Has your organization established measurable objectives for cybersecurity risk management?
Explanation
Measurable objectives provide concrete targets that enable an organization to track progress in managing cybersecurity risks.
Examples include metrics for user training completion rates (e.g., 95% of employees complete security awareness training), incident response time targets (e.g., critical vulnerabilities remediated within 48 hours), or specific risk reduction goals for critical systems (e.g., reduce high-risk findings in industrial control systems by 50% year-over-year).
Evidence of fulfillment could include a documented cybersecurity program with clearly defined key performance indicators (KPIs), risk management dashboards showing progress against objectives, or regular reports to leadership that track cybersecurity metrics against established targets.
Implementation Example
Establish measurable objectives for cybersecurity risk management (e.g., manage the quality of user training, ensure adequate risk protection for industrial control systems)
ID: GV.RM-01.013
Context
- Function
- GV: GOVERN
- Category
- GV.RM: Risk Management Strategy
- Sub-Category
- Risk management objectives are established and agreed to by organizational stakeholders
Related questions
- Does your organization update cybersecurity risk management objectives as part of annual strategic planning and when significant organizational or environmental changes occur?
- Have senior leaders established and agreed upon measurable cybersecurity objectives that are used to manage risk and evaluate performance?
- Has your organization formally defined and communicated risk appetite statements that clearly articulate acceptable levels of risk across different business areas?
- Has your organization translated high-level risk appetite statements into specific, measurable risk tolerance metrics that can be monitored and reported?
- Does your organization have a formal process to periodically review and update its risk appetite and objectives based on current risk exposure and residual risk levels?
- Does your organization integrate cybersecurity risk management into its enterprise risk management framework?

