Controls Editor
Manage the NIST CSF 2.0 controls used in the assessment.
| Subcategory ID | Function | Category | Description | Actions |
|---|---|---|---|---|
| GV.OC-01 | GOVERN | Organizational Context (GV.OC) | The organizational mission is understood and informs cybersecurity risk management | |
| GV.RM-06 | GOVERN | Risk Management Strategy (GV.RM) | A standardized method for calculating, documenting, categorizing, and prioritizing cybersecurity risks is established and communicated | |
| GV.RM-02 | GOVERN | Risk Management Strategy (GV.RM) | Risk appetite and risk tolerance statements are established, communicated, and maintained | |
| GV.OC-03 | GOVERN | Organizational Context (GV.OC) | Legal, regulatory, and contractual requirements regarding cybersecurity - including privacy and civil liberties obligations - are understood and managed | |
| GV.RM-04 | GOVERN | Risk Management Strategy (GV.RM) | Strategic direction that describes appropriate risk response options is established and communicated | |
| GV.OC-04 | GOVERN | Organizational Context (GV.OC) | Critical objectives, capabilities, and services that stakeholders depend on or expect from the organization are understood and communicated | |
| GV.RM-07 | GOVERN | Risk Management Strategy (GV.RM) | Strategic opportunities (i.e., positive risks) are characterized and are included in organizational cybersecurity risk discussions | |
| GV.OC-05 | GOVERN | Organizational Context (GV.OC) | Dependencies and critical third-party suppliers that the organization relies on to achieve its mission are identified, and their risks are understood | |
| GV.RM-01 | GOVERN | Risk Management Strategy (GV.RM) | Risk management objectives are established and agreed to by organizational stakeholders | |
| GV.RM-03 | GOVERN | Risk Management Strategy (GV.RM) | Cybersecurity risk management activities and outcomes are included in enterprise risk management processes | |
| GV.OC-02 | GOVERN | Organizational Context (GV.OC) | Internal and external stakeholders are understood, and their needs and expectations regarding cybersecurity risk management are understood and considered | |
| GV.RM-05 | GOVERN | Risk Management Strategy (GV.RM) | Lines of communication across the organization are established for cybersecurity risks, including risks from suppliers and other third parties | |