Does your organization integrate cybersecurity risk management into its enterprise risk management framework?
Explanation
This question assesses whether cybersecurity risk is integrated into enterprise risk management: specifically, whether cybersecurity risks are weighed alongside financial, operational, compliance, and reputational risks rather than in isolation. Integrating cybersecurity into the broader risk management framework ensures consistent risk evaluation, prioritization, and resource allocation across the organization.
Evidence could include an enterprise risk register that incorporates cybersecurity risks, meeting minutes from risk committee discussions that address cybersecurity alongside other risks, or a documented risk management framework that explicitly includes cybersecurity risk categories with the same assessment methodology used for other business risks.
Implementation Example
Aggregate and manage cybersecurity risks alongside other enterprise risks (e.g., compliance, financial, operational, regulatory, reputational, safety)
ID: GV.RM-03.018
Context
- Function
  - GV: GOVERN
- Category
  - GV.RM: Risk Management Strategy
- Sub-Category
  - Cybersecurity risk management activities and outcomes are included in enterprise risk management processes
Related questions
- Does your organization update cybersecurity risk management objectives as part of annual strategic planning and when significant organizational or environmental changes occur?
- Has your organization established measurable objectives for cybersecurity risk management?
- Have senior leaders established and agreed upon measurable cybersecurity objectives that are used to manage risk and evaluate performance?
- Has your organization formally defined and communicated risk appetite statements that clearly articulate acceptable levels of risk across different business areas?
- Has your organization translated high-level risk appetite statements into specific, measurable risk tolerance metrics that can be monitored and reported?
- Does your organization have a formal process to periodically review and update its risk appetite and objectives based on current risk exposure and residual risk levels?