Does your organization have a process to periodically review previously accepted risks that were deferred based on planned future actions or milestones?
Explanation
Organizations often accept certain security risks temporarily with the intention to address them at a future date when resources become available or when planned system changes occur.
Without a systematic review process, these temporarily accepted risks may be forgotten and remain unaddressed indefinitely, potentially creating security vulnerabilities.
Regular reviews ensure that accepted risks don't become permanent fixtures in your security posture and that planned mitigations are implemented according to schedule.
Evidence of fulfillment could include a risk register or tracking system that shows dates of risk acceptance, planned mitigation dates, review dates, and status updates. Documentation of periodic risk review meetings, including minutes that specifically address the status of previously accepted risks, would also serve as appropriate evidence.
Implementation Example
Periodically review risks that were accepted based upon planned future actions or milestones
ID: ID.RA-07.172
Context
- Function
  - ID: IDENTIFY
- Category
  - ID.RA: Risk Assessment
- Sub-Category
  - Changes and exceptions are managed, assessed for risk impact, recorded, and tracked
Related questions
- Does your organization implement vulnerability management tools to detect unpatched software and misconfigurations?
- Does your organization regularly conduct security architecture reviews to identify and remediate design and implementation weaknesses?
- Does your organization conduct security reviews, analysis, or testing of internally developed software to identify vulnerabilities in design, code, and default configurations?
- Has your organization conducted a comprehensive physical security assessment of all facilities housing critical computing assets within the past 12 months?
- Does your organization actively monitor cyber threat intelligence sources for information about new vulnerabilities in your products and services?
- Does your organization regularly conduct vulnerability assessments of business processes and procedures to identify potential cybersecurity weaknesses?