Risk management objectives are established and agreed to by organizational stakeholders
Without agreed-upon risk management objectives, different parts of the organization will make security decisions based on conflicting assumptions, leading to gaps in some areas and redundant spending in others. Formally establishing and gaining sign-off on what the organization is trying to achieve with its risk program creates a shared foundation for every downstream risk decision. It also gives leadership a clear basis for evaluating whether the security program is delivering value.
Implementation steps
1. Define draft risk management objectives with security leadership
The CISO or security lead should draft three to seven specific, measurable objectives for the risk management program. Examples include: reduce the likelihood of a material data breach by X%, ensure 100% of critical systems are covered by a risk assessment, or maintain cyber insurance eligibility. Ground objectives in business outcomes, not just technical metrics.
Tools: Confluence, Notion, Google Docs
2. Review and approve objectives with key stakeholders
Present the draft objectives to the executive team and relevant business unit leaders. Capture agreement in writing via meeting minutes, email sign-off, or a formal policy approval. Ensure that objectives reflect both security needs and business priorities.
Tools: Confluence, Google Docs, DocuSign
3. Publish objectives and link them to the risk management program
Document the approved objectives in a risk management charter or policy. Reference them in the risk register and use them as the basis for quarterly or annual program reviews. Make them accessible to everyone involved in risk-related decisions.
Tools: Confluence, Notion, Google Docs, Jira
Evidence required
Approved risk management objectives document
A written document listing the organization's cybersecurity risk management objectives, with evidence of stakeholder review and approval.
- Risk management charter signed by the CISO and CEO
- Board meeting minutes approving cybersecurity risk objectives
- Signed policy document including an objectives section
Stakeholder sign-off or approval record
Evidence that relevant stakeholders across the organization have reviewed and agreed to the risk management objectives.
- Email chain showing executive acknowledgment of objectives
- DocuSign or similar signature record on the risk charter
- Meeting minutes with attendees and resolution recorded
Related controls
- Risk appetite and risk tolerance statements are established, communicated, and maintained (Risk Management Strategy)
- Strategic direction that describes appropriate risk response options is established and communicated (Risk Management Strategy)
- Strategic opportunities (positive risks) are characterized and included in organizational cybersecurity risk discussions (Risk Management Strategy)
- Cybersecurity risk management activities and outcomes are included in enterprise risk management processes (Risk Management Strategy)