Risk Analysis and Prioritisation (SP 800-30r1)

  • Use CVSS (v3.1) scores, exploitability, business impact, and threat intelligence to prioritise.

  • Integrate with a Risk Register (mapped to FCA expectations).

  • High-risk vulnerabilities: mitigation initiated within 24–72 hours.
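
The prioritisation rule in the bullets above, worked through as an added example (this is illustrative code, not the organisation's own tooling or an SP 800-30r1 artefact): each finding carries a CVSS v3.1 base score, an exploitability flag from threat intelligence, a business-impact rating and an exposure flag; the routine combines them into a composite score, assigns a risk tier and the mitigation-start window, and emits rows shaped for a risk register. The weights, the medium/low windows, and the sample findings are assumptions made for the example; only the 24–72 hour window for the high tier comes from the page.

```python
"""Added example: composite vulnerability risk scoring feeding a risk register.
Weights, thresholds and sample findings are assumptions for illustration."""
from dataclasses import dataclass


@dataclass
class Finding:
    finding_id: str          # constructed placeholder id, not a real CVE
    asset: str
    cvss_base: float         # CVSS v3.1 base score, 0.0 to 10.0
    exploit_available: bool  # threat intel: public exploit or active exploitation
    business_impact: str     # "low" | "medium" | "high" | "critical"
    internet_facing: bool    # exposure signal used alongside exploitability


# Assumed multipliers: business impact scales the technical severity.
IMPACT_WEIGHT = {"low": 0.6, "medium": 0.8, "high": 1.0, "critical": 1.2}

# Hours within which mitigation must be initiated per tier. The high tier
# reflects the policy's 24-72 hour window; medium and low are assumed values.
SLA_HOURS = {"high": 72, "medium": 240, "low": 720}


def risk_score(f: Finding) -> float:
    """CVSS base scaled by business impact, uplifted by exploit availability
    and internet exposure, capped at 10.0 and rounded to one decimal."""
    if not 0.0 <= f.cvss_base <= 10.0:
        raise ValueError(f"{f.finding_id}: CVSS base score out of range")
    score = f.cvss_base * IMPACT_WEIGHT[f.business_impact]
    if f.exploit_available:
        score += 2.0  # assumed uplift: known exploitation dominates prioritisation
    if f.internet_facing:
        score += 1.0  # assumed uplift for reachable attack surface
    return round(min(score, 10.0), 1)


def risk_tier(score: float) -> str:
    """Map the composite score onto the register's three tiers (assumed cut-offs)."""
    if score >= 7.0:
        return "high"
    if score >= 4.0:
        return "medium"
    return "low"


def prioritise(findings):
    """Return risk-register rows ordered highest risk first."""
    rows = []
    for f in findings:
        score = risk_score(f)
        tier = risk_tier(score)
        rows.append({
            "finding_id": f.finding_id,
            "asset": f.asset,
            "score": score,
            "tier": tier,
            "mitigate_within_hours": SLA_HOURS[tier],
        })
    rows.sort(key=lambda r: r["score"], reverse=True)
    return rows


# Constructed sample findings (not real data).
SAMPLE_FINDINGS = [
    Finding("FINDING-001", "payments-api", 9.8, True, "critical", True),
    Finding("FINDING-002", "internal-wiki", 7.5, False, "low", False),
    Finding("FINDING-003", "hr-portal", 5.3, True, "high", True),
    Finding("FINDING-004", "dev-sandbox", 3.1, False, "low", False),
]

if __name__ == "__main__":
    for row in prioritise(SAMPLE_FINDINGS):
        print(f"{row['finding_id']:12} {row['asset']:14} score={row['score']:4} "
              f"tier={row['tier']:6} mitigate within {row['mitigate_within_hours']}h")
```

Note that FINDING-003 (a medium CVSS base score) outranks FINDING-002 (a high base score) once exploitability, exposure and business impact are applied, which is exactly why the policy does not prioritise on CVSS alone.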

References:

SP 800-30r1 https://csrc.nist.gov/pubs/sp/800/30/r1/final

CVSS (v3.1) https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator

Financial Conduct Authority handbook on risk control https://www.handbook.fca.org.uk/handbook/SYSC/7/1.html
