
Using the CRI Profile: Complete Guide for Banks and Credit Unions

SaltyCloud Research Team

Updated Jun 23, 2025 · Read time: 13 min

As the FFIEC CAT phases out, financial institutions are shifting to more modern cybersecurity frameworks, particularly the CRI Profile. Developed by the Cyber Risk Institute with input from regulators and industry leaders, the Profile provides a unified structure for managing cybersecurity compliance. It aligns directly with supervisory expectations and helps banks, credit unions, and service providers streamline assessments, reduce redundancy, and maintain clarity across internal teams and third-party relationships.

The CRI Profile is built on established, widely adopted standards rather than starting from scratch. Its structure draws from the NIST Cybersecurity Framework (CSF), ISO/IEC 27001/2 controls, CPMI-IOSCO principles, and the FFIEC Cybersecurity Assessment Tool (CAT), among others. This ensures alignment with both global cybersecurity standards and sector-specific supervisory expectations.

The same approach shaped the Profile’s 318 diagnostic statements and its impact tiering methodology, which is based on existing criteria for financial sector criticality. Where clear, non-redundant supervisory language already existed, it was incorporated directly. In cases of overlap or duplication, the Profile uses the simplest and most widely accepted phrasing to streamline the assessment process.

In this guide, you’ll learn what the CRI Profile is, how it’s structured, and how to use it effectively. That includes determining your institution’s impact tier, completing the CRI Profile assessment, and aligning with global cybersecurity standards. You’ll also see how the Profile supports efforts to streamline audits, reduce compliance overhead, and improve coordination across cybersecurity, compliance, audit, and vendor risk functions.

Let’s dive in!

What is the CRI Profile?

According to the Cyber Risk Institute, “The CRI Profile is a cybersecurity framework developed by and for the financial sector based on globally recognized standards. It connects the dots between cyber best practices and expectations from all over the world.”

In practice, the Profile is a structured assessment and risk management tool designed for how financial institutions operate. Built through public-private collaboration, it helps banks, credit unions, and service providers manage cyber risk, meet regulatory expectations, and strengthen operational resilience.

The Profile condenses more than 2,500 global financial regulations, supervisory guidelines, and cybersecurity standards into 318 diagnostic statements. These draw from sources such as the NIST Cybersecurity Framework, ISO/IEC 27001/2, and the FFIEC Cybersecurity Assessment Tool. The result is a guided self-assessment process that helps institutions evaluate cybersecurity controls, third-party risks, and alignment with regulatory expectations.

The CRI Profile supports a wide range of use cases, including internal assessments, vendor risk reviews, and supervisory conversations. It is regularly updated to reflect changes in laws and expectations, offering a consistent and scalable approach to cybersecurity and compliance across the financial sector.


Why is the CRI Profile Important for Financial Institutions?

Cybersecurity in the financial sector is not just technical. It is regulatory, operational, and reputational. The CRI Profile matters because it was purpose-built for this environment. Developed with input from over 300 financial professionals across banks, credit unions, insurers, and regulatory bodies, the Profile reflects how institutions actually manage cyber risk in practice.

Its structure supports organizations at every level, from cybersecurity teams to boards and examiners. It brings plain language to complex requirements, connects risk management with executive oversight, and improves how institutions prioritize and allocate resources. For teams managing vendor risk, audit preparation, or regulatory exams, the Profile simplifies collaboration and creates consistency across roles and functions.

It also enhances how regulators supervise cybersecurity. The shared structure allows for more focused examinations, reduces redundant requests, and improves visibility into risks across institutions and sectors. The result is a more efficient, predictable, and scalable approach to managing cyber risk in financial services.

In short, the CRI Profile helps financial institutions:

  • Operate from a shared cybersecurity framework built for the financial sector
  • Improve coordination across internal teams, vendors, and regulators
  • Strengthen executive and board-level visibility into cybersecurity priorities
  • Streamline exam preparation and reduce duplicate compliance efforts
  • Focus resources on high-impact risks and security controls

The Profile improves regulator oversight by aligning expectations across institutions. Examiners can conduct more focused reviews, reduce duplicate requests, and gain better visibility into sector-wide cyber risks.

What Does the CRI Profile Consist of?

The CRI Profile is a structured cybersecurity and resilience framework that includes 318 diagnostic statements, each designed to assess the presence, maturity, and effectiveness of specific controls within a financial institution. These statements are organized around seven core Functions, which collectively represent the operational and regulatory domains relevant to cybersecurity in the financial sector:

  • Govern: Organizational oversight, policy development, governance structure, and risk management strategy
  • Identify: Risk assessments, asset management, and visibility into internal and external threats
  • Protect: Access control, encryption standards, secure configurations, data protection, and endpoint security
  • Detect: Threat detection, monitoring systems, and anomaly identification
  • Respond: Incident response plans, communications protocols, and forensic readiness
  • Recover: Business continuity, disaster recovery planning, and restoration processes
  • Extend: Third-party oversight, contract management, supply chain risk, and vendor control assessments

Each function is further divided into Categories and Subcategories, creating a hierarchy that supports detailed, risk-aligned evaluation. The diagnostic statements are mapped to impact tiers, with Tier 1 institutions (those most critical to the financial system) expected to respond to all 318 statements. Smaller institutions in Tiers 2 through 4 complete a reduced number based on their systemic importance.

Version 2.0 of the Profile also includes several technical enhancements:

  • Subject tagging for over 100 topics such as encryption, asset lifecycle management, secure SDLC, and insider threat
  • Simplified response fields that guide users in documenting control status, rationale, and supporting evidence
  • Response summaries that visualize assessment results by Function, Category, and Subcategory
  • Mappings to global regulatory frameworks, including FFIEC handbooks, GLBA Safeguards Rule, MAS TRM, and NIST CSF 2.0

Institutions use the Profile alongside the official Guidebook, which provides interpretive guidance for each diagnostic statement, examples of effective evidence, and recommendations for examiner engagement. This structure supports a range of use cases including internal assessments, regulatory reviews, third-party oversight, and crosswalks with existing compliance frameworks.

How to Use the CRI Profile Per the Official Profile Guidebook

Determine Your Impact Tier

Before starting the assessment, each institution must define its Impact Tier. This tier determines which diagnostic statements apply to your organization and ensures that the level of cybersecurity rigor scales appropriately with your systemic importance.

Why It Matters:

  • Tailored workload: Higher-tier institutions complete more diagnostic statements. Tier 1 completes all 318, while Tier 4 addresses a reduced set (208).
  • Regulatory alignment: Examiners expect different levels of preparedness based on your tier. This helps them focus reviews and tailor oversight.
  • Risk-based resource use: Smaller institutions avoid over-scoping, while larger ones address a broader range of controls and threats.

How to Use It:

  1. Complete the Impact Tiering Questionnaire:
    The Profile Guidebook includes a 9-question form that evaluates your institution’s criticality based on:
    • Size and scope of operations
    • Number of customers or accounts served
    • Role in sector-wide financial stability
    • Reliance on and exposure to third-party services
    • Cross-border operations and systemic dependencies
  2. Score the Questionnaire:
    Your answers will place your organization into one of four tiers:
    • Tier 1: Systemically important financial institutions (national/global impact)
    • Tier 2: Large institutions with significant regional or subnational presence
    • Tier 3: Sector-critical service providers or infrastructure nodes
    • Tier 4: Local or smaller institutions, often serving fewer than one million customers
  3. Apply Your Tier to the Profile Workbook:
    Once your tier is established, use it to filter which diagnostic statements your team must assess. This scoped view ensures you’re focusing effort where it matters, based on your institutional role and regulatory expectations.

Conduct the Diagnostic Assessment

The diagnostic assessment, also known as a self-assessment or IT security risk assessment, is the core of how institutions use the CRI Profile. It involves a structured, control-by-control evaluation of your cybersecurity, resilience, and compliance practices based on the diagnostic statements assigned to your Impact Tier.

For each statement, teams select one of the following response options:

  • Yes – The control is fully implemented
  • No – The control is not implemented
  • Partial – The control is partially implemented
  • Not Applicable – The control is not relevant based on scope
  • Yes – Risk Based – The control is implemented based on a defined risk decision
  • Yes – Compensating Control – A different but equivalent control is in place
  • Not Tested – The control is believed to be in place but has not been verified
  • I Don’t Know – The control status is unclear and requires further investigation
  • To Be Assessed – The control has not yet been reviewed

Each response must reflect actual implementation and be backed by evidence. This might include policy documents, audit findings, control test results, logs from monitoring systems, vendor assessments, or risk registers. The goal is to provide a defensible and consistent view of how your institution meets specific cybersecurity expectations.

This process requires collaboration across cybersecurity, risk, compliance, audit, and business units. Institutions must coordinate input, track ownership, and ensure evidence is current and accessible. Attempting to manage hundreds of statements manually through spreadsheets or email quickly becomes unsustainable.

💡 To streamline this work, many institutions adopt purpose-built compliance platforms. A GRC Assessment Platform like Isora GRC supports structured workflows for conducting self-assessments, managing evidence, tracking status, and preparing audit-ready reports. The right system helps reduce manual coordination and makes the self-assessment repeatable and actionable over time.


Analyze and Remediate Gaps

After completing the diagnostic assessment, the next step is to review the results and address any control gaps. This is where teams move from assessment to action by connecting findings to your institution’s risk management processes.

Review Assessment Results

Use the Profile’s summary tools to analyze responses across all functions and categories. Focus on any statements marked as Partial, Not Tested, To Be Assessed, or I Don’t Know. These typically indicate missing controls, unclear responsibilities, or incomplete implementation.

Prioritize Based on Risk

Not every gap carries the same weight. Map each issue to your risk management framework and prioritize based on potential impact, likelihood, and relevance to regulatory expectations. Controls that relate to core services, sensitive data, or third-party exposure should rise to the top of your remediation plan.

Track Unresolved Risks

Gaps that cannot be addressed immediately should be recorded as part of your formal risk process. This includes:

  • Logging a risk exception or acceptance decision
  • Assigning ownership and review dates
  • Describing mitigation steps and rationale

Use a centralized IT security risk register to ensure these items are not lost. A well-maintained register helps leadership track progress, supports internal audits, and shows regulators that your institution is actively managing open risks.

Validate and Close

Remediation should not stop at documentation. Whether you update a process, implement a new tool, or retrain staff, the change should be validated with evidence. Close the loop by confirming that the control now meets the expectations outlined in the diagnostic statement.
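To show how the steps above fit together (scoping statements to an Impact Tier, recording one of the Guidebook's response options per statement, checking that "Yes"-type answers carry evidence, summarizing by Function, and pushing unresolved items into a risk register), here is a small Python model of an assessment workbook. It is an added illustration, not code from the original guide, the Cyber Risk Institute, or Isora GRC. The statement ids, tier applicability, subject tags, sample responses, and the rule that an institution at Tier t answers every statement whose applicability extends down to tier t are all constructed assumptions; the real Profile workbook defines which statements apply to which tier.

```python
"""Constructed model of a CRI Profile-style assessment workbook (added example)."""
from dataclasses import dataclass
from collections import Counter
from datetime import date

# Response options as enumerated in the Guidebook section above (en dashes written as hyphens).
RESPONSE_OPTIONS = {
    "Yes", "No", "Partial", "Not Applicable", "Yes - Risk Based",
    "Yes - Compensating Control", "Not Tested", "I Don't Know", "To Be Assessed",
}
CONTROL_GAPS = {"No", "Partial"}                             # control absent or only partly in place
UNVERIFIED = {"Not Tested", "I Don't Know", "To Be Assessed"}  # status itself is unknown
IMPLEMENTED = {"Yes", "Yes - Risk Based", "Yes - Compensating Control"}  # must be evidenced
# Subject tags that push a gap to the top of the remediation plan (core services,
# sensitive data, third-party exposure). Tag names are constructed.
HIGH_PRIORITY_TAGS = {"core-service", "sensitive-data", "third-party"}


@dataclass(frozen=True)
class Statement:
    sid: str                       # constructed placeholder id, not a real CRI statement id
    function: str                  # one of the seven Functions
    max_tier: int                  # assumption: highest tier number that must still answer it
    tags: frozenset = frozenset()  # constructed subject tags


@dataclass
class Response:
    sid: str
    status: str
    owner: str = ""
    evidence: tuple = ()           # file names or references backing the answer


def scope_statements(statements, tier):
    """Statements an institution at the given Impact Tier must answer (Tier 1 answers all)."""
    if tier not in (1, 2, 3, 4):
        raise ValueError(f"Impact Tier must be 1-4, got {tier}")
    return [s for s in statements if tier <= s.max_tier]


def validate_responses(scoped, responses):
    """Data-quality problems to fix before analysing results: missing answers, unknown
    options, implemented-claims without evidence, and statements with no owner."""
    problems = []
    by_sid = {r.sid: r for r in responses}
    for s in scoped:
        r = by_sid.get(s.sid)
        if r is None:
            problems.append(f"{s.sid}: no response recorded")
            continue
        if r.status not in RESPONSE_OPTIONS:
            problems.append(f"{s.sid}: unknown response '{r.status}'")
        elif r.status in IMPLEMENTED and not r.evidence:
            problems.append(f"{s.sid}: '{r.status}' without supporting evidence")
        if not r.owner:
            problems.append(f"{s.sid}: no owner assigned")
    return problems


def summarize_by_function(scoped, responses):
    """Response counts per Function, the view the Profile's response summaries give."""
    by_sid = {r.sid: r for r in responses}
    summary = {}
    for s in scoped:
        status = by_sid[s.sid].status if s.sid in by_sid else "To Be Assessed"
        summary.setdefault(s.function, Counter())[status] += 1
    return summary


def gap_list(scoped, responses):
    """Statements needing remediation or follow-up: known gaps before unverified ones,
    high-priority tags first, then by id for stable output."""
    by_sid = {r.sid: r for r in responses}
    gaps = []
    for s in scoped:
        status = by_sid[s.sid].status if s.sid in by_sid else "To Be Assessed"
        if status in CONTROL_GAPS or status in UNVERIFIED:
            kind = "gap" if status in CONTROL_GAPS else "unverified"
            gaps.append((s.sid, s.function, status, kind, bool(s.tags & HIGH_PRIORITY_TAGS)))
    return sorted(gaps, key=lambda g: (g[3] != "gap", not g[4], g[0]))


def risk_register_entry(gap, owner, review_date, decision, mitigation):
    """Record a gap that cannot be closed immediately, with the fields the guide lists:
    exception/acceptance decision, owner, review date, mitigation steps and rationale."""
    if decision not in ("exception", "accepted", "remediating"):
        raise ValueError("decision must be exception, accepted or remediating")
    sid, function, status, _kind, high = gap
    return {"statement": sid, "function": function, "finding": status,
            "decision": decision, "owner": owner, "review_date": review_date.isoformat(),
            "mitigation": mitigation, "priority": "high" if high else "normal"}


# Constructed sample workbook: ids, tiers, tags and answers are made up for illustration.
SAMPLE_STATEMENTS = [
    Statement("STMT-001", "Govern", 4),
    Statement("STMT-002", "Protect", 4, frozenset({"sensitive-data"})),
    Statement("STMT-003", "Protect", 2, frozenset({"core-service"})),  # Tiers 1-2 only
    Statement("STMT-004", "Detect", 4),
    Statement("STMT-005", "Extend", 3, frozenset({"third-party"})),    # Tiers 1-3
]
SAMPLE_RESPONSES = [
    Response("STMT-001", "Yes", "CISO", ("policy-v3.pdf",)),
    Response("STMT-002", "Partial", "Security Eng", ("kms-config-export.json",)),
    Response("STMT-004", "Not Tested", "SOC"),
    Response("STMT-005", "Yes - Compensating Control", "Vendor Risk"),  # no evidence attached
]

if __name__ == "__main__":
    scoped = scope_statements(SAMPLE_STATEMENTS, tier=3)
    print("problems:", validate_responses(scoped, SAMPLE_RESPONSES))
    print("summary:", summarize_by_function(scoped, SAMPLE_RESPONSES))
    for g in gap_list(scoped, SAMPLE_RESPONSES):
        print("gap:", g)
```

Run as a script, the block scopes the constructed workbook for a Tier 3 institution, reports that the compensating-control answer lacks evidence, prints the per-Function summary, and lists the "Partial" sensitive-data control ahead of the untested detection control. The `validate_responses` pass is deliberately separate from `gap_list`: an assessment whose "Yes" answers are not evidenced is not yet analysable, which is the page's point about defensible responses.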

Streamline Implementation with Tools and Automation

Managing over 200 diagnostic statements manually is not only inefficient but also increases the likelihood of missed deadlines, inconsistent documentation, and disconnected remediation efforts. The CRI Profile Guidebook recommends several ways to streamline the assessment process across teams and business units.

To support efficient implementation:

  • Use secure platforms to manage assessment workflows, evidence collection, and framework crosswalks
  • Establish consistent review processes across cybersecurity, compliance, audit, legal, and business functions
  • Automate recurring tasks such as control retesting, documentation updates, and remediation tracking
  • Integrate dashboards and reporting tools to support executive visibility and regulatory oversight

Without the right tooling, institutions risk spending too much time coordinating basic tasks instead of improving controls. Spreadsheets and manual tracking do not scale when assessments become recurring, cross-functional, or subject to examiner review.

💡 Using GRC software purpose-built for information security teams can close this gap. Platforms like Isora GRC are designed to mirror how cybersecurity and risk teams operate in real institutions. They provide structured workflows for assigning tasks, maintaining evidence, tracking progress, and preparing for audits.

Outcomes for Information Security Teams

Using the CRI Profile helps banks and credit unions improve their cybersecurity and compliance efforts. Key benefits include:

  • Align cybersecurity programs with the NIST Cybersecurity Framework and financial regulations.
  • Simplify assessments by using one set of controls across multiple frameworks.
  • Show strong risk management and ownership to regulatory bodies and examiners.
  • Build a repeatable, business-focused information security risk management program that supports growth.
  • Improve third-party risk management for banks to secure the supply chain.
  • Protect financial information and sensitive data effectively.
  • Enhance readiness for audits and reduce compliance workload.
  • Support ongoing improvement in cyber risk and security for financial institutions.

This approach helps financial institutions manage risks through structured IT security risk assessment processes, stay compliant, and protect both the overall financial system and consumers.

How Isora GRC Supports CRI Profile Execution

Isora GRC helps financial institutions manage the full lifecycle of the CRI Profile by turning complex assessment and risk processes into structured, collaborative workflows. Built specifically for cybersecurity and compliance teams, Isora supports CRI Profile execution across internal teams, third-party vendors, and regulatory needs.

Here is how Isora enables efficient, scalable CRI Profile management:

Launch and Manage the Self-Assessment

  • Deploy CRI Profile-aligned questionnaires across departments, business units, or vendors
  • Customize assessments based on your institution’s impact tier
  • Monitor response rates, ownership, and completion in real time

Collect Evidence and Standardize Responses

  • Allow users to attach evidence directly to each diagnostic statement
  • Use predefined response types to enforce consistent scoring
  • Provide context, help text, and response keys to reduce confusion

Track Progress and Identify Gaps

  • Visualize assessment progress across all CRI functions and categories
  • Highlight incomplete responses, unassigned questions, or missing documentation
  • Flag partial or unclear answers for follow-up review

Link to Inventory and Risk Registers

  • Associate control responses with relevant IT assets, applications, and vendors
  • Push identified gaps into Isora’s integrated risk register for remediation tracking
  • Log and manage policy exceptions in a structured exception register

Automate Reporting and Framework Alignment

  • Generate audit-ready reports with supporting evidence and response summaries
  • Map CRI Profile results to frameworks such as NIST CSF, ISO 27001, and GLBA
  • Maintain historical versions for future exams or reassessments

By using Isora GRC, institutions reduce manual effort, improve accuracy, and create a repeatable process for CRI Profile assessments that scales with organizational complexity.


Using the CRI Profile: Complete Guide for Banks and Credit Unions FAQs

What is the CRI Profile for banks?

The CRI Profile is a cybersecurity compliance framework built for financial institutions. Developed by the Cyber Risk Institute, it helps banks and credit unions align cyber controls with frameworks and regulations such as NIST CSF and GLBA while simplifying audits and risk management.

How do banks use the CRI Profile for compliance?

Banks use the CRI Profile to assess cybersecurity maturity, prioritize risks, and streamline third-party oversight. It enables consistent evaluations across teams and regulatory audits.

Why is financial regulatory compliance important for cybersecurity?

It ensures banks follow standards that protect consumer data and financial systems. Using frameworks like CRI Profile and NIST CSF helps meet legal and supervisory requirements.

How does the CRI Profile compare to FFIEC CAT?

The CRI Profile replaces the FFIEC CAT with a modern, scalable approach. It reduces assessment duplication and maps to frameworks such as NIST CSF and GLBA for regulatory alignment.

What tools support CRI Profile implementation?

Tools like Isora GRC support CRI Profile execution by managing self-assessments, evidence, gap tracking, and reporting. They streamline compliance across teams and third parties.

How does the CRI Profile align with NIST CSF and GLBA?

The CRI Profile maps directly to NIST CSF and GLBA, helping financial institutions manage cyber risk and data protection while meeting federal and industry-specific requirements.
