GV.RM-01: Risk management objectives are established and agreed to by organizational stakeholders

Subcategory is new to this version of the framework and incorporates the following item from the previous version: ID.RM-1: Risk management processes are established, managed, and agreed to by organizational stakeholders.


[csf.tools Note: Subcategories do not have detailed descriptions. However NIST has provided the following implementation examples.]

Implementation Examples

1st: 1st Party Risk

Ex1: Update near-term and long-term cybersecurity risk management objectives as part of annual strategic planning and when major changes occur

Ex2: Establish measurable objectives for cybersecurity risk management (e.g., manage the quality of user training, ensure adequate risk protection for industrial control systems)

Ex3: Senior leaders agree about cybersecurity objectives and use them for measuring and managing risk and performance