Has your organization formally identified and documented all external stakeholders and their cybersecurity expectations?
Explanation
Stakeholder awareness is being measured here: whether you have formally identified and documented the external parties who hold cybersecurity expectations of your systems and data.
External stakeholders typically include customers, business partners, regulatory bodies, and the broader society, each with different cybersecurity expectations such as data privacy, contractual security requirements, compliance obligations, or ethical data handling practices.
Evidence of fulfillment could include a stakeholder register or matrix that lists all external stakeholders, their relationship to the organization, their specific cybersecurity expectations, and how these expectations are being addressed. This document should be regularly reviewed and updated as stakeholder relationships and regulatory requirements evolve.
Implementation Example
Identify relevant external stakeholders and their cybersecurity-related expectations (e.g., privacy expectations of customers, business expectations of partnerships, compliance expectations of regulators, ethics expectations of society)
ID: GV.OC-02.003
Context
- Function
- GV: GOVERN
- Category
- GV.OC: Organizational Context
- Sub-Category
- Internal and external stakeholders are understood, and their needs and expectations regarding cybersecurity risk management are understood and considered
Related questions
- Has the organization formally documented and shared its mission statement to provide a basis for identifying risks that may impede that mission?
- Has your organization identified and documented all internal stakeholders and their specific cybersecurity expectations?
- Has your organization established a formal process to track and manage legal and regulatory requirements for protecting personal information?
- Has your organization implemented a formal process to track and manage cybersecurity requirements in contracts with suppliers, customers, and partners?
- Has your organization documented how its cybersecurity strategy addresses applicable legal, regulatory, and contractual requirements?
- Has your organization established and documented criteria for determining the criticality of capabilities and services from both internal and external stakeholder perspectives?

