Identified cyber risks are consolidated into categories (for example, data breaches, insider mistakes, ransomware, OT control takeover) to facilitate management at the category level
Context and Guidance: Categories of cyber risk are established and may be based on common operational risks such as data breaches, insider mistakes, ransomware, or OT control takeover. The organisation should determine the level of granularity needed to manage cyber risks effectively. After a cyber risk is identified, it should be assigned to one of the defined categories. The categories help the organisation analyse and respond to risks more effectively. The cyber risk categories may be part of a larger taxonomy maintained by the organisation's risk management program that also includes key terms and definitions. This capability helps organisations manage risks at the category level; however, managing risks at the category level is not required for implementation of this practice.
Related Practices • Progression: This practice is part of a practice progression. Practice progressions are groups of related practices that represent increasingly complete or more advanced implementations of an activity. The practices in this progression include: RISK-2d, RISK-2e, RISK-2f, RISK-2i, RISK-2j, RISK-2k, RISK-2l, RISK-3f.