Has your organization established documented risk acceptance criteria for different data classifications?
Explanation
Risk acceptance criteria define the thresholds at which your organization is willing to accept, mitigate, transfer, or avoid cybersecurity risks based on data sensitivity levels.
These criteria should align with your data classification scheme (e.g., public, internal, confidential, restricted) and specify different handling requirements for each level.
For example, risks to public data might have higher acceptance thresholds than those affecting restricted data containing regulated information.
Evidence could include a formal risk management policy document that clearly outlines acceptance criteria for each data classification, risk assessment templates showing different thresholds by data type, or documented risk acceptance decisions that reference these criteria.
Implementation Example
Specify criteria for accepting and avoiding cybersecurity risk for various classifications of data
ID: GV.RM-04.021
Context
- Function: GV: GOVERN
- Category: GV.RM: Risk Management Strategy
- Sub-Category: Strategic direction that describes appropriate risk response options is established and communicated
Related questions
- Does your organization update cybersecurity risk management objectives as part of annual strategic planning and when significant organizational or environmental changes occur?
- Has your organization established measurable objectives for cybersecurity risk management?
- Have senior leaders established and agreed upon measurable cybersecurity objectives that are used to manage risk and evaluate performance?
- Has your organization formally defined and communicated risk appetite statements that clearly articulate acceptable levels of risk across different business areas?
- Has your organization translated high-level risk appetite statements into specific, measurable risk tolerance metrics that can be monitored and reported?
- Does your organization have a formal process to periodically review and update its risk appetite and objectives based on current risk exposure and residual risk levels?