Skip to main content

GOV-01: Cybersecurity & Data Protection Governance Program

GOV 10 — Critical Govern

Mechanisms exist to facilitate the implementation of cybersecurity and data protection governance controls.

Control Question: Does the organization facilitate the implementation of cybersecurity and data protection governance controls?

General (34)
Framework Mapping Values
AICPA TSC 2017:2022 (used for SOC 2) (source) CC1.1 CC1.1-POF1 CC1.2 CC2.3-POF5
BSI Standard 200-1 4 4.1 4.2 4.3 4.4 5 7 7.1 7.2 7.4 7.5 8 8.1 8.2 8.4 10 10.1 10.2 10.2.1 10.2.2
COBIT 2019 EDM01.02 APO01.09 APO04.01 APO13.01 APO13.02
COSO 2017 Principle 2
CSA CCM 4 GRC-05 GRC-07
CSA IoT SCF 2 GVN-01 GVN-02
Generally Accepted Privacy Principles (GAPP) 8.2.1
IMO Maritime Cyber Risk Management 3.5 3.5.3
ISO/SAE 21434 2021 RQ-05-02.a RQ-05-02.b
ISO 22301 2019 5.2 5.2.1 5.2.2
ISO 27001 2022 (source) 4.4 5.1 5.1(a) 5.1(b) 5.1(c) 5.1(d) 5.1(e) 5.1(f) 5.1(g) 5.1(h) 6.1.1 6.1.1(a) 6.1.1(b) 6.1.1(c) 6.1.1(d) 6.1.1(e)(1) 6.1.1(e)(2) 8.1 10.1
ISO 27002 2022 5.1 5.4 5.37
ISO 27017 2015 5.1 5.1.1
ISO 27701 2025 5.1 6.1.3(c) 7.5.1
ISO 42001 2023 7.5.1 7.5.1(a) 7.5.1(b) 7.5.2 7.5.3 7.5.3(a) 7.5.3(b)
MPA Content Security Program 5.1 OR-1.0
NAIC Insurance Data Security Model Law (MDL-668) 4.A 4.B 4.B(1) 4.B(2) 4.B(3) 4.B(4) 4.D(1)
NIST AI 600-1 GOVERN 1.1 GOVERN 1.2 GOVERN 4.1 GV-1.2-002 GV-1.4-001 GV-1.4-002
NIST Privacy Framework 1.0 GV.PO-P1 GV.PO-P6
NIST 800-53 R4 PM-1
NIST 800-53 R5 (source) PM-1
NIST 800-53 R5 (NOC) (source) PM-1
NIST 800-171 R3 (source) 03.15.01.a
NIST CSF 2.0 (source) GV GV.RM-01 GV.RM-03 GV.RR-01 GV.SC GV.SC-01 GV.SC-03 GV.SC-09 ID.RA PR PR.IR
PCI DSS 4.0.1 (source) 12.4 A3.1.2
SPARTA CM0005
TISAX ISA 6 1.2.1
UN R155 7.1.2
UN ECE WP.29 7.1.2
SCF CORE Mergers, Acquisitions & Divestitures (MA&D) GOV-01
SCF CORE ESP Level 1 Foundational GOV-01
SCF CORE ESP Level 2 Critical Infrastructure GOV-01
SCF CORE ESP Level 3 Advanced Threats GOV-01
SCF CORE AI Model Deployment GOV-01
US (32)
Framework Mapping Values
