NIST CSF 2.0 - Govern

GV.RM-02: Risk Appetite Statements

GV.RM-02 requires that risk appetite and risk tolerance statements be determined, communicated, and used to guide operational cybersecurity decisions. This NIST CSF 2.0 control falls under the Govern (GV) function and the Risk Management Strategy category. Use this checklist to verify implementation and prepare evidence for auditors.

Control Details

Control ID: GV.RM-02
Title: Risk Appetite Statements
Function: Govern (GV)
Category: Risk Management Strategy
Framework: NIST CSF 2.0

Risk appetite and risk tolerance statements are determined, communicated and used to guide operational cybersecurity decisions. These statements set boundaries for acceptable risk levels across the organization.

Why This Matters

Ambiguous risk appetite leads to inconsistent decisions about which vulnerabilities to remediate and which controls to implement. Teams need clear guardrails to make autonomous risk decisions.

Implementation Checklist

Use this checklist to verify your organization meets the requirements of GV.RM-02.

Evidence an Auditor Expects

Prepare the following documentation and artifacts to demonstrate compliance with GV.RM-02 during an audit.

  • Published risk appetite statements per business unit
  • Vendor risk assessment templates referencing organizational risk appetite
  • Decision logs showing risk appetite was consulted during risk acceptance
  • Change records showing updates to risk appetite after incidents

Common Gaps We Find

Based on our penetration testing and risk assessment engagements, these are the gaps organizations most frequently have with GV.RM-02.

  • Risk appetite statements are generic and not actionable for day-to-day decisions
  • Vendor and procurement teams operate without reference to risk tolerance
  • Risk appetite is documented once and never revisited

FAQ

What does GV.RM-02 require?
GV.RM-02 (Risk Appetite Statements) requires that risk appetite and risk tolerance statements are determined, communicated and used to guide operational cybersecurity decisions. These statements set boundaries for acceptable risk levels across the organization. This control is part of the NIST CSF 2.0 Govern function under the Risk Management Strategy category.
How do I prove compliance with GV.RM-02?
To demonstrate compliance with GV.RM-02, prepare the following evidence: Published risk appetite statements per business unit; Vendor risk assessment templates referencing organizational risk appetite; Decision logs showing risk appetite was consulted during risk acceptance. Auditors will verify that these artifacts exist and reflect current operational practices.

Need Help Meeting NIST CSF 2.0 Requirements?

Our penetration testing and risk assessments map directly to NIST CSF 2.0 controls. Sherlock Forensics identifies gaps in your compliance posture and provides actionable remediation guidance.