1. Introduction: The CRI Profile as the Financial Sector's Cybersecurity Rosetta Stone
The Cyber Risk Institute (CRI) Profile, formerly known as the Financial Services Sector Cybersecurity Profile (FSSCP), is a benchmark cybersecurity and resilience framework purpose-built for financial institutions. It was created to solve a very specific pain that CISOs and boards in banking, insurance, asset management and financial market infrastructure feel acutely: regulatory fragmentation. A single global bank may be subject to dozens of overlapping supervisory expectations across jurisdictions, each phrasing broadly similar controls in incompatible language and demanding separate attestations. The CRI Profile harmonises these into a single, extensible questionnaire of diagnostic statements that map back to more than 3,000 individual regulatory provisions and standards worldwide.
For an auditor, the Profile is a structured assessment instrument: each diagnostic statement is a testable assertion of control existence and effectiveness, backed by an explicit mapping to authoritative sources (NIST CSF, ISO 27001, FFIEC, CPMI-IOSCO, G7 Fundamental Elements, GDPR, and many national regulations). For an implementer or CISO, it is a rationalised control catalogue that lets a firm 'answer once, comply many' — completing the Profile once and reusing the answers to demonstrate compliance across multiple examinations. This guide walks both audiences through what the Profile is, how it is structured, and — most importantly — provides a master assessment checklist that enumerates every function and category so nothing is skipped.
2. What is the CRI Profile
The CRI Profile is a cybersecurity risk-management and resilience assessment framework that expresses cybersecurity expectations as a set of diagnostic statements grouped into functions and categories. It began life in 2018 as an initiative of the Financial Services Sector Coordinating Council (FSSCC) and was subsequently stewarded by the Cyber Risk Institute, which released the Profile as an evolving standard. Version 1.x aligned to the NIST Cybersecurity Framework v1.1 five-function model (Identify, Protect, Detect, Respond, Recover) plus two additional financial-sector functions: Govern and Supply Chain / Dependency Management.
CRI Profile v2.0, released to align with NIST Cybersecurity Framework 2.0, reorganised the content around a seven-function model that elevates Governance to a first-class function (mirroring NIST CSF 2.0's new GOVERN function) and retains an explicit Extend / third-party-dependency function that the generic NIST CSF does not carry in the same depth. The Profile is deliberately 'impact-tiered': the number and stringency of diagnostic statements a firm must satisfy scales with its size, complexity and systemic importance, so a community bank and a global systemically important bank (G-SIB) do not answer an identical question set.
- Not a certification scheme — there is no CRI-issued pass/fail certificate; the Profile is a self-assessment and third-party-assessment instrument whose output is a defensible evidence package.
- Regulator-recognised — U.S. and international supervisors (including the FFIEC agencies, and via mappings the EU, UK PRA/FCA, MAS, HKMA and others) recognise Profile-based responses as a way to demonstrate control coverage.
- Extensible — CRI publishes 'extensions' that add mappings to new regulations (e.g., DORA, NYDFS 500, Cloud, AI) without rewriting the core.
- Free to eligible firms — distributed by CRI to promote sector-wide adoption rather than sold as a commercial standard.
- Machine-usable — delivered as a structured workbook so answers can be tracked, versioned and reused across examinations.
3. Who Must Comply / Scope of Applicability
The CRI Profile is voluntary in the sense that no single law says 'thou shalt use the CRI Profile'. However, the underlying regulatory provisions it maps ARE mandatory, and a large and growing set of financial-sector supervisors either accept, encourage or effectively expect Profile-based responses. In practice, any regulated financial entity that faces multiple cyber supervisors benefits from — and is increasingly asked to use — the Profile.
| Entity / Sector | Why the Profile applies | Typical tiering |
|---|---|---|
| Global systemically important banks (G-SIBs) and D-SIBs | Face concurrent supervision by home and host regulators; use the Profile to rationalise CPMI-IOSCO, FFIEC, PRA, ECB expectations | Full / most stringent diagnostic set |
| Regional and community banks | FFIEC CAT retirement drives migration to Profile; scaled impact tier reduces burden | Scaled / reduced diagnostic set |
| Financial market infrastructures (FMIs) — CCPs, CSDs, payment systems | Subject to CPMI-IOSCO Guidance on Cyber Resilience for FMIs, directly mapped in the Profile | Full, resilience-weighted |
| Insurance and reinsurance firms | NAIC Insurance Data Security Model Law, NYDFS 500 apply; Profile maps these obligations | Impact-tiered by size |
| Asset managers, broker-dealers, investment advisers | SEC cyber rules, FINRA expectations; Profile provides audit-ready coverage | Scaled by AUM / complexity |
| Fintechs and third-party service providers to banks | Bank clients cascade Profile expectations through the Extend function and vendor due diligence | Vendor-scoped subset |
| EU-regulated financial entities | DORA obligations mapped via the CRI DORA extension for cross-border firms | Full + DORA extension |
| Non-US firms (MAS, HKMA, RBI-regulated, ADGM/DIFC) | National cyber-resilience rules map to Profile functions; used for group-wide harmonisation | Jurisdiction-mapped subset |
Scope boundaries an assessor must fix first
- Legal entities and business lines in scope (group vs. subsidiary vs. branch).