US C2M2 2.1 PROGRAM-2.A.MIL1 PROGRAM-2.B.MIL2 PROGRAM-2.C.MIL2 PROGRAM-2.D.MIL2 PROGRAM-2.E.MIL2 PROGRAM-2.F.MIL2 PROGRAM-2.G.MIL3 PROGRAM-2.H.MIL3 PROGRAM-2.I.MIL3 PROGRAM-2.J.MIL3
US CERT RMM 1.2 EF:SG2.SP1 EF:SG2.SP2 OPF:SG1.SP1
US CJIS Security Policy 5.9.3 (source) 5.1 5.1.1 5.1.1.1 5.1.1.2
US CMS MARS-E 2.0 PM-1
US DFARS Cybersecurity 252.204-70xx 252.204-7008 252.204-7012
US DHS CISA SSDAF 1.f
US DHS CISA TIC 3.0 3.UNI.PEPAR
US EO 14028 4e(i)(F)
US FCA CRM 609.930(a) 609.930(d)
US FERPA (source) 1232h
US FINRA S-P (17 CFR §248.30)
US GLBA CFR 314 2023 (source) 314.3(a) 314.3(b)(1) 314.3(b)(2) 314.3(b)(3) 314.4(a) 314.4(b) 314.4(c)
US HHS 45 CFR 155.260 155.260(a)(3)
US HIPAA Administrative Simplification 2013 (source) 164.306(a)(1) 164.306(a)(2) 164.306(a)(3) 164.316(a) 164.530(c)(1)
US HIPAA Security Rule / NIST SP 800-66 R2 (source) 164.306(a)(1) 164.306(a)(2) 164.306(a)(3) 164.316(a)
US HIPAA HICP Small Practice 10.S.A
US HIPAA HICP Medium Practice 8.M.A
US HIPAA HICP Large Practice 8.M.A 10.M.A
US IRS 1075 PM-1
US NERC CIP 2024 (source) CIP-003-8 1.1.4
US NISPOM 2020 8-100
US SSA EIESR 8.0 5.1
US - AK PIPA 45.48.530
US - CA CCPA 2025 7123(b)(1)
US - MA 201 CMR 17.00 17.03(1) 17.04 17.03(2)(b)(2)
US - NV NOGE Reg 5 5.260.1
US - NY DFS 23 NYCRR500 2023 Amd 2 500.2(a) 500.2(b) 500.2(b)(1) 500.2(b)(2) 500.2(b)(3) 500.2(b)(4) 500.2(b)(5) 500.2(b)(6) 500.2(d) 500.2(e) 500.3(a)
US - NY SHIELD Act S5575B 4(2)(a) 4(2)(b)(ii) 4(2)(b)(ii)(A) 4(2)(b)(ii)(A)(1) 4(2)(b)(ii)(A)(2) 4(2)(b)(ii)(A)(3) 4(2)(b)(ii)(A)(4) 4(2)(b)(ii)(A)(5) 4(2)(b)(ii)(A)(6) 4(2)(b)(ii)(B)(1) 4(2)(b)(ii)(B)(2) 4(2)(b)(ii)(B)(3) 4(2)(b)(ii)(B)(4) 4(2)(b)(ii)(C)(1) 4(2)(b)(ii)(C)(2) 4(2)(b)(ii)(C)(3) 4(2)(b)(ii)(C)(4)
US - TX BC521 521.052
US - TX DIR Control Standards 2.0 PM-1
US - TX SB 2610 542.004(a)(1)
US - VT Act 171 of 2018 2447(a) 2447(a)(1) 2447(a)(1)(A) 2447(a)(1)(B) 2447(a)(1)(C) 2447(a)(1)(D) 2447(a)(2) 2447(b) 2447(c) 2447(c)(1) 2447(c)(1)(A) 2447(c)(1)(A)(i) 2447(c)(1)(A)(ii) 2447(c)(1)(A)(iii) 2447(c)(1)(A)(iv) 2447(c)(1)(A)(v)
EMEA (33)
Framework Mapping Values
EMEA EU AI Act 17.2
