Has your organization established and documented criteria for determining the criticality of capabilities and services from both internal and external stakeholder perspectives?
Explanation
Criticality assessment is what's being examined here, namely whether you have documented criteria for judging how critical your capabilities and services are from both internal and external stakeholder viewpoints. Having clear criticality criteria helps prioritize security controls, resource allocation, and recovery efforts during incidents based on business impact rather than subjective assessments.
An acceptable deliverable would be a documented criticality assessment framework that includes criteria such as revenue impact, regulatory requirements, customer SLAs, operational dependencies, and reputational risk. This could take the form of a criticality matrix, service catalog with criticality ratings, or business impact analysis documentation that explicitly defines how criticality is determined across the organization.
Implementation Example
Establish criteria for determining the criticality of capabilities and services as viewed by internal and external stakeholders
ID: GV.OC-04.007
Context
- Function
- GV: GOVERN
- Category
- GV.OC: Organizational Context
- Sub-Category
- Critical objectives, capabilities, and services that external stakeholders depend on or expect from the organization are understood and communicated
Related questions
- Has the organization formally documented and shared its mission statement to provide a basis for identifying risks that may impede that mission?
- Has your organization identified and documented all internal stakeholders and their specific cybersecurity expectations?
- Has your organization formally identified and documented all external stakeholders and their cybersecurity expectations?
- Has your organization established a formal process to track and manage legal and regulatory requirements for protecting personal information?
- Has your organization implemented a formal process to track and manage cybersecurity requirements in contracts with suppliers, customers, and partners?
- Has your organization documented how its cybersecurity strategy addresses applicable legal, regulatory, and contractual requirements?

