risk-management Controls

Implement a security management process to prevent, detect, contain, and correct security violations

The cybersecurity risk management strategy is reviewed and adjusted to ensure coverage of organizational requirements and risks

Risk management objectives are established and agreed to by organizational stakeholders

Risk appetite and risk tolerance statements are established, communicated, and maintained

Cybersecurity risk management activities and outcomes are included in enterprise risk management processes

Strategic direction that describes appropriate risk response options is established and communicated

Lines of communication across the organization are established for cybersecurity risks, including risks from suppliers and other third parties

A standardized method for calculating, documenting, categorizing, and prioritizing cybersecurity risks is established and communicated

Strategic opportunities (positive risks) are characterized and included in organizational cybersecurity risk discussions

Supply chain risk management is integrated into enterprise risk management processes

Changes and exceptions are managed, assessed for risk impact, and tracked

Risk mitigation strategies are identified and implemented