The cyber risk management program is coordinated with the organisation’s enterprise-wide risk management program
Context and Guidance: Alignment of these strategies avoids mismatched expectations between business and technical stakeholders. For example, the enterprise goals of protecting intellectual property and sensitive business data are supported by the cybersecurity goals of minimising attack surfaces and establishing secure defaults. Cyber risks should be communicated as components or contributors to overall risk and should be communicated in the same terms where possible. Within an enterprise that has no enterprise risk management functions, this practice may be implemented by aligning risk management practices to enterprise level management functions and ensuring that domain activities are occurring at the enterprise level as appropriate (for example, establishment of strategy, risk management program governance, stakeholder and leadership communication, resourcing, assignment of roles and responsibilities, tracking effectiveness).
Related Practices • Progression: This practice is part of a practice progression. Practice progressions are groups of related practices that represent increasingly complete or more advanced implementations of an activity. The practices in this progression include: RISK-1a, RISK-1b, RISK-1c, RISK-1g, RISK-1h.