Framework Category

Risk Assessment

Risk Assessment identifies and evaluates threats, vulnerabilities, and potential impacts to determine inherent cybersecurity risks.

It supports informed decision-making through threat intelligence, vulnerability analysis, risk prioritization, and response planning.

It also includes assessing the authenticity and integrity of hardware, software, and critical suppliers before acquisition and use.

Implementation Questions

ID.RA-01

Vulnerabilities in assets are identified, validated, and recorded

Does your organization implement vulnerability management tools to detect unpatched software and misconfigurations?

Vulnerability management tools automatically scan systems to identify outdated software, missing security patches, and configuration errors that could be exploited by attackers. They help prioritize remediation by categorizing findings based on severity and potential impact to your environment. Scanner output still needs validation before it is recorded: duplicate findings, informational results, false positives, and hosts that are not in your asset inventory should be confirmed or discarded, and raw severity should be weighed against whether the vulnerability is actively exploited and whether the affected asset is exposed.
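As an added illustration (example code written for this page, not a ResponseHub or NIST artefact), the script below performs the validate-and-record step that scanner dashboards tend to skip: it deduplicates a scanner export, drops informational results, holds back findings on hosts missing from the asset inventory until the asset itself is confirmed, and scores the rest from CVSS, exploited-in-the-wild status, and asset exposure and criticality. The finding format, inventory, exploited-in-the-wild set, and scoring weights are all constructed assumptions.

```python
"""Validate and prioritise raw vulnerability-scanner findings.

Added example, not ResponseHub's or NIST's code. The scanner export,
asset inventory, exploited-in-the-wild list and scoring weights are
constructed for illustration; real feeds (CISA KEV, vendor exports)
have their own formats.
"""
from dataclasses import dataclass

# Constructed scanner export: one dict per finding. "plugin" is the
# scanner's own check identifier, not a CVE.
SCANNER_FINDINGS = [
    {"host": "web-01", "plugin": "plugin-1001", "title": "Remote code execution in web framework", "cvss": 9.8},
    {"host": "web-01", "plugin": "plugin-1001", "title": "Remote code execution in web framework", "cvss": 9.8},  # duplicate row
    {"host": "db-01", "plugin": "plugin-1002", "title": "Database listener information leak", "cvss": 7.5},
    {"host": "lab-03", "plugin": "plugin-1003", "title": "Authentication bypass in admin console", "cvss": 9.1},
    {"host": "web-01", "plugin": "plugin-1004", "title": "Server banner disclosed", "cvss": 0.0},  # informational
    {"host": "ghost-9", "plugin": "plugin-1005", "title": "Outdated TLS library", "cvss": 8.8},  # host not in inventory
]

# Constructed asset inventory: exposure and business criticality per host.
INVENTORY = {
    "web-01": {"criticality": "high", "internet_facing": True},
    "db-01": {"criticality": "high", "internet_facing": False},
    "lab-03": {"criticality": "low", "internet_facing": False},
}

# Constructed stand-in for an exploited-in-the-wild catalogue keyed by plugin id.
EXPLOITED_IN_THE_WILD = {"plugin-1001"}

# Assumed weights: criticality multiplies the score, exposure and active
# exploitation add to it. Tune these to your own risk appetite.
CRITICALITY_WEIGHT = {"high": 2.0, "medium": 1.0, "low": 0.5}
EXPLOITED_BONUS = 2.0
INTERNET_FACING_BONUS = 1.5


@dataclass
class Finding:
    host: str
    plugin: str
    title: str
    cvss: float
    exploited: bool
    priority: float
    status: str  # "validated" or "needs-validation"


def triage(findings, inventory, exploited_ids):
    """Return a deduplicated, validated, priority-ordered list of findings."""
    seen = set()
    records = []
    for f in findings:
        key = (f["host"], f["plugin"])
        if key in seen:
            continue  # scanners often emit the same finding once per port or URL
        seen.add(key)
        if f["cvss"] <= 0.0:
            continue  # informational: record elsewhere, not in the vulnerability register
        exploited = f["plugin"] in exploited_ids
        asset = inventory.get(f["host"])
        if asset is None:
            # Unknown host: keep the finding but do not rank it until the
            # asset itself has been validated (rogue host, stale DNS, etc.).
            records.append(Finding(f["host"], f["plugin"], f["title"], f["cvss"],
                                   exploited, 0.0, "needs-validation"))
            continue
        score = f["cvss"]
        if exploited:
            score += EXPLOITED_BONUS
        if asset["internet_facing"]:
            score += INTERNET_FACING_BONUS
        score *= CRITICALITY_WEIGHT[asset["criticality"]]
        records.append(Finding(f["host"], f["plugin"], f["title"], f["cvss"],
                               exploited, score, "validated"))
    # Validated findings first, highest priority at the top.
    records.sort(key=lambda r: (r.status == "validated", r.priority), reverse=True)
    return records


if __name__ == "__main__":
    for r in triage(SCANNER_FINDINGS, INVENTORY, EXPLOITED_IN_THE_WILD):
        print(f"{r.status:16} {r.priority:5.1f} {r.host:8} {r.plugin:12} {r.title}")
```

Run as-is and the internet-facing, actively exploited finding on the high-criticality host lands at the top, while the CVSS 9.1 finding on the low-criticality lab box drops below the 7.5 database finding; the unknown host is kept, unranked, as a validation task rather than silently discarded.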

Does your organization regularly conduct security architecture reviews to identify and remediate design and implementation weaknesses?

Security architecture reviews systematically evaluate network and system designs to identify potential vulnerabilities before they can be exploited. These assessments should examine network segmentation, access controls, encryption implementations, and other security controls to ensure they align with security best practices and requirements.

Does your organization conduct security reviews, analysis, or testing of internally developed software to identify vulnerabilities in design, code, and default configurations?

This question assesses whether your organization has established processes to identify security weaknesses in software you develop before it reaches production. These processes might include code reviews, static/dynamic application security testing (SAST/DAST), threat modeling, or security-focused quality assurance testing.

Has your organization conducted a comprehensive physical security assessment of all facilities housing critical computing assets within the past 12 months?

Physical security vulnerabilities can compromise even the most robust digital security measures. This assessment should identify potential physical access weaknesses, environmental threats (fire, flood, power issues), and evaluate the effectiveness of existing physical controls such as access cards, biometrics, security cameras, and guards. The assessment should also evaluate resilience factors like backup power systems, cooling redundancies, and disaster recovery capabilities.

Does your organization actively monitor cyber threat intelligence sources for information about new vulnerabilities in your products and services?

Monitoring cyber threat intelligence sources helps organizations stay informed about newly discovered vulnerabilities that could affect their products and services. This includes tracking security advisories, vulnerability databases (like CVE, NVD), catalogs of vulnerabilities known to be exploited in the wild (such as CISA's Known Exploited Vulnerabilities catalog), vendor notifications, security blogs, and threat intelligence platforms to identify potential security issues before they can be exploited.

Does your organization regularly conduct vulnerability assessments of business processes and procedures to identify potential cybersecurity weaknesses?

This question assesses whether your organization systematically evaluates its operational workflows and procedures to identify vulnerabilities that could be exploited by threat actors. Such assessments should examine how information flows through your organization, where sensitive data is stored or transmitted, and how human behaviors might create security gaps that technical controls alone cannot address.

ID.RA-02

Cyber threat intelligence is received from information sharing forums and sources

Has your organization configured cybersecurity tools to automatically ingest and operationalize threat intelligence feeds?

This question assesses whether your security tools (like SIEM, EDR, firewalls, etc.) are set up to automatically consume and act upon external threat intelligence. Properly configured threat intelligence integration enables your security systems to detect and respond to known threats based on indicators of compromise (IoCs), such as malicious IP addresses, domains, or file hashes, identified by the broader security community. Because feed quality varies, ingestion should honor each indicator's confidence score and expiry: stale or low-confidence indicators pushed straight into blocking controls generate false positives and can block legitimate traffic.
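The following is an added example (not ResponseHub's code or any vendor's integration) of what "operationalizing" a feed means at the smallest scale: build an index of live, sufficiently confident indicators, then match it against log events. The feed shape, the key=value log format, the fixed clock, and the indicator values (a documentation-range IP, .example domains, an all-zeros placeholder hash) are constructed assumptions; a real integration would read STIX/TAXII or a vendor API and push matches into the SIEM or a blocklist.

```python
"""Ingest a threat-intelligence feed and match it against log lines.

Added example, not ResponseHub's code. The feed shape, the log format,
the fixed clock and the indicator values (documentation IP range,
.example domains, an all-zeros placeholder hash) are constructed
assumptions.
"""
import re
from datetime import datetime, timezone

# Constructed feed. Real feeds carry confidence and expiry; honour both,
# or stale and low-quality indicators will flood your alert queue.
FEED = [
    {"type": "ipv4", "value": "203.0.113.10", "confidence": 90, "valid_until": "2030-01-01T00:00:00Z"},
    {"type": "domain", "value": "bad.example", "confidence": 80, "valid_until": "2030-01-01T00:00:00Z"},
    {"type": "domain", "value": "stale.example", "confidence": 95, "valid_until": "2020-01-01T00:00:00Z"},  # expired
    {"type": "sha256", "value": "0" * 63 + "1", "confidence": 40, "valid_until": "2030-01-01T00:00:00Z"},  # low confidence
]

# Constructed log lines in a key=value style (proxy, firewall and EDR events).
LOGS = [
    "2024-05-01T09:58:12Z proxy src_ip=10.0.0.5 host=bad.example action=allow",
    "2024-05-01T09:59:01Z proxy src_ip=10.0.0.7 host=stale.example action=allow",
    "2024-05-01T10:01:44Z fw src_ip=203.0.113.10 dst_ip=10.0.0.20 action=accept",
    "2024-05-01T10:02:10Z edr endpoint=ws-14 sha256=" + "0" * 63 + "1" + " action=exec",
    "2024-05-01T10:03:00Z proxy src_ip=10.0.0.9 host=example.com action=allow",
]

NOW = datetime(2024, 5, 1, tzinfo=timezone.utc)  # fixed clock keeps the example deterministic
MIN_CONFIDENCE = 60  # assumed threshold for automated action

# Which log fields hold which indicator type.
FIELD_TYPES = {"src_ip": "ipv4", "dst_ip": "ipv4", "host": "domain", "sha256": "sha256"}
KV = re.compile(r"(\w+)=(\S+)")


def build_index(feed, now=NOW, min_confidence=MIN_CONFIDENCE):
    """Keep only live, sufficiently confident indicators, keyed by type and value."""
    index = {}
    for ioc in feed:
        expires = datetime.strptime(ioc["valid_until"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        if expires <= now or ioc["confidence"] < min_confidence:
            continue
        index.setdefault(ioc["type"], {})[ioc["value"].lower()] = ioc
    return index


def match_logs(lines, index):
    """Return one hit per (line, field) whose value is a live indicator."""
    hits = []
    for line in lines:
        fields = dict(KV.findall(line))
        for field, ioc_type in FIELD_TYPES.items():
            value = fields.get(field, "").lower()
            ioc = index.get(ioc_type, {}).get(value)
            if ioc is not None:
                hits.append({"line": line, "field": field, "ioc": ioc["value"],
                             "confidence": ioc["confidence"]})
    return hits


if __name__ == "__main__":
    for hit in match_logs(LOGS, build_index(FEED)):
        print(f"[{hit['confidence']}] {hit['field']}={hit['ioc']} :: {hit['line']}")
```

Only two of the five events match: the expired domain and the low-confidence hash never enter the index, which is exactly the filtering a production pipeline needs before indicators reach a firewall or EDR blocklist.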

Does your organization have a process to receive and review cybersecurity threat intelligence from reputable third-party sources?

This question assesses whether your organization actively monitors external threat intelligence to stay informed about current threat actors and their tactics, techniques, and procedures (TTPs). Regular review of security advisories helps organizations anticipate potential threats, understand emerging attack vectors, and proactively adjust security controls to address specific risks before they are exploited.

Does your organization actively monitor cyber threat intelligence sources for vulnerabilities related to emerging technologies?

Monitoring cyber threat intelligence sources helps organizations stay informed about new vulnerabilities that may affect emerging technologies before implementation or shortly after adoption. This proactive approach allows security teams to apply patches, implement mitigations, or adjust security controls before vulnerabilities can be widely exploited.

ID.RA-03

Internal and external threats to the organization are identified and recorded

Does your organization actively use cyber threat intelligence to identify and monitor threat actors and their tactics, techniques, and procedures (TTPs) that are likely to target your business?

Cyber threat intelligence (CTI) provides organizations with actionable information about potential adversaries, their capabilities, and methods of operation. By understanding which threat actors are likely to target your organization and their common TTPs, security teams can prioritize defenses against the most relevant threats rather than trying to defend against all possible attacks.

Does your organization conduct regular threat hunting activities to proactively identify potential threat actors in your environment?

Threat hunting involves proactively searching through networks, endpoints, and datasets to detect malicious activities or indicators of compromise that may have evaded existing security solutions. This practice helps identify advanced persistent threats, insider threats, or zero-day exploits that automated tools might miss. Effective threat hunting combines automated tools with human analysis to investigate anomalies, unusual patterns, or suspicious behaviors.

Has your organization implemented formal processes to identify potential internal threat actors?

Internal threat actors are individuals within your organization who may pose security risks, either maliciously or unintentionally. Effective identification processes typically include monitoring for unusual system access patterns, detecting unauthorized privilege escalations, and analyzing behavioral indicators that might suggest insider threats. These processes should be integrated with your security operations and human resources protocols.

ID.RA-04

Potential impacts and likelihoods of threats exploiting vulnerabilities are identified and recorded

Does your organization have a documented process where business leaders and cybersecurity professionals collaboratively assess and record risk scenarios with their likelihood and impact in risk registers?

This question evaluates whether your organization has formalized the collaboration between business and security teams to identify, assess, and document risks. Effective risk management requires input from both business stakeholders who understand operational impacts and security professionals who can assess technical vulnerabilities and threats. This collaborative approach ensures risks are evaluated holistically with appropriate context for both likelihood and business impact.

Has your organization documented a comprehensive assessment of the potential business impacts that could result from unauthorized access to your communications, systems, and data?

This question evaluates whether your organization has formally analyzed and documented the potential consequences of security breaches across your digital environment. Such analysis should identify impacts like financial losses, operational disruptions, reputational damage, regulatory penalties, and intellectual property theft that could result from unauthorized access incidents.

Has your organization conducted a systems interdependency analysis to identify and mitigate potential cascading failures across interconnected systems?

Cascading failures occur when the failure of one system component triggers failures in dependent systems, potentially causing widespread outages or security breaches. This analysis should identify critical dependencies between systems, evaluate how failures might propagate, and document mitigation strategies to contain failures before they affect multiple systems. Organizations with complex infrastructures are particularly vulnerable to these types of failures, especially when systems share resources, authentication mechanisms, or data flows: a shared identity provider or storage array, for example, is a single point of failure for every service behind it.
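An interdependency analysis is, at bottom, a graph problem. The added example below (written for this page, not ResponseHub's code) takes a constructed map of which component depends on which, inverts it, and computes the blast radius of each component's failure by walking dependents transitively; it also lists the components several services share directly, since shared authentication and storage are where cascades usually start. The service names and dependencies are assumptions; in practice the map would come from a CMDB, service catalogue, or tracing data.

```python
"""Find cascading-failure exposure in a service dependency graph.

Added example, not ResponseHub's code. The dependency map is a
constructed assumption; build yours from a CMDB, service catalogue
or tracing data.
"""
from collections import deque

# Constructed map: component -> components it depends on directly.
DEPENDS_ON = {
    "customer-portal": ["api-gateway", "sso"],
    "api-gateway": ["orders-svc", "sso"],
    "orders-svc": ["orders-db", "payments-svc"],
    "payments-svc": ["payments-db", "sso"],
    "reporting": ["orders-db"],
    "sso": ["directory"],
    "directory": [],
    "orders-db": ["san-storage"],
    "payments-db": ["san-storage"],
    "san-storage": [],
}


def dependents_of(graph):
    """Invert the graph: component -> set of components that depend on it directly."""
    inverted = {name: set() for name in graph}
    for name, deps in graph.items():
        for dep in deps:
            inverted.setdefault(dep, set()).add(name)
    return inverted


def blast_radius(graph, failed):
    """Every component transitively affected when `failed` goes down (BFS over dependents)."""
    inverted = dependents_of(graph)
    affected, queue = set(), deque([failed])
    while queue:
        current = queue.popleft()
        for dependent in inverted.get(current, ()):
            if dependent not in affected:  # visited set also guards against cycles
                affected.add(dependent)
                queue.append(dependent)
    return affected


def shared_dependencies(graph, min_dependents=2):
    """Components that several others rely on directly: shared storage, auth, etc."""
    return {name: len(deps) for name, deps in dependents_of(graph).items()
            if len(deps) >= min_dependents}


def rank_single_points_of_failure(graph):
    """Components ordered by how much of the estate their failure takes down."""
    return sorted(((name, len(blast_radius(graph, name))) for name in graph),
                  key=lambda item: (-item[1], item[0]))


if __name__ == "__main__":
    for name, count in rank_single_points_of_failure(DEPENDS_ON):
        print(f"{count:2} affected if {name} fails: {sorted(blast_radius(DEPENDS_ON, name))}")
    print("shared dependencies:", shared_dependencies(DEPENDS_ON))
```

In this constructed estate the storage array and the directory behind SSO rank above every application service, even though neither appears in a customer-facing data flow; those are the components whose redundancy and failure containment the analysis should document first.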

ID.RA-06

Risk responses are chosen, prioritized, planned, tracked, and communicated

Does your organization consistently apply the established risk treatment criteria (accept, transfer, mitigate, or avoid) when addressing identified vulnerabilities?

This question assesses whether your organization follows a structured approach to vulnerability management by applying consistent criteria when deciding how to handle identified risks. Without clear criteria for risk treatment decisions, organizations may handle similar vulnerabilities inconsistently, potentially leaving critical vulnerabilities unaddressed while spending resources on less significant issues.

Does your organization consistently apply the established criteria for selecting compensating controls when vulnerabilities cannot be immediately remediated?

When vulnerabilities are identified but cannot be immediately patched or fixed, organizations need a systematic approach for implementing alternative controls that reduce the risk to acceptable levels. These compensating controls might include network segmentation, enhanced monitoring, or access restrictions that make the vulnerability more difficult to exploit while a permanent fix is developed.

Does your organization have a formal process to track the progress of risk response implementation?

Tracking risk response implementation is essential for ensuring that identified security risks are being addressed according to plan and within expected timeframes. Without proper tracking mechanisms, risks may remain unmitigated, potentially exposing the organization to security incidents or compliance violations.

Does your organization use risk assessment findings to inform and prioritize risk response decisions and actions?

This question evaluates whether your organization has a structured process for translating identified risks into concrete action plans. Effective risk management requires not just identifying risks but using those findings to make informed decisions about risk treatment options (accept, mitigate, transfer, or avoid) and to prioritize security investments based on risk severity and business impact.

Does your organization have a documented process for communicating risk responses to affected stakeholders in a prioritized manner?

This question assesses whether your organization has a formal mechanism to inform relevant stakeholders about how identified risks will be addressed, ensuring those with higher priority are communicated first. Effective risk response communication helps stakeholders understand potential impacts, required actions, and timelines for risk mitigation.

ID.RA-07

Changes and exceptions are managed, assessed for risk impact, recorded, and tracked

Does your organization have formal procedures for documenting, reviewing, testing, and approving changes and exceptions to systems and applications?

This question assesses whether your organization has established a structured change management process that requires documentation, review, testing, and approval before a change is implemented or an exception to a security control is granted. Without formal procedures, changes may be implemented inconsistently, introducing security vulnerabilities or operational issues. A comprehensive change management procedure helps maintain system integrity, ensures changes are properly vetted, and creates accountability. It also provides a history of modifications to each system, which is valuable for troubleshooting, incident investigation, and compliance purposes.

Does your organization document risks associated with proposed changes and provide rollback procedures for each change?

Change management requires thorough risk assessment to understand potential impacts before implementation. Organizations should document both the risks of implementing a change (like service disruptions or security vulnerabilities) and the risks of not implementing it (such as remaining vulnerable to known threats). Additionally, having documented rollback procedures ensures that if a change causes unexpected issues, the organization can quickly restore systems to a known good state.

Does your organization maintain documentation of risk assessments and mitigation plans for all security policy exceptions?

This question assesses whether your organization formally evaluates and documents the risks associated with any exceptions to security policies, along with specific plans to address those risks. For example, if an exception is requested to allow a legacy system to operate without current patches, the documentation should identify potential vulnerabilities and specify compensating controls like network segmentation or enhanced monitoring.

Does your organization have a process to periodically review previously accepted risks that were deferred based on planned future actions or milestones?

Organizations often accept certain security risks temporarily with the intention to address them at a future date when resources become available or when planned system changes occur. Without a systematic review process, these temporarily accepted risks may be forgotten and remain unaddressed indefinitely, potentially creating security vulnerabilities. Regular reviews ensure that accepted risks don't become permanent fixtures in your security posture and that planned mitigations are implemented according to schedule.
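The three questions above on deferred risks, together with the ID.RA-04 risk register and the ID.RA-06 questions on applying treatment criteria consistently, tracking responses, and prioritizing communication, all come down to checks that can be run over the register itself. The added example below (written for this page, not ResponseHub's or NIST's code) scores each entry on a likelihood x impact matrix, orders the register for prioritized communication, and flags entries that break the treatment criteria: critical risks marked "accept", high risks accepted without compensating controls, accepted risks whose review date has passed, responses past their due date, and entries with no owner. The 4x4 scale, rating bands, criteria, register entries, and fixed "today" are constructed assumptions.

```python
"""Consistency checks over a risk register.

Added example, not ResponseHub's or NIST's code. The 4x4 scale, the
rating thresholds, the treatment criteria, the register entries and the
fixed 'today' are constructed assumptions; substitute your own.
"""
from datetime import date

SCALE = {"low": 1, "medium": 2, "high": 3, "very high": 4}
TREATMENTS = {"accept", "mitigate", "transfer", "avoid"}
TODAY = date(2024, 5, 1)  # fixed clock so the example is deterministic

# Constructed register. Accepted entries carry a review date and, where
# the risk is high, the compensating controls that justify acceptance.
REGISTER = [
    {"id": "R-1", "scenario": "Exploitable RCE on internet-facing customer portal",
     "likelihood": "high", "impact": "very high", "treatment": "mitigate",
     "owner": "platform", "status": "in-progress", "due": "2024-06-30"},
    {"id": "R-2", "scenario": "Legacy ERP cannot be patched until migration completes",
     "likelihood": "medium", "impact": "high", "treatment": "accept",
     "owner": "finance-it", "status": "accepted", "review_by": "2024-03-31",
     "compensating_controls": ["network segmentation", "enhanced monitoring"]},
    {"id": "R-3", "scenario": "Laptop theft exposes locally cached customer data",
     "likelihood": "medium", "impact": "medium", "treatment": "accept",
     "owner": None, "status": "accepted", "review_by": "2025-01-31"},
    {"id": "R-4", "scenario": "Ransomware encrypts shared file servers",
     "likelihood": "high", "impact": "very high", "treatment": "accept",
     "owner": "infra", "status": "accepted", "review_by": "2024-12-31"},
    {"id": "R-5", "scenario": "Payment processor outage halts checkout",
     "likelihood": "low", "impact": "high", "treatment": "transfer",
     "owner": "finance", "status": "planned", "due": "2024-05-15"},
]


def risk_score(likelihood, impact):
    return SCALE[likelihood] * SCALE[impact]


def rating(score):
    """Map a likelihood x impact product onto the assumed rating bands."""
    if score >= 12:
        return "critical"
    if score >= 6:
        return "high"
    if score >= 3:
        return "medium"
    return "low"


def check_register(register, today=TODAY):
    """Return (risk id, problem) pairs where an entry breaks the treatment criteria."""
    problems = []
    for r in register:
        band = rating(risk_score(r["likelihood"], r["impact"]))
        if r["treatment"] not in TREATMENTS:
            problems.append((r["id"], f"unknown treatment {r['treatment']!r}"))
        if not r.get("owner"):
            problems.append((r["id"], "no owner assigned"))
        if r["treatment"] == "accept":
            if band == "critical":
                problems.append((r["id"], "critical risk accepted; criteria require mitigate or avoid"))
            if band in ("high", "critical") and not r.get("compensating_controls"):
                problems.append((r["id"], "high risk accepted without compensating controls"))
            if not r.get("review_by"):
                problems.append((r["id"], "accepted risk has no review date"))
            elif date.fromisoformat(r["review_by"]) < today:
                problems.append((r["id"], "accepted risk review is overdue"))
        elif r["status"] != "done" and r.get("due") and date.fromisoformat(r["due"]) < today:
            problems.append((r["id"], "risk response is past due"))
    return problems


def prioritized(register):
    """Register ordered by score, highest first, for response planning and communication."""
    return sorted(register, key=lambda r: -risk_score(r["likelihood"], r["impact"]))


if __name__ == "__main__":
    for r in prioritized(REGISTER):
        band = rating(risk_score(r["likelihood"], r["impact"]))
        print(f"{r['id']} {band:8} {r['treatment']:8} {r['scenario']}")
    for risk_id, problem in check_register(REGISTER):
        print(f"  ! {risk_id}: {problem}")
```

Running it against the constructed register surfaces the overdue review on the legacy ERP acceptance, the ownerless laptop risk, and a critical ransomware risk that was accepted with no compensating controls; the same checks scheduled against a live register are the "periodic review" the question asks about.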

ResponseHub is the product I wish I had when I was a CTO

Previously I was co-founder and CTO of Progression, a VC backed HR-tech startup used by some of the biggest names in tech.

As our sales grew, security questionnaires quickly became one of my biggest pain-points. They were confusing, hard to delegate and arrived like London buses - 3 at a time!

I'm building ResponseHub so that other teams don't have to go through this. Leave the security questionnaires to us so you can get back to closing deals, shipping product and building your team.

Neil Cameron
Founder, ResponseHub