GRM-10: Risk Assessments

Control Family:

CSF v1.1 References:

ID.RA-1
ID.RA-3
ID.RA-4
ID.RA-5
ID.SC-2
PR.IP-12
RS.MI-3

PF v1.0 References:

ID.RA-P4
ID.DE-P2
PR.PO-P10

Control Statement

Aligned with the enterprise-wide framework, formal risk assessments shall be performed at least annually or at planned intervals, (and in conjunction with any changes to information systems) to determine the likelihood and impact of all identified risks using qualitative and quantitative methods. The likelihood and impact associated with inherent and residual risk shall be determined independently, considering all risk categories (e.g., audit results, threat and vulnerability analysis, and regulatory compliance).

Control Statement

Related Controls

NIST Special Publication 800-53 Revision 5

NIST Special Publication 800-53 Revision 4