RSK-01: Risk Management Program
Mechanisms exist to facilitate the implementation of strategic, operational and tactical risk management controls.
Control Question: Does the organization facilitate the implementation of strategic, operational and tactical risk management controls?
General (63)
| Framework | Mapping Values |
|---|---|
| AICPA TSC 2017:2022 (used for SOC 2) (source) | A1.2-POF1 CC3.1 CC3.2-POF1 CC3.2-POF3 CC3.2-POF5 CC3.4-POF1 CC3.4-POF2 CC3.4-POF3 CC3.4-POF4 CC3.4-POF5 CC4.1 CC5.1 CC9.1 |
| BSI Standard 200-1 | 10.2.1 |
| CIS CSC 8.1 | 16.6 |
| CIS CSC 8.1 IG2 | 16.6 |
| CIS CSC 8.1 IG3 | 16.6 |
| COBIT 2019 | EDM03.01 EDM03.02 EDM03.03 APO12.01 APO12.02 APO12.03 APO12.04 APO12.05 APO12.06 |
| COSO 2017 | Principle 3 Principle 6 Principle 10 Principle 16 Principle 20 |
| CSA CCM 4 | CEK-07 GRC-02 |
| CSA IoT SCF 2 | RSM-01 RSM-02 |
| ENISA 2.0 | SO2 |
| GovRAMP Low | RA-01 |
| GovRAMP Low+ | RA-01 |
| GovRAMP Moderate | RA-01 |
| GovRAMP High | RA-01 |
| IEC TR 60601-4-5 2021 | 4.1 |
| IMO Maritime Cyber Risk Management | 3.5 3.5.1 |
| ISO/SAE 21434 2021 | RQ-06-23 RQ-06-24 RQ-06-25 RQ-06-26 RQ-06-27 RQ-06-28.a RQ-06-28.b RQ-06-29 RQ-06-30.a RQ-06-30.b RQ-06-30.c RQ-06-30.d RQ-06-31 RQ-06-32 |
| ISO 22301 2019 | 8.2 8.2.1 |
| ISO 27001 2022 (source) | 6.1 6.1.1 6.1.1(a) 6.1.1(b) 6.1.1(c) 6.1.1(d) 6.1.1(e)(1) 6.1.1(e)(2) 6.1.2 6.1.2(a) 6.1.2(a)(1) 6.1.2(a)(2) 6.1.2(b) 6.1.2(c) 6.1.2(c)(1) 6.1.2(c)(2) 6.1.2(d) 6.1.2(d)(1) 6.1.2(d)(2) 6.1.2(d)(3) 6.1.2(e) 6.1.2(e)(1) 6.1.2(e)(2) 8.2 |
| ISO 27002 2022 | 7.5 |
| ISO 27017 2015 | 11.1.4 |
| ISO 27701 2025 | 6.1.2 |
| ISO 31000 2009 | 4.1 4.2 4.3 4.4 4.5 4.6 |
| ISO 31010 2009 | 4.1 4.2 4.3.1 4.3.2 5.1 |
| ISO 42001 2023 | 6.1.1 6.1.2 6.1.2(a) 6.1.2(b) 6.1.2(c) 6.1.2(d) 6.1.2(e) 6.1.3 6.1.3(a) 6.1.3(b) 6.1.3(c) 6.1.3(d) 6.1.3(e) 6.1.3(f) 6.1.3(g) 8.2 A.5 |
| MPA Content Security Program 5.1 | OR-2.0 |
| NAIC Insurance Data Security Model Law (MDL-668) | 4.C(5) 4.D(1) 4.D(3) |
| NIST AI 100-1 (AI RMF) 1.0 | GOVERN 1.3 GOVERN 1.4 GOVERN 1.5 MANAGE 1.0 |
| NIST AI 600-1 | GOVERN 1.4 |
| NIST Privacy Framework 1.0 | ID.DE-P1 GV.PO-P6 GV.RM-P1 |
| NIST 800-37 R2 | P-2 |
| NIST 800-39 | 2.1 2.2 2.3 2.4 2.5 2.6 2.7 2.8 |
| NIST 800-53 R4 | PM-9 RA-1 |
| NIST 800-53 R4 (low) | RA-1 |
| NIST 800-53 R4 (moderate) | RA-1 |
| NIST 800-53 R4 (high) | RA-1 |
| NIST 800-53 R5 (source) | PM-9 PM-29 RA-1 |
| NIST 800-53B R5 (privacy) (source) | RA-1 |
| NIST 800-53B R5 (low) (source) | RA-1 |
| NIST 800-53B R5 (moderate) (source) | RA-1 |
| NIST 800-53B R5 (high) (source) | RA-1 |
| NIST 800-53 R5 (NOC) (source) | PM-9 PM-29 |
| NIST 800-82 R3 LOW OT Overlay | RA-1 |
| NIST 800-82 R3 MODERATE OT Overlay | RA-1 |
| NIST 800-82 R3 HIGH OT Overlay | RA-1 |
| NIST 800-160 | 3.3.4 |
| NIST 800-161 R1 | PM-9 PM-29 RA-1 |
| NIST 800-161 R1 C-SCRM Baseline | RA-1 |
| NIST 800-161 R1 Level 1 | PM-9 PM-29 RA-1 |
| NIST 800-161 R1 Level 2 | RA-1 |
| NIST 800-161 R1 Level 3 | RA-1 |
| NIST 800-171 R2 (source) | NFO-RA-1 |
