Have senior leaders established and agreed upon measurable cybersecurity objectives that are used to manage risk and evaluate performance?
Explanation
This question concerns leadership alignment on security: whether senior leaders have set and agreed on measurable cybersecurity objectives that steer risk decisions and gauge performance. When senior leaders agree on cybersecurity objectives, they ensure consistent prioritization, resource allocation, and accountability throughout the organization. These objectives should be specific enough to measure the progress and effectiveness of the security program.
Evidence could include board meeting minutes discussing cybersecurity objectives, a formal document outlining agreed-upon security metrics and KPIs, executive dashboards showing security performance against objectives, or risk management frameworks that incorporate these objectives into decision-making processes.
Implementation Example
Senior leaders agree on cybersecurity objectives and use them to measure and manage risk and performance.
ID: GV.RM-01.014
Context
- Function: GV: GOVERN
- Category: GV.RM: Risk Management Strategy
- Sub-Category: Risk management objectives are established and agreed to by organizational stakeholders
Related questions
- Does your organization update cybersecurity risk management objectives as part of annual strategic planning and when significant organizational or environmental changes occur?
- Has your organization established measurable objectives for cybersecurity risk management?
- Has your organization formally defined and communicated risk appetite statements that clearly articulate acceptable levels of risk across different business areas?
- Has your organization translated high-level risk appetite statements into specific, measurable risk tolerance metrics that can be monitored and reported?
- Does your organization have a formal process to periodically review and update its risk appetite and objectives based on current risk exposure and residual risk levels?
- Does your organization integrate cybersecurity risk management into its enterprise risk management framework?

