RSK-04: Risk Assessment
Mechanisms exist to conduct recurring assessments of risk that includes the likelihood and magnitude of harm, from unauthorized access, use, disclosure, disruption, modification or destruction of the organization's Technology Assets, Applications, Services and/or Data (TAASD).
Control Question: Does the organization conduct recurring assessments of risk that includes the likelihood and magnitude of harm, from unauthorized access, use, disclosure, disruption, modification or destruction of its Technology Assets, Applications, Services and/or Data (TAASD)?
General (66)
| Framework | Mapping Values |
|---|---|
| AICPA TSC 2017:2022 (used for SOC 2) (source) | A1.2 CC3.1-POF16 CC3.2-POF1 CC3.2-POF2 CC3.2-POF3 CC3.2-POF6 CC3.2-POF8 CC3.2-POF9 CC3.4-POF1 CC3.4-POF2 CC3.4-POF3 CC3.4-POF4 CC3.4-POF5 CC7.3 |
| COBIT 2019 | APO12.02 |
| COSO 2017 | Principle 7 Principle 11 |
| CSA CCM 4 | CEK-07 |
| CSA IoT SCF 2 | RSM-01 |
| ENISA 2.0 | SO2 |
| Generally Accepted Privacy Principles (GAPP) | 1.2.4 |
| GovRAMP Low | RA-03 |
| GovRAMP Low+ | RA-03 |
| GovRAMP Moderate | RA-03 |
| GovRAMP High | RA-03 |
| IEC TR 60601-4-5 2021 | 4.6.2 |
| IMO Maritime Cyber Risk Management | 3.5.2 3.5.2.3 |
| ISO/SAE 21434 2021 | RQ-06-23 RQ-06-24 RQ-06-25 RQ-06-26 RQ-06-27 RQ-06-28.a RQ-06-28.b RQ-06-29 RQ-06-30.a RQ-06-30.b RQ-06-30.c RQ-06-30.d RQ-06-31 RQ-06-32 |
| ISO 22301 2019 | 8.2.3 |
| ISO 27001 2022 (source) | 6.1.2(d) 6.1.2(d)(1) 6.1.2(d)(2) 6.1.2(d)(3) 6.1.2(e) 6.1.2(e)(1) 6.1.2(e)(2) 8.2 |
| ISO 27002 2022 | 5.8 7.5 |
| ISO 27017 2015 | 11.1.4 |
| ISO 27701 2025 | 6.1.2(e) |
| ISO 31000 2009 | 5.4 |
| ISO 31010 2009 | 4.3.4 5.3.1 5.3.4 5.3.5 5.3.6 5.4 5.5 6.7 |
| ISO 42001 2023 | 6.1.2 6.1.2(a) 6.1.2(b) 6.1.2(c) 6.1.2(d) 6.1.2(d)(1) 6.1.2(d)(2) 6.1.2(d)(3) 6.1.2(e) 6.1.2(e)(1) 6.1.2(e)(2) 8.2 A.5.3 A.5.4 A.5.5 |
| MPA Content Security Program 5.1 | OR-2.0 |
| NIST AI 100-1 (AI RMF) 1.0 | GOVERN 1.5 MANAGE 1.0 |
| NIST Privacy Framework 1.0 | ID.DE-P1 ID.DE-P5 GV.MT-P1 |
| NIST 800-37 R2 | P-3 P-14 R-2 |
| NIST 800-39 | 3.2 |
| NIST 800-53 R4 | RA-3 |
| NIST 800-53 R4 (low) | RA-3 |
| NIST 800-53 R4 (moderate) | RA-3 |
| NIST 800-53 R4 (high) | RA-3 |
| NIST 800-53 R5 (source) | RA-3 |
| NIST 800-53B R5 (privacy) (source) | RA-3 |
| NIST 800-53B R5 (low) (source) | RA-3 |
| NIST 800-53B R5 (moderate) (source) | RA-3 |
| NIST 800-53B R5 (high) (source) | RA-3 |
| NIST 800-82 R3 LOW OT Overlay | RA-3 |
| NIST 800-82 R3 MODERATE OT Overlay | RA-3 |
| NIST 800-82 R3 HIGH OT Overlay | RA-3 |
