GV.OC-04.007

Has your organization established and documented criteria for determining the criticality of capabilities and services from both internal and external stakeholder perspectives?

Explanation

This question assesses whether your organization has a formal methodology to identify which capabilities and services are most critical to business operations and stakeholders. Having clear criticality criteria helps prioritize security controls, resource allocation, and recovery efforts during incidents based on business impact rather than subjective assessments. An acceptable deliverable would be a documented criticality assessment framework that includes criteria such as revenue impact, regulatory requirements, customer SLAs, operational dependencies, and reputational risk. This could take the form of a criticality matrix, service catalog with criticality ratings, or business impact analysis documentation that explicitly defines how criticality is determined across the organization.

Implementation Example

Establish criteria for determining the criticality of capabilities and services as viewed by internal and external stakeholders

ID: GV.OC-04.007

Context

Function: GV: GOVERN
Category: GV.OC: Organizational Context
Subcategory: Critical objectives, capabilities, and services that external stakeholders depend on or expect from the organization are understood and communicated

ResponseHub is the product I wish I had when I was a CTO

Previously I was co-founder and CTO of Progression, a VC-backed HR-tech startup used by some of the biggest names in tech.

As our sales grew, security questionnaires quickly became one of my biggest pain points. They were confusing, hard to delegate and arrived like London buses - 3 at a time!

I'm building ResponseHub so that other teams don't have to go through this. Leave the security questionnaires to us so you can get back to closing deals, shipping product and building your team.

Neil Cameron
Founder, ResponseHub