Has your organization identified and documented all internal stakeholders and their specific cybersecurity expectations?
Explanation
This question assesses internal stakeholder mapping: whether you have identified and documented your executives, board, and staff, along with their cybersecurity expectations and risk tolerances. For example, the CFO may have specific expectations regarding financial data protection, while the CTO may focus on system availability metrics.
Evidence could include a stakeholder register or matrix that lists all internal stakeholders, their roles, their specific cybersecurity expectations, and how these expectations align with the organization's overall security strategy. This document should be regularly reviewed and updated as organizational priorities shift.
Implementation Example
Identify relevant internal stakeholders and their cybersecurity-related expectations (e.g., performance and risk expectations of officers, directors, and advisors; cultural expectations of employees)
ID: GV.OC-02.002
Context
- Function: GV: GOVERN
- Category: GV.OC: Organizational Context
- Sub-Category: Internal and external stakeholders are understood, and their needs and expectations regarding cybersecurity risk management are understood and considered
Related questions
- Has the organization formally documented and shared its mission statement to provide a basis for identifying risks that may impede that mission?
- Has your organization formally identified and documented all external stakeholders and their cybersecurity expectations?
- Has your organization established a formal process to track and manage legal and regulatory requirements for protecting personal information?
- Has your organization implemented a formal process to track and manage cybersecurity requirements in contracts with suppliers, customers, and partners?
- Has your organization documented how its cybersecurity strategy addresses applicable legal, regulatory, and contractual requirements?
- Has your organization established and documented criteria for determining the criticality of capabilities and services from both internal and external stakeholder perspectives?