- Systems supporting critical financial services and 'important business services' (aligned to operational-resilience rules).
- Data classes: customer NPI/PII, transaction records, market data, credentials.
- Third parties, nth-party dependencies and cloud service providers (the Extend function).
- Geographies and the regulators whose mapped provisions are 'switched on' for this assessment.
4. Structure of the CRI Profile
The Profile is organised hierarchically. At the top sit Functions (the seven high-level outcomes). Each Function contains Categories (outcome groupings). Each Category contains diagnostic statements — the atomic, testable requirements a firm answers. Diagnostic statements carry impact-tier applicability flags and an extensive set of mappings to external authorities. The table below sets out the v2.0 seven-function model with its approximate category coverage; treat category counts as indicative, since CRI revises them across releases.
| Function (v2.0) | Purpose / outcome | Representative categories |
|---|---|---|
| Govern (GV) | Establish, communicate and monitor the cyber risk-management strategy, roles, policy and oversight (board and executive accountability). | Organisational Context; Risk Management Strategy; Roles, Responsibilities & Authorities; Policy; Oversight; Cybersecurity Supply Chain Risk Management |
| Identify (ID) | Understand assets, business environment, risk and vulnerabilities to manage cyber risk to systems, people, data and capabilities. | Asset Management; Risk Assessment; Improvement; Business Environment |
| Protect (PR) | Implement safeguards to ensure delivery of critical services and limit or contain the impact of events. | Identity Management & Access Control; Awareness & Training; Data Security; Platform Security; Technology Infrastructure Resilience |
| Detect (DE) | Identify the occurrence of a cybersecurity event in a timely manner through monitoring and analysis. | Continuous Monitoring; Adverse Event Analysis |
| Respond (RS) | Take action regarding a detected incident to contain and mitigate impact. | Incident Management; Incident Analysis; Incident Response Reporting & Communication; Incident Mitigation |
| Recover (RC) | Restore assets and operations affected by an incident and support timely return to normal. | Incident Recovery Plan Execution; Incident Recovery Communication |
| Extend (EX) | Manage cyber risk arising from third-party, supply-chain and nth-party dependencies (financial-sector-specific). | Third-Party Connections; Dependency Management; Supply Chain Assurance; Concentration Risk |
5. Master Assessment Checklist — Every Function and Category
This is the core of the guide. Each h3 below covers one Function; the table under it enumerates its categories with what an assessor must verify and the evidence typically requested. Work through every table — do not skip any function or category. Diagnostic-statement identifiers follow the pattern Function.Category (e.g., GV.RM), with individual statements numbered within the category in the official workbook.
