Risk Assessment
Understand cybersecurity risks to operations and assets.
9 of 9 frameworks cover this control
Framework Mappings
How Risk Assessment maps to each of the 9 cybersecurity frameworks tracked by ControlMap.
| Framework | Status | Control IDs |
|---|---|---|
| NIST CSF 2.0 | Covered | ID.RA-01 ID.RA-02 |
| ISO 27001 | Covered | Clause 8.2 Clause 8.3 |
| CIS v8 | Covered | CIS 7.1 |
| SOC 2 | Covered | CC3.2 CC3.4 |
| PCI DSS | Covered | 6.3.1 11.3.1 12.3.1 |
| CMMC | Covered | RA.L2-3.11.1 RA.L2-3.11.2 |
| 800-53 | Covered | RA-3 RA-5 |
| HIPAA | Covered | §164.308(a)(1)(ii)(A) |
| GDPR | Covered | Art.35(1) Art.35(7) |
About Risk Assessment
Risk Assessment is a cybersecurity control in the Identify domain: understand cybersecurity risks to operations and assets. A risk assessment is a structured evaluation of the threats, vulnerabilities, and potential impacts affecting organizational assets and operations. Practitioners score risks with qualitative or quantitative methodologies, drawing input from vulnerability scanners, penetration tests, and threat modeling. Assessments should be performed at least annually and whenever a significant change occurs, such as a new system deployment, a merger, or an emerging threat vector; findings are documented and tracked through remediation. Note that the mapped control IDs cover two related activities: the risk analysis itself (for example RA-3, CC3.2, and §164.308(a)(1)(ii)(A)) and the vulnerability identification that feeds it (for example RA-5, PCI DSS 11.3.1, and CIS 7.1), so evidence for this control typically includes both a risk register and scan or test results.
This control is recognized by all 9 frameworks tracked here: NIST CSF 2.0, ISO 27001, CIS v8, SOC 2, PCI DSS, CMMC, 800-53, HIPAA, and GDPR.