ID.RA-06.164

Does your organization consistently apply the established risk treatment criteria (accept, transfer, mitigate, or avoid) when addressing identified vulnerabilities?

Explanation

This question assesses whether your organization follows a structured approach to vulnerability management by applying consistent criteria when deciding how to handle identified risks. Without clear risk treatment criteria, an organization may handle similar vulnerabilities inconsistently, leaving critical vulnerabilities unaddressed while spending resources on less significant issues. Evidence could include documented risk treatment decisions that reference the established criteria and show the rationale for accepting, transferring, mitigating, or avoiding specific vulnerabilities. This might take the form of vulnerability management meeting minutes, risk registers that record treatment decisions, or completed risk assessment worksheets that demonstrate consistent application of the criteria.

Implementation Example

Apply the vulnerability management plan's criteria for deciding whether to accept, transfer, mitigate, or avoid risk.

ID: ID.RA-06.164

Context

Function: ID (IDENTIFY)
Category: ID.RA: Risk Assessment
Sub-Category: Risk responses are chosen, prioritized, planned, tracked, and communicated

ResponseHub is the product I wish I had when I was a CTO

Previously I was co-founder and CTO of Progression, a VC-backed HR-tech startup used by some of the biggest names in tech.

As our sales grew, security questionnaires quickly became one of my biggest pain points. They were confusing, hard to delegate, and arrived like London buses, 3 at a time!

I'm building ResponseHub so that other teams don't have to go through this. Leave the security questionnaires to us so you can get back to closing deals, shipping product and building your team.

Neil Cameron
Founder, ResponseHub