Large U.S. Bank | Financial Services | 1,000+ | USA
A large U.S. regional bank with operations across retail banking, commercial lending, wealth management, and mortgage services. Historically, the bank managed cybersecurity compliance through a combination of the FFIEC Cybersecurity Assessment Tool (CAT) and Archer IRM workflows. As regulatory expectations shifted toward continuous cybersecurity maturity tracking and the bank faced increasing pressure to demonstrate ongoing GLBA Safeguards Rule compliance, the bank recognized the need for a more purpose-built, flexible solution to modernize its information security risk management (ISRM) program.
Challenge
Needed to migrate from FFIEC CAT to NIST CSF 2.0 and conduct cybersecurity self-assessments across multiple departments, replacing slow Archer IRM workflows. Also needed to establish documented, ongoing processes for GLBA Safeguards Rule compliance (risk assessment, vendor oversight, control testing, and board reporting).
Solution
Deployed Isora GRC to launch structured, department-level assessments, centralize evidence collection, and track cybersecurity maturity against NIST CSF 2.0 categories while simultaneously establishing repeatable workflows for GLBA compliance requirements.
Results
Improved cross-team collaboration, reduced manual tracking by over 40%, enabled CISO-led prioritization of security initiatives, built an active IT Risk Register to track and remediate security control gaps, and established documented GLBA compliance processes for risk assessment, vendor management, control testing, and board reporting.
The Challenge
The bank’s information security risk management efforts were historically centralized, relying on FFIEC CAT assessments and Archer IRM workflows managed primarily by the compliance and security teams. As regulatory expectations evolved, the bank faced multiple converging challenges.
First, they needed to extend risk assessments across every major business unit, not just at the enterprise level. Departments such as information security, private banking, community banking, commercial lending, and mortgage services all needed to actively participate. Coordinating input from IT staff, business unit leaders, and end users across the organization strained existing processes built for one-time assessments rather than ongoing collaboration.
Second, the bank needed to migrate from the FFIEC Cybersecurity Assessment Tool to a more flexible, risk-based framework: the NIST Cybersecurity Framework (CSF) 2.0. Their existing tools were not designed to support NIST CSF-aligned self-assessments at scale, nor to track control implementation and maturity across distributed teams.
Third, the bank needed to demonstrate ongoing compliance with the GLBA Safeguards Rule’s process requirements. GLBA demands more than annual documentation. It requires ongoing risk assessment processes (§314.4(b)), regular testing and monitoring (§314.4(d)(1)), systematic third-party risk management (§314.4(f)), and documented board reporting (§314.4(i)). The bank’s existing approach, built on static FFIEC CAT assessments and spreadsheet tracking, could not support these ongoing operational workflows.
Without a better platform, the bank risked falling behind regulatory expectations for both cybersecurity maturity and GLBA compliance.
“Trying to run cybersecurity assessments across dozens of departments with static templates was not sustainable. We needed a way to collect real input, without chasing people manually or losing oversight.”
IT GRC Manager, Large U.S. Bank
Why They Chose Isora GRC
The bank needed a platform purpose-built for operational cybersecurity risk management, not another bloated, legacy GRC system. Isora GRC offered a fast, structured way to deploy department-by-department self-assessments mapped to the NIST Cybersecurity Framework 2.0. Its flexible workflows made it easy to collect input from IT staff, business unit leaders, and end users without overwhelming participants or losing consistency.
Critically, the same assessment-driven approach that enabled NIST CSF 2.0 maturity tracking also solved the bank’s GLBA compliance challenges. By building recurring assessments, maintaining a connected risk register, centralizing vendor management, and automating reporting, the bank could meet GLBA’s ongoing process requirements without managing separate compliance workflows.
Unlike traditional GRC suites, Isora allowed the bank to maintain a clear line of sight across multiple teams, align control evaluations to NIST CSF functions, produce actionable reports for cybersecurity leadership and regulators, and demonstrate continuous GLBA compliance. Adoption was a critical factor: business units needed a platform simple enough to use independently, yet powerful enough to enforce structured, auditable cybersecurity assessments.
“We were not looking for another bloated GRC system. We needed a tool that could fit how we actually operate and give us clean, defensible data tied to NIST CSF maturity. Isora gave us that structure without the overhead.”
