Has your organization formally identified and documented areas of alignment and overlap between cybersecurity and enterprise risk management frameworks?
Explanation
Framework alignment is the concern here, namely whether you have formally identified and documented where cybersecurity and enterprise risk management overlap and connect. Identifying these alignments helps ensure cybersecurity risks are properly considered within the organization's overall risk appetite and management approach, rather than being treated in isolation.
Evidence could include a mapping document or matrix that shows how cybersecurity risk categories correspond to enterprise risk categories, shared risk assessment methodologies, or documentation showing how cybersecurity metrics and KPIs feed into enterprise risk reporting structures.
Implementation Example
Identify areas of alignment and overlap between cybersecurity and enterprise risk management
ID: GV.SC-03.078
Context
- Function: GV: GOVERN
- Category: GV.SC: Cybersecurity Supply Chain Risk Management
- Sub-Category: Cybersecurity supply chain risk management is integrated into cybersecurity and enterprise risk management, risk assessment, and improvement processes
Related questions
- Has your organization established a documented strategy that defines the objectives of your cybersecurity supply chain risk management program?
- Has your organization developed a formal cybersecurity supply chain risk management program with documented policies, procedures, and an implementation plan with milestones that is shared with relevant stakeholders?
- Has your organization developed and implemented the processes from the cybersecurity supply chain risk management program that align with your security strategy, objectives, policies, and procedures, with documented stakeholder agreement and participation?
- Has your organization established a formal cross-functional team or committee responsible for cybersecurity supply chain risk management?
- Has your organization formally designated specific roles or positions responsible for cybersecurity supply chain risk management activities?
- Has your organization documented cybersecurity supply chain risk management roles and responsibilities in a formal policy?