Skip to main content

GOV-01.1: Steering Committee & Program Oversight

GOV 7 — High Govern

Mechanisms exist to coordinate cybersecurity, data protection and business alignment through a steering committee or advisory board, comprised of key cybersecurity, data protection and business executives, which meets formally and on a regular basis.

Control Question: Does the organization coordinate cybersecurity, data protection and business alignment through a steering committee or advisory board, comprised of key cybersecurity, data protection and business executives, which meets formally and on a regular basis?

General (18)
Framework Mapping Values
AICPA TSC 2017:2022 (used for SOC 2) (source) CC1.2 CC1.2-POF1 CC1.2-POF2 CC1.2-POF3 CC1.2-POF4 CC1.3-POF1 CC1.3-POF3 CC1.5-POF3 CC1.5-POF4 CC1.5-POF5 CC2.2-POF12 CC2.2-POF4 CC2.3-POF3 CC3.1-POF11 CC3.4-POF3 CC4.2 CC4.2-POF1 CC4.2-POF2
BSI Standard 200-1 4.1 4.1.1 4.1.2 4.1.3 4.1.4 4.1.5 4.1.6 4.2 4.4 7.5 8.3 8.4
IMO Maritime Cyber Risk Management 3.3
ISO/SAE 21434 2021 RQ-05-08
ISO 27001 2022 (source) 4.4 5.3 5.3(a) 5.3(b) 9.3 9.3.1 9.3.2(a) 9.3.2(b) 9.3.2(c) 9.3.2(d) 9.3.2(d)(1) 9.3.2(d)(2) 9.3.2(d)(3) 9.3.2(d)(4) 9.3.2(e) 9.3.2(f) 9.3.2(g) 9.3.3 10.1
ISO 27017 2015 5.1
ISO 27701 2025 5.1 9.3.1 9.3.2 9.3.2(a) 9.3.2(b) 9.3.2(c) 9.3.2(d) 9.3.2(e) 9.3.3
ISO 42001 2023 9.2.2(c) 9.3.1 9.3.2 9.3.2(a) 9.3.2(b) 9.3.2(c) 9.3.2(d) 9.3.2(d)(1) 9.3.2(d)(2) 9.3.2(d)(3) 9.3.2(e)
NAIC Insurance Data Security Model Law (MDL-668) 4.E(1) 4.E(2) 4.E(2)(a) 4.E(2)(b) 4.E(3)
NIST AI 100-1 (AI RMF) 1.0 GOVERN 2.3 MAP 3.5 MAP 5.2
NIST AI 600-1 GV-1.3-004
NIST 800-171 R3 (source) 03.12.03
NIST CSF 2.0 (source) GV.OV GV.OV-01 GV.OV-02 GV.OV-03 GV.RM-01 GV.RM-03 GV.RR-01 GV.SC GV.SC-01 GV.SC-03 GV.SC-09 ID ID.RA PR PR.IR
TISAX ISA 6 1.2.1
SCF CORE Mergers, Acquisitions & Divestitures (MA&D) GOV-01.1
SCF CORE ESP Level 1 Foundational GOV-01.1
SCF CORE ESP Level 2 Critical Infrastructure GOV-01.1
SCF CORE ESP Level 3 Advanced Threats GOV-01.1
US (6)
Framework Mapping Values
US C2M2 2.1 ASSET-5.E.MIL3 ASSET-5.F.MIL3 THREAT-3.F.MIL3 RISK-1.E.MIL2 RISK-1.F.MIL2 RISK-1.H.MIL3 RISK-5.F.MIL3 ACCESS-4.D.MIL3 ACCESS-4.F.MIL3 SITUATION-4.D.MIL3 RESPONSE-5.D.MIL3 THIRD-PARTIES-3.D.MIL3 WORKFORCE-4.D.MIL3 ARCHITECTURE-5.D.MIL3 PROGRAM-2.C.MIL2 PROGRAM-2.D.MIL2 PROGRAM-2.E.MIL2 PROGRAM-2.F.MIL2 PROGRAM-2.G.MIL3 PROGRAM-2.H.MIL3 PROGRAM-2.I.MIL3 PROGRAM-2.J.MIL3 PROGRAM-3.D.MIL3
US DHS CISA TIC 3.0 3.UNI.PEPAR
US FCA CRM 609.930(b)(1) 609.930(b)(2)
US GLBA CFR 314 2023 (source) 314.4(a)(2)
US SEC Cybersecurity Rule 17 CFR 229.106(b)(1)(iii) 17 CFR 229.106(c)(1) 17 CFR 229.106(c)(2) 17 CFR 229.106(c)(2)(i) 17 CFR 229.106(c)(2)(iii) Form 8-K Item 1.05(a)
US - NY DFS 23 NYCRR500 2023 Amd 2 500.4(b) 500.4(b)(1) 500.4(b)(2) 500.4(b)(3) 500.4(b)(4) 500.4(b)(5) 500.4(b)(6) 500.4(d) 500.4(d)(1) 500.4(d)(2) 500.4(d)(3) 500.4(d)(4)
EMEA (11)
Framework Mapping Values
EMEA EU EBA GL/2019/04 3.2.1(2) 3.2.1(3) 3.2.1(4)
EMEA EU DORA 5.2 5.2(a) 5.2(b) 5.2(c) 5.2(d) 5.2(e) 5.2(f) 5.2(g) 5.2(h) 5.2(i)(i) 5.2(i)(ii) 5.2(i)(iii)
EMEA EU NIS2 21.2(f)
EMEA EU NIS2 Annex 1.1.1(k)
EMEA Germany Banking Supervisory Requirements for IT (BAIT) 1.1 1.2 1.2(a) 1.2(b) 1.2(c) 1.2(d) 1.2(e) 1.2(f) 2.1 2.2 2.3 2.4 2.5
EMEA Saudi Arabia IoT CGIoT-1 2024 1-1-4
EMEA Saudi Arabia SAMA CSF 1.0 3.1.1
EMEA Spain BOE-A-2022-7191 5 27
EMEA Spain 311/2022 27 5
EMEA UK CAF 4.0 A1.a A1.c
EMEA UK DEFSTAN 05-138 1101 1103 1202
APAC (10)
Framework Mapping Values
APAC Australia ISM June 2024 ISM-0725
APAC Australia Prudential Standard CPS230 20 21 22(a) 20 21 22(a) 22(b) 22(c) 23 24 25
APAC Australia Prudential Standard CPS234 13 19
APAC India DPDPA 2023 18(2) 23(1) 26(a) 26(b) 26(c) 27(1)(a) 27(1)(b) 27(1)(c) 27(1)(d) 27(1)(e) 27(2) 27(3) 28(1) 28(2) 28(3) 28(4) 28(5) 28(6) 8(6)
APAC India SEBI CSCRF GV.OV.S2 GV.RR.S1 GV.RR.S3 GV.RR.S4
APAC Japan ISMAP 4.1 4.4.1.2 4.4.1.3 4.4.2 4.4.2.1 4.4.4 4.4.5 4.5.3 4.6 4.6 4.6.1.1 4.6.1.2 4.6.2 4.6.3 4.6.3.1 4.6.3.2 4.6.2.3 4.6.2.4 4.9 4.9.1 4.9.1.1 4.9.2 4.9.2.1 4.9.2.2
APAC New Zealand HISF 2022 HHSP12 HML12 HML21 HSUP10 HSUP19
APAC New Zealand HISF Suppliers 2023 HSUP10 HSUP19
APAC New Zealand NZISM 3.6 3.2.9.C.01
APAC Singapore MAS TRM 2021 3.1.1 3.1.2 3.1.3 3.1.4 3.1.5 3.1.6 3.1.7(a) 3.1.7(b) 3.1.7(c) 3.1.7(d) 3.1.7(e) 3.1.7(f) 3.1.7(g) 3.1.8(a) 3.1.8(b) 3.1.8(c) 3.1.8(d) 3.1.8(e)
Americas (4)
Framework Mapping Values
Americas Bermuda BMACCC 5.1 5.6
Americas Canada CSAG 6.5 6.6 6.7 6.21 6.22 6.23 6.24
Americas Canada OSFI B-13 1 1.1.2 1.3.1
Americas Canada ITSP-10-171 03.12.03

