Is your cybersecurity risk management function integrated into your organization's enterprise risk management (ERM) processes?
Explanation
Integration is the focus here: reviewers want to see cybersecurity risk managed within your broader enterprise risk management (ERM) processes rather than in a silo. Effective integration ensures cybersecurity considerations influence strategic business decisions, resource allocation, and risk acceptance thresholds across the enterprise.
Evidence could include documentation showing cybersecurity representation in ERM committee meetings, risk registers that incorporate cybersecurity risks alongside other business risks, or formal governance documentation defining how cybersecurity risk management interfaces with enterprise risk management processes.
Implementation Example
Include cybersecurity risk managers in enterprise risk management planning
ID: GV.RM-03.019
Context
- Function: GV: GOVERN
- Category: GV.RM: Risk Management Strategy
- Sub-Category: Cybersecurity risk management activities and outcomes are included in enterprise risk management processes
Related questions
- Does your organization update cybersecurity risk management objectives as part of annual strategic planning and when significant organizational or environmental changes occur?
- Has your organization established measurable objectives for cybersecurity risk management?
- Have senior leaders established and agreed upon measurable cybersecurity objectives that are used to manage risk and evaluate performance?
- Has your organization formally defined and communicated risk appetite statements that clearly articulate acceptable levels of risk across different business areas?
- Has your organization translated high-level risk appetite statements into specific, measurable risk tolerance metrics that can be monitored and reported?
- Does your organization have a formal process to periodically review and update its risk appetite and objectives based on current risk exposure and residual risk levels?