GV.OC-02.003
Has your organization formally identified and documented all external stakeholders and their cybersecurity expectations?
Explanation
This question assesses whether your organization has a comprehensive understanding of external parties who have security expectations of your systems and data. External stakeholders typically include customers, business partners, regulatory bodies, and the broader society, each with different cybersecurity expectations such as data privacy, contractual security requirements, compliance obligations, or ethical data handling practices. Evidence of fulfillment could include a stakeholder register or matrix that lists all external stakeholders, their relationship to the organization, their specific cybersecurity expectations, and how these expectations are being addressed. This document should be regularly reviewed and updated as stakeholder relationships and regulatory requirements evolve.
Implementation Example
Identify relevant external stakeholders and their cybersecurity-related expectations (e.g., privacy expectations of customers, business expectations of partnerships, compliance expectations of regulators, ethics expectations of society)
ID: GV.OC-02.003
Context
- Function
- GV: GOVERN
- Category
- GV.OC: Organizational Context
- Sub-Category
- Internal and external stakeholders are understood, and their needs and expectations regarding cybersecurity risk management are understood and considered
