Has the organization formally documented and shared its mission statement to provide a basis for identifying risks that may impede that mission?
Explanation
A clearly articulated mission statement helps stakeholders understand the organization's purpose and priorities, which is essential for identifying relevant security risks that could impact core business objectives. When mission statements are properly communicated throughout the organization, security teams can better align their risk assessments with business goals, ensuring that security controls protect what matters most to the organization.
Evidence could include: published mission/vision statements on company websites or internal portals, risk assessment documentation that references the mission statement when prioritizing risks, or internal communications that connect security initiatives to the organization's mission.
Implementation Example
Share the organization's mission (e.g., through vision and mission statements, marketing, and service strategies) to provide a basis for identifying risks that may impede that mission.
ID: GV.OC-01.001
Context
- Function
  - GV: GOVERN
- Category
  - GV.OC: Organizational Context
- Sub-Category
  - The organizational mission is understood and informs cybersecurity risk management
Related questions
- Has your organization identified and documented all internal stakeholders and their specific cybersecurity expectations?
- Has your organization formally identified and documented all external stakeholders and their cybersecurity expectations?
- Has your organization established a formal process to track and manage legal and regulatory requirements for protecting personal information?
- Has your organization implemented a formal process to track and manage cybersecurity requirements in contracts with suppliers, customers, and partners?
- Has your organization documented how its cybersecurity strategy addresses applicable legal, regulatory, and contractual requirements?
- Has your organization established and documented criteria for determining the criticality of capabilities and services from both internal and external stakeholder perspectives?