Does your organization regularly collect and report cybersecurity risk metrics to senior leadership?
Explanation
This question asks whether your organization regularly collects cybersecurity risk metrics and reports them to senior leadership. Effective risk metrics might include the number and severity of security incidents, vulnerability remediation rates (for example, the share of critical findings closed within the agreed timeframe), security control effectiveness scores, compliance status, and risk exposure trends over time. Metrics are most useful to leadership when they are tied to defined risk tolerances or targets, so that a reported value makes clear whether action is needed.
Evidence could include dashboard reports, executive briefing documents, board meeting minutes that record cybersecurity discussions, or formal risk reporting templates. The evidence should show that communication of security metrics to leadership happens on a defined, recurring schedule rather than only after an incident.
Implementation Example
Collect and communicate metrics on cybersecurity risk management with senior leadership
ID: GV.OV-03.065
Context
- Function
- GV: GOVERN
- Category
- GV.OV: Oversight
- Sub-Category
- Organizational cybersecurity risk management performance is evaluated and reviewed for adjustments needed
Related questions
- Has your organization established metrics to evaluate the effectiveness of risk management decisions in achieving business objectives?
- Does your organization regularly review and adjust cybersecurity risk strategies that may be impeding business operations or innovation?
- Has your organization reviewed recent audit findings to verify that its cybersecurity strategy ensures compliance with both internal policies and external regulatory requirements?
- Does your organization regularly evaluate the performance of cybersecurity roles to identify necessary policy improvements?
- Does your organization have a formal process to review and update its cybersecurity strategy following security incidents?
- Does your organization regularly review key performance indicators (KPIs) to verify that security policies and procedures are achieving their intended objectives?