Capability Maturity Model

Level 0 — Not Performed

There is no evidence of a capability to coordinate cybersecurity, data protection and business alignment through a steering committee or advisory board, comprised of key cybersecurity, data protection and business executives, which meets formally and on a regular basis.

Level 1 — Performed Informally

Cybersecurity & Privacy Governance (GOV) efforts are ad hoc and inconsistent. CMM Level 1 control maturity would reasonably expect all, or at least most, the following criteria to exist:

  • No formal cybersecurity and/ or data protection principles are identified for the organization.
  • No formal Governance, Risk & Compliance (GRC) team exists. GRC roles are assigned to existing IT/cybersecurity personnel.
  • Governance efforts are narrowly-limited to certain compliance requirements.
  • Formal roles and responsibilities for cybersecurity and/ or data protection may exist.
  • Cybersecurity and data protection governance is informally assigned as an additional duty to existing IT/cybersecurity personnel.
  • Basic cybersecurity policies and standards are documented [not based on any industry framework]
  • Basic procedures are established for important tasks, but are ad hoc and not formally documented.
  • Documentation is made available to internal personnel.
  • Organizational leadership maintains an informal process to review and respond to observed trends.
Level 2 — Planned & Tracked

Cybersecurity & Privacy Governance (GOV) efforts are requirements-driven and governed at a local/regional level, but are not consistent across the organization. CMM Level 2 control maturity would reasonably expect all, or at least most, the following criteria to exist:

