Have you established documented performance goals for personnel with cybersecurity risk management responsibilities and implemented a process to measure their performance against these goals?
Explanation
The focus here is accountability for personnel with cybersecurity risk management responsibilities: whether you set documented performance goals for them and measure staff against those goals. Measurable goals create accountability and help identify skill gaps or areas where additional training or resources may be needed.
Regular performance measurement supports continuous improvement of your security posture by verifying that cybersecurity staff are effectively carrying out their responsibilities.
Evidence could include: documented job descriptions with cybersecurity performance metrics, performance review templates specific to security roles, reports showing periodic performance evaluations of security personnel, or improvement plans developed based on performance measurements.
Implementation Example
Document performance goals for personnel with cybersecurity risk management responsibilities, and periodically measure performance against those goals to identify areas for improvement.
ID: GV.RR-02.040
Context
- Function
  - GV: GOVERN
- Category
  - GV.RR: Roles, Responsibilities, and Authorities
- Sub-Category
  - Roles, responsibilities, and authorities related to cybersecurity risk management are established, communicated, understood, and enforced
Related questions
- Have organizational leaders formally documented and agreed upon their specific roles and responsibilities for cybersecurity strategy development, implementation, and assessment?
- Does leadership actively communicate expectations for a secure and ethical culture, particularly leveraging current events as teaching opportunities?
- Does your organization have a comprehensive cybersecurity risk strategy that is reviewed and updated at least annually and after significant security events?
- Does your organization conduct regular reviews to verify that individuals responsible for managing cybersecurity risk have appropriate authority and coordination mechanisms?
- Has your organization documented risk management roles and responsibilities in a formal policy?
- Has your organization formally documented the roles and responsibilities for cybersecurity risk management, including RACI (Responsible, Accountable, Consulted, Informed) designations?