The cyber risk management program aligns with the organisation's mission and objectives
Context and Guidance: The cyber risk management program may be a component of an Enterprise Risk Management (ERM) program or may be a standalone program. If it is part of an ERM program, the cyber risk program should be modeled after the enterprise-wide program so that stakeholders are engaged efficiently and cyber risk information can be integrated more easily into overall ERM activities. A standalone program should use the cyber risk management strategy, together with the organisation's mission and objectives, to set the direction of program activities through documents such as policies and procedures. Relevant stakeholders should be engaged to ensure that the program's activities are aligned with the operational and business areas of the organisation. Whether the program is standalone or part of an ERM program, it should take the organisation's risk appetite into account when forming program-level activities. The risk appetite of the organisation is the amount of risk that the organisation is willing to accept, as defined by senior leadership. Thresholds or boundaries may be established to indicate when a risk exceeds the organisation's acceptance level.
Related Practices • Progression: This practice is part of a practice progression. Practice progressions are groups of related practices that represent increasingly complete or more advanced implementations of an activity. The practices in this progression include: RISK-1a, RISK-1b, RISK-1c, RISK-1g, RISK-1h.