GV.RM-P1: Risk management processes are established, managed, and agreed to by organizational stakeholders
CSF v1.1 References:
Description
[csf.tools Note: Subcategories do not have detailed descriptions.]
Note: This Privacy Framework Subcategory is identical to the Cybersecurity Framework Subcategory.
Related Controls
NIST Special Publication 800-53 Revision 5
PM-9: Risk Management Strategy
Develops a comprehensive strategy to manage: Security risk to organizational operations and assets, individuals, other organizations, and the Nation associated with the operation and use of organizational systems; and Privacy risk to individuals resulting from the authorized processing of personally identifiable information; Implement the risk management strategy consistently across the organization; and Review and update…
PM-28: Risk Framing
Identify and document: Assumptions affecting risk assessments, risk responses, and risk monitoring; Constraints affecting risk assessments, risk responses, and risk monitoring; Priorities and trade-offs considered by the organization for managing risk; and Organizational risk tolerance; Distribute the results of risk framing activities to [Assignment: organization-defined personnel]; and Review and update risk framing considerations [Assignment: organization-defined…
Cloud Controls Matrix v3.0.1
GRM-04: Management Program
An Information Security Management Program (ISMP) shall be developed, documented, approved, and implemented that includes administrative, technical, and physical safeguards to protect assets and data from loss, misuse, unauthorized access, disclosure, alteration, and destruction. The security program shall include, but not be limited to, the following areas insofar as they relate to the characteristics of…
GRM-05: Management Support/Involvement
Executive and line management shall take formal action to support information security through clearly-documented direction and commitment, and shall ensure the action has been assigned.
GRM-11: Risk Management Framework
Risks shall be mitigated to an acceptable level. Acceptance levels based on risk criteria shall be established and documented in accordance with reasonable resolution time frames and stakeholder approval.
NIST Special Publication 800-53 Revision 4
PM-9: Risk Management Strategy
The organization: Develops a comprehensive strategy to manage risk to organizational operations and assets, individuals, other organizations, and the Nation associated with the operation and use of information systems; Implements the risk management strategy consistently across the organization; and Reviews and updates the risk management strategy [Assignment: organization-defined frequency] or as required, to address organizational…