Framework Category

Risk Assessment

Risk Assessment identifies and evaluates threats, vulnerabilities, and potential impacts to determine inherent cybersecurity risks.

It supports informed decision-making through threat intelligence, vulnerability analysis, risk prioritization, and response planning.

It also includes assessing authenticity and integrity of assets and suppliers before use.

Implementation Questions

ID.RA-01

Vulnerabilities in assets are identified, validated, and recorded

Does your organization implement vulnerability management tools to detect unpatched software and misconfigurations?

Vulnerability management tools automatically scan systems to identify outdated software, missing security patches, and configuration errors that could be exploited by attackers. These tools help prioritize remediation efforts by categorizing vulnerabilities based on severity and potential impact to your environment.

Does your organization regularly conduct security architecture reviews to identify and remediate design and implementation weaknesses?

Security architecture reviews systematically evaluate network and system designs to identify potential vulnerabilities before they can be exploited. These assessments should examine network segmentation, access controls, encryption implementations, and other security controls to ensure they align with security best practices and requirements.

Does your organization conduct security reviews, analysis, or testing of internally developed software to identify vulnerabilities in design, code, and default configurations?

Reviewers want assurance that internally developed software is security-tested, with reviews and analysis to catch vulnerabilities in design, code, and default configurations before release. These processes might include code reviews, static/dynamic application security testing (SAST/DAST), threat modeling, or security-focused quality assurance testing.

Has your organization conducted a comprehensive physical security assessment of all facilities housing critical computing assets within the past 12 months?

Physical security vulnerabilities can compromise even the most robust digital security measures.

Does your organization actively monitor cyber threat intelligence sources for information about new vulnerabilities in your products and services?

Monitoring cyber threat intelligence sources helps organizations stay informed about newly discovered vulnerabilities that could affect their products and services. This includes tracking security advisories, vulnerability databases (like CVE, NVD), vendor notifications, security blogs, and threat intelligence platforms to identify potential security issues before they can be exploited.

Does your organization regularly conduct vulnerability assessments of business processes and procedures to identify potential cybersecurity weaknesses?

The focus here is process-level weaknesses: whether you regularly run vulnerability assessments of your business processes and procedures to surface cybersecurity gaps. Such assessments should examine how information flows through your organization, where sensitive data is stored or transmitted, and how human behaviors might create security gaps that technical controls alone cannot address.

ID.RA-02

Cyber threat intelligence is received from information sharing forums and sources

Has your organization configured cybersecurity tools to automatically ingest and operationalize threat intelligence feeds?

This question is about operationalizing threat intelligence: whether your security tools are configured to automatically ingest and act on threat intelligence feeds. Properly configured threat intelligence integration enables your security systems to detect and respond to known threats based on indicators of compromise (IoCs) such as malicious IP addresses, domains, or file hashes identified by the broader security community.
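As an added illustration of what "operationalizing" a feed means in practice (this is example code written for this page, not ResponseHub's product or any vendor's integration), the block below loads a constructed indicator list, normalizes each indicator by type, and runs constructed proxy, DNS and endpoint log lines against it. The key=value log format, the feed layout and the indicator values are all assumptions made for the example; a real deployment would pull the feed from a TIP or a vendor API and run the match inside a SIEM or EDR.

```python
"""Match constructed log events against a constructed threat-intelligence feed.

Example added for the ID.RA-02 question above; not ResponseHub's code.
The feed layout (a list of dicts) and the key=value log line format are
assumptions made for the illustration.
"""
import ipaddress
import re
from dataclasses import dataclass

# Constructed feed: each indicator carries its type and the feed it came from.
# Values are deliberately in mixed case / with a trailing dot to show normalization.
FEED = [
    {"type": "ipv4", "value": "203.0.113.45", "source": "example-feed-a"},
    {"type": "domain", "value": "Bad.Example.NET.", "source": "example-feed-a"},
    {"type": "sha256",
     "value": "E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855",
     "source": "example-feed-b"},
]

# Constructed log lines: a proxy allow, a DNS query, a file event, and a benign line.
LOGS = [
    "ts=2024-05-01T10:00:01Z src=10.0.0.5 dst=203.0.113.45 action=allow",
    "ts=2024-05-01T10:00:02Z src=10.0.0.7 query=mail.bad.example.net rcode=NOERROR",
    "ts=2024-05-01T10:00:03Z host=ws-12 file=setup.exe "
    "sha256=e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
    "ts=2024-05-01T10:00:04Z src=10.0.0.9 dst=198.51.100.7 action=allow",
]

HEX64 = re.compile(r"^[0-9a-f]{64}$")
DOMAIN = re.compile(r"^(?=.{1,253}$)([a-z0-9-]+\.)+[a-z]{2,}$")
KV = re.compile(r"(\w+)=(\S+)")


def normalize(kind: str, value: str) -> str:
    """Canonical form so that feed and log values compare equal."""
    if kind == "ipv4":
        return str(ipaddress.ip_address(value))
    if kind == "domain":
        return value.lower().rstrip(".")
    if kind == "sha256":
        return value.lower()
    raise ValueError(f"unsupported indicator type: {kind}")


def build_index(feed):
    """Map (type, normalized value) -> indicator record for O(1) lookups."""
    return {(ind["type"], normalize(ind["type"], ind["value"])): ind for ind in feed}


def classify(value: str):
    """Guess which indicator type a log value could be; None if it is not a candidate."""
    v = value.lower().rstrip(".")
    try:
        ipaddress.IPv4Address(v)
        return "ipv4", v
    except ValueError:
        pass
    if HEX64.match(v):
        return "sha256", v
    if DOMAIN.match(v):
        return "domain", v
    return None, v


def lookup(index, kind: str, value: str):
    """Exact match for IPs and hashes; for domains also match any parent domain,
    so a flagged bad.example.net catches mail.bad.example.net."""
    if kind == "domain":
        labels = value.split(".")
        for i in range(len(labels) - 1):
            hit = index.get(("domain", ".".join(labels[i:])))
            if hit:
                return hit
        return None
    return index.get((kind, value))


@dataclass(frozen=True)
class Hit:
    line_no: int
    field: str
    observed: str
    indicator: str
    indicator_type: str
    source: str


def match_logs(lines, index):
    """Return one Hit per (line, field) whose value matches a feed indicator."""
    hits = []
    for n, line in enumerate(lines, start=1):
        for field, value in KV.findall(line):
            kind, norm = classify(value)
            if kind is None:
                continue
            ind = lookup(index, kind, norm)
            if ind:
                hits.append(Hit(n, field, value,
                                normalize(ind["type"], ind["value"]),
                                ind["type"], ind["source"]))
    return hits


if __name__ == "__main__":
    for h in match_logs(LOGS, build_index(FEED)):
        print(f"line {h.line_no}: {h.field}={h.observed} matches "
              f"{h.indicator_type} {h.indicator} from {h.source}")
```

The normalization step is the part that most often goes wrong in real integrations: feeds mix case, trailing dots and hash encodings, and an un-normalized indicator silently never matches. The parent-domain walk is a design choice; it raises recall on attacker infrastructure but should be paired with an allow-list so a flagged apex domain cannot match a legitimate shared host.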

Does your organization have a process to receive and review cybersecurity threat intelligence from reputable third-party sources?

Staying ahead of attackers depends on outside intelligence, and reviewers want to know whether you have a process to receive and review threat intelligence from reputable third parties. Regular review of security advisories helps organizations anticipate potential threats, understand emerging attack vectors, and proactively adjust security controls to address specific risks before they are exploited.

Does your organization actively monitor cyber threat intelligence sources for vulnerabilities related to emerging technologies?

Monitoring cyber threat intelligence sources helps organizations stay informed about new vulnerabilities that may affect emerging technologies before implementation or shortly after adoption. This proactive approach allows security teams to apply patches, implement mitigations, or adjust security controls before vulnerabilities can be widely exploited.

ID.RA-03

Internal and external threats to the organization are identified and recorded

ID.RA-06

Risk responses are chosen, prioritized, planned, tracked, and communicated

Does your organization consistently apply the established risk treatment criteria (accept, transfer, mitigate, or avoid) when addressing identified vulnerabilities?

Consistent risk treatment is the focus: whether you apply the established criteria (accept, transfer, mitigate, or avoid) every time you address an identified vulnerability. Without clear criteria for risk treatment decisions, organizations may handle similar vulnerabilities inconsistently, potentially leaving critical vulnerabilities unaddressed while spending resources on less significant issues.

Does your organization consistently apply the established criteria for selecting compensating controls when vulnerabilities cannot be immediately remediated?

When vulnerabilities are identified but cannot be immediately patched or fixed, organizations need a systematic approach for implementing alternative controls that reduce the risk to acceptable levels. These compensating controls might include network segmentation, enhanced monitoring, or access restrictions that make the vulnerability more difficult to exploit while a permanent fix is developed.

Does your organization have a formal process to track the progress of risk response implementation?

Tracking risk response implementation is essential for ensuring that identified security risks are being addressed according to plan and within expected timeframes. Without proper tracking mechanisms, risks may remain unmitigated, potentially exposing the organization to security incidents or compliance violations.

Does your organization use risk assessment findings to inform and prioritize risk response decisions and actions?

Turning findings into action is the focus: reviewers want assurance that risk assessment results actually inform and prioritize your risk response decisions. Effective risk management requires not just identifying risks but using those findings to make informed decisions about risk treatment options (accept, mitigate, transfer, or avoid) and to prioritize security investments based on risk severity and business impact.
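The three ID.RA-06 questions above (consistent treatment criteria, tracking implementation against timeframes, and prioritizing by severity and impact) can be answered with a single, mechanical risk register. The block below is an added example written for this page, not ResponseHub's code or any standard's reference implementation: the likelihood/impact scale, the score bands, the SLA days and the sample findings are all constructed, and the "transferable" flag is an assumption standing in for a contractual or insurance arrangement.

```python
"""Risk register that applies fixed treatment criteria, prioritises open findings
and flags overdue responses. Added example for the ID.RA-06 questions; not
ResponseHub's code. Scoring bands, SLAs and sample findings are constructed.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from enum import Enum
from typing import Optional


class Treatment(str, Enum):
    ACCEPT = "accept"
    MITIGATE = "mitigate"
    TRANSFER = "transfer"
    AVOID = "avoid"


@dataclass
class Finding:
    finding_id: str
    asset: str
    likelihood: int              # 1 (rare) .. 5 (almost certain), constructed scale
    impact: int                  # 1 (negligible) .. 5 (severe business impact)
    identified: date
    transferable: bool = False   # assumption: a third party can carry this risk
    treatment: Optional[Treatment] = None
    due: Optional[date] = None
    closed: Optional[date] = None


def risk_score(f: Finding) -> int:
    """Likelihood x impact, 1..25. Drives both the treatment decision and ordering."""
    return f.likelihood * f.impact


# Constructed criteria: (minimum score, default treatment, SLA in days), evaluated
# top-down so that every finding with the same score receives the same decision.
CRITERIA = [
    (20, Treatment.AVOID, 7),
    (12, Treatment.MITIGATE, 30),
    (5, Treatment.MITIGATE, 90),
    (1, Treatment.ACCEPT, None),
]


def apply_criteria(f: Finding) -> Finding:
    """Assign treatment and due date from the score band; transfer only where possible."""
    score = risk_score(f)
    for threshold, treatment, sla_days in CRITERIA:
        if score >= threshold:
            if treatment is Treatment.MITIGATE and f.transferable:
                treatment = Treatment.TRANSFER
            f.treatment = treatment
            f.due = f.identified + timedelta(days=sla_days) if sla_days else None
            return f
    raise ValueError(f"score {score} outside the 1..25 scale")


def prioritized(register):
    """Open findings, highest risk first; ties broken by the earliest deadline."""
    open_items = [f for f in register if f.closed is None]
    return sorted(open_items, key=lambda f: (-risk_score(f), f.due or date.max))


def overdue(register, today: date):
    """Open findings whose SLA has passed: the tracking signal reviewers ask about."""
    return [f for f in register
            if f.closed is None and f.due is not None and f.due < today]


# Constructed sample register and reporting date.
REGISTER = [apply_criteria(f) for f in [
    Finding("R-1", "customer-db", likelihood=4, impact=5, identified=date(2024, 5, 1)),
    Finding("R-2", "marketing-site", likelihood=2, impact=2, identified=date(2024, 5, 1)),
    Finding("R-3", "payroll-saas", likelihood=3, impact=4, identified=date(2024, 4, 1),
            transferable=True),
    Finding("R-4", "build-server", likelihood=3, impact=3, identified=date(2024, 5, 10)),
]]
AS_OF = date(2024, 5, 15)


if __name__ == "__main__":
    for f in prioritized(REGISTER):
        print(f"{f.finding_id} {f.asset:15} score={risk_score(f):2} "
              f"{f.treatment.value:8} due={f.due}")
    print("overdue:", [f.finding_id for f in overdue(REGISTER, AS_OF)])
```

Because the decision is a lookup into CRITERIA rather than a judgement call per ticket, two findings with the same score always get the same treatment and deadline, which is the consistency the first question probes; the overdue list is the evidence the tracking question asks for.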

Does your organization have a documented process for communicating risk responses to affected stakeholders in a prioritized manner?

Closing the loop with stakeholders is what's being assessed: reviewers want a documented process for communicating risk responses to affected parties in priority order. Effective risk response communication helps stakeholders understand potential impacts, required actions, and timelines for risk mitigation.

ID.RA-07

Changes and exceptions are managed, assessed for risk impact, recorded, and tracked

ResponseHub is the product I wish I had when I was a CTO

Previously I was co-founder and CTO of Progression, a VC-backed HR-tech startup used by some of the biggest names in tech.

As our sales grew, security questionnaires quickly became one of my biggest pain points. They were confusing, hard to delegate and arrived like London buses - 3 at a time!

I'm building ResponseHub so that other teams don't have to go through this. Leave the security questionnaires to us so you can get back to closing deals, shipping product and building your team.

Neil Cameron
Founder, ResponseHub