Has your organization established documented performance goals for personnel with cybersecurity risk management responsibilities, and do you periodically measure performance against these goals?
Explanation
Performance management for security staff is under review, covering whether you set documented performance goals for cybersecurity personnel and periodically measure them against those goals. Performance goals should be specific, measurable, and aligned with your organization's overall security objectives, such as reducing incident response time, improving vulnerability remediation rates, or enhancing security awareness training effectiveness.
Evidence could include documented performance metrics for security team members, periodic performance review templates that include cybersecurity KPIs, dashboards showing security performance trends over time, or improvement plans based on performance measurement results.
Implementation Example
Document performance goals for personnel with cybersecurity risk management-specific responsibilities, and periodically measure them to demonstrate and improve performance
ID: GV.SC-02.074
Context
- Function
- GV: GOVERN
- Category
- GV.SC: Cybersecurity Supply Chain Risk Management
- Sub-Category
- Cybersecurity roles and responsibilities for suppliers, customers, and partners are established, communicated, and coordinated internally and externally
Related questions
- Has your organization established a documented strategy that defines the objectives of your cybersecurity supply chain risk management program?
- Has your organization developed a formal cybersecurity supply chain risk management program with documented policies, procedures, and an implementation plan with milestones that is shared with relevant stakeholders?
- Has your organization developed and implemented the processes from the cybersecurity supply chain risk management program, that align with your security strategy, objectives, policies, and procedures with documented stakeholder agreement and participation?
- Has your organization established a formal cross-functional team or committee responsible for cybersecurity supply chain risk management?
- Has your organization formally designated specific roles or positions responsible for cybersecurity supply chain risk management activities?
- Has your organization documented cybersecurity supply chain risk management roles and responsibilities in a formal policy?

