Tom was wondering why his head of human resources, Grace, was sitting alongside his chief strategy officer George. Tom asked, “So what do our people have to do with principles guiding our cyber strategy, risks, and actions?” Grace replied, “Lots. Our people enact the principles—principles that provide the foundation for desirable and positive behavior.”

Cyber Risk Management Principles Guide Actions

Principles provide the foundation for people’s desirable and positive behavior in carrying out their respective responsibilities within an organization. Principles aid in determining whether decisions and the resulting actions are helpful or harmful.

Principles from the ISO 31000:2009 international risk management standard can support an organization that chooses to implement COBIT 5 GEIT² and its five principles:

1. Meeting stakeholder needs.
2. Covering the enterprise end-to-end.
3. Applying a single, integrated framework.
4. Enabling a holistic approach.
5. Separating governance from management.

In this chapter, principles from the ISO 31000:2009, Risk management—Principles and guidelines³ are described to guide desirable and positive actions that are in line with the organization’s enterprise-wide approach to governance and management of enterprise information technology (IT). The two sets of principles are organized in Table 3.1. At times, ...