Before even discussing cyber risks to the organization, you need to have identified the systems supporting the mission, vision, and services your organization provides (a.k.a. revenue streams).
This step will allow you to establish "value," so when you discuss cyber risks, you'll confidently be able to discern which risks you'll be able to accept, mitigate, or transfer.
ISO 27001, specifically clause 4.1, starts with you identifying the organization's objectives; the NIST Cybersecurity Framework (NIST CSF) starts with ID.AM-1 and ID.AM-2, which identify and inventory physical devices and software platforms.
Skipping this critical step will only push your cybersecurity strategy from the operational realm down to the tactical one, making it difficult to connect your approach (investment and strategy) to what is important to the organization.
Author: Dr. Bill Souza | Jun 11, 2022