RISE 2026 Control Table
The table below lists the operational controls covered in the RISE 2026 benchmark. The controls are grouped by category so teams can use the table as a compact reference when assessing maturity, planning remediation work, or preparing evidence for internal and external reviews.
The maturity columns are intentionally left blank so organizations can record their current state, target state, or assessment notes directly against each control.
| Category | Control name | level 1 | level 2 | level 3 | level 4 | level 5 |
|---|---|---|---|---|---|---|
| Governance and Risk Management | Define a formal resilience governance model with clear accountability | |||||
| Governance and Risk Management | Perform regular resilience risk assessments and maintain a risk register | |||||
| Governance and Risk Management | Define resilience objectives and tolerances for critical services | |||||
| Governance and Risk Management | Establish exception management and compensating controls for unmet requirements | |||||
| Governance and Risk Management | Report resilience posture and remediation progress to leadership regularly | |||||
| Third-Party and SaaS Resilience | Maintain an inventory of critical third-party and SaaS dependencies | |||||
| Third-Party and SaaS Resilience | Assess concentration risk and exit readiness for critical providers | |||||
| Third-Party and SaaS Resilience | Define minimum resilience and security requirements for suppliers | |||||
| Third-Party and SaaS Resilience | Monitor supplier performance, incidents, and contractual recovery commitments | |||||
| Third-Party and SaaS Resilience | Test contingency plans for third-party and SaaS disruption | |||||
| Data Backup and Recovery | Establish a regular backup schedule for critical data | |||||
| Data Backup and Recovery | Store backups in multiple locations (offsite and/or cloud-based storage) | |||||
| Data Backup and Recovery | Implement a versioning system to track and restore previous versions of data | |||||
| Data Backup and Recovery | Encrypt backups to protect sensitive data | |||||
| Data Backup and Recovery | Test backup and recovery processes periodically to ensure data integrity | |||||
| Network redundancy and failover | Implement redundant network connections to prevent single points of failure | |||||
| Network redundancy and failover | Use load balancers to distribute traffic evenly across resources | |||||
| Network redundancy and failover | Employ network failover solutions (e.g., redundant routers, switches) | |||||
| Network redundancy and failover | Monitor network performance and latency to detect potential issues | |||||
| Network redundancy and failover | Test network redundancy and failover processes to ensure proper functioning | |||||
| Infrastructure monitoring and alerting | Implement a monitoring system to track the health and performance of cloud infrastructure | |||||
| Infrastructure monitoring and alerting | Set up alerts for critical events and performance thresholds | |||||
| Infrastructure monitoring and alerting | Monitor resource usage to identify potential bottlenecks and capacity issues | |||||
| Infrastructure monitoring and alerting | Establish a centralized logging system to collect and analyze logs from various components | |||||
| Infrastructure monitoring and alerting | Regularly review monitoring data to identify trends and improve infrastructure resilience | |||||
| Incident response planning | Develop a formal incident response plan, including roles and responsibilities | |||||
| Incident response planning | Establish a communication plan for internal and external stakeholders during incidents | |||||
| Incident response planning | Perform regular incident response drills to test and refine the plan | |||||
| Incident response planning | Document lessons learned from incidents and update the incident response plan accordingly | |||||
| Incident response planning | Provide training for staff on incident response processes and best practices | |||||
| Business Continuity and Crisis Management | Perform business impact analysis for critical services and processes | |||||
| Business Continuity and Crisis Management | Define business continuity plans and manual workaround procedures | |||||
| Business Continuity and Crisis Management | Establish a crisis management structure for severe disruptions | |||||
| Business Continuity and Crisis Management | Exercise continuity and crisis scenarios with business and technical stakeholders | |||||
| Business Continuity and Crisis Management | Review continuity assumptions and recovery priorities after major change | |||||
| Capacity planning and scaling | Regularly assess infrastructure capacity and plan for growth | |||||
| Capacity planning and scaling | Implement auto-scaling strategies to handle fluctuating workloads | |||||
| Capacity planning and scaling | Use load testing to identify capacity limits and potential bottlenecks | |||||
| Capacity planning and scaling | Monitor resource usage to anticipate and address potential capacity issues | |||||
| Capacity planning and scaling | Review and update capacity plans based on changing business requirements and growth | |||||
| Identity, Secrets, and Administrative Access | Centralize and harden privileged identity administration | |||||
| Identity, Secrets, and Administrative Access | Use short-lived credentials and just-in-time access for privileged operations | |||||
| Identity, Secrets, and Administrative Access | Manage secrets with controlled storage, rotation, and access policies | |||||
| Identity, Secrets, and Administrative Access | Protect and test emergency access and break-glass procedures | |||||
| Identity, Secrets, and Administrative Access | Govern machine identities and service credentials across workloads | |||||
| Security and access controls | Implement strong authentication and authorization mechanisms | |||||
| Security and access controls | Regularly review and update user access permissions | |||||
| Security and access controls | Enable encryption for data at rest and in transit | |||||
| Security and access controls | Apply security patches and updates promptly | |||||
| Security and access controls | Conduct regular vulnerability assessments and penetration testing | |||||
| Software Delivery and Supply Chain Resilience | Protect source code, build systems, and deployment pipelines from unauthorized change | |||||
| Software Delivery and Supply Chain Resilience | Maintain traceability and integrity for build artifacts and releases | |||||
| Software Delivery and Supply Chain Resilience | Control dependency and base image risk through continuous inventory and update processes | |||||
| Software Delivery and Supply Chain Resilience | Design deployments for safe rollback and progressive release | |||||
| Software Delivery and Supply Chain Resilience | Test CI/CD recovery and release continuity during platform disruption | |||||
| Application resiliency and fault tolerance | Design applications to be stateless and horizontally scalable | |||||
| Application resiliency and fault tolerance | Implement circuit breakers and retries to handle transient faults | |||||
| Application resiliency and fault tolerance | Use health checks and load balancing to distribute traffic among instances | |||||
| Application resiliency and fault tolerance | Isolate application components to limit the impact of failures | |||||
| Application resiliency and fault tolerance | Monitor application performance and error rates to identify potential issues | |||||
| Data center and geographic redundancy | Deploy infrastructure across multiple data centers or availability zones | |||||
| Data center and geographic redundancy | Use geo-replication to store data redundantly across different regions | |||||
| Data center and geographic redundancy | Implement global load balancing to distribute traffic across data centers | |||||
| Data center and geographic redundancy | Test failover processes between data centers to ensure smooth recovery | |||||
| Data center and geographic redundancy | Regularly review and update data center redundancy strategies based on evolving needs | |||||
| Regular resilience testing and validation | Conduct regular disaster recovery and failover tests | |||||
| Regular resilience testing and validation | Use chaos engineering techniques to simulate failures and test system resilience | |||||
| Regular resilience testing and validation | Test backup and recovery processes to validate data integrity | |||||
| Regular resilience testing and validation | Perform load and stress tests to identify capacity limits and potential bottlenecks | |||||
| Regular resilience testing and validation | Use the results of testing to inform updates and improvements to infrastructure resilience | |||||
| Documentation and Knowledge Sharing | Document architecture, processes, and best practices for cloud resilience | |||||
| Documentation and Knowledge Sharing | Maintain a centralized knowledge base for easy access to documentation | |||||
| Documentation and Knowledge Sharing | Regularly review and update documentation to reflect changes and improvements | |||||
| Documentation and Knowledge Sharing | Encourage knowledge sharing and collaboration among team members | |||||
| Documentation and Knowledge Sharing | Provide training and resources to help staff stay informed about resilience |