Has your organization formally documented and communicated its cybersecurity risk management policy, processes, and procedures to all relevant stakeholders?
Explanation
Documented and well-circulated guidance is the concern: the question asks whether your cybersecurity risk management policy, processes, and procedures are formally recorded and shared with relevant stakeholders. Proper communication ensures all employees understand their roles in managing cybersecurity risks, the procedures to follow, and how risk decisions are made within the organization.
Evidence could include: distribution logs of policy documents, intranet screenshots showing where policies are published, training records covering risk management procedures, signed acknowledgments from employees, or meeting minutes where policies were presented and discussed.
Implementation Example
Communicate cybersecurity risk management policy and supporting processes and procedures across the organization
ID: GV.PO-01.052
Context
- Function
- GV: GOVERN
- Category
- GV.PO: Policy
- Sub-Category
- Policy for managing cybersecurity risks is established based on organizational context, cybersecurity strategy, and priorities and is communicated and enforced
Related questions
- Has your organization established and communicated a formal risk management policy that clearly articulates management's intent, expectations, and direction?
- Does your organization have a process to regularly review and update cybersecurity policies and procedures to ensure alignment with your risk management strategy and overall cybersecurity objectives?
- Does your organization require formal approval from senior management for all security policies?
- Does your organization require personnel to formally acknowledge receipt and understanding of security policies at onboarding, annually, and after policy updates?
- Does your organization regularly update cybersecurity policies based on risk management review results to maintain acceptable risk levels?
- Does your organization have a documented timeline for reviewing and updating security policies in response to changes in the risk environment or mission objectives?

