GOV-01.2: Status Reporting To Governing Body

GOV 5 — Medium Govern

Mechanisms exist to provide governance oversight reporting and recommendations to those entrusted to make executive decisions about matters considered material to the organization's cybersecurity and data protection program.

Control Question: Does the organization provide governance oversight reporting and recommendations to those entrusted to make executive decisions about matters considered material to its cybersecurity and data protection program?

General (13)

Framework	Mapping Values
AICPA TSC 2017:2022 (used for SOC 2) (source)	CC2.2-POF2 CC2.3-POF3 CC2.3-POF5 CC3.1-POF10 CC3.1-POF11 CC4.2 CC4.2-POF1 CC4.2-POF2
BSI Standard 200-1	4.2 4.3 4.4 8.3 8.4
IMO Maritime Cyber Risk Management	3.3
ISO 27001 2022 (source)	7.4 7.4(a) 7.4(b) 7.4(c) 7.4(d) 9.1 9.1(a) 9.1(b) 9.1(c) 9.1(d) 9.1(e) 9.1(f) 9.3 9.3.1 9.3.2(a) 9.3.2(b) 9.3.2(c) 9.3.2(d) 9.3.2(d)(1) 9.3.2(d)(2) 9.3.2(d)(3) 9.3.2(d)(4) 9.3.2(e) 9.3.2(f) 9.3.2(g) 9.3.3
ISO 27701 2025	5.1 5.3(b) 9.3.1
ISO 42001 2023	5.1 9.3.3
NIST AI 100-1 (AI RMF) 1.0	GOVERN 2.3 MAP 3.5
NIST 800-171 R3 (source)	03.12.03
NIST CSF 2.0 (source)	GV.OV GV.OV-01 GV.OV-03 GV.SC GV.SC-09 ID
SCF CORE Mergers, Acquisitions & Divestitures (MA&D)	GOV-01.2
SCF CORE ESP Level 1 Foundational	GOV-01.2
SCF CORE ESP Level 2 Critical Infrastructure	GOV-01.2
SCF CORE ESP Level 3 Advanced Threats	GOV-01.2

US (6)

Framework	Mapping Values
US C2M2 2.1	ASSET-5.E.MIL3 ASSET-5.F.MIL3 THREAT-3.F.MIL3 RISK-1.E.MIL2 RISK-1.F.MIL2 RISK-5.F.MIL3 ACCESS-4.F.MIL3 SITUATION-4.F.MIL3 RESPONSE-5.F.MIL3 THIRD-PARTIES-3.F.MIL3 WORKFORCE-4.F.MIL3 ARCHITECTURE-5.F.MIL3 PROGRAM-3.F.MIL3
US FCA CRM	609.930(e)
US GLBA CFR 314 2023 (source)	314.4(i) 314.4(i)(1) 314.4(i)(2)
US SEC Cybersecurity Rule	17 CFR 229.106(b)(1)(iii) 17 CFR 229.106(c)(1) 17 CFR 229.106(c)(2)(ii) 17 CFR 229.106(c)(2)(iii)
US - NV NOGE Reg 5	5.260.4(b) 5.260.4(c)
US - NY DFS 23 NYCRR500 2023 Amd 2	500.4(b) 500.4(c)

EMEA (4)

Framework	Mapping Values
EMEA EU EBA GL/2019/04	3.3.1(13)(e) 3.3.5(24)
EMEA EU DORA	13.5 5.2(i)
EMEA EU NIS2 Annex	1.2.3 13.2.2(c) 2.1.1 2.2.1 2.2.2 2.3.3
EMEA Germany Banking Supervisory Requirements for IT (BAIT)	3.9 3.11 4.10 7.5

APAC (7)

Framework	Mapping Values
APAC Australia ISM June 2024	ISM-0718
APAC Australia Prudential Standard CPS230	30 58(a) 58(b) 58(c)
APAC India DPDPA 2023	10(2)(c)(ii)
APAC India SEBI CSCRF	GV.OV.S1
APAC Japan ISMAP	4.4.1.2 4.6 4.6.1.1 4.6.1.2 4.6.2 4.6.3 4.6.3.1 4.6.3.2 4.6.2.3 4.6.2.4 4.7 4.9 4.9.1 4.9.1.1 4.9.2 4.9.2.1 4.9.2.2
APAC New Zealand HISF 2022	HHSP46 HHSP75 HML12 HML46 HML75 HSUP10 HSUP38 HSUP65
APAC New Zealand HISF Suppliers 2023	HSUP10 HSUP38 HSUP65

Americas (2)

Framework	Mapping Values
Americas Canada OSFI B-13	1 1.1.2
Americas Canada ITSP-10-171	03.12.03

Capability Maturity Model

Level 0 — Not Performed

There is no evidence of a capability to provide governance oversight reporting and recommendations to those entrusted to make executive decisions about matters considered material to its cybersecurity and data protection program.

Level 1 — Performed Informally

C|P-CMM1 is N/A, since a structured process is required to provide governance oversight reporting and recommendations to those entrusted to make executive decisions about matters considered material to its cybersecurity and data protection program.

