ID.RA-04.159

Does your organization have a documented process where business leaders and cybersecurity professionals collaboratively assess and record risk scenarios with their likelihood and impact in risk registers?

Explanation

This question evaluates whether your organization has formalized the collaboration between business and security teams to identify, assess, and document risks. Effective risk management requires input from both business stakeholders who understand operational impacts and security professionals who can assess technical vulnerabilities and threats. This collaborative approach ensures risks are evaluated holistically with appropriate context for both likelihood and business impact. Evidence of fulfillment could include a formal risk assessment methodology document, completed risk registers showing both business and security input, meeting minutes from risk assessment sessions with both teams present, or a risk management policy that explicitly requires this collaboration.

Implementation Example

Business leaders and cybersecurity risk management practitioners work together to estimate the likelihood and impact of risk scenarios and record them in risk registers

ID: ID.RA-04.159

Context

Function: ID: IDENTIFY
Category: ID.RA: Risk Assessment
Sub-Category: Potential impacts and likelihoods of threats exploiting vulnerabilities are identified and recorded

ResponseHub is the product I wish I had when I was a CTO

Previously I was co-founder and CTO of Progression, a VC backed HR-tech startup used by some of the biggest names in tech.

As our sales grew, security questionnaires quickly became one of my biggest pain-points. They were confusing, hard to delegate and arrived like London busses - 3 at a time!

I'm building ResponseHub so that other teams don't have to go through this. Leave the security questionnaires to us so you can get back to closing deals, shipping product and building your team.

Neil Cameron

Founder, ResponseHub