These include understanding and prioritizing the business environment the organization operates in; managing personnel, devices, systems, data, and other assets; assessing the overall cybersecurity risk to the organization; and developing governance policies, procedures, and processes to inform, understand, and manage that risk.