| NIST 800-161 R1 | RA-3 |
| NIST 800-161 R1 C-SCRM Baseline | RA-3 |
| NIST 800-161 R1 Level 1 | RA-3 |
| NIST 800-161 R1 Level 2 | RA-3 |
| NIST 800-161 R1 Level 3 | RA-3 |
| NIST 800-171 R2 (source) | 3.11.1 |
| NIST 800-171A (source) | 3.11.1[a] 3.11.1[b] |
| NIST 800-171 R3 (source) | 03.11.01.a |
| NIST 800-171A R3 (source) | A.03.11.01.a A.03.11.01.b |
| NIST 800-172 | 3.11.1e 3.11.5e |
| NIST CSF 2.0 (source) | GV.RM-06 ID ID.RA-01 ID.RA-05 |
| PCI DSS 4.0.1 (source) | 12.3 12.3.1 12.3.2 |
| PCI DSS 4.0.1 SAQ A-EP (source) | 12.3.1 |
| PCI DSS 4.0.1 SAQ C (source) | 12.3.1 |
| PCI DSS 4.0.1 SAQ D Merchant (source) | 12.3.1 12.3.2 |
| PCI DSS 4.0.1 SAQ D Service Provider (source) | 12.3.1 |
| SWIFT CSF 2023 | 7.4A |
| TISAX ISA 6 | 1.4.1 |
| UL 2900-1 2017 | 5.1 |
| UN R155 | 7.3.3 |
| UN ECE WP.29 | 7.3.3 |
| SCF CORE Fundamentals | RSK-04 |
| SCF CORE Mergers, Acquisitions & Divestitures (MA&D) | RSK-04 |
| SCF CORE ESP Level 1 Foundational | RSK-04 |
| SCF CORE ESP Level 2 Critical Infrastructure | RSK-04 |
| SCF CORE ESP Level 3 Advanced Threats | RSK-04 |
| SCF CORE AI Model Deployment | RSK-04 |
US (38)
| Framework | Mapping Values |
|---|---|
| US C2M2 2.1 | RISK-2.G.MIL2 RISK-3.A.MIL1 |
| US CERT RMM 1.2 | RISK:SG2.SP1 RISK:SG2.SP2 RISK:SG3.SP1 RISK:SG3.SP2 RISK:SG4.SP1 RISK:SG4.SP2 RISK:SG4.SP3 RISK:SG5.SP1 RISK:SG5.SP2 |
| US CMMC 2.0 Level 2 (source) | RA.L2-3.11.1 |
| US CMMC 2.0 Level 3 (source) | RA.L2-3.11.1 RA.L3-3.11.1E RA.L3-3.11.5E |
| US CMS MARS-E 2.0 | RA-3 |
| US DHS ZTCF | DEV-05 |
| US FCA CRM | 609.930(a) 609.930(c)(1) |
| US FedRAMP R4 | RA-3 |
| US FedRAMP R4 (low) | RA-3 |
| US FedRAMP R4 (moderate) | RA-3 |
| US FedRAMP R4 (high) | RA-3 |
| US FedRAMP R4 (LI-SaaS) | RA-3 |
| US FedRAMP R5 (source) | RA-3 |
| US FedRAMP R5 (low) (source) | RA-3 |
| US FedRAMP R5 (moderate) (source) | RA-3 |
| US FedRAMP R5 (high) (source) | RA-3 |
| US FedRAMP R5 (LI-SaaS) (source) | RA-3 |
| US FFIEC | D1.RM.RA.B.1 D1.RM.RA.E.2 D1.RM.RA.E.1 |
| US GLBA CFR 314 2023 (source) | 314.4(b) 314.4(b)(1) 314.4(b)(1)(i) 314.4(b)(1)(ii) 314.4(b)(1)(iii) |
| US HIPAA Administrative Simplification 2013 (source) | 164.306(b)(2)(iv) 164.308(a)(1)(ii)(A) |
| US HIPAA Security Rule / NIST SP 800-66 R2 (source) | 164.306(b)(2)(iv) 164.308(a)(1)(ii)(A) |
| US HIPAA HICP Medium Practice | 7.M.C |
| US HIPAA HICP Large Practice | 7.M.C 9.L.A |
| US IRS 1075 | RA-3 |
| US NERC CIP 2024 (source) | CIP-004-7 R3 |
| US NISPOM 2020 | 8-402 |
| US NNPI (unclass) | 14.1 |