5.1 Govern (GV)
| What to verify | Typical evidence |
|---|---|
| GV.OC Organisational Context — the mission, stakeholders, legal/regulatory and contractual cyber requirements are understood and documented. | Enterprise risk taxonomy, regulatory obligations register, stakeholder/critical-service mapping, board charter. |
| GV.RM Risk Management Strategy — cyber risk appetite and tolerance statements are set, approved and used in decisions. | Board-approved risk appetite statement, risk tolerance thresholds, risk strategy document, appetite breach reports. |
| GV.RR Roles, Responsibilities & Authorities — cyber roles (CISO, three lines of defence) are defined, resourced and held accountable. | Org chart, RACI, CISO mandate, job descriptions, budget/headcount evidence, reporting lines to board. |
| GV.PO Policy — cybersecurity policy is established, approved, communicated and reviewed on a defined cycle. | Policy suite with version history, approval records, annual review minutes, exception process. |
| GV.OV Oversight — results of risk management are reviewed to inform and adjust strategy (board/committee oversight). | Board/risk-committee minutes, cyber KRIs/KPIs dashboards, independent assurance reports, metrics trend packs. |
| GV.SC Cybersecurity Supply-Chain Risk Management — supply-chain cyber programme is established and integrated with ERM. | C-SCRM policy, supplier risk-tiering, contract clauses, supplier assurance schedule, concentration analysis. |
5.2 Identify (ID)
| What to verify | Typical evidence |
|---|---|
| ID.AM Asset Management — hardware, software, data, systems, services and personnel are inventoried and classified by criticality. | CMDB/asset inventory exports, data classification register, criticality ratings, software bill of materials (SBOM). |
| ID.RA Risk Assessment — threats, vulnerabilities and likelihood/impact are assessed and prioritised, including threat intelligence. | Risk assessment reports, vulnerability scan results, threat-intel subscriptions, risk register with treatment plans. |
| ID.IM Improvement — improvements are identified from assessments, tests, incidents and exercises and tracked to closure. | Lessons-learned logs, post-incident reviews, exercise reports, remediation tracker, continuous-improvement backlog. |
| ID.BE Business Environment — the firm's role in the sector, critical services and dependencies are understood. | Important-business-service catalogue, dependency maps, impact tolerance statements, sector-role analysis. |
5.3 Protect (PR)
| What to verify | Typical evidence |
|---|---|
| PR.AA Identity Management, Authentication & Access Control — identities are managed and access is least-privilege with strong authentication (MFA). | IAM policy, MFA enforcement config, joiner-mover-leaver records, privileged-access-management logs, access recertification. |
| PR.AT Awareness & Training — personnel receive role-based security and phishing awareness training. | Training completion reports, phishing-simulation results, role-based curricula, awareness campaign records. |
| PR.DS Data Security — data is protected in transit, at rest and in use per its classification (encryption, DLP, key management). | Encryption standards, key-management records, DLP policy and alerts, tokenisation/masking evidence. |
| PR.PS Platform Security — hardware/software/firmware is configured securely, patched and hardened. | Baseline configuration standards, patch-management SLAs and reports, hardening benchmarks (CIS), change records. |
| PR.IR Technology Infrastructure Resilience — resilient architecture, segmentation and capacity protect availability and integrity. | Network segmentation diagrams, redundancy/DR architecture, backup policy, capacity plans, resilience testing. |
5.4 Detect (DE)
| What to verify | Typical evidence |
|---|---|
| DE.CM Continuous Monitoring — networks, systems, personnel activity and external service providers are monitored to find anomalies. | SIEM/EDR coverage matrix, log-source inventory, monitoring use-cases, alerting thresholds, coverage reports. |
| DE.AE Adverse Event Analysis — anomalies and events are analysed, correlated and escalated to characterise incidents. | Alert triage runbooks, correlation rules, incident-declaration criteria, SOC shift handover logs. |
5.5 Respond (RS)
| What to verify | Typical evidence |
|---|---|
| RS.MA Incident Management — the incident-response plan is executed on detection, with defined roles and severity tiers. | IR plan, severity matrix, on-call roster, incident tickets showing plan invocation. |
| RS.AN Incident Analysis — investigations, forensics and root-cause analysis determine scope and impact. | Forensic reports, chain-of-custody records, root-cause analyses, indicator-of-compromise catalogues. |
| RS.CO Incident Response Reporting & Communication — internal and external stakeholders and regulators are notified per obligations. | Regulatory-notification templates, contact trees, breach-notification logs, regulator submission evidence. |
| RS.MI Incident Mitigation — incidents are contained and eradicated to limit spread and impact. | Containment runbooks, isolation records, eradication evidence, mitigation status logs. |
5.6 Recover (RC)
| What to verify | Typical evidence |
|---|---|
| RC.RP Incident Recovery Plan Execution — recovery plans restore systems and data to a known-good state within objectives. | Recovery runbooks, RTO/RPO targets, backup-restore test results, integrity-validation records. |
| RC.CO Incident Recovery Communication — recovery activities and status are communicated to internal and external stakeholders. | Stakeholder comms logs, customer/regulator status updates, reputation-management records, all-clear notifications. |
5.7 Extend (EX) — Third-Party and Dependency Management
| What to verify | Typical evidence |
|---|---|
| EX.TP Third-Party Connections — connections to and from third parties are inventoried, authorised and secured. | Third-party connection inventory, interconnection security agreements, API access controls, monitoring of B2B links. |
| EX.DM Dependency Management — critical third-party and nth-party dependencies are identified, risk-tiered and monitored. | Dependency register, nth-party mapping, criticality tiering, continuous-monitoring/ratings feeds. |
| EX.SC Supply Chain Assurance — suppliers are assessed pre-engagement and periodically against security requirements. | Vendor due-diligence questionnaires, SOC 2 / ISO 27001 reports, right-to-audit exercise records, contract security schedules. |
| EX.CR Concentration Risk — concentration in critical providers (e.g., a single cloud/CSP) is measured and mitigated. | Concentration analysis, exit/substitutability plans, cloud multi-region strategy, systemic-provider register. |
6. Scoping, Materiality and Impact Tiering
A defining feature of the CRI Profile is impact tiering: rather than imposing every diagnostic statement on every firm, the Profile flags which statements apply based on the institution's national and global systemic footprint. This lets a small institution answer a proportionate subset while a G-SIB answers the full set. The tiering is derived from an impact-tier questionnaire the firm completes before assessment.
