RA-07 Risk Response

Risk Assessment

Baselines: Low, Moderate, High, Privacy (new in Rev 5)

Description

Respond to findings from security and privacy assessments, monitoring, and audits in accordance with organizational risk tolerance.

Supplemental Guidance

Organizations have many options for responding to risk including mitigating risk by implementing new controls or strengthening existing controls, accepting risk with appropriate justification or rationale, sharing or transferring risk, or avoiding risk. The risk tolerance of the organization influences risk response decisions and actions. Risk response addresses the need to determine an appropriate response to risk before generating a plan of action and milestones entry. For example, the response may be to accept risk or reject risk, or it may be possible to mitigate the risk immediately so that a plan of action and milestones entry is not needed. However, if the risk response is to mitigate the risk, and the mitigation cannot be completed immediately, a plan of action and milestones entry is generated.

Changes from Rev 4

New control in Rev 5.

Compliance Mappings

ISO 27001:2022

10.26.16.1.38.3

ISO 27002:2022

5.7

COBIT 2019

APO12EDM03

NIST CSF 2.0

GV.RM-04, GV.SC-07, ID.RA-05, ID.RA-06, ID.RA-07

SOC 2 TSC

CC3.2, CC9.1

PCI DSS v4.0.1

12.3

CSA CCM v4

AA-03, AA-06, CEK-07

CSA AICM v1

A&A-03, A&A-06, CEK-07

FINOS CCC

CCC-C10

ISO 42001:2023

A.5.2, A.5.3

IEC 62443

2-1 4.3, 2-1 4.4

NIS2 Directive

Art. 21(2)(a)

MAS TRM

4

APRA CPS 234

Para 15, Para 19-20, Para 26

ANSSI

Hygiene.31, Hygiene.36, Hygiene.41, RGS.3.1, SecNumCloud.13.6, SecNumCloud.7.2

FINMA Circular 2023/1

IV.A(38), IV.A(40), IV.A(42), IV.B.b(52), IV.B.c(53), IV.B.c(54), IV.B.c(55), IV.B.c(56), IV.B.d(58), V(101), V(107)

OSFI B-13

B-13.1.3, B-13.1.4, B-13.2.4, B-13.3.1

EU GDPR

Art.32(1), Art.32(2)

EU DORA

Art.6(1), Art.6(2), Art.6(5)

BIO2

5.7

RBI CSF

ITGRCA.22, ITGRCA.25

FISC Security Guidelines

FISC.O1, FISC.O12

LGPD + BCB 4893

BCB.Art.3-Supp

HKMA TM-E-1

TME1.2.3

DNB Good Practice

DNB.10.2, DNB.19.2, DNB.4.2, DNB.4.3

SAMA CSF

1.83.5

NCA ECC

1-52-10

UAE IA

T2

CBB TM

TM-11, TM-4

Qatar NIA

OSRM

CBUAE

CR-2

CBE CSF

CRM-1

SA JS2

JS2-6.2

CBN CSF

Part2.1, Part2.2

BoG CISD

CISD-III

POPIA

s19

BoM CTRM

1.42.15.3

IOSCO Cyber Resilience

GOV-3, ID-3, PFMI-3

BCBS 239

Principle 13, Principle 6

CPMI-IOSCO PFMI

CG.LE, PFMI.P3

FFIEC IS

II.A, II.A.2, II.B, II.D

NYDFS 500

500.5, 500.9

HIPAA Security Rule

§164.308(a)(1)(ii)(A), §164.308(a)(1)(ii)(B)

ECB CROE

CROE.2.2.1, CROE.2.8.1, CROE.2.8.2

EBA ICT Guidelines

3.3.3, 3.3.4, 3.3.5

SEBI CSCRF

DE.VA, GV.RM, ID.RA, VAPT

BOT Cyber Resilience

Ch1.2

CMMC 2.0

RA

10 CFR 73.54

RG5.71-C-PL, 73.54(d)

TSA Pipeline SD

SD-1 Sec 4

DOE C2M2 v2.1

THREAT, RISK

API 1164

Sec 4

AWIA

Sec 2013(a)

IAEA NSS 17-T

Sec 4

FIPS 140-3

FIPS 140-3 §7.12

CBEST

CBEST.6

TIBER-EU

TIBER.CONF, TIBER.REM

Solvency II

Art.44(1), Art.44(2), Art.45, DR.260, EIOPA-ICT-4.2

Lloyd's Minimum Standards

MS10.1, MS10.2, MS8.11

NAIC Insurance Data Security

4-monitoring, 4A, 4E

PRA SS1/23

P4.5, P5.1

FCA SYSC 13

SYSC 13.5.2, SYSC 13.5.3, SYSC 13.8.4, SYSC 13.8.5, SYSC 13.G.2

HITRUST CSF v11

00.b, 03.a, 03.b

FDA 21 CFR Part 11

§11.2

FDA Cybersecurity Guidance

CRA-3, INC-2, MON-2, SPDF-2, TM-3, TR-2, VR-1, VR-2

MiCA

Art.34(5), Art.35(1), Art.62(1)

Basel SCO60

SCO60.4, SCO60.5, SCO60.50, SCO60.85

BSSC Standards

GSP-02