Framework Category
Organizational Context
Organizational Context ensures that cybersecurity risk management aligns with the organization’s mission, legal and regulatory obligations, and stakeholder expectations.
It involves understanding both what the organization provides to others and what it depends on to function effectively.
Implementation Questions
GV.OC-01
The organizational mission is understood and informs cybersecurity risk management
GV.OC-02
Internal and external stakeholders are understood, and their needs and expectations regarding cybersecurity risk management are understood and considered
Has your organization identified and documented all internal stakeholders and their specific cybersecurity expectations?
This question assesses whether your organization has formally identified key internal stakeholders (such as executives, board members, department heads, and employees) and documented their specific cybersecurity expectations, requirements, and risk tolerances. For example, the CFO may have specific expectations regarding financial data protection, while the CTO may focus on system availability metrics.
Has your organization formally identified and documented all external stakeholders and their cybersecurity expectations?
This question assesses whether your organization has a comprehensive understanding of external parties who have security expectations of your systems and data. External stakeholders typically include customers, business partners, regulatory bodies, and the broader society, each with different cybersecurity expectations such as data privacy, contractual security requirements, compliance obligations, or ethical data handling practices.
GV.OC-03
Legal, regulatory, and contractual requirements regarding cybersecurity - including privacy and civil liberties obligations - are understood and managed
Has your organization established a formal process to track and manage legal and regulatory requirements for protecting personal information?
This question assesses whether your organization has a systematic approach to identifying, monitoring, and complying with privacy laws and regulations that apply to your business operations and data processing activities. Examples include HIPAA for healthcare data, GDPR for EU residents' data, CCPA for California consumers, and industry-specific requirements that govern how personal information must be protected.
Has your organization implemented a formal process to track and manage cybersecurity requirements in contracts with suppliers, customers, and partners?
This question assesses whether your organization has established a systematic approach to identify, document, and monitor cybersecurity obligations specified in contracts with external parties. Such a process ensures that security requirements are clearly defined, communicated, and maintained throughout the relationship lifecycle with third parties who may access, process, or store your sensitive information.
Has your organization documented how its cybersecurity strategy addresses applicable legal, regulatory, and contractual requirements?
This question assesses whether your organization has formally mapped its cybersecurity controls and practices to the specific legal and regulatory frameworks it must comply with (such as GDPR, HIPAA, PCI DSS, etc.) and any contractual obligations to customers or partners. Without this alignment, organizations risk non-compliance penalties, contractual breaches, and security gaps in areas mandated by law or agreements.
GV.OC-04
Critical objectives, capabilities, and services that external stakeholders depend on or expect from the organization are understood and communicated
Has your organization established and documented criteria for determining the criticality of capabilities and services from both internal and external stakeholder perspectives?
This question assesses whether your organization has a formal methodology to identify which capabilities and services are most critical to business operations and stakeholders. Having clear criticality criteria helps prioritize security controls, resource allocation, and recovery efforts during incidents based on business impact rather than subjective assessments.
Has your organization conducted a business impact analysis to identify critical assets and operations and assess the potential impact of their loss?
A business impact analysis (BIA) helps organizations identify which assets and operations are essential to their mission and understand the consequences if these were compromised or unavailable. This analysis forms the foundation for prioritizing security controls, resource allocation, and recovery strategies based on business criticality rather than technical considerations alone.
Has your organization established and communicated resilience objectives (such as recovery time objectives) for critical capabilities and services across different operating states?
Resilience objectives define how quickly critical systems and services should be restored after disruption. These objectives should cover various operating states including normal operations, under attack scenarios, and recovery phases. For example, a resilience objective might specify that customer-facing payment systems must be restored within 4 hours of disruption, while internal email systems can tolerate a 24-hour recovery window.
GV.OC-05
Outcomes, capabilities, and services that the organization depends on are understood and communicated
Has your organization established and maintained a comprehensive inventory of all external dependencies and their relationships to critical assets and business functions?
This inventory should document all third-party services, utilities, cloud providers, and other external resources your organization relies on to operate. It should map how these dependencies connect to your critical assets (like data, systems, and infrastructure) and business functions (like operations, finance, or customer service).
Has your organization identified, documented, and communicated external dependencies that could serve as potential points of failure for critical capabilities and services?
External dependencies such as third-party vendors, cloud service providers, utility services, or supply chain partners can create vulnerabilities that impact critical business operations. Identifying these dependencies helps organizations understand their complete risk landscape and develop appropriate contingency plans.
ResponseHub is the product I wish I had when I was a CTO
Previously I was co-founder and CTO of Progression, a VC-backed HR-tech startup used by some of the biggest names in tech.
As our sales grew, security questionnaires quickly became one of my biggest pain points. They were confusing, hard to delegate and arrived like London buses - 3 at a time!
I'm building ResponseHub so that other teams don't have to go through this. Leave the security questionnaires to us so you can get back to closing deals, shipping product and building your team.