RA-7: Risk Response

Control family: Risk Assessment (RA)
Baselines
Low · Included
Moderate · Included
High · Included
Description

Respond to findings from security and privacy assessments, monitoring, and audits in accordance with organizational risk tolerance.

Discussion

Organizations have many options for responding to risk including mitigating risk by implementing new controls or strengthening existing controls, accepting risk with appropriate justification or rationale, sharing or transferring risk, or avoiding risk. The risk tolerance of the organization influences risk response decisions and actions. Risk response addresses the need to determine an appropriate response to risk before generating a plan of action and milestones entry. For example, the response may be to accept risk or reject risk, or it may be possible to mitigate the risk immediately so that a plan of action and milestones entry is not needed. However, if the risk response is to mitigate the risk, and the mitigation cannot be completed immediately, a plan of action and milestones entry is generated.

Implementation guidance

No content available.

CSF 2.0 crosswalk
CSF 2.0 ID | Outcome | Function
GV.OC-05 | Outcomes, capabilities, and services that the organization depends on are understood and communicated | Govern
GV.OV-01 | Cybersecurity risk management strategy outcomes are reviewed to inform and adjust strategy and direction | Govern
GV.OV-02 | The cybersecurity risk management strategy is reviewed and adjusted to ensure coverage of organizational requirements and risks | Govern
GV.OV-03 | Organizational cybersecurity risk management performance is evaluated and reviewed for adjustments needed | Govern
GV.RM-01 | Risk management objectives are established and agreed to by organizational stakeholders | Govern
GV.RM-03 | Cybersecurity risk management activities and outcomes are included in enterprise risk management processes | Govern
GV.SC-03 | Cybersecurity supply chain risk management is integrated into cybersecurity and enterprise risk management, risk assessment, and improvement processes | Govern
GV.SC-09 | Supply chain security practices are integrated into cybersecurity and enterprise risk management programs, and their performance is monitored throughout the technology product and service life cycle | Govern
GV.SC-10 | Cybersecurity supply chain risk management plans include provisions for activities that occur after the conclusion of a partnership or service agreement | Govern
ID.IM-01 | Improvements are identified from evaluations | Identify
ID.IM-02 | (outcome text not available on this page) | Identify
ID.IM-03 | Improvements are identified from execution of operational processes, procedures, and activities | Identify
ID.RA-05 | Threats, vulnerabilities, likelihoods, and impacts are used to understand inherent risk and inform risk response prioritization | Identify
ID.RA-06 | Risk responses are chosen, prioritized, planned, tracked, and communicated | Identify
RS.AN-08 | An incident's magnitude is estimated and validated | Respond