cc9-1 | High priority | Security / Risk Mitigation

Risk mitigation strategies are identified and implemented

Identifying risks through the risk assessment process (CC3) is only half the work. This criterion requires that risks are actively addressed: mitigation controls are selected and implemented, residual risk is accepted at an appropriate level, and the overall risk posture is actively managed rather than passively observed.

Complete first: cc3-2

Implementation steps

  1.

    Develop a risk treatment plan for identified risks

    For each risk identified in your risk assessment, document a treatment decision: mitigate (implement controls), transfer (insurance or contract), accept (documented acceptance with rationale), or avoid (change the activity creating the risk). For risks being mitigated, identify the specific controls that address them and assign owners and timelines.

    Suggested tools: Notion, Confluence, Google Sheets, Jira
  2.

    Implement and track mitigation controls

    Implement the controls identified in the risk treatment plan. Track implementation progress in your risk register or project tracking tool. When controls are implemented, update the residual risk rating to reflect the reduced exposure. Controls with no owner or no timeline are unlikely to be implemented.

    Suggested tools: Jira, Linear, Notion, Vanta, Drata
  3.

    Review risk treatment decisions periodically

    Risk treatment decisions made 12 months ago may no longer be appropriate. Review your risk register and treatment decisions at least annually. Risks that were accepted may need to be re-evaluated if the threat landscape has changed or the organization's risk tolerance has shifted.

    Suggested tools: Notion, Confluence, Google Sheets

Evidence required

Risk treatment plan

Documentation showing how identified risks are being addressed.

  - Risk register with treatment decisions and status
  - Risk treatment plan with owner and timeline columns
  - Risk acceptance records with documented rationale

Evidence of mitigation control implementation

Evidence that risk mitigation controls are in place.

  - Control implementation tickets with completion dates
  - Compliance platform showing control status
  - Risk register showing reduced residual risk after control implementation

Related controls