Does your organization update cybersecurity risk management objectives as part of annual strategic planning and when significant organizational or environmental changes occur?
Explanation
Regular updates to cybersecurity risk management objectives ensure alignment with evolving business goals and the changing threat landscape. This process should incorporate both short-term tactical objectives and long-term strategic goals, with updates triggered by annual planning cycles and significant events such as mergers, new regulations, or major security incidents.
Evidence could include documented cybersecurity objectives within strategic planning documents, meeting minutes showing risk objective discussions, a risk management framework that includes review triggers, or before/after examples of how objectives were modified following organizational changes.
Implementation Example
Update near-term and long-term cybersecurity risk management objectives as part of annual strategic planning and when major changes occur
ID: GV.RM-01.012
Context
- Function: GV: GOVERN
- Category: GV.RM: Risk Management Strategy
- Sub-Category: Risk management objectives are established and agreed to by organizational stakeholders
Related questions
- Has your organization established measurable objectives for cybersecurity risk management?
- Have senior leaders established and agreed upon measurable cybersecurity objectives that are used to manage risk and evaluate performance?
- Has your organization formally defined and communicated risk appetite statements that clearly articulate acceptable levels of risk across different business areas?
- Has your organization translated high-level risk appetite statements into specific, measurable risk tolerance metrics that can be monitored and reported?
- Does your organization have a formal process to periodically review and update its risk appetite and objectives based on current risk exposure and residual risk levels?
- Does your organization integrate cybersecurity risk management into its enterprise risk management framework?