
Large U.S. Bank: Replacing FFIEC CAT with NIST CSF 2.0 Assessments

The customer is a large U.S. regional bank with operations across retail banking, commercial lending, wealth management, and mortgage services. Historically, the bank managed cybersecurity compliance through a combination of the FFIEC Cybersecurity Assessment Tool (CAT) and Archer IRM workflows. As regulatory expectations shifted toward continuous cybersecurity maturity tracking, the bank recognized the need for a more purpose-built, flexible solution to modernize its information security risk management (ISRM) program.

TL;DR

Challenge
Needed to migrate from FFIEC CAT to NIST CSF 2.0 and conduct cybersecurity self-assessments across multiple departments, replacing slow Archer IRM workflows.

Solution
Deployed Isora GRC to launch structured, department-level assessments, centralize evidence collection, and track cybersecurity maturity against NIST CSF 2.0 categories.

Results
Improved cross-team collaboration, reduced manual tracking by over 40%, enabled CISO-led prioritization of security initiatives, and built an active IT Risk Register to track and remediate security control gaps.

The Challenge

The bank’s information security risk management efforts were historically centralized, relying on FFIEC CAT assessments and Archer IRM workflows managed primarily by the compliance and security teams. As regulatory expectations evolved, the bank faced two major challenges. First, it needed to extend risk assessments across every major business unit, not just at the enterprise level. Departments such as information security, private banking, community banking, commercial lending, and mortgage services all needed to participate actively. Coordinating input from IT staff, business unit leaders, and end users across the organization strained existing processes that had been built for one-time assessments rather than ongoing collaboration.

Second, the bank needed to migrate from the FFIEC Cybersecurity Assessment Tool to a more flexible, risk-based framework: the NIST Cybersecurity Framework (CSF) 2.0. Their existing tools were not designed to support NIST CSF-aligned self-assessments at scale, nor to track control implementation and maturity across distributed teams. Without a better platform, the bank risked falling behind regulatory expectations for cybersecurity maturity and continuous risk management.

“Trying to run cybersecurity assessments across dozens of departments with static templates was not sustainable. We needed a way to collect real input, without chasing people manually or losing oversight.”
IT GRC Manager, Large U.S. Bank

Why They Chose Isora GRC

The bank needed a platform purpose-built for operational cybersecurity risk management, not another bloated, legacy GRC system. Isora GRC offered a fast, structured way to deploy department-by-department self-assessments mapped to the NIST Cybersecurity Framework 2.0. Its flexible workflows made it easy to collect input from IT staff, business unit leaders, and end users without overwhelming participants or losing consistency.

Unlike traditional GRC suites, Isora allowed the bank to maintain a clear line of sight across multiple teams, align control evaluations to NIST CSF functions, and produce actionable reports for cybersecurity leadership and regulators. Adoption was a critical factor: business units needed a platform simple enough to use independently, yet powerful enough to enforce structured, auditable cybersecurity assessments.

“We were not looking for another bloated GRC system. We needed a tool that could fit how we actually operate and give us clean, defensible data tied to NIST CSF maturity. Isora gave us that structure without the overhead.”
CISO, Large U.S. Bank

Implementation and Adoption

The bank deployed Isora GRC in phases, starting with core cybersecurity and information security risk teams. Within the first 60 days, they built custom self-assessments aligned to NIST Cybersecurity Framework 2.0 categories and functions. Each major business unit—including information security, private banking, community banking, commercial lending, and mortgage services—received tailored assessment templates structured around their unique operations and technology environments.

To ensure full organizational alignment, Isora GRC was configured to mirror the bank’s existing governance and reporting structure, which was maintained in their SAP LeanIX platform. Business units, ownership hierarchies, and application groupings defined in LeanIX were reflected in Isora’s workflows, enabling accurate assignment of assessments, risk ownership, and remediation responsibilities.

Isora’s intuitive interface made it easy for IT leads and department heads to complete self-assessments, submit evidence, and track progress without extensive training. Assessments were centrally reviewed by the cybersecurity risk team, enabling maturity scoring, identification of control gaps, and prioritization of remediation efforts. By creating a standardized, governance-aligned process across departments, the bank established a sustainable foundation for continuous cybersecurity maturity tracking without reverting to manual spreadsheets or ad hoc surveys.

“Mapping our existing governance model into Isora was a huge unlock. It let us launch assessments that matched our real reporting structure instead of forcing people into a compliance exercise that felt disconnected.”
IT GRC Manager, Large U.S. Bank

The Results

Within the first year of deploying Isora GRC, the bank achieved real-time visibility into cybersecurity maturity across all major business units. Department-specific self-assessments provided leadership with clear, actionable insights into control gaps, risk ownership, and remediation timelines—something that had not been possible with static FFIEC CAT checklists or slow Archer workflows.

By aligning assessments with the NIST Cybersecurity Framework 2.0 and their governance structure from SAP LeanIX, the bank was able to centralize assessments, supporting evidence, and risk documentation in a single platform. This allowed the cybersecurity team to easily demonstrate ongoing security work and maturity progress to auditors and regulators without the need for scattered spreadsheets or manual evidence gathering.

Using Isora’s scoring and reporting capabilities, the security team identified specific NIST CSF domains where the organization was most deficient, enabling the CISO to prioritize initiatives strategically and drive targeted security improvements. Efficiency also improved significantly: launching, managing, and tracking assessments became faster and easier, and the team established an active IT Risk Register to track security control gaps and remediation status across the organization.

Overall, the bank reduced manual tracking and assessment preparation efforts by more than 40%, improved cross-department collaboration, and shifted its cybersecurity risk management program from a static compliance exercise to a dynamic, continuous improvement model aligned to regulatory expectations.

“For the first time, we can see where we are strong and where we have real gaps — and that is coming from business units themselves, not just the security team. That visibility changed how we prioritize and justify cybersecurity investments.”
CISO, Large U.S. Bank

Looking Forward

Building on the success of its initial deployment, the bank is expanding its use of Isora GRC to deepen cybersecurity governance and risk management efforts across the organization. Current initiatives include rolling out self-assessments to additional business units and subsidiaries, conducting follow-up assessments to measure improvements in cybersecurity maturity, and working directly with individual departments to develop targeted risk management plans.

The bank is also launching asset-based assessments against critical applications to strengthen visibility into system-level risks and control effectiveness. In parallel, the team is leveraging Isora to manage its Third-Party Security Risk Management (TPSRM) program—centralizing vendor assessments, tracking external risks, and ensuring that third-party relationships meet internal cybersecurity standards.

With a centralized, flexible platform supporting both internal and third-party risk activities, the bank is building a sustainable, scalable cybersecurity risk management program aligned to evolving regulatory expectations and operational resilience goals.

“Now we are building asset-based assessments and third-party reviews on the same foundation. We finally have a repeatable, operational model for cybersecurity risk management instead of starting from scratch every year.”
IT GRC Manager, Large U.S. Bank
