GV.RM-06: A standardized method for calculating, documenting, categorizing, and prioritizing cybersecurity risks is established and communicated
Ex1: Establish criteria for using a quantitative approach to cybersecurity risk analysis, and specify probability and exposure formulas
Ex2: Create and use templates (e.g., a risk register) to document cybersecurity risk information (e.g., risk description, exposure, treatment, and ownership)
Ex3: Establish criteria for risk prioritization at the appropriate levels within the enterprise
Ex4: Use a consistent list of risk categories to support integrating, aggregating, and comparing cybersecurity risks
Tier
Description
A standardized method for calculating, documenting, categorizing, and prioritizing cybersecurity risks is established and communicated