- ID:
This column contains the ID of the category being described, formed from the function prefix and the category abbreviation. e.g. Function 'GV' combined with the category "OV (Oversight)" gives the category ID "GV.OV".
- CATEGORY:
This column describes the key focus of the organization in that particular category. e.g. For the category 'GV.OC', the "Organizational Context" is the key area of focus.
- METHODOLOGY:
Describes the methods and considerations the organization should apply when carrying out the part of its risk assessment pertinent to the category being considered. e.g. GV.OC describes the importance of understanding the organization's mission.
- SUB CATEGORY ID:
Lists the sub-categories belonging to that specific category. e.g. GV.OC (category) --> GV.OC-1, GV.OC-2, GV.OC-3, GV.OC-4, GV.OC-5 (sub-categories).
- SUB CATEGORY DESCRIPTION:
This column gives the description of each sub-category ID. e.g. GV.OC-1 has its own description, which is different from that of GV.OC-2.
- SUB CATEGORY MODIFICATIONS:
This column records changes to the sub-categories of the category: whether a sub-category was "WITHDRAWN", whether a sub-category was "NEWLY ADDED OR INTRODUCED", and, for a withdrawn sub-category, where it was "MOVED TO".
GOVERN focuses on ensuring that the organization's cybersecurity risk management strategy, expectations, and policy are established, communicated, and monitored.
Listed below are the categories and sub-categories of the "Govern Function" to use when planning your organization's risk assessment for its critical infrastructure.
ID: GV.OC
CATEGORY: Organizational Context
METHODOLOGY: The organization's mission should be understood. The circumstances surrounding the organization's cybersecurity risk management decisions (its mission, stakeholder expectations, dependencies, and legal, regulatory, and contractual requirements) must be understood.
SUB CATEGORY ID: GV.OC-1, GV.OC-2, GV.OC-3, GV.OC-4, GV.OC-5
SUB CATEGORY DESCRIPTION:
GV.OC-1: The organization's mission is understood, shared through its vision and mission statements, and informs its cybersecurity risk management.
GV.OC-2: The organization's internal and external stakeholders are understood, and their needs and expectations regarding cybersecurity risk management are understood and considered. These expectations include performance and risk expectations of officers and directors, business expectations of partners, compliance expectations of regulators, and ethics expectations of society.
GV.OC-3: The organization's legal, regulatory, and contractual requirements regarding cybersecurity, including its privacy and civil liberties obligations, are understood and managed.
GV.OC-4: The critical objectives, capabilities, and services that external stakeholders depend on or expect from the organization are understood and communicated.
GV.OC-5: The outcomes, capabilities, and services that the organization itself depends on are understood and communicated.
SUB CATEGORY MODIFICATIONS: WITHDRAWN (N/A) | NEWLY ADDED (N/A) | MOVED TO (N/A)

ID: GV.RM
CATEGORY: Risk Management Strategy
METHODOLOGY: Establishing the organization's priorities. The organization's priorities, constraints, risk tolerance and risk appetite statements, and assumptions are established, communicated, and used to support operational risk decisions.
SUB CATEGORY ID: GV.RM-1, GV.RM-2, GV.RM-3, GV.RM-4, GV.RM-5, GV.RM-6, GV.RM-7
SUB CATEGORY DESCRIPTION:
GV.RM-1: The organization's risk management objectives are established and agreed to by its stakeholders.
GV.RM-2: Risk appetite and risk tolerance statements are established, communicated, and maintained.
GV.RM-3: Cybersecurity risk management activities and their outcomes are included in the enterprise risk management processes.
GV.RM-4: Strategic direction that describes appropriate risk response options is established and communicated.
GV.RM-5: Lines of communication across the organization are established for cybersecurity risks, including risks from suppliers and other third parties.
GV.RM-6: A standardized method for calculating, documenting, categorizing, and prioritizing cybersecurity risks is established and communicated.
GV.RM-7: Strategic opportunities (i.e., positive risks) are characterized and included in the organization's cybersecurity risk discussions.
SUB CATEGORY MODIFICATIONS: WITHDRAWN (N/A) | NEWLY ADDED (N/A) | MOVED TO (N/A)