| US SEC Cybersecurity Rule | 17 CFR 229.106(a) 17 CFR 229.106(b)(1) 17 CFR 229.106(b)(1)(i) |
| US SSA EIESR 8.0 | 5.6 |
| US - CA CCPA 2025 | 7152(a) 7155(a) |
| US - MA 201 CMR 17.00 | 17.03(2)(b) |
| US - NV NOGE Reg 5 | 5.260.3 |
| US - NY DFS 23 NYCRR500 2023 Amd 2 | 500.2(b)(1) 500.9(a) 500.9(b) 500.9(b)(1) 500.9(b)(2) |
| US - NY SHIELD Act S5575B | 4(2)(b)(ii)(A)(2) 4(2)(b)(ii)(A)(3) 4(2)(b)(ii)(B)(1) 4(2)(b)(ii)(B)(2) 4(2)(b)(ii)(C)(1) |
| US - OR 646A | 622(b)(A)(ii) |
| US - TX DIR Control Standards 2.0 | RA-3 |
| US - TX TX-RAMP Level 1 | RA-3 |
| US - TX TX-RAMP Level 2 | RA-3 |
EMEA (20)
| Framework | Mapping Values |
|---|---|
| EMEA EU AI Act | 9.2(c) |
| EMEA EU EBA GL/2019/04 | 3.3.1(10) 3.3.1(13)(b) 3.3.3(20) 3.7.2(82) |
| EMEA EU DORA | 8.3 8.7 |
| EMEA EU NIS2 | 21.1 |
| EMEA EU NIS2 Annex | 2.1.1 2.1.2 2.1.2(e) 2.1.2(f) 2.1.3 6.1.1 |
| EMEA Germany Banking Supervisory Requirements for IT (BAIT) | 3.10 |
| EMEA Germany C5 2020 | OIS-07 SP-03 |
| EMEA Israel CDMO 1.0 | 1.2 2.2 |
| EMEA Saudi Arabia CSCC-1 2019 | 1-2-1-1 |
| EMEA Saudi Arabia IoT CGIoT-1 2024 | 1-4-1 1-4-4 |
| EMEA Saudi Arabia ECC-1 2018 | 1-5-3 |
| EMEA Saudi Arabia OTCC-1 2022 | 1-3-1-2 |
| EMEA Saudi Arabia SACS-002 | TPC-31 |
| EMEA Saudi Arabia SAMA CSF 1.0 | 3.2.1.2 |
| EMEA South Africa | 19 |
| EMEA Spain BOE-A-2022-7191 | 14.1 14.2 3.2 |
| EMEA Spain 311/2022 | 14.1 14.2 3.2 |
| EMEA Spain CCN-STIC 825 | 7.1.1 [OP.PL.1] |
| EMEA UK CAP 1850 | A2 |
| EMEA UK DEFSTAN 05-138 | 1200 1202 1204 |
APAC (7)
| Framework | Mapping Values |
|---|---|
| APAC Australia Prudential Standard CPS230 | 27(a) 27(b) 27(c) 28 |
| APAC India SEBI CSCRF | ID.RA.S1 ID.RA.S2 |
| APAC Japan ISMAP | 4.4.7 4.4.7.1 4.4.7.3 4.4.7.4 4.5.5 4.5.5.1 4.6 4.6.1 11.1.4 |
| APAC New Zealand HISF 2022 | HHSP32 HML32 HSUP28 |
| APAC New Zealand HISF Suppliers 2023 | HSUP28 |
| APAC New Zealand NZISM 3.6 | 2.3.27.C.01 2.3.27.C.02 5.9.23.C.01 23.2.16.C.02 |
| APAC Singapore MAS TRM 2021 | 4.1.4(b) 4.3.2 |
Americas (4)
| Framework | Mapping Values |
|---|---|
| Americas Bermuda BMACCC | 5.5 |
| Americas Canada CSAG | 2.1 6.8 |
| Americas Canada OSFI B-13 | 1.3 3.1.1 |
| Americas Canada ITSP-10-171 | 03.11.01.A |
Capability Maturity Model
Level 0 — Not Performed
There is no evidence of a capability to conduct recurring assessments of risk that includes the likelihood and magnitude of harm, from unauthorized access, use, disclosure, disruption, modification or destruction of its Technology Assets, Applications, Services and/or Data (TAASD).
