Does your organization consistently apply the established risk treatment criteria (accept, transfer, mitigate, or avoid) when addressing identified vulnerabilities?
Explanation
The focus here is consistency of risk treatment: whether the established criteria are applied every time an identified vulnerability is addressed, so that each one is deliberately accepted, transferred, mitigated, or avoided. Without clear criteria for risk treatment decisions, organizations may handle similar vulnerabilities inconsistently, potentially leaving critical vulnerabilities unaddressed while spending resources on less significant issues.
Evidence could include documented risk treatment decisions that reference the established criteria and record the rationale for accepting, transferring, mitigating, or avoiding specific vulnerabilities. This might take the form of vulnerability management meeting minutes, risk registers with treatment decisions recorded against each entry, or completed risk assessment worksheets that demonstrate consistent application of the criteria.
Implementation Example
Apply the vulnerability management plan's criteria when deciding whether to accept, transfer, mitigate, or avoid the risk posed by each identified vulnerability.
ID: ID.RA-06.164
Context
- Function: IDENTIFY (ID)
- Category: ID.RA: Risk Assessment
- Sub-Category: ID.RA-06: Risk responses are chosen, prioritized, planned, tracked, and communicated
Related questions
- Does your organization implement vulnerability management tools to detect unpatched software and misconfigurations?
- Does your organization regularly conduct security architecture reviews to identify and remediate design and implementation weaknesses?
- Does your organization conduct security reviews, analysis, or testing of internally developed software to identify vulnerabilities in design, code, and default configurations?
- Has your organization conducted a comprehensive physical security assessment of all facilities housing critical computing assets within the past 12 months?
- Does your organization actively monitor cyber threat intelligence sources for information about new vulnerabilities in your products and services?
- Does your organization regularly conduct vulnerability assessments of business processes and procedures to identify potential cybersecurity weaknesses?