EMEA EU DORA 16.1(a) 16.1(b) 16.1(c) 16.1(d) 16.1(e) 16.1(f) 16.1(g) 16.1(h) 16.2 5.1 9.4
EMEA EU NIS2 21.1 21.2 21.2(a) 21.2(b) 21.2(c) 21.2(d) 21.2(e) 21.2(f) 21.2(g) 21.2(h) 21.2(i) 21.2(j)
EMEA EU NIS2 Annex 1.1.1(a) 1.1.1(b) 6.7.1
EMEA EU PSD2 3
EMEA Austria Sec 14 Sec 15
EMEA Belgium 16
EMEA Germany Sec 9 Sec 9a Annex
EMEA Germany Banking Supervisory Requirements for IT (BAIT) 4.1
EMEA Germany C5 2020 OIS-01
EMEA Greece 10
EMEA Hungary 7
EMEA Ireland 2
EMEA Israel CDMO 1.0 3.2 4.25
EMEA Israel 16 17
EMEA Italy 31 33 34 35
EMEA Netherlands 12 13 14
EMEA Norway 13 14
EMEA Poland 1 36
EMEA Russia 7 19
EMEA Saudi Arabia IoT CGIoT-1 2024 1-1-2
EMEA Saudi Arabia ECC-1 2018 1-2-1 1-3-2
EMEA Saudi Arabia OTCC-1 2022 1-1
EMEA Saudi Arabia SACS-002 TPC-25
EMEA Saudi Arabia SAMA CSF 1.0 3.1.1
EMEA South Africa 19 21
EMEA Spain BOE-A-2022-7191 5 6.1 6.2 13.1 35.1
EMEA Spain 311/2022 13.1 35.1 5 6.1 6.2
EMEA Spain CCN-STIC 825 6.1 [ORG.1]
EMEA Sweden 31
EMEA Switzerland 7
EMEA Turkey 12
EMEA UK CAP 1850 A1
APAC (16)
Framework Mapping Values
APAC Australia Privacy Act APP Part 1 APP Part 11
APAC Australia ISM June 2024 ISM-0888
APAC Australia Prudential Standard CPS234 13 18 19
APAC China DNSIP 4
APAC China Privacy Law 58 58(1) 58(2) 58(3) 58(4)
APAC Hong Kong Principle 4
APAC India ITR 8
APAC India SEBI CSCRF GV.OC.S1 GV.OC.S2 PR.IP.S17
APAC Japan APPI 20
APAC Japan ISMAP 4.1 4.2 4.3 4.4 4.4.1 4.4.2 4.4.2.1 4.4.4 4.4.5 4.4.5.3 4.5 4.5.1 4.5.1.1 4.5.1.2 4.5.2 4.6 4.6.1 4.9.1 4.9.1.1 4.9.2 4.9.2.1 4.9.2.2 5.1 5.1.1 5.1.2
APAC Malaysia 9
APAC New Zealand NZISM 3.6 5.1.14.C.01
APAC Philippines 25 27 28
APAC Singapore 12 24
APAC South Korea 3 29 30
APAC Taiwan 27
Americas (12)
Framework Mapping Values
Americas Argentina PPL 9 30
Americas Bahamas 6
Americas Bermuda BMACCC 4 5.4
Americas Canada CSAG 6.5 6.6 6.7 6.23
Americas Canada OSFI B-13 1 1.1.2 1.3.1 2.1.1 3
Americas Canada ITSP-10-171 03.15.01.A
Americas Canada PIPEDA Principle 7
Americas Chile 7
Americas Colombia 4
Americas Costa Rica 10
Americas Mexico 19
Americas Peru 9 16 17

