Prioritizing Cybersecurity Risk for Enterprise Risk Management


NIST has published NISTIR 8286B, Prioritizing Cybersecurity Risk for Enterprise Risk Management. This report builds on the risk strategy and risk identification activities described in NISTIR 8286A and illustrates the need to ensure that enterprise context, priorities, and strategies are considered when making decisions about how best to respond to cybersecurity risks. The report encourages collaboration among cybersecurity and Enterprise Risk Management (ERM) managers to help enterprises apply, improve, and monitor the quality of cooperation and communication.

NISTIR 8286B provides specifics about integrating cybersecurity risk management (CSRM) with ERM, as well as a detailed approach to the high-level processes described in NISTIR 8286, Integrating Cybersecurity and Enterprise Risk Management (ERM).

This report also describes methods for applying enterprise objectives to prioritize identified risks and to subsequently select and apply the appropriate responses. It explains how the cybersecurity risk register – possibly accompanied by a more comprehensive risk detail report – enables the tracking, reporting, and monitoring of various risks at all hierarchical levels.

This final version incorporates feedback received on the public draft and provides updated graphics, including an example Risk Detail Report (RDR) template for communicating extensive details about each risk (e.g., risk ownership and planned activities).

Additionally, a draft companion document – NISTIR 8286C, Staging Cybersecurity Risks for Enterprise Risk Management and Governance Oversight – describes activities to help complete the CSRM/ERM integration cycle throughout the enterprise and is currently available for public comment. Submit your public comments by March 11, 2022.