  • Cybersecurity and data protection governance activities are decentralized (e.g., a localized/regionalized function) and uses non-standardized methods to implement secure, resilient and compliant practices.
  • IT/cybersecurity personnel identify cybersecurity and data protection controls that are appropriate to address applicable statutory, regulatory and contractual requirements for cybersecurity and data protection governance activities.
  • The Chief Information Officer (CIO), or similar function, analyzes the organization's business strategy and prioritizes the objectives of the security function, based on business requirements.
  • A qualified individual is assigned the role and responsibilities to centrally manage, coordinate, develop, implement and maintain a cybersecurity and data protection program (e.g., cybersecurity director or Chief Information Security Officer (CISO)).
  • No formal Governance, Risk & Compliance (GRC) team exists. GRC roles are assigned to existing cybersecurity personnel.
  • Compliance requirements for cybersecurity and data protection are identified and documented.
  • Cybersecurity policies and standards exist that are aligned with a leading cybersecurity framework (e.g., SCF, NIST 800-53, ISO 27002 or NIST Cybersecurity Framework).
  • Controls are assigned to sensitive/regulated assets to comply with specific compliance requirements.
  • Procedures are established for sensitive/regulated obligations, but are not standardized across the organization.
  • Documentation is made available to internal personnel.
  • Quarterly Business Review (QBR), or similar status reporting, exists to provide recurring reports on the state of the cybersecurity and data protection program.
  • Organizational leadership maintains an informal process to review and respond to trends.
  • Procedures for important tasks are documented and assigned to individuals or teams.
Level 3 — Well Defined

Cybersecurity & Privacy Governance (GOV) efforts are standardized across the organization and centrally managed, where technically feasible, to ensure consistency. CMM Level 3 control maturity would reasonably expect all, or at least most, the following criteria to exist:

  • Statutory, regulatory and contractual compliance requirements for cybersecurity and data protection are identified and documented. Recurring testing is utilized to assess adherence to internal standards and/or external compliance requirements.
  • A Governance, Risk & Compliance (GRC) function, or similar function, provides scoping guidance to determine control applicability.
  • Internal policies and standards address all statutory, regulatory and contractual obligations for cybersecurity and data protection.
  • Controls are standardized across the organization to ensure uniformity and consistent execution.
  • Corporate governance (executive oversight) exists for the cybersecurity and data protection, which includes regular briefings to ensure executives have sufficient situational awareness to properly govern the organization.
  • Procedures are established for sensitive/regulated compliance obligations that are standardized across the organization.
  • Defined roles & responsibilities require data/process owners to define, implement and maintain cybersecurity and data protection controls for each system, application and/ or service of which they have accountability.
  • The organization designates one or more qualified individuals to govern the cybersecurity and data protection programs (e.g., Chief Information Security Officer or Chief Privacy Officer).
  • Risk management processes are defined, to include materiality considerations.
Level 4 — Quantitatively Controlled

Cybersecurity & Privacy Governance (GOV) efforts are metrics driven and provide sufficient management insight (based on a quantitative understanding of process capabilities) to predict optimal performance, ensure continued operations and identify areas for improvement. In addition to CMM Level 3 criteria, CMM Level 4 control maturity would reasonably expect all, or at least most, the following criteria to exist:

  • Metrics are developed that provide management insight, per a quantitative understanding of process capabilities, to predict optimal performance, ensure continued operations and identify areas for improvement.
  • Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).
  • Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).
  • Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.
  • Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).
  • Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.
  • Both business and technical stakeholders are involved in reviewing and approving proposed changes.
Level 5 — Continuously Improving

See C|P-CMM4. There are no defined C|P-CMM5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to coordinate cybersecurity, data protection and business alignment through a steering committee or advisory board, comprised of key cybersecurity, data protection and business executives, which meets formally and on a regular basis.

Assessment Objectives

  1. GOV-01.1_A01 an executive steering committee, or advisory board, is formed and is comprised of key cybersecurity, technology, risk, privacy and business executives.
  2. GOV-01.1_A02 the executive steering committee, or advisory board, coordinates cybersecurity, technology, risk, privacy and business alignment through recurring, formal meetings.

Evidence Requirements

E-GOV-03 Charter - Cybersecurity Steering Committee

Documented evidence of an executive steering committee, or advisory board, that is formed to perform oversight of cybersecurity management decisions and is comprised of key cybersecurity, technology, risk, privacy and business executives.

Cybersecurity & Data Protection Management

Technology Recommendations

Micro/Small

  • Third-party advisors (subject matter experts)

Small

  • Third-party advisors (subject matter experts)

Medium

  • Steering committee / advisory board

Large

  • Steering committee / advisory board

Enterprise

  • Steering committee / advisory board

The Secure Controls Framework (SCF) is maintained by SCF Council. Use of SCF content is subject to the SCF Terms & Conditions.

Manage this control in SCF Connect

Track implementation status, collect evidence, and map controls to your compliance frameworks automatically.

Get Started Free