NIST SP 800-39 serves as the overarching flagship for information security risk management, providing the high-level governance necessary to align cybersecurity efforts with an organization’s core mission and business objectives. It introduces a critical three-tiered approach—addressing risk at the Organization level (Tier 1), the Mission/Business Process level (Tier 2), and the Information System level (Tier 3)—to ensure that risk framing, assessment, response, and monitoring are integrated into every layer of leadership. By establishing a formal risk executive function and defining organizational risk appetite, SP 800-39 transforms security from a reactive technical task into a proactive, strategic business discipline.
Publication's URL
https://csrc.nist.gov/pubs/sp/800/39/finalAdditional documents on this topic
- NIST IR 8286 Integrating Cybersecurity and Enterprise Risk Management (ERM) ★★★★★
- NIST IR 8286A Identifying and Estimating Cybersecurity Risk for Enterprise Risk Management ★★★★★
- NIST IR 8286C Staging Cybersecurity Risks for Enterprise Risk Management and Governance Oversight
- NIST IR 8286D Using Business Impact Analysis to Inform Risk Prioritization and Response
- FAIR Taxonomy for Cyber Risk Scenarios ★★★★★