Does your organization have a documented process for communicating risk responses to affected stakeholders in a prioritized manner?
Explanation
This question assesses whether risk responses are communicated back to the stakeholders they affect, and in priority order: reviewers want a documented process, not ad hoc notifications. Effective risk response communication tells each affected party the potential impact to them, the actions they are expected to take, and the timelines for mitigation, with the highest-rated risks communicated first.
Evidence could include a risk communication plan, documented communication workflows showing the prioritization criteria (for example, how risk ratings map to notification order and deadlines), meeting minutes from risk review sessions with stakeholders, or templates used for risk response notifications that demonstrate the prioritization methodology. A plan alone is weak evidence that the process is followed, so keep records of past notifications alongside it.
Implementation Example
Communicate planned risk responses to affected stakeholders in priority order
ID: ID.RA-06.168
Context
- Function: ID (Identify)
- Category: ID.RA (Risk Assessment)
- Subcategory: ID.RA-06 (Risk responses are chosen, prioritized, planned, tracked, and communicated)
Related questions
- Does your organization implement vulnerability management tools to detect unpatched software and misconfigurations?
- Does your organization regularly conduct security architecture reviews to identify and remediate design and implementation weaknesses?
- Does your organization conduct security reviews, analysis, or testing of internally developed software to identify vulnerabilities in design, code, and default configurations?
- Has your organization conducted a comprehensive physical security assessment of all facilities housing critical computing assets within the past 12 months?
- Does your organization actively monitor cyber threat intelligence sources for information about new vulnerabilities in your products and services?
- Does your organization regularly conduct vulnerability assessments of business processes and procedures to identify potential cybersecurity weaknesses?