The cyber risk management program aligns with the organization's mission and objectives
The cyber risk management program may be a component of an Enterprise Risk Management (ERM) program or may be a standalone program. If part of an ERM program, the cyber risk program should be modeled after the enterprise-wide program to ensure that stakeholders are efficiently engaged and that cyber risk information can be more easily integrated into overall ERM activities. A standalone program should use the cyber risk management strategy, along with the organization's mission and objectives, to set the direction of program activities through documents such as policies and procedures. Relevant stakeholders should be engaged to ensure that the activities of the program are aligned with the operational and business areas of the organization. Regardless of whether the program is standalone or part of an ERM program, the cyber risk program should take the organization's risk appetite into account when forming program-level activities. The risk appetite of the organization is the amount of risk that the organization is willing to accept, as defined by senior leadership. Certain thresholds or boundaries may be established that indicate when a risk exceeds organizational acceptance levels.
Related Practices · Progression: This practice is part of a practice progression. Practice progressions are groups of related practices that represent increasingly complete or more advanced implementations of an activity. The practices in this progression are RISK-1a, RISK-1b, RISK-1c, RISK-1g, and RISK-1h.