| NIST 800-171 R3 (source) | 03.11.01.a 03.17.01.a |
| NIST 800-171A R3 (source) | A.03.17.03.b |
| NIST CSF 2.0 (source) | GV GV.OV-02 GV.OV-03 GV.RM GV.RM-01 GV.RM-03 GV.RM-04 GV.RM-06 GV.RR-01 GV.SC GV.SC-01 GV.SC-03 GV.SC-05 GV.SC-09 ID ID.IM ID.RA PR PR.IR |
| PCI DSS 4.0.1 (source) | 12.3 |
| SWIFT CSF 2023 | 7.4A |
| TISAX ISA 6 | 1.4.1 |
| SCF CORE Mergers, Acquisitions & Divestitures (MA&D) | RSK-01 |
| SCF CORE ESP Level 1 Foundational | RSK-01 |
| SCF CORE ESP Level 2 Critical Infrastructure | RSK-01 |
| SCF CORE ESP Level 3 Advanced Threats | RSK-01 |
| SCF CORE AI Model Deployment | RSK-01 |
US (36)
| Framework | Mapping Values |
|---|---|
| US C2M2 2.1 | RISK-1.A.MIL1 RISK-1.B.MIL2 RISK-1.C.MIL2 RISK-1.D.MIL2 RISK-1.E.MIL2 RISK-1.F.MIL2 RISK-1.G.MIL3 RISK-1.H.MIL3 RISK-5.A.MIL2 |
| US CERT RMM 1.2 | RISK:SG1.SP2 RISK:SG2.SP1 RISK:SG2.SP2 RISK:SG3.SP1 RISK:SG3.SP2 RISK:SG4.SP1 RISK:SG4.SP2 RISK:SG4.SP3 RISK:SG5.SP1 RISK:SG5.SP2 RISK:SG6.SP1 RISK:SG6.SP2 |
| US CMS MARS-E 2.0 | PM-9 RA-1 |
| US DoD Zero Trust Execution Roadmap | 3.3 |
| US DoD Zero Trust Reference Architecture 2.0 | 8.6 |
| US DHS ZTCF | DEV-05 |
| US FCA CRM | 609.930(a) |
| US FedRAMP R4 | RA-1 |
| US FedRAMP R4 (low) | RA-1 |
| US FedRAMP R4 (moderate) | RA-1 |
| US FedRAMP R4 (high) | RA-1 |
| US FedRAMP R4 (LI-SaaS) | RA-1 |
| US FedRAMP R5 (source) | RA-1 |
| US FedRAMP R5 (low) (source) | RA-1 |
| US FedRAMP R5 (moderate) (source) | RA-1 |
| US FedRAMP R5 (high) (source) | RA-1 |
| US FedRAMP R5 (LI-SaaS) (source) | RA-1 |
| US FFIEC | D1.G.Ov.B.1 D1.G.Ov.B.3 D1.G.Ov.E.1 D1.G.SP.E.1 D1.G.Ov.Int.1 D1.G.Ov.Int.3 D1.G.SP.A.4 |
| US GLBA CFR 314 2023 (source) | 314.4(b) |
| US HIPAA Administrative Simplification 2013 (source) | 164.306(a)(3) 164.306(b)(2)(iv) |
| US HIPAA Security Rule / NIST SP 800-66 R2 (source) | 164.306(a)(3) 164.306(b)(2)(iv) |
| US IRS 1075 | PM-9 RA-1 |
| US NERC CIP 2024 (source) | CIP-013-2 1.1 |
| US NISPOM 2020 | 8-103 8-610 |
| US NNPI (unclass) | 14.1 |
| US SEC Cybersecurity Rule | 17 CFR 229.105(a) 17 CFR 229.106(b)(1) 17 CFR 229.106(b)(1)(i) |
| US SOX | Sec 404 |
| US SSA EIESR 8.0 | 5.6 |
| US - MA 201 CMR 17.00 | 17.03(2)(b) |
| US - NY DFS 23 NYCRR500 2023 Amd 2 | 500.2(b)(1) 500.3(m) 500.9(a) 500.9(b) |
| US - NY SHIELD Act S5575B | 4(2)(b)(ii)(A)(2) 4(2)(b)(ii)(A)(3) 4(2)(b)(ii)(B)(1) 4(2)(b)(ii)(B)(2) 4(2)(b)(ii)(C)(1) |
| US - OR 646A | 622(2)(d)(A)(ii) |
| US - TX DIR Control Standards 2.0 | PM-9 RA-1 |
| US - TX TX-RAMP Level 1 | RA-1 |
| US - TX TX-RAMP Level 2 | RA-1 |
| US - VT Act 171 of 2018 | 2447(b)(2) |
EMEA (23)
| Framework | Mapping Values |
|---|---|
| EMEA EU AI Act | 17.1(g) 8.1 9.1 9.2 9.4 9.5 9.9 |
| EMEA EU EBA GL/2019/04 | 3.2.3(7) 3.3.1(10) 3.3.1(13)(a) 3.3.1(13)(b) 3.3.1(13)(c) 3.3.1(13)(d) 3.3.1(13)(e) 3.3.1(13)(f) 3.3.1(14) |
| EMEA EU DORA | 11.6 6.1 6.10 6.2 6.3 6.4 6.5 6.6 6.7 6.8 6.8(a) 6.8(b) 6.8(c) 6.8(d) 6.8(e) 6.8(f) 6.8(g) 6.8(h) 6.9 |
| EMEA EU GDPR (source) | 32.2 |
| EMEA EU NIS2 | 21.1 21.2(a) 21.2(d) 21.2(f) |
