Framework Area

Govern

The organization’s cybersecurity risk management strategy, expectations, and policy are established, communicated, and monitored.

The GOVERN Function provides outcomes to inform what an organization may do to achieve and prioritize the outcomes of the other five Functions in the context of its mission and stakeholder expectations.

Governance activities are critical for incorporating cybersecurity into an organization’s broader enterprise risk management (ERM) strategy.

Categories


Organizational Context

Organizational Context ensures that cybersecurity risk management aligns with the organization’s mission, legal and regulatory obligations, and stakeholder expectations.

It involves understanding both what the organization provides to others and what it depends on to function effectively.

Risk Management Strategy

Risk Management Strategy defines how an organization identifies, evaluates, and responds to cybersecurity risks.

It includes setting clear objectives, articulating risk appetite and tolerance, integrating with broader enterprise risk processes, and establishing consistent communication and prioritization methods—covering both threats and opportunities.

Roles, Responsibilities, and Authorities

Roles, Responsibilities, and Authorities ensures that cybersecurity is driven by accountable leadership, supported by clearly defined and communicated roles.

It promotes a risk-aware culture, aligns resource allocation with cybersecurity priorities, and integrates cybersecurity into HR practices.

Policy

Policy establishes and maintains enforceable rules for managing cybersecurity risks, aligned with the organization’s context, strategy, and priorities.

Policies are regularly reviewed and updated to stay effective amid evolving threats, technologies, and business needs.

Oversight

Oversight ensures continuous evaluation and refinement of the cybersecurity strategy by reviewing outcomes, assessing performance, and making adjustments to address evolving organizational needs and risks.

Cybersecurity Supply Chain Risk Management

Cybersecurity Supply Chain Risk Management addresses risks posed by third-party relationships through defined policies, roles, and procedures.

It involves assessing and managing supplier risks across the full lifecycle—from onboarding to offboarding—ensuring integration with broader cybersecurity and enterprise risk strategies, and including suppliers in incident response and recovery planning.

ResponseHub is the product I wish I had when I was a CTO

Previously I was co-founder and CTO of Progression, a VC-backed HR-tech startup used by some of the biggest names in tech.

As our sales grew, security questionnaires quickly became one of my biggest pain points. They were confusing, hard to delegate and arrived like London buses - 3 at a time!

I'm building ResponseHub so that other teams don't have to go through this. Leave the security questionnaires to us so you can get back to closing deals, shipping product and building your team.

Neil Cameron
Founder, ResponseHub