My organization utilizes Risk Assessments as the catalyst for a lot of our Information Security efforts. Currently we assess applications using the Cloud Security Alliance's CAIQ framework and questionnaire. However, while 90% of what gets assessed is cloud-based, I think we need another set of questions for internal assets.
Question: Has anyone ever worked within an organization that utilizes multiple frameworks and would switch between the frameworks based on the type of data or technical specifications in order to complete a risk assessment?