| EMEA EU NIS2 Annex | 2.1.1 2.1.2 2.1.2(a) 2.1.2(c) 2.1.2(d) 6.1.1 6.1.3 6.10.2(d) 7.1 7.3 |
| EMEA Austria | Sec 14 Sec 15 |
| EMEA Belgium | 16 |
| EMEA Germany Banking Supervisory Requirements for IT (BAIT) | 3.1 3.2 3.3 3.4 3.5 3.6 3.7 3.8 3.9 3.10 3.11 12.3 |
| EMEA Germany C5 2020 | OIS-06 |
| EMEA Israel CDMO 1.0 | 1.2 2.1 2.2 |
| EMEA Saudi Arabia CSCC-1 2019 | 1-2 |
| EMEA Saudi Arabia IoT CGIoT-1 2024 | 1-4-1 |
| EMEA Saudi Arabia ECC-1 2018 | 1-5-1 1-5-2 1-5-4 |
| EMEA Saudi Arabia OTCC-1 2022 | 1-3 1-3-1 1-3-1-1 |
| EMEA Saudi Arabia SACS-002 | TPC-31 |
| EMEA Saudi Arabia SAMA CSF 1.0 | 3.2.1 |
| EMEA South Africa | 19 |
| EMEA Spain BOE-A-2022-7191 | 7.1 7.2 |
| EMEA Spain 311/2022 | 7.1 7.2 |
| EMEA UK CAF 4.0 | A2 A2.a |
| EMEA UK CAP 1850 | A2 |
| EMEA UK DEFSTAN 05-138 | 1200 1201 1204 |
APAC (8)
| Framework | Mapping Values |
|---|---|
| APAC Australia ISM June 2024 | ISM-0726 |
| APAC Australia Prudential Standard CPS230 | 12(a) 12(c) 13 16(a) 16(b) 16(c) 16(d) 16(e) 16(f) 17 18 19(a) 19(b) 19(c) 19(d) 19(e) |
| APAC India SEBI CSCRF | GV.RM.S1 |
| APAC Japan ISMAP | 4.4.6 4.4.6.1 4.4.7 11.1.4 |
| APAC New Zealand HISF 2022 | HHSP30 HML30 HSUP26 |
| APAC New Zealand HISF Suppliers 2023 | HSUP26 |
| APAC New Zealand NZISM 3.6 | 5.1.9.C.01 5.3.6.C.01 5.3.7.C.01 5.3.8.C.01 5.3.9.C.01 |
| APAC Singapore MAS TRM 2021 | 4.1.1 4.1.2 4.1.5 |
Americas (4)
| Framework | Mapping Values |
|---|---|
| Americas Bermuda BMACCC | 5.3 5.8 |
| Americas Canada CSAG | 1.3 6.4 6.8 6.16 6.24 |
| Americas Canada OSFI B-13 | 1.3 1.3.1 1.3.2 3.1.1 |
| Americas Canada ITSP-10-171 | 03.11.01.A 03.17.01.A |
Capability Maturity Model
Level 0 — Not Performed
There is no evidence of a capability to facilitate the implementation of strategic, operational and tactical risk management controls.
Level 1 — Performed Informally
Risk Management efforts are ad hoc and inconsistent. CMM Level 1 control maturity would reasonably expect all, or at least most, the following criteria to exist:
- IT personnel use an informal process to identify, assess, remediate and report on risk.
- Data/process owners are expected to self-manage risks associated with their systems, applications, services and data, based on the organization's published policies and standards, including the identification, remediation and reporting of risks.
- Risk management processes (e.g., risk assessments) focus on protecting High Value Assets (HVAs), including environments where sensitive/regulated data is stored, transmitted and processed.
Level 2 — Planned & Tracked
Risk Management efforts are requirements-driven and governed at a local/regional level, but are not consistent across the organization. CMM Level 2 control maturity would reasonably expect all, or at least most, the following criteria to exist: o Identify cybersecurity and data protection controls to address applicable statutory, regulatory and contractual requirements for risk management. o Implement and maintain a form of Risk Management Program (RMP) that provides operational guidance on how risk is identified, assessed, remediated and reported.
