Does your organization use risk assessment findings to inform and prioritize risk response decisions and actions?
Explanation
Turning findings into action is the focus: reviewers want assurance that risk assessment results actually inform and prioritize your risk response decisions. Effective risk management requires not just identifying risks but using those findings to make informed decisions about risk treatment options (accept, mitigate, transfer, or avoid) and to prioritize security investments based on risk severity and business impact.
Evidence could include documented risk treatment plans that reference specific risk assessment findings, meeting minutes showing risk-based decision making, or a risk register that tracks identified risks alongside corresponding response actions and their implementation status.
Implementation Example
Use risk assessment findings to inform risk response decisions and actions
ID: ID.RA-06.167
Context
- Function
  - ID: IDENTIFY
- Category
  - ID.RA: Risk Assessment
- Sub-Category
  - Risk responses are chosen, prioritized, planned, tracked, and communicated
Related questions
- Does your organization implement vulnerability management tools to detect unpatched software and misconfigurations?
- Does your organization regularly conduct security architecture reviews to identify and remediate design and implementation weaknesses?
- Does your organization conduct security reviews, analysis, or testing of internally developed software to identify vulnerabilities in design, code, and default configurations?
- Has your organization conducted a comprehensive physical security assessment of all facilities housing critical computing assets within the past 12 months?
- Does your organization actively monitor cyber threat intelligence sources for information about new vulnerabilities in your products and services?
- Does your organization regularly conduct vulnerability assessments of business processes and procedures to identify potential cybersecurity weaknesses?