Framework Category
Organizational Context
Organizational Context ensures that cybersecurity risk management aligns with the organization’s mission, legal and regulatory obligations, and stakeholder expectations.
It involves understanding both what the organization provides to others and what it depends on to function effectively.
Implementation Questions
GV.OC-01
The organizational mission is understood and informs cybersecurity risk management
GV.OC-02
Internal and external stakeholders are understood, and their needs and expectations regarding cybersecurity risk management are understood and considered
Has your organization identified and documented all internal stakeholders and their specific cybersecurity expectations?
Internal stakeholder mapping is what's being assessed: whether you have identified and documented your executives, board, and staff along with their cybersecurity expectations and risk tolerances. For example, the CFO may have specific expectations regarding financial data protection, while the CTO may focus on system availability metrics.
Has your organization formally identified and documented all external stakeholders and their cybersecurity expectations?
Stakeholder awareness is being measured here: whether you have formally identified and documented the external parties who hold cybersecurity expectations of your systems and data.
GV.OC-03
Legal, regulatory, and contractual requirements regarding cybersecurity - including privacy and civil liberties obligations - are understood and managed
Has your organization established a formal process to track and manage legal and regulatory requirements for protecting personal information?
Tracking legal obligations for personal data is the focus here: reviewers want a formal process to identify, monitor, and comply with the privacy laws and regulations that apply to your operations. Examples include HIPAA for healthcare data, GDPR for EU residents' data, CCPA for California consumers, and industry-specific requirements that govern how personal information must be protected.
Has your organization implemented a formal process to track and manage cybersecurity requirements in contracts with suppliers, customers, and partners?
Contractual security obligations are the focus here: reviewers want a formal process to track and manage the cybersecurity requirements written into agreements with suppliers, customers, and partners. Such a process ensures that security requirements are clearly defined, communicated, and maintained throughout the relationship lifecycle with third parties who may access, process, or store your sensitive information.
Has your organization documented how its cybersecurity strategy addresses applicable legal, regulatory, and contractual requirements?
Regulatory alignment is what's being verified here: whether you have documented how your cybersecurity strategy maps to applicable legal, regulatory, and contractual obligations such as GDPR, HIPAA, or PCI DSS. Without this alignment, organizations risk non-compliance penalties, contractual breaches, and security gaps in areas mandated by law or agreements.
GV.OC-04
Critical objectives, capabilities, and services that external stakeholders depend on or expect from the organization are understood and communicated
Has your organization established and documented criteria for determining the criticality of capabilities and services from both internal and external stakeholder perspectives?
Criticality assessment is what's being examined here, namely whether you have documented criteria for judging how critical your capabilities and services are from both internal and external stakeholder viewpoints. Having clear criticality criteria helps prioritize security controls, resource allocation, and recovery efforts during incidents based on business impact rather than subjective assessments.
Has your organization conducted a business impact analysis to identify critical assets and operations and assess the potential impact of their loss?
A business impact analysis (BIA) helps organizations identify which assets and operations are essential to their mission and understand the consequences if these were compromised or unavailable. This analysis forms the foundation for prioritizing security controls, resource allocation, and recovery strategies based on business criticality rather than technical considerations alone.
Has your organization established and communicated resilience objectives (such as recovery time objectives) for critical capabilities and services across different operating states?
Resilience objectives define how quickly critical systems and services should be restored after disruption. These objectives should cover the different operating states an organization may be in, including normal operations, operation while under attack, and recovery. For example, a resilience objective might specify that customer-facing payment systems must be restored within 4 hours of disruption, while internal email systems can tolerate a 24-hour recovery window.
GV.OC-05
Outcomes, capabilities, and services that the organization depends on are understood and communicated
Has your organization established and maintained a comprehensive inventory of all external dependencies and their relationships to critical assets and business functions?
This inventory should document all third-party services, utilities, cloud providers, and other external resources your organization relies on to operate. It should map how these dependencies connect to your critical assets (like data, systems, and infrastructure) and business functions (like operations, finance, or customer service).
Has your organization identified, documented, and communicated external dependencies that could serve as potential points of failure for critical capabilities and services?
External dependencies such as third-party vendors, cloud service providers, utility services, or supply chain partners can create vulnerabilities that impact critical business operations. Identifying these dependencies helps organizations understand their complete risk landscape and develop appropriate contingency plans.
ResponseHub is the product I wish I had when I was a CTO
Previously I was co-founder and CTO of Progression, a VC-backed HR-tech startup used by some of the biggest names in tech.
As our sales grew, security questionnaires quickly became one of my biggest pain points. They were confusing, hard to delegate and arrived like London buses - 3 at a time!
I'm building ResponseHub so that other teams don't have to go through this. Leave the security questionnaires to us so you can get back to closing deals, shipping product and building your team.