James Tarala

Cybersecurity Regulations and Risk Assessment Requirements

Free Tool for Regulatory Requirements for Risk Management

October 25, 2023

Introduction

At the time of this post, we have identified over 35 international cybersecurity standards that require organizations to utilize a cybersecurity risk management process as part of their approach to defense. While many of these standards are unclear about what they mean when they call for risk management, it is becoming more common to see regulations requiring it. The following are a few examples of standards that require organizations to integrate cybersecurity risk management into their overall cybersecurity program strategies:

  • Collective Controls Catalog (v2021, v2022, v2023)
  • NIST CyberSecurity Framework (v1.0, v1.1, v2.0)
  • ISO 27002:2005, 27002:2013, 27002:2022
  • NIST Special Publication 800-171
  • NIST Privacy Framework (v1.0)
  • French National Cybersecurity Agency (ANSSI v1 and v2)
  • Cybersecurity Maturity Model Certification (CMMC) - Level 2
  • Canadian Office of the Superintendent of Financial Institutions (OSFI) Technology and Cyber Risk Guideline
  • Cloud Security Alliance Cloud Control Matrix (CSA-CCM v3.0.1 and v4.0)
  • Directive (EU) 2022/2555 (NIS2)
  • Farm Credit Administration (FCA) Examination Manual (v2022)
  • HIPAA (v2013)
  • Internal Revenue Service (IRS) Publication 1075
  • New York Cyber Security Regulation (23 NYCRR 500)
  • Payment Card International (PCI) Data Security Standard (DSS) (v3.2.1 and v4.0)
  • US Securities and Exchange Commission (SEC) 2023 Cybersecurity Disclosure Rules (v2023)

In addition, there are numerous standards that require risk assessments to be performed against both the organization itself and each of an organization’s critical third-party business partners. The following are some of the more popular cybersecurity standards that also require an organization’s risk management program to include their third-party business partners:

  • Collective Controls Catalog (v2021, v2022, v2023)
  • NIST CyberSecurity Framework (v1.0, v1.1, v2.0)
  • CIS Controls (v8.0)
  • Cybersecurity Maturity Model Certification (CMMC) - Level 3
  • Cloud Security Alliance Cloud Control Matrix (CSA-CCM v3.0.1 and v4.0)
  • ISO 27002:2005, 27002:2013, 27002:2022
  • NIST Special Publication 800-172
  • Privacy Framework (v1.0)

Specific Examples of Risk Management Requirements

Part of the challenge organizations face when attempting to comply with these cybersecurity standards is understanding exactly what the requirements are asking an organization to accomplish. This becomes even more challenging when organizations are asked to perform a task whose definition is often cloudy. Cybersecurity professionals as a whole often struggle to provide a succinct definition for the word “risk,” so it is not surprising that the authors of cybersecurity standards face the same challenge.

The following are specific examples of requirements from some of the cybersecurity standards listed earlier and the specific wording from the standard related to cybersecurity risk:

  • “Periodically assess the risk to organizational operations (including mission, functions, image, or reputation), organizational assets, and individuals, resulting from the operation of organizational systems and the associated processing, storage, or transmission of CUI.” – NIST SP 800-171 (3.11.1, rev 2)
  • “Independent review of information security.” – ISO27002:2022 (5.35)
  • “Compliance with policies, rules and standards for information security.” – ISO27002:2022 (5.36)
  • “Conduct independent audit and assurance assessments according to relevant standards at least annually.” – CSA-CCM (A&A-02, v4.0)
  • “Perform independent audit and assurance assessments according to risk-based plans and policies.” – CSA-CCM (A&A-03, v4.0)
  • “Implement a risk-assessment process.” – PCI DSS (12.2, v3.2.1)
  • “Each Covered Entity shall conduct a periodic Risk Assessment of the Covered Entity’s Information Systems sufficient to inform the design of the cybersecurity program as required by this Part. Such Risk Assessment shall be updated as reasonably necessary to address changes to the Covered Entity’s Information Systems, Nonpublic Information or business operations.” – NYDFS (v1, Section 500.09)
  • “The organisation should ensure a risk assessment is also carried out for the organisation, development environment, test environment, training environment.” – SCCA (2.3 (1b), v2023)

The most common requirement these cybersecurity standards ask organizations to implement is to regularly perform a cybersecurity risk assessment to validate the implementation of appropriate cybersecurity safeguards. In other words, organizations are being asked to regularly review their cybersecurity safeguards to ensure that appropriate defenses are in place to protect the confidentiality, integrity, and availability of the organization’s information systems.

Sample Free Risk Assessment Tool

Organizations looking to perform a comprehensive cybersecurity risk assessment in light of the requirements discussed earlier can consider several approaches and tools. When attempting to comply with these standards, an organization's main goal is to validate that it has implemented an appropriate set of cybersecurity safeguards. To accomplish this, it must first select the baseline of safeguards it wants to compare itself against. Once the baseline is selected, it can determine which software tool best meets its needs for recording the results of the validation process.

Even today, Microsoft Excel remains one of the most popular tools used by cybersecurity auditors and risk analysts to document the status of their organization’s cybersecurity safeguards. Other tools, such as Governance, Risk, and Compliance (GRC) engines, can also be used for this purpose. However, because of cost and complexity, Microsoft Excel is the tool of choice for most of these assessments.

The creators of the Collective Controls Catalog have also created a free cybersecurity risk assessment template that organizations can use to identify gaps in their cybersecurity programs. This template was created in Microsoft Excel and, therefore, is a familiar interface that organizations can use to document the status of their cybersecurity safeguards.

Organizations can download the latest version of this risk assessment template at:

https://www.auditscripts.com/free-resources/collective-risk-project/

Organizations can use this tool to record the status of each of their cybersecurity safeguards and create simple-to-use dashboards to report the status of those safeguards to leadership stakeholders.

Answering Cybersecurity Control Questions in the Template

In the Collective Controls Catalog Assessment Tool mentioned above, the idea is to answer a series of questions about the status of an organization’s cybersecurity safeguards. The Collective Controls Catalog defines forty cybersecurity domains, each with its own set of specific safeguards. During a risk assessment, the assessor should work their way through each domain and document each safeguard's status.

To begin, the assessor should navigate to the cybersecurity domain they are assessing by clicking on the corresponding tab at the bottom of the Microsoft Excel worksheet. For example, if the assessor wants to assess the topic of “Asset Inventory,” then they should click on that tab, and they will see a screen like the following:

From this tab, there are two questions the assessor must answer for each cybersecurity safeguard listed in the column on the left side of the worksheet. First, they should evaluate the state of the organization’s documented cybersecurity intentions (often referred to as cybersecurity policies). By clicking on the first field, the assessor will see a drop-down box similar to the following:

The assessor should then choose the appropriate status option based on the state of the organization’s documented cybersecurity safeguards. The assessor should review the organization’s documentation and answer this question for every cybersecurity safeguard and every domain noted in the workbook.

Next, the assessor should similarly report the status of the implementation of each cybersecurity safeguard. When the assessor clicks on the next box, they will see a drop-down list with options like the following:

The assessor should then review the implementation status of each of the organization’s cybersecurity safeguards and report the status using this field in the worksheet. Via interviews and direct observation of safeguards, the assessor should work with the organization to honestly report the status of each safeguard until the entire list of safeguards has been evaluated.

Analyzing the Results on the Template Dashboards

When an assessor has finished documenting the status of each of the organization’s cybersecurity safeguards, the risk assessment template will automatically analyze the data entered into the tool to give the assessor specific feedback on the status of the organization’s safeguards. To view the aggregated results, the assessor should click on one of the dashboard tabs listed at the beginning of the Microsoft Excel workbook.

On the first page of the workbook, the template will report an overall maturity score for the organization in addition to domain-centric scores for each of the forty domains listed in the Collective Controls Catalog. First, the assessor will see an aggregate maturity score for the organization, which appears as follows:

Next, the assessor will see graphs representing the aggregate scores for governance-related domains defined in the Collective Controls Catalog in a graph like the following:

Also, the first page of the workbook will report the aggregate status of technical domains defined in the Collective Controls Catalog in a graph like the following:

This tool will report on the status of cybersecurity safeguards based on the domains defined in the Collective Controls Catalog. In addition, it has built-in dashboards for reporting safeguards against other popular cybersecurity standards, such as the NIST CyberSecurity Framework (CSF), ISO27002, and CIS Controls.
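As an added illustration (not the template's own formulas, which this post does not reproduce), the roll-up below models the two-answers-per-safeguard structure described above, computes the domain-centric and overall maturity scores, flags safeguards left unassessed rather than averaging them away, and re-groups the same answers under another standard's control IDs the way the extra dashboards do. The drop-down status options, their score weights, the safeguard IDs and the crosswalk mapping are all constructed assumptions.

```python
"""Maturity roll-up modelled on the two-question-per-safeguard assessment the
post describes. Status options, weights, safeguard IDs and the crosswalk are
constructed assumptions, not the Collective Controls Catalog template's own."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional

# Assumed drop-down options and the credit each one earns (0.0 .. 1.0).
DOCUMENTATION_SCORE = {"Not Documented": 0.0, "Partially Documented": 0.5, "Fully Documented": 1.0}
IMPLEMENTATION_SCORE = {"Not Implemented": 0.0, "Partially Implemented": 0.5, "Fully Implemented": 1.0}
NOT_ASSESSED = "Not Assessed"  # row left blank by the assessor

@dataclass(frozen=True)
class SafeguardStatus:
    domain: str          # worksheet tab, e.g. "Asset Inventory"
    safeguard_id: str    # row in the left-hand column (constructed ID)
    documentation: str   # first drop-down: documented intentions (policy)
    implementation: str  # second drop-down: observed implementation

def safeguard_score(s: SafeguardStatus) -> Optional[float]:
    """Mean of the two answers; None if not assessed; unknown status rejected."""
    if NOT_ASSESSED in (s.documentation, s.implementation):
        return None
    if (s.documentation not in DOCUMENTATION_SCORE
            or s.implementation not in IMPLEMENTATION_SCORE):
        # A typo in a status cell is a data-entry error, not a score of zero.
        raise ValueError(f"{s.safeguard_id}: unrecognised status value")
    return (DOCUMENTATION_SCORE[s.documentation]
            + IMPLEMENTATION_SCORE[s.implementation]) / 2

def _percent(values: List[float]) -> float:
    return round(100 * sum(values) / len(values), 1)

def domain_scores(rows: List[SafeguardStatus]) -> Dict[str, float]:
    """Domain-centric score: mean over the domain's assessed safeguards."""
    by_domain: Dict[str, List[float]] = defaultdict(list)
    for r in rows:
        score = safeguard_score(r)
        if score is not None:
            by_domain[r.domain].append(score)
    return {d: _percent(v) for d, v in by_domain.items()}

def overall_score(rows: List[SafeguardStatus]) -> float:
    """Aggregate maturity score: unweighted mean of the domain scores."""
    per_domain = domain_scores(rows)
    return round(sum(per_domain.values()) / len(per_domain), 1)

def unassessed(rows: List[SafeguardStatus]) -> List[str]:
    """Gaps a dashboard should flag instead of silently dropping them."""
    return [r.safeguard_id for r in rows if safeguard_score(r) is None]

def crosswalk_scores(rows: List[SafeguardStatus],
                     crosswalk: Dict[str, List[str]]) -> Dict[str, float]:
    """Report the same answers under another standard's control IDs;
    crosswalk maps each safeguard ID to the external controls it satisfies."""
    by_control: Dict[str, List[float]] = defaultdict(list)
    for r in rows:
        score = safeguard_score(r)
        for control in crosswalk.get(r.safeguard_id, []):
            if score is not None:
                by_control[control].append(score)
    return {c: _percent(v) for c, v in by_control.items()}

# Constructed sample rows and a constructed crosswalk to NIST CSF subcategory IDs.
SAMPLE_ROWS = [
    SafeguardStatus("Asset Inventory", "AI-01", "Fully Documented", "Fully Implemented"),
    SafeguardStatus("Asset Inventory", "AI-02", "Partially Documented", "Not Implemented"),
    SafeguardStatus("Asset Inventory", "AI-03", "Not Documented", "Partially Implemented"),
    SafeguardStatus("Access Control", "AC-01", "Fully Documented", "Partially Implemented"),
    SafeguardStatus("Access Control", "AC-02", NOT_ASSESSED, NOT_ASSESSED),
]
SAMPLE_CROSSWALK = {"AI-01": ["ID.AM-1"], "AI-02": ["ID.AM-1"], "AI-03": ["ID.AM-2"],
                    "AC-01": ["PR.AC-1"], "AC-02": ["PR.AC-1"]}
```

With the sample rows, `domain_scores` gives Asset Inventory 50.0 and Access Control 75.0, the overall score is 62.5, and AC-02 is reported as unassessed rather than counted as a zero.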

Concluding Thoughts

We trust that the risk assessment template shared in this post will be a valuable addition to your cybersecurity toolkit and will help you and your organization meet the risk management requirements defined by many recent cybersecurity standards. The template illustrated above was designed to streamline the safeguard validation process and help organizations identify gaps in their defenses. We encourage you to customize it to suit your specific needs and to make cybersecurity risk assessment a regular, integral part of your strategy for securing your information systems and supporting your organization’s mission.

In addition, if you would like to learn more about how to perform cybersecurity risk assessments practically, you may also want to consider the SANS course, LDR419: Performing A Cybersecurity Risk Assessment.

About the Author

James Tarala is a principal consultant with Enclave Security based out of Venice, Florida, and a SANS Senior Instructor. As a consultant, he has spent the past several years designing large enterprise security and infrastructure architectures, helping organizations to perform security assessments, and communicating enterprise risk to senior leadership teams. He is the author of the brand new LDR419: Performing a Cybersecurity Risk Assessment, as well as a number of previous SANS courses. Learn more about James Tarala.

Recommended Training

  • SEC401: Security Essentials - Network, Endpoint, and Cloud™
  • LDR419: Performing A Cybersecurity Risk Assessment
  • ICS410: ICS/SCADA Security Essentials™

Tags:
  • Cybersecurity Leadership
