Risk Management
Identify, assess, and manage cybersecurity risks.
9 of 9 frameworks cover this control
Framework Mappings
How Risk Management maps to each of the 6 cybersecurity frameworks tracked by ControlMap.
| Framework | Status | Control IDs |
|---|---|---|
| NIST CSF 2.0 | Covered | GV.RM-01 GV.RM-02 |
| ISO 27001 | Covered | A.5.3 A.8.2 |
| CIS v8 | Covered | CIS 1.2 |
| SOC 2 | Covered | CC3.1 CC3.2 CC3.3 |
| PCI DSS | Covered | 12.3.1 12.3.2 |
| CMMC | Covered | RM.L2-3.11.1 RM.L2-3.11.2 |
| 800-53 | Covered | RA-1 PM-9 PM-28 |
| HIPAA | Covered | §164.308(a)(1)(ii)(A) §164.308(a)(1)(ii)(B) |
| GDPR | Covered | Art.24(1) Art.32(1) |
About Risk Management
Risk Management is a cybersecurity control in the Govern domain whose objective is to identify, assess, and manage cybersecurity risks. A structured risk management program enables organizations to prioritize security investments by systematically identifying threats, evaluating their likelihood and impact, and applying appropriate mitigations. Common approaches include maintaining a risk register, conducting periodic risk assessments using frameworks such as NIST RMF or ISO 27005, and establishing risk acceptance criteria approved by senior leadership. Effective risk management requires ongoing monitoring because the threat landscape, business operations, and technology environments continuously evolve.
This control is recognized by 9 of the 6 major frameworks: NIST CSF 2.0, ISO 27001, CIS v8, SOC 2, PCI DSS, CMMC, 800-53, HIPAA, and GDPR. It has full coverage across all 9 frameworks listed above.