Level 2 — Planned & Tracked

Cybersecurity & Privacy Governance (GOV) efforts are requirements-driven and governed at a local/regional level, but are not consistent across the organization. CMM Level 2 control maturity would reasonably expect all, or at least most, the following criteria to exist:

Cybersecurity and data privacy governance activities are decentralized (e.g., a localized/regionalized function) and uses non-standardized methods to implement secure, resilient and compliant practices.
IT/cybersecurity personnel identify cybersecurity and data protection controls that are appropriate to address applicable statutory, regulatory and contractual requirements for cybersecurity and data privacy governance activities.
The Chief Information Officer (CIO), or similar function, analyzes the organization's business strategy and prioritizes the objectives of the security function, based on business requirements.
A qualified individual is assigned the role and responsibilities to centrally manage, coordinate, develop, implement and maintain a cybersecurity and data privacy program (e.g., cybersecurity director or Chief Information Security Officer (CISO)).
No formal Governance, Risk & Compliance (GRC) team exists. GRC roles are assigned to existing cybersecurity personnel.
Compliance requirements for cybersecurity and data privacy are identified and documented.
Cybersecurity policies and standards exist that are aligned with a leading cybersecurity framework (e.g., SCF, NIST 800-53, ISO 27002 or NIST Cybersecurity Framework).
Controls are assigned to sensitive/regulated assets to comply with specific compliance requirements.
Procedures are established for sensitive/regulated obligations, but are not standardized across the organization.
Documentation is made available to internal personnel.

Level 3 — Well Defined

Cybersecurity & Privacy Governance (GOV) efforts are standardized across the organization and centrally managed, where technically feasible, to ensure consistency. CMM Level 3 control maturity would reasonably expect all, or at least most, the following criteria to exist:

Statutory, regulatory and contractual compliance requirements for cybersecurity and data privacy are identified and documented. Recurring testing is utilized to assess adherence to internal standards and/or external compliance requirements.
A Governance, Risk & Compliance (GRC) function, or similar function, provides scoping guidance to determine control applicability.
Internal policies and standards address all statutory, regulatory and contractual obligations for cybersecurity and data privacy.
Controls are standardized across the organization to ensure uniformity and consistent execution.
Corporate governance (executive oversight) exists for the cybersecurity and data privacy, which includes regular briefings to ensure executives have sufficient situational awareness to properly govern the organization.
Procedures are established for sensitive/regulated compliance obligations that are standardized across the organization.
Defined roles & responsibilities require data/process owners to define, implement and maintain cybersecurity and data protection controls for each system, application and/ or service of which they have accountability.
The organization designates one or more qualified individuals to govern the cybersecurity and data privacy programs (e.g., Chief Information Security Officer or Chief Privacy Officer).
Risk management processes are defined, to include materiality considerations.

Level 4 — Quantitatively Controlled

See C|P-CMM3. There are no defined C|P-CMM4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to provide governance oversight reporting and recommendations to those entrusted to make executive decisions about matters considered material to its cybersecurity and data protection program.

Level 5 — Continuously Improving

See C|P-CMM4. There are no defined C|P-CMM5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to provide governance oversight reporting and recommendations to those entrusted to make executive decisions about matters considered material to its cybersecurity and data protection program.

Assessment Objectives

GOV-01.2_A01 the executive steering committee, or advisory board, makes executive decisions about matters considered material to the organization's cybersecurity / data privacy program.

Evidence Requirements

E-CPL-05 Internal Audit (IA) Findings: Documented evidence of a centrally-managed and prioritized repository Internal Audit (IA) findings.
Compliance
E-CPL-09 Non-Compliance Oversight Reporting: Documented evidence of governance oversight reporting of non-compliance to the organization's executive leadership.
Compliance
E-GOV-03 Charter - Cybersecurity Steering Committee: Documented evidence of an executive steering committee, or advisory board, that is formed to perform oversight of cybersecurity management decisions and is comprised of key cybersecurity, technology, risk, privacy and business executives.
Cybersecurity & Data Protection Management
E-GOV-04 Charter - Data Privacy Steering Committee: Documented evidence of an executive steering committee, or advisory board, that is formed to perform oversight of privacy management decisions and is comprised of key cybersecurity, technology, risk, privacy and business executives.
Cybersecurity & Data Protection Management
E-GOV-05 Charter - Audit Committee: Documented evidence of an executive steering committee, or advisory board, that is formed to perform oversight of internal and external audit management decisions and is comprised of key cybersecurity, technology, risk, privacy and business executives.
Cybersecurity & Data Protection Management
E-GOV-06 Charter - Risk Committee: Documented evidence of an executive steering committee, or advisory board, that is formed to perform oversight of risk management decisions and is comprised of key cybersecurity, technology, risk, privacy and business executives.
Cybersecurity & Data Protection Management
E-GOV-07 Charter - Data Management Board (DMB): Documented evidence of the organization's Data Management Board (DMB) charter and mission.
Cybersecurity & Data Protection Management
E-GOV-13 Measures of Performance (Metrics): Documented evidence of formal measure of performance that are used to track the health of the cybersecurity & data protection program (e.g., metrics, KPIs, KRIs).
Cybersecurity & Data Protection Management

Technology Recommendations

Micro/Small

Quarterly Business Review (QBR)

Small

Quarterly Business Review (QBR)

Medium

Quarterly Business Review (QBR)

Large

Quarterly Business Review (QBR)

Enterprise

Quarterly Business Review (QBR)