| Impact tier | Illustrative institution profile | Diagnostic-statement burden |
|---|---|---|
| Tier 1 (highest impact) | Global systemically important institutions; critical FMIs; national payment systems | Full diagnostic set, resilience-weighted, most stringent |
| Tier 2 | Large national banks / D-SIBs, large insurers, major broker-dealers | Broad set; most statements applicable |
| Tier 3 | Regional / mid-size institutions, mid-market asset managers | Scaled set; higher-order statements may be reduced |
| Tier 4 (lowest impact) | Community banks, credit unions, small fintechs | Core essential statements; proportionate subset |
Materiality also governs which mapped regulations are 'switched on'. A firm operating only in the US does not need the DORA extension activated; a firm with an EU entity does. The assessor should confirm the impact-tier determination and the enabled regulatory mappings at kickoff, because these two decisions define the entire scope of applicable diagnostic statements. Getting the tier wrong either over-burdens a small firm or, more dangerously, under-scopes a systemically important one.
- Complete the impact-tier questionnaire and obtain sign-off from the CISO and risk committee.
- Enumerate applicable jurisdictions and enable the corresponding regulatory mappings/extensions.
- Confirm important business services and impact tolerances (aligns with operational-resilience rules).
- Document scope exclusions with rationale and compensating rationale for any de-scoped diagnostic statements.
7. Implementation Approach (Phased)
A pragmatic CRI Profile programme runs in five phases. Each phase below lists activities and deliverables.
Phase 1 — Mobilise and Scope
- Activities: secure board/executive sponsorship; obtain the official CRI Profile workbook; complete the impact-tier questionnaire; enable relevant regulatory mappings; define legal entities, business lines and important business services in scope.
- Deliverables: programme charter, scope statement, impact-tier determination, enabled-mappings list, stakeholder RACI.
Phase 2 — Baseline Assessment (Current State)
- Activities: answer each applicable diagnostic statement with a maturity/implementation rating; collect current evidence; interview control owners across the three lines of defence.
- Deliverables: completed baseline workbook, evidence repository index, current-state maturity heatmap by function.
Phase 3 — Gap Analysis and Target State
- Activities: compare current state to target (tier-appropriate) state; identify gaps; assess risk of each gap against appetite; prioritise using impact and likelihood.
- Deliverables: gap register, prioritised remediation roadmap, target-state maturity profile, risk-accepted exceptions log.
Phase 4 — Remediation and Control Uplift
- Activities: execute remediation projects (IAM/MFA uplift, DLP, segmentation, third-party assurance, IR playbooks); update policies; embed controls in BAU.
- Deliverables: remediated controls with evidence, updated policy suite, control-operation runbooks, closed gap items.
Phase 5 — Assurance, Attestation and Continuous Improvement
- Activities: independent (internal audit or third-party) validation; produce regulator-facing response packages; schedule periodic reassessment; feed lessons learned back (ID.IM).
- Deliverables: assurance report, reusable regulatory attestation package, reassessment calendar, continuous-improvement backlog.
