💼 GV.RM-02: Risk appetite and risk tolerance statements are established, communicated, and maintained

  • ID: /frameworks/nist-csf-v2.0/gv-rm/02

Description

  1. Determine and communicate risk appetite statements that convey expectations about the appropriate level of risk for the organization
  2. Translate risk appetite statements into specific, measurable, and broadly understandable risk tolerance statements
  3. Refine organizational objectives and risk appetite periodically based on known risk exposure and residual risk

Similar

  • Sections
    • /frameworks/nist-csf-v1.1/id-rm/02
    • /frameworks/nist-csf-v1.1/id-rm/03
    • /frameworks/nist-sp-800-53-r5/pm/09

Similar Sections (Take Policies From)

Columns: Section | Sub Sections | Internal Rules | Policies | Flags | Compliance

  • 💼 NIST CSF v1.1 → 💼 ID.RM-2: Organizational risk tolerance is determined and clearly expressed (Sub Sections, Internal Rules, Policies, Flags, Compliance: no data)
  • 💼 NIST CSF v1.1 → 💼 ID.RM-3: The organization's determination of risk tolerance is informed by its role in critical infrastructure and sector-specific risk analysis (Sub Sections, Internal Rules, Policies, Flags, Compliance: no data)
  • 💼 NIST SP 800-53 Revision 5 → 💼 PM-9 Risk Management Strategy (Sub Sections, Internal Rules, Policies, Flags, Compliance: no data)

Sub Sections

Columns: Section | Sub Sections | Internal Rules | Policies | Flags | Compliance

  • (no sub sections listed)