Has your organization documented how its cybersecurity strategy addresses applicable legal, regulatory, and contractual requirements?
Explanation
Regulatory alignment is what's being verified here: whether you have documented how your cybersecurity strategy maps to applicable legal, regulatory, and contractual obligations such as GDPR, HIPAA, or PCI DSS. Without this alignment, organizations risk non-compliance penalties, contractual breaches, and security gaps in areas mandated by law or agreements.
Evidence could include a compliance matrix or document that maps specific cybersecurity controls to regulatory requirements, showing how each requirement is addressed by the organization's security program. This might be a spreadsheet or formal document that lists each applicable regulation/contract clause alongside the corresponding security control, policy, or procedure implemented to satisfy it.
Implementation Example
Align the organization's cybersecurity strategy with legal, regulatory, and contractual requirements
ID: GV.OC-03.006
Context
- Function
  - GV: GOVERN
- Category
  - GV.OC: Organizational Context
- Sub-Category
  - Legal, regulatory, and contractual requirements regarding cybersecurity, including privacy and civil liberties obligations, are understood and managed
Related questions
- Has the organization formally documented and shared its mission statement to provide a basis for identifying risks that may impede that mission?
- Has your organization identified and documented all internal stakeholders and their specific cybersecurity expectations?
- Has your organization formally identified and documented all external stakeholders and their cybersecurity expectations?
- Has your organization established a formal process to track and manage legal and regulatory requirements for protecting personal information?
- Has your organization implemented a formal process to track and manage cybersecurity requirements in contracts with suppliers, customers, and partners?
- Has your organization established and documented criteria for determining the criticality of capabilities and services from both internal and external stakeholder perspectives?

