GV.RM-03: Cybersecurity risk management activities and outcomes are included in enterprise risk management processes

This subcategory is new to this version of the framework and incorporates the following item from the previous version: ID.GV-4: Governance and risk management processes address cybersecurity risks.
[csf.tools Note: Subcategories do not have detailed descriptions. However NIST has provided the following implementation examples.]

Implementation Examples

1st Party Risk

Ex1: Aggregate and manage cybersecurity risks alongside other enterprise risks (e.g., compliance, financial, operational, regulatory, reputational, safety)

Ex2: Include cybersecurity risk managers in enterprise risk management planning

Ex3: Establish criteria for escalating cybersecurity risks within enterprise risk management