CyFun Tracker
ID.RA-5

Threats, vulnerabilities, likelihoods, and impacts are used to determine risk

Identify · Risk Assessment

Manual Attestation

Compliance Score

20%

Non-Compliant

Documentation Maturity

1/5

Target: 2.5

Implementation Maturity

1/5

Target: 2.5

Control Description

The organization uses identified threats and vulnerabilities, along with likelihood and impact analysis, to determine and prioritize cybersecurity risks.

Findings (1)
0/1 items compliant
Severity: high

Finding: Improvement needed: Threats, vulnerabilities, likelihoods, and impacts are used to determine risk

Current implementation does not fully meet the requirements of ID.RA-5.

Remediation Guidance

Maintain a risk register combining threats, vulnerabilities, likelihood, and business impact. Use a simple risk matrix (likelihood x impact). Prioritize mitigation based on risk scores. Review quarterly.