ID: GV.RR
CATEGORY: Roles, Responsibilities, and Authorities
METHODOLOGY: Establishing the organization's cybersecurity roles and responsibilities. The organization's cybersecurity roles, responsibilities, and authorities are established and communicated to foster accountability, performance assessment, and continuous improvement.
SUB CATEGORY ID: GV.RR-1, GV.RR-2, GV.RR-3, GV.RR-4
SUB CATEGORY DESCRIPTION:
GV.RR-1: The organization's leadership is responsible and accountable for its cybersecurity risk and fosters a culture that is risk-aware, ethical, and continually improving.
GV.RR-2: The roles, responsibilities, and authorities related to the organization's cybersecurity risk management are established, communicated, understood, and enforced.
GV.RR-3: Adequate resources are allocated commensurate with the organization's cybersecurity risk strategy, roles, responsibilities, and policies.
GV.RR-4: Cybersecurity is included in the organization's human resources practices.
SUB CATEGORY MODIFICATIONS: WITHDRAWN (N/A) | NEWLY ADDED (N/A) | MOVED TO (N/A)

ID: GV.PO
CATEGORY: Policy
METHODOLOGY: Establishing the organization's cybersecurity policies. The organization's cybersecurity policy is established, communicated, and enforced.
SUB CATEGORY ID: GV.PO-1, GV.PO-2
SUB CATEGORY DESCRIPTION:
GV.PO-1: The policy for managing the organization's cybersecurity risk is established based on the organizational context, cybersecurity strategy, and priorities, and is communicated and enforced.
GV.PO-2: The policy for managing the organization's cybersecurity risk is reviewed, updated, communicated, and enforced to reflect changes in requirements, threats, technology, and organizational mission.
SUB CATEGORY MODIFICATIONS: WITHDRAWN (N/A) | NEWLY ADDED (N/A) | MOVED TO (N/A)

ID: GV.OV
CATEGORY: Oversight
METHODOLOGY: Adjusting the risk management strategy using results. The results of organization-wide cybersecurity risk management activities and performance are used to inform, improve, and adjust the risk management strategy.
SUB CATEGORY ID: GV.OV-1, GV.OV-2, GV.OV-3
SUB CATEGORY DESCRIPTION:
GV.OV-1: The outcomes of the organization's cybersecurity risk management strategy are reviewed to inform and adjust its strategy and direction.
GV.OV-2: The organization's cybersecurity risk management strategy is reviewed and adjusted to ensure coverage of organizational requirements and risks.
GV.OV-3: The organization's cybersecurity risk management performance is evaluated and reviewed for the adjustments needed.
SUB CATEGORY MODIFICATIONS: WITHDRAWN (N/A) | NEWLY ADDED (N/A) | MOVED TO (N/A)

ID: GV.SC
CATEGORY: Cybersecurity Supply Chain Risk Management
METHODOLOGY: Identifying, establishing, managing, and monitoring. The organization's cyber supply chain risk management processes are identified, established, managed, monitored, and improved by the organization's stakeholders.
SUB CATEGORY ID: GV.SC-1, GV.SC-2, GV.SC-3, GV.SC-4, GV.SC-5, GV.SC-6, GV.SC-7, GV.SC-8, GV.SC-9, GV.SC-10
SUB CATEGORY DESCRIPTION:
GV.SC-1: A cybersecurity supply chain risk management program, strategy, objectives, policies, and processes are established and agreed to by the organization's stakeholders.
GV.SC-2: Cybersecurity roles and responsibilities for suppliers, customers, and partners are established, communicated, and coordinated internally and externally.
GV.SC-3: Cybersecurity supply chain risk management is integrated into the organization's cybersecurity and enterprise risk management, risk assessment, and improvement processes.
GV.SC-4: The organization's suppliers are known (identified) and prioritized by criticality.
GV.SC-5: Requirements to address cybersecurity risks in supply chains are established, prioritized, and integrated into contracts and other types of agreements with suppliers and other relevant third parties.
GV.SC-6: Planning and due diligence are performed to reduce risks before entering into a formal relationship with a supplier or other third party.
GV.SC-7: The risks posed by a supplier, their products and services, and other third parties are understood, recorded, prioritized, assessed, responded to, and monitored over the course of the relationship with the organization.
GV.SC-8: Relevant suppliers and other third parties are included in the organization's incident planning, response, and recovery activities.
GV.SC-9: Supply chain security practices are integrated into the organization's cybersecurity and enterprise risk management programs, and their performance is monitored throughout the technology product and service life cycle.
GV.SC-10: The organization's cybersecurity supply chain risk management plans include provisions for activities that occur after the conclusion of a partnership or service agreement.
SUB CATEGORY MODIFICATIONS: WITHDRAWN (N/A) | NEWLY ADDED (N/A) | MOVED TO (N/A)