GV.OV-02.062

Does your organization have a formal process to review and update its cybersecurity strategy following security incidents?

Explanation

This question assesses whether the organization learns from security incidents by systematically reviewing and adapting its cybersecurity strategy. Organizations should analyze what happened during incidents, why existing controls failed, and how the strategy needs to evolve to prevent similar incidents in the future. This process helps identify gaps in security controls, training needs, or resource allocation issues that contributed to the incident. Evidence could include documented post-incident review procedures, meeting minutes from strategy review sessions following incidents, updated strategy documents with tracked changes showing modifications made in response to specific incidents, or formal reports outlining lessons learned and strategic adjustments implemented after security events.

Implementation Example

Review strategy in light of cybersecurity incidents

ID: GV.OV-02.062

Context

Function: GV: GOVERN
Category: GV.OV: Oversight
Sub-Category: The cybersecurity risk management strategy is reviewed and adjusted to ensure coverage of organizational requirements and risks

ResponseHub is the product I wish I had when I was a CTO

Previously I was co-founder and CTO of Progression, a VC backed HR-tech startup used by some of the biggest names in tech.

As our sales grew, security questionnaires quickly became one of my biggest pain-points. They were confusing, hard to delegate and arrived like London busses - 3 at a time!

I'm building ResponseHub so that other teams don't have to go through this. Leave the security questionnaires to us so you can get back to closing deals, shipping product and building your team.

Neil Cameron

Founder, ResponseHub