The Risk Management Program (RMP) is program-level documentation that any organization needs in order to demonstrate HOW risk is actually managed. Most companies run into issues during audits when their actual risk management practices are examined. The RMP is meant to advance your organization to a mature level of risk management and give you the documentation to prove it!
The Cybersecurity Risk Assessment Template (CRAT) supports the Risk Management Program (RMP), but it is a stand-alone product consisting of Microsoft Word and Excel templates that enable any organization to conduct repeatable, quality risk assessments. If you can use Microsoft Office products, then you can follow the guidance in the CRAT to create your own quality risk assessments. The CRAT addresses natural, man-made and cybersecurity risks to provide a robust risk assessment template. The cybersecurity controls used in the template are from NIST 800-171, which is based on leading NIST 800-53 and ISO 27002 controls.
Can You Honestly Answer HOW Risk Is Implemented At Your Organization?
When you "peel back the onion" and prepare for an audit, you need to address "the how" for certain topics, such as risk management. While policies and standards are designed to describe WHY something is required and WHAT needs to be done, many companies fail to create documentation that addresses HOW the policies and standards are actually implemented. We did the heavy lifting and created several program-level documents to address this need, and the Risk Management Program (RMP) is one of those products.