
Risk Management Framework Guide

Last updated on Sep 25, 2025

1. Purpose of this Guide

This artefact demonstrates that your company has a structured method for assessing risks, especially those arising from End-of-Support (EOS) assets. Cyber Essentials requires it because software and hardware that no longer receive vendor patches are a prime target for attackers: any newly disclosed vulnerability in them will never be fixed. A Risk Management Framework (RMF) shows you have thought through those risks and decided on safeguards or mitigations rather than simply continuing to run the asset.


2. What You Will Submit

You will need:

  • A documented Risk Management Framework (based on StrongKeep’s template or your own).

  • It should include:

    • Identification of risks (technical, operational, compliance).

    • Assessment of likelihood and impact.

    • Risk treatment options (accept, mitigate, transfer, or retire the asset; retiring is the EOS-specific form of avoiding the risk).

    • Monitoring and review cycle.

    • Specific section for End-of-Support assets and how they are managed.


3. How to Collect / Obtain / Generate This Evidence

For StrongKeep Customers (recommended):

  1. Log into StrongKeep Dashboard → Evidence Library → Templates.

  2. Download the Risk Management Framework Template.

  3. Fill in:

    • Company name and date.

    • Known EOS assets (e.g., Windows Server versions past extended support, routers or firewalls with no further firmware updates, applications the vendor no longer maintains).

    • Risks identified (e.g., unpatched vulnerabilities, data leaks).

    • Mitigations (e.g., network isolation, compensating controls, a dated plan to retire the asset).

  4. Save as PDF/DOCX.

If creating your own RMF:

  1. Base it on NIST (SP 800-30 for risk assessment, SP 800-37 for the Risk Management Framework) or ISO/IEC 27005 risk management structures.

  2. Include:

    • Risk Register: list of identified risks.

    • Scoring Matrix: impact × likelihood, with the scale defined (e.g., 1–5 for each) and the score thresholds for each risk band (Low/Medium/High/Critical) written down.

    • Treatment Plan: actions, owner, timeline.

  3. Have management review and approve it, and record the approval (signature or sign-off date).

  4. Export as PDF.


4. Evidence Format

  • Accepted file types: DOCX, PDF, XLSX (if risk register is in spreadsheet).

  • Suggested naming format:
    YourCompanyName_RiskManagementFramework_YYYY-MM-DD.pdf
    Example: AcmeCorp_RiskManagementFramework_2025-07-01.pdf


5. What “Good” Looks Like

  • Framework clearly documents process + responsibilities.

  • Risks are scored, prioritised, and assigned to owners.

  • EOS assets explicitly considered with mitigation actions.

  • Shows the review cycle (e.g., quarterly) and what triggers an out-of-cycle review, such as a vendor announcing an end-of-support date.

Why it matters: auditors want evidence you’re not blindly using outdated kit but making informed, risk-based decisions.
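To make the “Risk Register + Scoring Matrix + Treatment Plan” structure from section 3 and the “scored, prioritised, assigned to owners, EOS explicitly considered, review cycle shown” criteria above concrete, here is an added example of a small register scorer and self-check. It is not StrongKeep’s template or tooling and not part of this guide; the CSV rows are constructed sample data, and the 1–5 scale, the band thresholds and the column names are assumptions you would replace with your own framework’s definitions.

```python
"""
Added example (not StrongKeep's template or tooling): score a risk register as
impact x likelihood, rank and band the risks, and flag the gaps an assessor
would raise: missing owner, missing treatment decision, overdue review, and
End-of-Support (EOS) assets that were merely "accepted" with no mitigation,
transfer or retirement plan. Sample register, scale and thresholds are assumed.
"""
import csv
import io
from datetime import date

# Constructed sample register. Columns follow the guide's structure: the risk,
# the asset, whether it is EOS, likelihood and impact on an assumed 1-5 scale,
# the treatment decision, the owner and the next review date.
SAMPLE_REGISTER = """\
id,risk,asset,eos,likelihood,impact,treatment,owner,next_review
R1,Unpatched RCE on file server,WIN2008-FS01,yes,4,5,mitigate: VLAN isolation + host firewall,IT Lead,2025-12-01
R2,Credential leak via legacy VPN,OLD-VPN-GW,yes,3,4,,,2025-06-01
R3,Phishing leads to mailbox compromise,M365,no,4,3,mitigate: MFA + awareness training,Security,2025-11-15
R4,Laptop lost with unencrypted disk,Fleet laptops,no,2,4,mitigate: full-disk encryption,IT Lead,2026-01-10
R5,Vendor SaaS outage,Payroll SaaS,no,2,2,accept,Finance,2026-03-01
R6,Legacy HMI on unsupported OS,HMI-02,yes,3,5,accept,Ops,2026-02-01
"""

# Assumed band thresholds on the 1-25 score (score >= floor -> band).
BANDS = [(20, "Critical"), (12, "High"), (6, "Medium"), (0, "Low")]

# Treatments that count as an explicit decision about an EOS asset.
EOS_ACCEPTABLE_TREATMENTS = ("mitigate", "transfer", "retire")


def band(score: int) -> str:
    """Map a score to its band using the assumed thresholds."""
    for floor, name in BANDS:
        if score >= floor:
            return name
    return "Low"


def load_register(text: str) -> list[dict]:
    """Parse the CSV register, validate the scale and attach score and band."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        likelihood, impact = int(row["likelihood"]), int(row["impact"])
        if not (1 <= likelihood <= 5 and 1 <= impact <= 5):
            raise ValueError(f"{row['id']}: likelihood and impact must be 1-5")
        row["score"] = likelihood * impact
        row["band"] = band(row["score"])
        row["eos"] = row["eos"].strip().lower() == "yes"
        rows.append(row)
    return rows


def prioritise(rows: list[dict]) -> list[str]:
    """Risk IDs from highest to lowest score; ties broken by impact, then id."""
    ordered = sorted(rows, key=lambda r: (-r["score"], -int(r["impact"]), r["id"]))
    return [r["id"] for r in ordered]


def check_register(rows: list[dict], today: str) -> list[str]:
    """Return the findings an assessor would raise against the register.

    `today` is an ISO date string so the check is reproducible in a review."""
    today_d = date.fromisoformat(today)
    findings = []
    for r in rows:
        treatment = r["treatment"].strip().lower()
        if not r["owner"].strip():
            findings.append(f"{r['id']}: no owner assigned")
        if not treatment:
            findings.append(f"{r['id']}: no treatment decision recorded")
        elif r["eos"] and not treatment.startswith(EOS_ACCEPTABLE_TREATMENTS):
            findings.append(f"{r['id']}: EOS asset {r['asset']} needs an explicit "
                            f"mitigation, transfer or retirement plan, not bare acceptance")
        if date.fromisoformat(r["next_review"]) < today_d:
            findings.append(f"{r['id']}: review overdue (due {r['next_review']})")
    return findings


if __name__ == "__main__":
    register = load_register(SAMPLE_REGISTER)
    by_id = {r["id"]: r for r in register}
    for rid in prioritise(register):
        r = by_id[rid]
        print(f"{rid} {r['band']:8} score={r['score']:2} eos={r['eos']!s:5} {r['risk']}")
    for finding in check_register(register, "2025-09-25"):
        print("FINDING:", finding)
```

Run it as-is to see the sample register ranked (R1 Critical first) and the findings: R2 has no owner, no treatment and an overdue review, and R6 is an EOS asset that was merely accepted. Both would draw an assessor’s attention for exactly the reasons listed under “What Good Looks Like”; the same checks, run against your own exported register before each review cycle, tell you whether the document is ready to submit.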


6. Tips

  • Keep the framework simple but structured — one doc with a clear matrix.

  • Link it to your Risk Register Form (another artefact) for full coverage.

  • Update whenever new assets are added, old ones are retired, or a vendor announces an end-of-support date for something you run.