Risk management strategy (GV.RM)
While risk identification may not start at the top of the organization, the discussion around it should. The ELT must have these discussions regarding how the organization wants to manage and eliminate the risks associated with doing business. This includes managing assets both internal and external to the organization. This also draws attention to the need for enterprise risk management, which will be discussed later in this section.
GV.RM-01
In Chapter 2, we discussed building profiles for current and future state objectives. These plans should be updated at least annually to project the overall strategy being used to minimize cyber risk. Evaluating the current and future states can better prepare you for updating your overall cyber strategy and keep you on track for what you intend to accomplish.
This does not mean that risk should be taken out of...
