ID.RA-07.172
Does your organization have a process to periodically review previously accepted risks that were deferred based on planned future actions or milestones?
Explanation
Organizations often accept certain security risks temporarily with the intention to address them at a future date when resources become available or when planned system changes occur. Without a systematic review process, these temporarily accepted risks may be forgotten and remain unaddressed indefinitely, potentially creating security vulnerabilities. Regular reviews ensure that accepted risks don't become permanent fixtures in your security posture and that planned mitigations are implemented according to schedule. Evidence of fulfillment could include a risk register or tracking system that shows dates of risk acceptance, planned mitigation dates, review dates, and status updates. Documentation of periodic risk review meetings, including minutes that specifically address the status of previously accepted risks, would also serve as appropriate evidence.
Implementation Example
Periodically review risks that were accepted based upon planned future actions or milestones
ID: ID.RA-07.172
Context
- Function
  - ID: IDENTIFY
- Category
  - ID.RA: Risk Assessment
- Sub-Category
  - Changes and exceptions are managed, assessed for risk impact, recorded, and tracked

