NIST CSF 2.0 · All Functions · GV Govern · GV.RM Risk Management Strategy

GV.RM-01

Risk management objectives are established and agreed to by organizational stakeholders

Implementation examples

Ex1: Update near-term and long-term cybersecurity risk management objectives as part of annual strategic planning and when major changes occur
Ex2: Establish measurable objectives for cybersecurity risk management (e.g., manage the quality of user training, ensure adequate risk protection for industrial control systems)
Ex3: Senior leaders agree about cybersecurity objectives and use them for measuring and managing risk and performance

Mapped NIST 800-53 r5 controls (3)

All informative references (39)

CCMv4.0: GRC-02
CCMv4.0: CEK-07
CRI Profile v2.0: GV.RM-01
CRI Profile v2.0: GV.RM-01.01
CRI Profile v2.0: GV.RM-01.02
CRI Profile v2.0: GV.RM-01.03
CRI Profile v2.0: GV.RM-01.04
CRI Profile v2.0: GV.RM-01.05
CSF v1.1: ID.RM-1
CoP: A1
IRP: IRP-Sec-2
IRP: IRP-Sec-2
IRP: IRP-Sec-2
ISO/IEC 27001:2022: Mandatory Clause: 6.1.1
ISO/IEC 27001:2022: Mandatory Clause: 6.1.2
ISO/IEC 27001:2022: Annex A Controls: 5.1
NICE Framework: OG-WRL-002
NICE Framework: OG-WRL-007
NICE Framework: OG-WRL-008
NICE Framework: OG-WRL-011
NICE Framework: OG-WRL-012
NICE Framework: OG-WRL-013
NICE Framework: OG-WRL-014
NICE Framework: OG-WRL-015
PCI DSS: 12.1.4
PCI DSS: 12.1.2
PCI DSS: 12.1.1
SCF: GOV-01
SCF: RSK-01
SP 800-171 Rev 3: 03.11.04
SP 800-171 Rev 3: 03.17.01
SP 800-221A: GV.RR-2
SP 800-53 Rev 5.1.1: PM-09
SP 800-53 Rev 5.1.1: RA-07
SP 800-53 Rev 5.1.1: SR-02
SP 800-53 Rev 5.2.0: PM-09
SP 800-53 Rev 5.2.0: RA-07
SP 800-53 Rev 5.2.0: SR-02
SP-800-37 Rev 2: RMF Prepare Step (Organization & Mission/Business Levels): TASK P-2 Risk Management Strategy

Source: NIST Cybersecurity Framework 2.0 · CSF 2.0 → 800-53 mappings sourced from NIST Cybersecurity & Privacy Reference Tool (CPRT) · US government work — attribution requested per NIST Open License Terms. Direct CSF→CWE/CVE cross-references will be added in a Phase B LLM-authored mapping pass (not yet rendered).