Has your organization established a formal process for reporting cybersecurity posture metrics to senior executives, directors, and management at defined intervals?
Explanation
Regular reporting of cybersecurity metrics to leadership ensures strategic alignment, informed decision-making, and appropriate resource allocation for security initiatives. This process should include defined reporting intervals (e.g., quarterly), specific metrics that matter to leadership, and a consistent format that highlights both current status and emerging trends.
Evidence could include a documented reporting schedule, sample executive dashboards, meeting minutes where cybersecurity updates were presented, or templates used for cybersecurity briefings to leadership that show regular cadence of communication.
Implementation Example
Determine how to update senior executives, directors, and management on the organization's cybersecurity posture at agreed-upon intervals
ID: GV.RM-05.024
Context
- Function
- GV: GOVERN
- Category
- GV.RM: Risk Management Strategy
- Sub-Category
- Lines of communication across the organization are established for cybersecurity risks, including risks from suppliers and other third parties
Related questions
- Does your organization update cybersecurity risk management objectives as part of annual strategic planning and when significant organizational or environmental changes occur?
- Has your organization established measurable objectives for cybersecurity risk management?
- Have senior leaders established and agreed upon measurable cybersecurity objectives that are used to manage risk and evaluate performance?
- Has your organization formally defined and communicated risk appetite statements that clearly articulate acceptable levels of risk across different business areas?
- Has your organization translated high-level risk appetite statements into specific, measurable risk tolerance metrics that can be monitored and reported?
- Does your organization have a formal process to periodically review and update its risk appetite and objectives based on current risk exposure and residual risk levels?