- Risk management is decentralized (e.g., a localized/regionalized function) and uses non-standardized methods to implement secure, resilient and compliant practices.
- Data/process owners are expected to self-manage risks associated with their systems, applications, services and data, based on the organization's published policies and standards, including the identification, remediation and reporting of risks.
- Data/process owners work with IT/cybersecurity personnel and Data Protection Officers (DPOs) to ensure applicable statutory, regulatory and contractual obligations are properly addressed, including the storage, transmission and processing of sensitive/regulated data.
- IT/cybersecurity personnel:
- Risk management processes (e.g., risk assessments) and technologies focus on protecting High Value Assets (HVAs), including environments where sensitive/regulated data is stored, transmitted and processed.
Level 3 — Well Defined
Risk Management efforts are standardized across the organization and centrally managed, where technically feasible, to ensure consistency. CMM Level 3 control maturity would reasonably expect all, or at least most, the following criteria to exist: o Analyzes the organization's business strategy to determine prioritized and authoritative guidance for Risk Management (RM) practices. o Develops a security-focused Concept of Operations (CONOPS) that documents management, operational and technical measures to apply defense-in-depth techniques across the enterprise for RM. o Provides governance oversight for the implementation of applicable statutory, regulatory and contractual cybersecurity and data protection controls to protect the confidentiality, integrity, availability and safety of the organization's applications, systems, services and data with regards to RM. o Maintains a common taxonomy of risk-relevant terminology to minimize assumptions and misunderstandings. o Enables data/process owners to conduct annual risk assessment of their operations that includes the likelihood and magnitude of harm, from unauthorized access, use, disclosure, disruption, modification or destruction of the organization's systems and data. o Assists users in making informed risk decisions to ensure data and processes are appropriately protected. o Enables the documentation of risk assessments, risk response and risk monitoring to support statutory, regulatory and contractual obligations for risk management practices. o Maintains a centralized risk register to reflect an active recording and disposition of identified risks. The risk register identifies and assigns a risk ranking to vulnerabilities and risks that is based on industry-recognized practices and facilitates monitoring and reporting of those risks. o Governs supply chain risks associated with the development, acquisition, maintenance and disposal of systems, system components and services.
