Has your organization established a formal cross-departmental communication framework for cybersecurity risks?
Explanation
This question concerns cross-departmental communication: whether management, IT, legal, HR, and operations have defined channels for sharing information about cybersecurity threats, vulnerabilities, and incidents. Effective cross-departmental communication ensures that security risks are escalated properly, addressed holistically, and that response efforts are coordinated across the organization.
Evidence could include a documented communication plan or matrix that outlines roles, responsibilities, escalation paths, and communication channels for cybersecurity risks. This might take the form of a formal policy document, communication flowchart, RACI matrix specific to security incidents, or meeting cadence documentation showing regular cross-functional security discussions.
Implementation Example
Identify how all departments across the organization - such as management, operations, internal auditors, legal, acquisition, physical security, and HR - will communicate with each other about cybersecurity risks.
ID: GV.RM-05.025
Context
- Function: GV: GOVERN
- Category: GV.RM: Risk Management Strategy
- Sub-Category: Lines of communication across the organization are established for cybersecurity risks, including risks from suppliers and other third parties
Related questions
- Does your organization update cybersecurity risk management objectives as part of annual strategic planning and when significant organizational or environmental changes occur?
- Has your organization established measurable objectives for cybersecurity risk management?
- Have senior leaders established and agreed upon measurable cybersecurity objectives that are used to manage risk and evaluate performance?
- Has your organization formally defined and communicated risk appetite statements that clearly articulate acceptable levels of risk across different business areas?
- Has your organization translated high-level risk appetite statements into specific, measurable risk tolerance metrics that can be monitored and reported?
- Does your organization have a formal process to periodically review and update its risk appetite and objectives based on current risk exposure and residual risk levels?