NIST CSF: ID.GV-4 Subcategory

From NIST's Cyber Security Framework (version 1):

Governance and risk management processes address cybersecurity risks

Cyber Threat Graph Context

Explore how this control relates to the wider threat graph

CSF Mapped to SP800-53 Controls

Generated from NIST's SP800-53/CSF Crosswalk mappings.

Node
SA-2: Allocation of Resources
PM-3: Information Security and Privacy Resources
PM-10: Authorization Process
PM-7: Enterprise Architecture
PM-9: Risk Management Strategy
PM-11: Mission and Business Process Definition

Related ISA/IEC 62443 Controls

Clauses and controls from IEC 62443 (62443-2-1 and 62443-3-3) which are related to this CSF subcategory, taken from mappings by NIST and additional data from Ofgem.

  • Conduct a detailed risk assessment (4.2.3.9)
    ISA/IEC 62443-2-1:2009
  • Provide training for support personnel (4.3.2.4.3)
    ISA/IEC 62443-2-1:2009
  • Integrate physical, HSE and cyber security risk assessments (4.2.3.11)
    ISA/IEC 62443-2-1:2009
  • Conduct a high-level risk assessment (4.2.3.3)
    ISA/IEC 62443-2-1:2009
  • Select a risk assessment methodology (4.2.3.1)
    ISA/IEC 62443-2-1:2009
  • Maintain consistency between risk management systems (4.3.2.6.3)
    ISA/IEC 62443-2-1:2009
  • Identify a detailed risk assessment methodology (4.2.3.8)
    ISA/IEC 62443-2-1:2009

CSF Mapped to the NCSC CAF

Cyber Assessment Framework mappings generated from UK Cabinet Office data.

Control ID Name Description
A2.a Risk Management Process Your organisation has effective internal processes for managing risks to the security of network and information systems related to the operation of essential functions and communicating associated activities.
A1.c Decision-making You have senior-level accountability for the security of networks and information systems, and delegate decision-making authority appropriately and effectively. Risks to network and information systems related to the operation of essential functions are considered in the context of other organisational risks.
A2.b Assurance You have gained confidence in the effectiveness of the security of your technology, people, and processes relevant to essential functions.
A1.b Roles and Responsibilities Your organisation has established roles and responsibilities for the security of networks and information systems at all levels, with clear and well-understood channels for communicating and escalating risks.
A1.a Board Direction You have effective organisational security management led at board level and articulated clearly in corresponding policies.