Capability Maturity Model

Level 0 — Not Performed

There is no evidence of a capability to facilitate the implementation of cybersecurity and data privacy governance controls.

Level 1 — Performed Informally

Cybersecurity & Privacy Governance (GOV) efforts are ad hoc and inconsistent. CMM Level 1 control maturity would reasonably expect all, or at least most, the following criteria to exist:

  • No formal cybersecurity and/ or data privacy principles are identified for the organization.
  • No formal Governance, Risk & Compliance (GRC) team exists. GRC roles are assigned to existing IT/cybersecurity personnel.
  • Governance efforts are narrowly-limited to certain compliance requirements.
  • Formal roles and responsibilities for cybersecurity and/ or data privacy may exist.
  • Cybersecurity and data privacy governance is informally assigned as an additional duty to existing IT/cybersecurity personnel.
  • Basic cybersecurity policies and standards are documented [not based on any industry framework]
  • Basic procedures are established for important tasks, but are ad hoc and not formally documented.
  • Documentation is made available to internal personnel.
  • Organizational leadership maintains an informal process to review and respond to observed trends.
  • Compliance efforts are not tied into an enterprise-wide cybersecurity and/ or data privacy program.
Level 2 — Planned & Tracked

Cybersecurity & Privacy Governance (GOV) efforts are requirements-driven and governed at a local/regional level, but are not consistent across the organization. CMM Level 2 control maturity would reasonably expect all, or at least most, the following criteria to exist:

  • Cybersecurity and data privacy governance activities are decentralized (e.g., a localized/regionalized function) and uses non-standardized methods to implement secure, resilient and compliant practices.
  • IT/cybersecurity personnel identify cybersecurity and data protection controls that are appropriate to address applicable statutory, regulatory and contractual requirements for cybersecurity and data privacy governance activities.
  • The Chief Information Officer (CIO), or similar function, analyzes the organization's business strategy and prioritizes the objectives of the security function, based on business requirements.
  • A qualified individual is assigned the role and responsibilities to centrally manage, coordinate, develop, implement and maintain a cybersecurity and data privacy program (e.g., cybersecurity director or Chief Information Security Officer (CISO)).
  • No formal Governance, Risk & Compliance (GRC) team exists. GRC roles are assigned to existing cybersecurity personnel.
  • Compliance requirements for cybersecurity and data privacy are identified and documented.
  • Cybersecurity policies and standards exist that are aligned with a leading cybersecurity framework (e.g., SCF, NIST 800-53, ISO 27002 or NIST Cybersecurity Framework).
  • Controls are assigned to sensitive/regulated assets to comply with specific compliance requirements.
  • Procedures are established for sensitive/regulated obligations, but are not standardized across the organization.
  • Documentation is made available to internal personnel.
Level 3 — Well Defined

Cybersecurity & Privacy Governance (GOV) efforts are standardized across the organization and centrally managed, where technically feasible, to ensure consistency. CMM Level 3 control maturity would reasonably expect all, or at least most, the following criteria to exist:

  • Statutory, regulatory and contractual compliance requirements for cybersecurity and data privacy are identified and documented. Recurring testing is utilized to assess adherence to internal standards and/or external compliance requirements.
  • A Governance, Risk & Compliance (GRC) function, or similar function, provides scoping guidance to determine control applicability.
  • Internal policies and standards address all statutory, regulatory and contractual obligations for cybersecurity and data privacy.
  • Controls are standardized across the organization to ensure uniformity and consistent execution.
  • Corporate governance (executive oversight) exists for the cybersecurity and data privacy, which includes regular briefings to ensure executives have sufficient situational awareness to properly govern the organization.
  • Procedures are established for sensitive/regulated compliance obligations that are standardized across the organization.
  • Defined roles & responsibilities require data/process owners to define, implement and maintain cybersecurity and data protection controls for each system, application and/ or service of which they have accountability.
  • The organization designates one or more qualified individuals to govern the cybersecurity and data privacy programs (e.g., Chief Information Security Officer or Chief Privacy Officer).
  • Risk management processes are defined, to include materiality considerations.
Level 4 — Quantitatively Controlled

Cybersecurity & Privacy Governance (GOV) efforts are metrics driven and provide sufficient management insight (based on a quantitative understanding of process capabilities) to predict optimal performance, ensure continued operations and identify areas for improvement. In addition to CMM Level 3 criteria, CMM Level 4 control maturity would reasonably expect all, or at least most, the following criteria to exist:

  • Metrics are developed that provide management insight, per a quantitative understanding of process capabilities, to predict optimal performance, ensure continued operations and identify areas for improvement.
  • Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).
  • Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).
  • Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.
  • Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).
  • Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.
  • Both business and technical stakeholders are involved in reviewing and approving proposed changes.
Level 5 — Continuously Improving

See C|P-CMM4. There are no defined C|P-CMM5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to facilitate the implementation of cybersecurity and data privacy governance controls.