- A formal Risk Management Program (RMP) provides enterprise-wide guidance on how risk is to be identified, framed (e.g., risk appetite, risk tolerance, risk thresholds, etc.) assessed, mitigated/remediated and reported.
- Criteria to define materiality for risk management decisions is defined.
- A steering committee is formally established to provide executive oversight of the cybersecurity and data privacy program, including appropriately resourcing risk management operations.
- A formally-documented Cybersecurity Supply Chain Risk Management (C-SCRM) plan exists to identify, assess and mitigate supply chain-related risks and threats;
- The Chief Information Security Officer (CISO), or similar function with technical competence to address cybersecurity concerns,
- A Governance, Risk & Compliance (GRC) function, or similar function:
- An IT Asset Management (ITAM) function, or similar function, categorizes assets according to the data the asset stores, transmits and/ or processes, applying the appropriate technology controls to protect the asset and data.
Level 4 — Quantitatively Controlled
Risk Management efforts are metrics driven and provide sufficient management insight (based on a quantitative understanding of process capabilities) to predict optimal performance, ensure continued operations and identify areas for improvement. In addition to CMM Level 3 criteria, CMM Level 4 control maturity would reasonably expect all, or at least most, the following criteria to exist:
- Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).
- Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).
- Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.
- Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).
- Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.
- Both business and technical stakeholders are involved in reviewing and approving proposed changes.
Level 5 — Continuously Improving
See C|P-CMM4. There are no defined C|P-CMM5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to facilitate the implementation of strategic, operational and tactical risk management controls.
Assessment Objectives
- RSK-01_A01 a comprehensive strategy is developed to manage cybersecurity / data privacy risk to organizational operations and assets, individuals and other organizations associated with the operation and use of organizational systems.
- RSK-01_A02 the risk management strategy is implemented consistently across the organization.
- RSK-01_A03 a senior organizational position for Risk Management aligns cybersecurity / data privacy management processes with strategic, operational and budgetary planning processes.
- RSK-01_A04 for existing facilities, physical and environmental hazards are considered in the organizational risk management strategy.
- RSK-01_A05 the frequency at which to review / update the risk management strategy is defined.
- RSK-01_A06 the risk management strategy is reviewed / updated per an organization-defined frequency or as required to address organizational changes.
- RSK-01_A07 a senior organizational position for Risk Management is appointed.
- RSK-01_A08 a risk executive function is established.
- RSK-01_A09 a risk executive function views and analyzes risk from an organization-wide perspective.
- RSK-01_A10 a risk executive function ensures that the management of risk is consistent across the organization.
- RSK-01_A11 organization-defined security requirements are enforced to protect against supply chain risks to the system, system components, or system services and to limit the harm or consequences of supply chain-related events.
- RSK-01_A12 the following security requirements are enforced to protect against supply chain risks to the system, system components, or system services and to limit the harm or consequences of supply chain-related events: <A.03.17.03.ODP[01]: security requirements>.
- RSK-01_A13 risk management operations are conducted according to documented policies, standards, procedures and/or other organizational directives.
- RSK-01_A14 adequate resources (e.g., people, processes, technologies, data and/or facilities) are provided to support risk management operations.
- RSK-01_A15 responsibility and authority for the performance of risk management-related activities are assigned to designated personnel.
- RSK-01_A16 personnel performing risk management-related activities have the skills and knowledge needed to perform their assigned duties.
Evidence Requirements
- E-RSK-01 Risk Management Program (RMP)
-
Documented evidence of a Risk Management Program (RMP). This is program-level documentation in the form of a runbook, playbook or a similar format provides guidance on organizational practices that support existing policies and standards.
Risk Management
Technology Recommendations
Micro/Small
- Risk Management Program (RMP)
Small
- Risk Management Program (RMP)
Medium
- Risk Management Program (RMP)
Large
- Risk Management Program (RMP)
Enterprise
- Risk Management Program (RMP)