8. Maturity / Capability Tiering Model
While the Profile's diagnostic statements are primarily answered as implemented / not implemented with supporting rationale, mature programmes overlay a capability-maturity scale to communicate control effectiveness to the board and to drive uplift. The following five-level model is commonly used alongside the Profile.
| Level | Name | Characteristics | Evidence signature |
|---|---|---|---|
| 0 | Non-existent | Control absent; no policy or ownership. | No artefacts; gap in register. |
| 1 | Initial / Ad hoc | Control performed inconsistently and reactively; undocumented. | Anecdotal evidence, no defined process. |
| 2 | Repeatable | Documented process exists; applied by trained staff but not consistently measured. | Procedures, some records, informal reviews. |
| 3 | Defined | Standardised, documented and communicated organisation-wide; integrated with risk management. | Policy + procedure + consistent records, defined owners. |
| 4 | Managed | Control is measured with metrics/KRIs; deviations trigger action. | Metrics dashboards, thresholds, exception handling. |
| 5 | Optimised | Control continuously improved using automation, analytics and lessons learned. | Trend analysis, automation, benchmarking, improvement backlog closed. |
A tier-appropriate target is usually Level 3 (Defined) as a floor for all applicable statements, with Level 4 (Managed) expected for high-impact firms on critical functions such as Detect, Respond and Extend.
9. Assessment and Audit Approach
The following ordered steps describe how an independent assessor should conduct a CRI Profile assessment.
- Confirm engagement scope: Profile version, NIST CSF baseline, impact tier and enabled regulatory mappings.
- Request and index the evidence set against each applicable diagnostic statement (see section 10).
- Conduct control-owner interviews across the three lines of defence for each function (GV through EX).
- Test control design: does the documented control, if operating, satisfy the diagnostic statement?
- Test control operating effectiveness: sample records over the review period to confirm the control actually operated.
- Rate each diagnostic statement (implemented / partially / not implemented) with a maturity overlay and cite evidence.
- Aggregate findings by function and category; produce a maturity heatmap and gap register.
- Assess each gap against the firm's risk appetite and rate residual risk.
- Validate third-party and nth-party (Extend) coverage, including concentration risk and exit strategies.
- Draft findings, obtain management responses and remediation commitments with owners and dates.
- Issue the assessment report plus a reusable regulatory-response package mapped to applicable supervisors.
- Agree a reassessment cadence and continuous-monitoring metrics for interim assurance.
10. Evidence Request List
Evidence, categorised by function, that assessors typically request. Provide current, dated artefacts covering the review period.
Governance and strategy
- Board and risk-committee charters and minutes referencing cyber oversight.
- Cyber risk appetite and tolerance statements with approval evidence.
- Cybersecurity policy suite with version history and review records.
- CISO mandate, org chart, RACI and three-lines-of-defence definition.
Identify
- Asset inventory / CMDB exports and data classification register.
- Risk assessments, vulnerability scans and the risk register.
- Important-business-service catalogue and dependency maps.
- Improvement / lessons-learned tracker.
Protect
- IAM/PAM policies, MFA configuration and access-recertification records.
- Security awareness and phishing-simulation reports.
- Encryption and key-management standards; DLP configuration and alerts.
- Patch-management SLAs/reports and hardening baselines (CIS/vendor).
Detect and Respond
- SIEM/EDR coverage matrix and log-source inventory.
- Incident-response plan, severity matrix and sample incident tickets.
- Forensic and root-cause reports; regulatory-notification records.
- SOC monitoring use-cases and alerting thresholds.
Recover and Extend
- Backup/restore test results, RTO/RPO targets and DR exercise reports.
- Third-party inventory, due-diligence questionnaires and SOC 2/ISO 27001 assurance reports.
- Concentration-risk analysis and exit/substitutability plans.
- Recovery and stakeholder-communication logs.
11. Roles and Responsibilities
| Role | CRI Profile responsibility |
|---|---|
| Board of Directors | Approve cyber risk appetite; provide oversight; hold executives accountable (GV.OV). |
| CEO / Executive Committee | Own enterprise cyber risk; allocate resources; sponsor the Profile programme. |
| CISO | Own the Profile assessment, control design and remediation roadmap; report metrics to the board. |
| First line (business/IT owners) | Operate controls; provide evidence; remediate assigned gaps. |
| Second line (Risk & Compliance) | Set risk framework and appetite; challenge control adequacy; map regulatory obligations. |
| Third line (Internal Audit) | Independently validate Profile responses and control effectiveness. |
| Third-party / vendor management | Execute Extend-function due diligence, monitoring and concentration analysis. |
| External assessor / QSA / CERT-In auditor | Perform independent Profile assessment and produce attestation package. |
12. KPIs and Metrics to Track
- Percentage of applicable diagnostic statements fully implemented, by function.
- Maturity index (mean level 0-5) per function and overall trend over time.
- Mean time to detect (MTTD) and mean time to respond/recover (MTTR) for incidents.
- MFA coverage of privileged and remote accounts; percentage of accounts recertified on schedule.
- Critical/high vulnerability remediation SLA adherence and open-vulnerability ageing.