Level 1 — Performed Informally
Risk Management efforts are ad hoc and inconsistent. CMM Level 1 control maturity would reasonably expect all, or at least most, the following criteria to exist:
- IT personnel use an informal process to identify, assess, remediate and report on risk.
- Data/process owners are expected to self-manage risks associated with their systems, applications, services and data, based on the organization's published policies and standards, including the identification, remediation and reporting of risks.
- Risk management processes (e.g., risk assessments) focus on protecting High Value Assets (HVAs), including environments where sensitive/regulated data is stored, transmitted and processed.
Level 2 — Planned & Tracked
Risk Management efforts are requirements-driven and governed at a local/regional level, but are not consistent across the organization. CMM Level 2 control maturity would reasonably expect all, or at least most, the following criteria to exist: o Identify cybersecurity and data protection controls to address applicable statutory, regulatory and contractual requirements for risk management. o Implement and maintain a form of Risk Management Program (RMP) that provides operational guidance on how risk is identified, assessed, remediated and reported.
- Risk management is decentralized (e.g., a localized/regionalized function) and uses non-standardized methods to implement secure, resilient and compliant practices.
- Data/process owners are expected to self-manage risks associated with their systems, applications, services and data, based on the organization's published policies and standards, including the identification, remediation and reporting of risks.
- Data/process owners work with IT/cybersecurity personnel and Data Protection Officers (DPOs) to ensure applicable statutory, regulatory and contractual obligations are properly addressed, including the storage, transmission and processing of sensitive/regulated data.
- IT/cybersecurity personnel:
- Risk management processes (e.g., risk assessments) and technologies focus on protecting High Value Assets (HVAs), including environments where sensitive/regulated data is stored, transmitted and processed.
Level 3 — Well Defined
Risk Management efforts are standardized across the organization and centrally managed, where technically feasible, to ensure consistency. CMM Level 3 control maturity would reasonably expect all, or at least most, the following criteria to exist: o Analyzes the organization's business strategy to determine prioritized and authoritative guidance for Risk Management (RM) practices. o Develops a security-focused Concept of Operations (CONOPS) that documents management, operational and technical measures to apply defense-in-depth techniques across the enterprise for RM. o Provides governance oversight for the implementation of applicable statutory, regulatory and contractual cybersecurity and data protection controls to protect the confidentiality, integrity, availability and safety of the organization's applications, systems, services and data with regards to RM. o Maintains a common taxonomy of risk-relevant terminology to minimize assumptions and misunderstandings. o Enables data/process owners to conduct annual risk assessment of their operations that includes the likelihood and magnitude of harm, from unauthorized access, use, disclosure, disruption, modification or destruction of the organization's Technology Assets, Applications, Services and/or Data (TAASD). o Assists users in making informed risk decisions to ensure data and processes are appropriately protected. o Enables the documentation of risk assessments, risk response and risk monitoring to support statutory, regulatory and contractual obligations for risk management practices. o Maintains a centralized risk register to reflect an active recording and disposition of identified risks. The risk register identifies and assigns a risk ranking to vulnerabilities and risks that is based on industry-recognized practices and facilitates monitoring and reporting of those risks. o Governs supply chain risks associated with the development, acquisition, maintenance and disposal of systems, system components and services.
- A formal Risk Management Program (RMP) provides enterprise-wide guidance on how risk is to be identified, framed (e.g., risk appetite, risk tolerance, risk thresholds, etc.) assessed, mitigated/remediated and reported.
- Criteria to define materiality for risk management decisions is defined.
- A steering committee is formally established to provide executive oversight of the cybersecurity and data privacy program, including appropriately resourcing risk management operations.
- A formally-documented Cybersecurity Supply Chain Risk Management (C-SCRM) plan exists to identify, assess and mitigate supply chain-related risks and threats;
- The Chief Information Security Officer (CISO), or similar function with technical competence to address cybersecurity concerns,
- A Governance, Risk & Compliance (GRC) function, or similar function:
- An IT Asset Management (ITAM) function, or similar function, categorizes assets according to the data the asset stores, transmits and/ or processes, applying the appropriate technology controls to protect the asset and data.
