was co-founder and CTO of Progression, a VC-backed HR-tech startup used by some of the biggest names in tech.
As our sales grew, security questionnaires quickly became one of my biggest pain points. They were confusing, hard to delegate and arrived like London buses: 3 at a time!
I'm building ResponseHub so that other teams don't have to go through this. Leave the security questionnaires to us so you can get back to closing deals, shipping product and building your team.