- Percentage of critical third parties assessed within cycle; nth-party mapping completeness.
- Concentration-risk exposure to top providers and exit-plan readiness for critical services.
- Backup-restore and DR test success rate against RTO/RPO objectives.
- Phishing-simulation click and report rates; training completion percentage.
- Number of open high-risk gaps against risk appetite and their ageing.
13. Readiness Checklist
- Official CRI Profile workbook obtained and correct version confirmed.
- Impact-tier questionnaire completed and signed off by risk committee.
- Applicable jurisdictions identified and regulatory mappings/extensions enabled.
- Board-approved cyber risk appetite and cybersecurity policy suite in place.
- Asset inventory and data classification current and complete.
- MFA enforced on privileged, remote and internet-facing access.
- Encryption, key management and DLP operating per data classification.
- Patch and vulnerability management meeting defined SLAs.
- SIEM/EDR monitoring covers all critical assets with tuned use-cases.
- Incident-response plan tested via exercise within the last 12 months.
- Regulatory breach-notification runbooks and contact trees current.
- Backups tested for restore and integrity against RTO/RPO targets.
- Critical third parties risk-tiered, assessed and continuously monitored.
- Concentration risk analysed with documented exit/substitutability plans.
- Evidence repository indexed against each applicable diagnostic statement.
- Independent (internal audit or third-party) validation scheduled.
14. Common Gaps and Findings
- Impact tier set too low, under-scoping applicable diagnostic statements for a systemically important firm.
- Extend function treated superficially — nth-party dependencies and concentration risk unmapped.
- Risk appetite defined but not operationalised; no linkage between appetite breaches and remediation.
- MFA gaps on legacy systems, service accounts or third-party B2B connections.
- Asset and data inventories incomplete, undermining every downstream control.
- Detection coverage gaps: critical assets or SaaS not fed to SIEM; use-cases untuned.
- Incident-response plans exist on paper but are untested; regulatory-notification timelines undefined.
- Backups not tested for restore/integrity, or recovery objectives (RTO/RPO) unvalidated.
- Evidence not indexed to diagnostic statements, forcing re-work at each regulatory examination.
- No continuous-monitoring metrics between annual assessments, leaving control drift undetected.
- Third-party assurance relies solely on attestations (SOC 2) without independent validation.
- Governance oversight lacks quantified KRIs, so board reporting is qualitative and non-actionable.
15. CRI Profile Mapped to Other Frameworks
The Profile's core value is its extensive mapping. The table shows how its functions relate to major frameworks and regulations that firms also face.
| CRI Profile function | NIST CSF 2.0 | ISO/IEC 27001:2022 | Related financial-sector regulation |
|---|---|---|---|
| Govern (GV) | GOVERN | Clauses 4-6, 9-10; A.5 Organisational | NYDFS 500 governance & CISO; DORA ICT risk-management framework; G7 Fundamental Elements |
| Identify (ID) | IDENTIFY | A.5.9 asset inventory; risk assessment (Clause 6) | FFIEC IT Handbook; CPMI-IOSCO identification; DORA Article 8 asset mapping |
| Protect (PR) | PROTECT | A.5.15-A.5.18 access; A.8 technological | GLBA Safeguards Rule; NYDFS 500 access/encryption; PCI DSS overlaps |
| Detect (DE) | DETECT | A.8.15-A.8.16 logging & monitoring | DORA detection; FFIEC monitoring; MAS TRM monitoring |
| Respond (RS) | RESPOND | A.5.24-A.5.28 incident management | NYDFS 72-hour notice; DORA major-incident reporting; SEC 4-business-day disclosure |
| Recover (RC) | RECOVER | A.5.29-A.5.30 continuity & ICT readiness | CPMI-IOSCO 2-hour resumption for FMIs; PRA/FCA operational resilience |
| Extend (EX) | GV.SC / ID.AM third-party | A.5.19-A.5.23 supplier relationships | DORA critical-ICT-third-party oversight; OCC/FRB third-party guidance; EBA outsourcing |
Because each diagnostic statement carries these mappings, a firm completing the Profile once can generate targeted response packages for a NYDFS examination, a DORA assessment, an FFIEC review or an ISO 27001 audit without re-answering the underlying questions — the 'answer once, comply many' promise.
16. How CyberSigma Helps
Frequently asked questions
Need help with CRI Profile?
CERT-In empanelled, PCI QSA senior auditors can take you from reading about it to compliant — with a scoped, guided programme.
