Cyber risks are prioritised based on estimated impact, at least in an ad hoc manner
Context and Guidance: The potential impact of each identified risk on the organisation should be evaluated and used to prioritise cyber risks. A higher-priority cyber risk should receive greater attention when determining potential mitigations or responses. Prioritisation should focus on the criteria the enterprise deems important, such as safety impacts, operational impacts, and financial impacts (e.g., cost of recovery, potential cost of downtime or lost data). Prioritisation may use qualitative methods to indicate relative impact level (e.g., High, Medium, Low); the meaning of each level should be stated so that different assessors rate the same risk consistently.
Related Practices • Progression: This practice is part of a practice progression. Practice progressions are groups of related practices that represent increasingly complete or more advanced implementations of an activity. The practices in this progression include: RISK-3a, RISK-3b.