GV.RM-01:

Risk management objectives are established and agreed to by organizational stakeholders

Implementation Examples

Ex1:

Update near-term and long-term cybersecurity risk management objectives as part of annual strategic planning and when major changes occur

Ex2:

Establish measurable objectives for cybersecurity risk management (e.g., manage the quality of user training, ensure adequate risk protection for industrial control systems)

Ex3:

Senior leaders agree about cybersecurity objectives and use them for measuring and managing risk and performance