The organisation has a strategy for cyber risk management, which may be developed and managed in an ad hoc manner
Context and Guidance: The organisation develops, implements, and maintains a cybersecurity risk management strategy that, in its simplest form, includes a list of cyber risk management objectives and related actions, activities, and tasks and a plan to implement them.
For a C2M2-based program, areas of activity in the strategy could align with objectives in the C2M2 RISK domain and their associated practices. For example, the strategy may include important information about the organisation's processes for identifying, analysing, and responding to cyber risks. Further detail may include the high-level categories into which risks are consolidated, criteria for determining cyber risk priority, and a summary of risk response techniques to be applied to risks, and is the assignment of responsibility for implementation of the strategy.
Related Practices Progression: This practice is part of a practice progression. Practice progressions are groups of related practices that represent increasingly complete or more advanced implementations of an activity. The practices in this progression include: RISK-1a, RISK-1b, RISK-1c, RISK-1g, RISK-1h.