Risk management processes are established, managed, and agreed to by organizational stakeholders.
A cyber risk management process that identifies key internal and external stakeholders andfacilitates addressing risk-related issues and information shall be created, documented, reviewed, approved, and updated when changes occur.
Guidance
External stakeholders include customers, investors and shareholders, suppliers, government agencies and the wider community.