GV.RM-07
Strategic opportunities (i.e., positive risks) are characterized and are included in organizational cybersecurity risk discussions
Implementation examples
- Ex1: Define and communicate guidance and methods for identifying opportunities and including them in risk discussions (e.g., strengths, weaknesses, opportunities, and threats [SWOT] analysis)
- Ex2: Identify stretch goals and document them
- Ex3: Calculate, document, and prioritize positive risks alongside negative risks
Mapped NIST 800-53 r5 controls (5)
All informative references (23)
- CCMv4.0: GRC-02
- CRI Profile v2.0: GV.RM-07
- CRI Profile v2.0: GV.RM-07.01
- ISO/IEC 27001:2022: Mandatory Clause: 6.11
- ISO/IEC 27001:2022: Annex A Controls: None
- NICE Framework: OG-WRL-002
- NICE Framework: OG-WRL-007
- NICE Framework: OG-WRL-015
- SCF: RSK-01.1
- SDOS: SDOS-GV-02
- SDOS: SDOS-RM-01
- SP 800-171 Rev 3: 03.11.01
- SP 800-53 Rev 5.1.1: PM-09
- SP 800-53 Rev 5.1.1: PM-18
- SP 800-53 Rev 5.1.1: PM-28
- SP 800-53 Rev 5.1.1: PM-30
- SP 800-53 Rev 5.1.1: RA-03
- SP 800-53 Rev 5.2.0: PM-09
- SP 800-53 Rev 5.2.0: PM-18
- SP 800-53 Rev 5.2.0: PM-28
- SP 800-53 Rev 5.2.0: PM-30
- SP 800-53 Rev 5.2.0: RA-03
- SP-800-37 Rev 2: RMF Prepare Step (Organization & Mission/Business Levels): TASK P-2 Risk Management Strategy
Source: NIST Cybersecurity Framework 2.0 · CSF 2.0 → 800-53 mappings sourced from NIST Cybersecurity & Privacy Reference Tool (CPRT) · US government work — attribution requested per NIST Open License Terms. Direct CSF→CWE/CVE cross-references will be added in a Phase B LLM-authored mapping pass (not yet rendered).