In a recent Tandem "Ask Me Anything" webinar, one of the attendees asked, "What is the difference between an Information Security Risk Assessment (ISRA) and the Cybersecurity Assessment Tool (CAT)?" We receive this question occasionally, usually followed by: "Can I just complete the CAT?"

While these are two methods of assessing risk and improving the organization's security, the origins, intentions, and outputs of each of these assessments are unique and designed to serve different purposes. In this article, we'll look at both the similarities and differences between the ISRA and the CAT and explain how they can best be used in harmony with each other.

About Information Security Risk Assessments (ISRA)

An ISRA is the foundation of an information security program. The purpose of the assessment is to help the organization identify, measure, and control risks facing information and information systems.

Part of the reason financial institutions perform ISRAs is because it is required. The requirement stems from the Gramm-Leach-Bliley Act (GLBA) and the resulting Interagency Guidelines Establishing Information Security Standards, which expect financial institutions to do the following:

  1. Identify reasonably foreseeable internal and external threats that could result in unauthorized disclosure, misuse, alteration, or destruction of customer information or customer information systems.
  2. Assess the likelihood and potential damage of these threats, taking into consideration the sensitivity of customer information.
  3. Assess the sufficiency of policies, procedures, customer information systems, and other arrangements in place to control risks.

To learn more about how to conduct an ISRA, check out our blog: What is a GLBA Risk Assessment?

About the Cybersecurity Assessment Tool (CAT)

The CAT is an assessment tool, designed to help financial institutions "identify their risks and determine their cybersecurity preparedness." The CAT helps assess the maturity of an institution's cyber controls across five domains relative to the amount of risk carried by the institution's activities and environment.

According to the FFIEC, the CAT is "intended to complement, not replace, an institution's risk management process and cybersecurity program."

To learn more about the CAT, visit our blog: FFIEC Cybersecurity Assessment Tool: A New CAT.

The Similarities

There are some commonalities the ISRA and the CAT share. For example, both assessments can be used to determine things like technology risk factors, implemented controls, and ongoing improvement plans. Additionally, both assessments should be reported to the Board of Directors and senior management and updated on a regular basis. (Speaking of, if you've ever wondered how often you should update the CAT, you can read our full answer here.)

That said, this is about where the similarities begin and end. In other words, the ISRA and CAT have about as much in common as any two types of technical assessments. For example, you could substitute an audit risk assessment or even the NIST Cybersecurity Framework, and you'd still have the same list of similarities.

What this means is the ISRA and the CAT are not the same. They are not interchangeable, and they each bring distinct benefits to the table. As such, it is important to understand and be able to explain what the differences are between the two types of assessments.

The Differences

There are several differences between an ISRA and the CAT, such as the following.





A decision-making process

A fillable framework


Protecting customer information

Measuring cybersecurity preparedness


Internal and External Threats     

Cybersecurity Controls

Legally Required



Prescribed Format



Reviewed in Exams





No, the CAT contains 39 inherent risk and 494 maturity statements and is intended to be used on an enterprise-wide basis

Communicates to the Board

If customer information is adequately protected

If control maturity is appropriate in relation to risk

Dependent on External Sources


Yes, the FFIEC is responsible for maintenance of the CAT


In Summary

The ISRA and CAT are complimentary. While both exist to inform an organization about risks and controls, at the end of the day, the two exist for separate purposes and provide different insights into the organization's security environment.

For assistance with conducting an ISRA or to request access to a free online version of the FFIEC's CAT, check out Tandem. Tandem is a cybersecurity governance, risk management, and compliance (GRC) application, designed specifically to help financial institutions identify, measure, and control the risks facing their business.

Each of our products includes a friendly user interface, multi-user access, helpful notifications, and ready-to-use documents for you to share with your Board of Directors and senior management. Learn more about how we can help you with Tandem Risk Assessment and Tandem Cybersecurity.