GV — Govern
31 outcomes in the Govern function
GV.OC-01: The organizational mission is understood and informs cybersecurity risk management
GV.OC-02: Internal and external stakeholders are understood, and their needs and expectations regarding cybersecurity risk management are understood and considered
GV.OC-03: Legal, regulatory, and contractual requirements regarding cybersecurity — including privacy and civil liberties obligations — are understood and managed
GV.OC-04: Critical objectives, capabilities, and services that stakeholders depend on or expect from the organization are understood and communicated
GV.OC-05: Outcomes, capabilities, and services that the organization depends on are understood and communicated
GV.RM-01: Risk management objectives are established and agreed to by organizational stakeholders
GV.RM-02: Risk appetite and risk tolerance statements are established, communicated, and maintained
GV.RM-03: Cybersecurity risk management activities and outcomes are included in enterprise risk management processes
GV.RM-04: Strategic direction that describes appropriate risk response options is established and communicated
GV.RM-05: Lines of communication across the organization are established for cybersecurity risks, including risks from suppliers and other third parties
GV.RM-06: A standardized method for calculating, documenting, categorizing, and prioritizing cybersecurity risks is established and communicated
GV.RM-07: Strategic opportunities (i.e., positive risks) are characterized and are included in organizational cybersecurity risk discussions
GV.RR-01: Organizational leadership is responsible and accountable for cybersecurity risk and fosters a culture that is risk-aware, ethical, and continually improving
GV.RR-02: Roles, responsibilities, and authorities related to cybersecurity risk management are established, communicated, understood, and enforced
GV.RR-03: Adequate resources are allocated commensurate with the cybersecurity risk strategy, roles, responsibilities, and policies
GV.RR-04: Cybersecurity is included in human resources practices
GV.PO-01: Policy for managing cybersecurity risks is established based on organizational context, cybersecurity strategy, and priorities and is communicated and enforced
GV.PO-02: Policy for managing cybersecurity risks is reviewed, updated, communicated, and enforced to reflect changes in requirements, threats, technology, and organizational mission
GV.OV-01: Cybersecurity risk management strategy outcomes are reviewed to inform and adjust strategy and direction
GV.OV-02: The cybersecurity risk management strategy is reviewed and adjusted to ensure coverage of organizational requirements and risks
GV.OV-03: Organizational cybersecurity risk management performance is evaluated and reviewed for adjustments needed
GV.SC-01: A cybersecurity supply chain risk management program, strategy, objectives, policies, and processes are established and agreed to by organizational stakeholders
GV.SC-02: Cybersecurity roles and responsibilities for suppliers, customers, and partners are established, communicated, and coordinated internally and externally
GV.SC-03: Cybersecurity supply chain risk management is integrated into cybersecurity and enterprise risk management, risk assessment, and improvement processes
GV.SC-04: Suppliers are known and prioritized by criticality
GV.SC-05: Requirements to address cybersecurity risks in supply chains are established, prioritized, and integrated into contracts and other types of agreements with suppliers and other relevant third parties
GV.SC-06: Planning and due diligence are performed to reduce risks before entering into formal supplier or other third-party relationships
GV.SC-07: The risks posed by a supplier, their products and services, and other third parties are understood, recorded, prioritized, assessed, responded to, and monitored over the course of the relationship
GV.SC-08: Relevant suppliers and other third parties are included in incident planning, response, and recovery activities
GV.SC-09: Supply chain security practices are integrated into cybersecurity and enterprise risk management programs, and their performance is monitored throughout the technology product and service life cycle
GV.SC-10: Cybersecurity supply chain risk management plans include provisions for activities that occur after the conclusion of a partnership or service agreement