NIST CSF 2.0 - Govern

GV.RM-01: Risk Management Objectives

GV.RM-01 requires organizations to establish risk management objectives and express them as statements of risk tolerance and appetite. This NIST CSF 2.0 control falls under the Govern (GV) function and the Risk Management Strategy category. Use this checklist to verify implementation and prepare evidence for auditors.

Control Details

Control ID
GV.RM-01
Title
Risk Management Objectives
Function
Govern (GV)
Category
Risk Management Strategy
Framework
NIST CSF 2.0

Risk management objectives are established and expressed as statements of risk tolerance and appetite.

Risk management objectives are established and expressed as statements of risk tolerance and appetite. These objectives guide how the organization prioritizes and allocates resources to address cybersecurity risks.

Why This Matters

Without defined risk tolerance, organizations either over-invest in low-priority controls or leave critical risks unaddressed. Clear objectives enable consistent risk-based decisions across all teams.

Implementation Checklist

Use this checklist to verify your organization meets the requirements of GV.RM-01.

Evidence an Auditor Expects

Prepare the following documentation and artifacts to demonstrate compliance with GV.RM-01 during an audit.

  • Risk appetite statement approved by executive leadership
  • Risk management policy with defined tolerance thresholds
  • Board or executive meeting minutes showing risk objective review
  • Risk register entries referencing tolerance levels

Common Gaps We Find

Based on our penetration testing and risk assessment engagements, these are the gaps organizations most frequently have with GV.RM-01.

  • Risk appetite exists informally but is never documented
  • Risk tolerance is set by IT alone without executive or board input
  • No periodic review of whether risk objectives still align with business changes

FAQ

What does GV.RM-01 require?
GV.RM-01 (Risk Management Objectives) requires that risk management objectives are established and expressed as statements of risk tolerance and appetite. These objectives guide how the organization prioritizes and allocates resources to address cybersecurity risks. This control is part of the NIST CSF 2.0 Govern function under the Risk Management Strategy category.
How do I prove compliance with GV.RM-01?
To demonstrate compliance with GV.RM-01, prepare the following evidence: Risk appetite statement approved by executive leadership; Risk management policy with defined tolerance thresholds; Board or executive meeting minutes showing risk objective review. Auditors will verify that these artifacts exist and reflect current operational practices.

Need Help Meeting NIST CSF 2.0 Requirements?

Our penetration testing and risk assessments map directly to NIST CSF 2.0 controls. Sherlock Forensics identifies gaps in your compliance posture and provides actionable remediation guidance.
