strategy Controls

The organizational mission is understood and informs cybersecurity risk management

Cybersecurity risk management strategy outcomes are reviewed to inform and adjust strategy

The cybersecurity risk management strategy is reviewed and adjusted to ensure coverage of organizational requirements and risks

Risk management objectives are established and agreed to by organizational stakeholders

Risk appetite and risk tolerance statements are established, communicated, and maintained

Strategic direction that describes appropriate risk response options is established and communicated

Strategic opportunities (positive risks) are characterized and included in organizational cybersecurity risk discussions