The National Institute of Standards and Technology (NIST) has shared a preliminary discussion draft of the planned update 2.0 of their Cybersecurity Framework (CSF).
In their earlier Concept Paper, NIST explained:
The NIST Cybersecurity Framework (CSF or Framework) provides guidance to organizations to better understand, manage, reduce, and communicate cybersecurity risks. It is a foundational and essential resource used by all sectors around the world.
As it relates to risk management, they said:
CSF 2.0 will describe how an underlying risk management process is essential for identifying, analyzing, prioritizing, responding to, and monitoring risks, how CSF outcomes support risk response decisions (accept, mitigate, transfer, avoid), and various examples of risk management processes (e.g., Risk Management Framework, ISO 31000) that can be used to underpin CSF implementations.
I have extracted from the draft the sections on risk management strategy and risk assessment. I have highlighted the portions of the text I like.
Risk Management Strategy (GV.RM): The organization’s priorities, constraints, risk tolerance and appetite statements, and assumptions are established and used to support operational risk decisions.
- RM-01: Cybersecurity risk management objectives are established and agreed to by…