Organizational risk tolerance is determined and clearly expressed.
The organization shall clearly determine its risk appetite.
Guidance
Determination and expression of risk tolerance (risk appetite) should be in line with the policies on information security and cybersecurity, to facilitate demonstration of coherence between policies, risk tolerance and measures.