CISO, Large U.S. Bank
Implementation and Adoption
The bank deployed Isora GRC in phases, starting with core cybersecurity and information security risk teams. Within the first 60 days, they built custom self-assessments aligned to NIST Cybersecurity Framework 2.0 categories and functions. Each major business unit (including information security, private banking, community banking, commercial lending, and mortgage services) received tailored assessment templates structured around their unique operations and technology environments.
To ensure full organizational alignment, Isora GRC was configured to mirror the bank’s existing governance and reporting structure, which was maintained in their SAP LeanIX platform. Business units, ownership hierarchies, and application groupings defined in LeanIX were reflected in Isora’s workflows, enabling accurate assignment of assessments, risk ownership, and remediation responsibilities.
Isora’s intuitive interface made it easy for IT leads and department heads to complete self-assessments, submit evidence, and track progress without extensive training. Assessments were centrally reviewed by the cybersecurity risk team, enabling maturity scoring, identification of control gaps, and prioritization of remediation efforts.
In parallel, the bank established GLBA-specific workflows within the same platform. Vendor management was centralized in Isora’s inventory system, with scheduled reassessments to meet §314.4(f) requirements. Control testing workflows were standardized through recurring assessments. Board reporting dashboards were configured to pull directly from live assessment and risk data, satisfying §314.4(i) documentation requirements.
By creating a standardized, governance-aligned process across departments, the bank established a sustainable foundation for continuous cybersecurity maturity tracking and GLBA compliance without reverting to manual spreadsheets or ad hoc surveys.
“Mapping our existing governance model into Isora was a huge unlock. It let us launch assessments that matched our real reporting structure instead of forcing people into a compliance exercise that felt disconnected.”
IT GRC Manager, Large U.S. Bank
The Results
Within the first year of deploying Isora GRC, the bank achieved real-time visibility into cybersecurity maturity across all major business units. Department-specific self-assessments gave leadership clear, actionable insight into control gaps, risk ownership, and remediation timelines; none of this had been possible with static FFIEC CAT checklists or slow Archer workflows.
By aligning assessments with the NIST Cybersecurity Framework 2.0 and their governance structure from SAP LeanIX, the bank was able to centralize assessments, supporting evidence, and risk documentation in a single platform. This allowed the cybersecurity team to easily demonstrate ongoing security work and maturity progress to auditors and regulators without the need for scattered spreadsheets or manual evidence gathering.
Using Isora’s scoring and reporting capabilities, the security team identified specific NIST CSF domains where the organization was most deficient, enabling the CISO to prioritize initiatives strategically and drive targeted security improvements. Efficiency also improved significantly: launching, managing, and tracking assessments became faster and easier, and the team established an active IT Risk Register to track security control gaps and remediation status across the organization.
Simultaneously, the bank established documented GLBA compliance processes. Vendor oversight became systematic, with scheduled reassessments for service providers tracked in Isora’s inventory. Control testing evidence was centralized and easily retrievable for audits. Board reporting transformed from a manual quarterly ordeal into an automated process pulling live data from assessments and the risk register.
Overall, the bank reduced manual tracking and assessment preparation efforts by more than 40%, improved cross-department collaboration, and shifted its cybersecurity risk management program from a static compliance exercise to a dynamic, continuous improvement model aligned to regulatory expectations for both NIST CSF maturity and GLBA compliance.
“For the first time, we can see where we are strong and where we have real gaps, and that is coming from business units themselves, not just the security team. That visibility changed how we prioritize and justify cybersecurity investments.”
CISO, Large U.S. Bank
Looking Forward
Building on the success of its initial deployment, the bank is expanding its use of Isora GRC to deepen cybersecurity governance and risk management efforts across the organization. Current initiatives include rolling out self-assessments to additional business units and subsidiaries, conducting follow-up assessments to measure improvements in cybersecurity maturity, and working directly with individual departments to develop targeted risk management plans.
The bank is also launching asset-based assessments against critical applications to strengthen visibility into system-level risks and control effectiveness. In parallel, the team is leveraging Isora to manage its Third-Party Security Risk Management (TPSRM) program, centralizing vendor assessments, tracking external risks, and ensuring that third-party relationships meet internal cybersecurity standards and GLBA requirements.
With a centralized, flexible platform supporting both internal and third-party risk activities, the bank is building a sustainable, scalable cybersecurity risk management program aligned to evolving regulatory expectations and operational resilience goals.
“Now we are building asset-based assessments and third-party reviews on the same foundation. We finally have a repeatable, operational model for cybersecurity risk management instead of starting from scratch every year.”
IT GRC Manager, Large U.S. Bank