GV.RM-01: Risk management objectives are established and agreed to by organizational stakeholders
Ex1: Update near-term and long-term cybersecurity risk management objectives as part of annual strategic planning and when major changes occur
Ex2: Establish measurable objectives for cybersecurity risk management (e.g., manage the quality of user training, ensure adequate risk protection for industrial control systems)
Ex3: Senior leaders agree about cybersecurity objectives and use them for measuring and managing risk and performance
Description
Risk management objectives are established and agreed to by organizational stakeholders