Assessment Objectives

  1. GOV-01_A01 an organization-wide cybersecurity / data privacy governance program is developed.
  2. GOV-01_A02 the cybersecurity / data privacy governance program addresses management commitment.
  3. GOV-01_A03 the cybersecurity / data privacy governance program addresses statutory, regulatory and/or contractual compliance obligations.
  4. GOV-01_A04 the cybersecurity / data privacy governance program is protected from unauthorized disclosure.
  5. GOV-01_A05 the cybersecurity / data privacy governance program is protected from unauthorized modification.
  6. GOV-01_A06 the cybersecurity / data privacy governance program is disseminated.
  7. GOV-01_A07 the cybersecurity / data privacy governance program provides an overview of the requirements for the security program.
  8. GOV-01_A08 the cybersecurity / data privacy governance program provides a description of the security program management controls in place or planned for meeting those requirements.
  9. GOV-01_A09 the cybersecurity / data privacy governance program provides a description of the common controls in place or planned for meeting those requirements.
  10. GOV-01_A10 the cybersecurity / data privacy governance program includes the identification and assignment of roles.
  11. GOV-01_A11 the cybersecurity / data privacy governance program includes the identification and assignment of responsibilities.
  12. GOV-01_A12 the cybersecurity / data privacy governance program addresses coordination among organizational entities.
  13. GOV-01_A13 the cybersecurity / data privacy governance program reflects the coordination among the organizational entities responsible for cybersecurity / data privacy.
  14. GOV-01_A14 the cybersecurity / data privacy governance program is approved by a senior official with responsibility and accountability for the risk being incurred to organizational operations.
  15. GOV-01_A15 the frequency at which to review / update the organization-wide cybersecurity / data privacy governance program is defined.
  16. GOV-01_A16 events that trigger the review / update of the organization-wide cybersecurity / data privacy governance program are defined.
  17. GOV-01_A17 the cybersecurity / data privacy governance program is reviewed / updated frequently.
  18. GOV-01_A18 the cybersecurity / data privacy governance program is reviewed / updated following events.
  19. GOV-01_A19 cybersecurity & data protection governance operations are conducted according to documented policies, standards, procedures and/or other organizational directives.
  20. GOV-01_A20 adequate resources (e.g., people, processes, technologies, data and/or facilities) are provided to support cybersecurity & data protection governance operations.
  21. GOV-01_A21 responsibility and authority for the performance of cybersecurity & data protection governance-related activities are assigned to designated personnel.
  22. GOV-01_A22 personnel performing cybersecurity & data protection governance-related activities have the skills and knowledge needed to perform their assigned duties.

Evidence Requirements

E-GOV-01 Charter - Cybersecurity Program

Documented evidence of a charter to establish and resource the organization's cybersecurity program.

Cybersecurity & Data Protection Management
E-GOV-02 Charter - Data Privacy Program

Documented evidence of a charter to establish and resource the organization's data privacy program.

Cybersecurity & Data Protection Management

Technology Recommendations

Micro/Small

  • ComplianceForge - Cybersecurity & Data Protection Program (CDPP) (https://complianceforge.com)

Small

  • ComplianceForge - Cybersecurity & Data Protection Program (CDPP) (https://complianceforge.com)

Medium

  • Steering committee
  • ComplianceForge - Digital Security Program (DSP) (https://complianceforge.com)
  • ComplianceForge - Cybersecurity & Data Protection Program (CDPP) (https://complianceforge.com)

Large

  • Steering committee
  • ComplianceForge - Digital Security Program (DSP) (https://complianceforge.com)
  • ComplianceForge - Cybersecurity & Data Protection Program (CDPP) (https://complianceforge.com)

Enterprise

  • Steering committee
  • ComplianceForge - Digital Security Program (DSP) (https://complianceforge.com)

The Secure Controls Framework (SCF) is maintained by SCF Council. Use of SCF content is subject to the SCF Terms & Conditions.

Manage this control in SCF Connect

Track implementation status, collect evidence, and map controls to your compliance frameworks automatically.

Get Started Free