Does your organization have a documented process where business leaders and cybersecurity professionals collaboratively assess and record risk scenarios with their likelihood and impact in risk registers?
Explanation
This question concerns joint risk assessment: whether business leaders and security professionals collaboratively evaluate risk scenarios and record their likelihood and impact in risk registers.
Effective risk management requires input from both business stakeholders who understand operational impacts and security professionals who can assess technical vulnerabilities and threats.
This collaborative approach ensures risks are evaluated holistically with appropriate context for both likelihood and business impact.
Evidence of fulfillment could include a formal risk assessment methodology document, completed risk registers showing both business and security input, meeting minutes from risk assessment sessions with both teams present, or a risk management policy that explicitly requires this collaboration.
Implementation Example
Business leaders and cybersecurity risk management practitioners work together to estimate the likelihood and impact of risk scenarios and record them in risk registers.
ID: ID.RA-04.159
Context
- Function: IDENTIFY
- Category: ID.RA: Risk Assessment
- Sub-Category: Potential impacts and likelihoods of threats exploiting vulnerabilities are identified and recorded
Related questions
- Does your organization implement vulnerability management tools to detect unpatched software and misconfigurations?
- Does your organization regularly conduct security architecture reviews to identify and remediate design and implementation weaknesses?
- Does your organization conduct security reviews, analysis, or testing of internally developed software to identify vulnerabilities in design, code, and default configurations?
- Has your organization conducted a comprehensive physical security assessment of all facilities housing critical computing assets within the past 12 months?
- Does your organization actively monitor cyber threat intelligence sources for information about new vulnerabilities in your products and services?
- Does your organization regularly conduct vulnerability assessments of business processes and procedures to identify potential cybersecurity weaknesses?