ID.RA-5: Risk Determination – NIST Cybersecurity Framework
Risk determination is the analytical foundation of effective cybersecurity. NIST CSF control ID.RA-5 requires organizations to synthesize threats, vulnerabilities, likelihood, and impact data into actionable risk assessments. Without this systematic approach, you cannot prioritize remediation efforts or allocate security resources effectively.
What this means
ID.RA-5 mandates that your organization combine four key inputs—identified threats, known vulnerabilities, the likelihood of exploitation, and the potential business impact—to calculate and document risk levels for assets and processes. This control transforms raw security data into quantifiable risk scores that inform decision-making at every level, from tactical patching schedules to strategic security investments. The goal is moving beyond reactive incident response to predictive, evidence-based risk management.
How to comply
- 1.Identify and catalog all threats relevant to your environment (external, internal, accidental, deliberate).
- 2.Map known vulnerabilities to assets and systems across your infrastructure.
- 3.Assign likelihood scores (probability of exploitation) based on threat intelligence and vulnerability severity.
- 4.Estimate impact values (business, financial, reputational, regulatory) for each potential breach or failure.
- 5.Calculate risk scores using a consistent methodology (qualitative or quantitative).
- 6.Document risk determinations with supporting evidence and assumptions.
- 7.Review and update risk assessments at least annually or when material changes occur.
- 8.Communicate risk ratings to relevant stakeholders and use results to drive remediation priorities.
Evidence auditors look for
- Risk assessment reports showing threat-vulnerability mappings with likelihood and impact ratings.
- Risk register or matrix documenting all identified risks, scores, and mitigation status.
- Threat modeling documentation for critical systems and applications.
- Vulnerability scan results cross-referenced with threat landscape analysis.
- Risk scoring methodology documentation (CVSS, FAIR, custom frameworks).
- Board or management meeting minutes discussing risk determination outcomes and budget allocation.
- Audit trails showing when assessments were performed, by whom, and evidence reviewed.
- Risk acceptance or remediation decisions with documented business justification.
Frequently asked questions
When will FAQs be available?
The FAQ for this control is currently being prepared.
See how GRCWatch handles this control automatically.
See how GRCWatch handles this control automatically
Start free trial