GV.RM-06: A standardized method for calculating, documenting, categorizing, and prioritizing cybersecurity risks is established and communicated

This subcategory is new to this version of the framework and incorporates the following item from the previous version: ID.RM-1: Risk management processes are established, managed, and agreed to by organizational stakeholders.

[csf.tools Note: Subcategories do not have detailed descriptions. However, NIST has provided the following implementation examples.]

Implementation Examples

1st: 1st Party Risk

Ex1: Establish criteria for using a quantitative approach to cybersecurity risk analysis, and specify probability and exposure formulas

Ex2: Create and use templates (e.g., a risk register) to document cybersecurity risk information (e.g., risk description, exposure, treatment, and ownership)

Ex3: Establish criteria for risk prioritization at the appropriate levels within the enterprise

Ex4: Use a consistent list of risk categories to support integrating, aggregating, and comparing cybersecurity risks
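The four implementation examples above describe one procedure: a quantitative exposure formula (Ex1), a risk register template (Ex2), prioritization criteria (Ex3) and a fixed category list (Ex4). The following is an added illustration of that procedure, not NIST's or csf.tools' own code; the exposure formula (annual likelihood times impact), the priority thresholds, the category names and all register entries are constructed assumptions, since the framework leaves those choices to the organization.

```python
from collections import defaultdict
from dataclasses import dataclass

# Ex4: one consistent category list so risks can be aggregated and compared.
# Constructed sample set, not a NIST-defined taxonomy.
CATEGORIES = {"third-party", "access-control", "availability", "data-protection"}


@dataclass
class Risk:
    """Ex2: risk register row (description, exposure inputs, treatment, owner)."""
    risk_id: str
    description: str
    category: str
    probability: float   # assumed annual likelihood in [0, 1] (Ex1 criterion)
    impact: float        # assumed loss if the risk is realised, in currency units
    treatment: str       # e.g. mitigate / accept / transfer / avoid
    owner: str

    def __post_init__(self):
        if self.category not in CATEGORIES:
            raise ValueError(f"unknown risk category {self.category!r}")
        if not 0.0 <= self.probability <= 1.0:
            raise ValueError("probability must be between 0 and 1")

    @property
    def exposure(self) -> float:
        # Ex1: assumed exposure formula, annualised expected loss.
        return self.probability * self.impact


def priority(risk: Risk) -> str:
    """Ex3: assumed prioritization bands; thresholds are illustrative only."""
    if risk.exposure >= 100_000:
        return "high"
    if risk.exposure >= 10_000:
        return "medium"
    return "low"


def rank(register: list[Risk]) -> list[Risk]:
    """Order the register by exposure, highest first, for treatment decisions."""
    return sorted(register, key=lambda r: r.exposure, reverse=True)


def aggregate_by_category(register: list[Risk]) -> dict[str, float]:
    """Ex4: total exposure per category, enabling comparison across the enterprise."""
    totals: dict[str, float] = defaultdict(float)
    for r in register:
        totals[r.category] += r.exposure
    return dict(totals)


# Constructed sample register; values are illustrative, not real assessments.
REGISTER = [
    Risk("R-1", "Vendor SaaS outage halts order processing", "third-party", 0.30, 500_000, "transfer", "COO"),
    Risk("R-2", "Stale contractor accounts keep VPN access", "access-control", 0.50, 40_000, "mitigate", "CISO"),
    Risk("R-3", "ERP backup restore never exercised", "availability", 0.10, 50_000, "mitigate", "IT Ops"),
]
```

Running `rank(REGISTER)` places R-1 first; the validation in `__post_init__` is what enforces the "consistent list of risk categories" at the point where a register row is created.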