Updates to NIST IR 8286
Are you looking for ways to better integrate cybersecurity into enterprise risk management?
NIST has been hard at work updating its IR 8286 Series, providing valuable guidance on aligning cybersecurity with broader business risk considerations.
The IR 8286 Series is designed to help organizations effectively incorporate cybersecurity risks into their Enterprise Risk Management (ERM) strategies.
If you’re involved in risk management, governance, or cybersecurity strategy, these resources are must-reads.
NIST IR 8286 Publications
The NIST IR 8286 series consists of five publications. The root publication is supported by four publications, lettered A, B, C and D.

NIST IR 8286 – Integrating Cybersecurity and Enterprise Risk Management
The base report describes how to integrate Cybersecurity Risk Management (CSRM) with Enterprise Risk Management (ERM).
✍️ Open for public comment through April 14, 2025 - Read more
NIST IR 8286A – Identifying and Estimating Cybersecurity Risk for Enterprise Risk Management
IR 8286A provides additional detail regarding risk context, scenario identification, and analysis of likelihood and impact. It also includes methods to convey risk information, such as through cybersecurity risk registers (CSRRs) and risk detail records (RDRs). Similar processes, and the general use of risk registers, are helpful for identifying and managing other types of risk, including those for Cyber Supply Chain and Privacy.
✍️ Open for public comment through April 14, 2025 - Read more
NIST IR 8286B-upd1 – Prioritizing Cybersecurity Risk for Enterprise Risk Management
This report describes ways to apply risk analysis to prioritize cybersecurity risk, evaluate and select appropriate risk response, and communicate risk activities as part of an enterprise CSRM strategy.
✅ New version available - Read more
NIST IR 8286C-upd1 – Staging Cybersecurity Risks for Enterprise Risk Management and Governance Oversight
This report describes processes for aggregating information from CSRM activities throughout the enterprise. As that information is integrated and harmonized, organizational and enterprise leaders monitor achievement of risk objectives, consider any changes to risk strategy, and use the combined information to maintain awareness of risk factors and positive risks (or opportunities).
✍️ Open for public comment through April 14, 2025 - Read more
NIST IR 8286D-upd1 – Using Business Impact Analysis to Inform Risk Prioritization and Response
This report describes specific considerations for the documentation and analysis of business impacts that result in a full or partial loss of the confidentiality, integrity, or availability of a mission-essential resource.
✅ New version available - Read more
As someone deeply engaged in governance, risk, and compliance, I’m excited to see these updates take shape and provide organizations with stronger frameworks for managing cyber risk. I had the opportunity to review and provide insights as these were being developed, and I highly recommend diving into these publications.
Meet Kertos!
Meet Kertos, the European alternative to Drata and Vanta!
Almost one year ago, I quit my job and started my own business. Kertos became my first client.
I am extremely proud of what we have built so far. Kertos automates your compliance standards, such as ISO 27001, GDPR, SOC 2, or the EU AI Act – from the initial analysis to the audit and as a sustainable solution far beyond.