Level 4 — Quantitatively Controlled
Risk Management efforts are metrics driven and provide sufficient management insight (based on a quantitative understanding of process capabilities) to predict optimal performance, ensure continued operations and identify areas for improvement. In addition to CMM Level 3 criteria, CMM Level 4 control maturity would reasonably expect all, or at least most, the following criteria to exist:
- Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).
- Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).
- Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.
- Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).
- Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.
- Both business and technical stakeholders are involved in reviewing and approving proposed changes.
Level 5 — Continuously Improving
See C|P-CMM4. There are no defined C|P-CMM5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to conduct recurring assessments of risk that includes the likelihood and magnitude of harm, from unauthorized access, use, disclosure, disruption, modification or destruction of its Technology Assets, Applications, Services and/or Data (TAASD).
Assessment Objectives
- RSK-04_A01 the frequency to assess risk to organizational operations, organizational assets and individuals is defined.
- RSK-04_A02 a document in which risk assessment results are to be documented (if not documented in the cybersecurity / data privacy plans or risk assessment report) is defined.
- RSK-04_A03 a risk assessment is conducted to determine the likelihood and magnitude of harm from unauthorized access, use, disclosure, disruption, modification or destruction of the system. the information it processes, stores or transmits. and any related information.
- RSK-04_A04 personnel or roles to whom risk assessment results are to be disseminated is/are defined.
- RSK-04_A05 risk assessment results are disseminated to personnel or roles.
- RSK-04_A06 the frequency to update the risk assessment is defined.
- RSK-04_A07 the frequency to review risk assessment results is defined.
- RSK-04_A08 a risk assessment is conducted to identify threats to and vulnerabilities in the system.
- RSK-04_A09 security solutions are identified.
- RSK-04_A10 current and accumulated threat intelligence is identified.
- RSK-04_A11 Anticipated risk to organizational systems and the organization based on current and accumulated threat intelligence is identified.
- RSK-04_A12 the effectiveness of security solutions is assessed frequency to address anticipated risk to organizational systems and the organization based on current and accumulated threat intelligence.
- RSK-04_A13 a risk assessment is conducted to determine the likelihood and impact of adverse effects on individuals arising from the processing of Personal Data (PD).
- RSK-04_A14 risk assessment results and risk management decisions from the organization and mission or business process perspectives are integrated with system-level risk assessments.
- RSK-04_A15 risk assessment results are documented per organization-defined criteria.
- RSK-04_A16 risk assessment results are reviewed frequently.
- RSK-04_A17 the risk assessment is updated frequently or when there are significant changes to the system, its environment of operation or other conditions that may impact the cybersecurity / data privacy state of the system.
- RSK-04_A18 risk to organizational operations, organizational assets and individuals resulting from the operation of an organizational system that processes, stores or transmits sensitive / regulated data is assessed with the defined frequency.
- RSK-04_A19 the risk (including supply chain risk) of unauthorized disclosure resulting from the processing, storage, or transmission of sensitive / regulated data is assessed.
- RSK-04_A20 risk assessments are updated per an organization-defined frequency.
- RSK-04_A21 the risk (including supply chain risk) of unauthorized disclosure resulting from the processing, storage, or transmission of CUI is assessed.
- RSK-04_A22 risk assessments are updated <A.03.11.01.ODP[01]: frequency>.
Evidence Requirements
- E-RSK-04 Cybersecurity Risk Assessment (RA)
-
Documented evidence of a cybersecurity-specific risk assessment.
Risk Management
Technology Recommendations
Micro/Small
- Risk Management Program (RMP)
- Risk assessment
- Business Impact Analysis (BIA)
- Data Protection Impact Assessment (DPIA)
Small
- Risk Management Program (RMP)
- Risk assessment
- Business Impact Analysis (BIA)
- Data Protection Impact Assessment (DPIA)
Medium
- Risk Management Program (RMP)
- Risk assessment
- Business Impact Analysis (BIA)
- Data Protection Impact Assessment (DPIA)
Large
- Risk Management Program (RMP)
- Risk assessment
- Business Impact Analysis (BIA)
- Data Protection Impact Assessment (DPIA)
Enterprise
- Risk Management Program (RMP)
- Risk assessment
- Business Impact Analysis (BIA)
- Data Protection Impact Assessment (DPIA)