GV.OV-03: Organizational cybersecurity risk management performance is evaluated and reviewed for adjustments needed

Subcategory is new to this version of the framework.

Description

[csf.tools Note: Subcategories do not have detailed descriptions. However, NIST has provided the following implementation examples.]

Implementation Examples

1st: 1st Party Risk

Ex1: Review key performance indicators (KPIs) to ensure that organization-wide policies and procedures achieve objectives

Ex2: Review key risk indicators (KRIs) to identify risks the organization faces, including likelihood and potential impact

Ex3: Collect and communicate metrics on cybersecurity risk management with senior leadership