GOV-03: Periodic Review & Update of Cybersecurity & Data Protection Program

GOV 7 — High Govern

Mechanisms exist to review the cybersecurity and data protection program, including policies, standards and procedures, at planned intervals or if significant changes occur to ensure their continuing suitability, adequacy and effectiveness.

Control Question: Does the organization review the cybersecurity and data protection program, including policies, standards and procedures, at planned intervals or if significant changes occur to ensure their continuing suitability, adequacy and effectiveness?

General (39)

Framework	Mapping Values
AICPA TSC 2017:2022 (used for SOC 2) (source)	CC2.2-POF7 CC5.3 CC5.3-POF6
BSI Standard 200-1	4.3 4.4 8.3 8.4
COBIT 2019	EDM01.01 EDM01.03 EDM05.01 APO02.02 APO13.03
COSO 2017	Principle 12
CSA CCM 4	A&A-01 AIS-01 BCR-01 CCC-01 CEK-01 DCS-01 DCS-02 DCS-03 DCS-04 DSP-01 GRC-01 GRC-02 GRC-03 HRS-01 HRS-02 HRS-03 HRS-04 IAM-01 IAM-02 IPY-01 IVS-01 LOG-01 SEF-01 SEF-02 STA-01 TVM-01 TVM-02 UEM-01
ENISA 2.0	SO1
Generally Accepted Privacy Principles (GAPP)	8.2.1
GovRAMP Low	AC-01 AT-01 AU-01 CA-01 CM-01 CP-01 IA-01 IR-01 MA-01 MP-01 PE-01 PL-01 PS-01 RA-01 SA-01 SC-01 SI-01
GovRAMP Low+	AC-01 AT-01 AU-01 CA-01 CM-01 CP-01 IA-01 IR-01 MA-01 MP-01 PE-01 PL-01 PS-01 RA-01 SA-01 SC-01 SI-01
GovRAMP Moderate	AC-01 AT-01 AU-01 CA-01 CM-01 CP-01 IA-01 IR-01 MA-01 MP-01 PE-01 PL-01 PS-01 RA-01 SA-01 SC-01 SI-01
GovRAMP High	AC-01 AT-01 AU-01 CA-01 CM-01 CP-01 IA-01 IR-01 MA-01 MP-01 PE-01 PL-01 PS-01 RA-01 SA-01 SC-01 SI-01
ISO/SAE 21434 2021	RQ-05-08
ISO 27001 2022 (source)	7.5.2 7.5.2(a) 7.5.2(b) 7.5.2(c)
ISO 27002 2022	5.1 5.37
ISO 27017 2015	5.1.2
ISO 42001 2023	7.5.2 A.2.4
MPA Content Security Program 5.1	OP-2.0
NIST Privacy Framework 1.0	GV.MT-P2
NIST 800-53 R4	PM-1
NIST 800-53 R5 (source)	AC-1 AT-1 AU-1 CA-1 CM-1 CP-1 IA-1 IR-1 MA-1 MP-1 PE-1 PL-1 PM-1 PS-1 PT-1 RA-1 SA-1 SC-1 SI-1 SR-1
NIST 800-53 R5 (NOC) (source)	PM-1
NIST 800-161 R1	AC-1 AT-1 AU-1 CA-1 CM-1 CP-1 IA-1 IR-1 MA-1 MP-1 PE-1 PL-1 PS-1 PT-1 RA-1 SA-1 SC-1 SI-1 SR-1
NIST 800-171 R3 (source)	03.15.01.b 03.15.03.d
NIST 800-171A R3 (source)	A.03.15.01.ODP[01] A.03.15.01.b[01] A.03.15.01.b[02]
NIST CSF 2.0 (source)	GV.OV GV.OV-01 GV.OV-02 GV.PO-02
PCI DSS 4.0.1 (source)	1.1.1 2.1.1 3.1.1 4.1.1 5.1.1 6.1.1 7.1.1 8.1.1 9.1.1 10.1.1 11.1.1 12.1 12.1.1 12.1.2
PCI DSS 4.0.1 SAQ A-EP (source)	12.1.1 12.1.2
PCI DSS 4.0.1 SAQ B (source)	12.1.1 12.1.2
PCI DSS 4.0.1 SAQ B-IP (source)	9.1.1 12.1.1 12.1.2
PCI DSS 4.0.1 SAQ C (source)	9.1.1 10.1.1 12.1.1 12.1.2
PCI DSS 4.0.1 SAQ C-VT (source)	9.1.1 12.1.1 12.1.2
PCI DSS 4.0.1 SAQ D Merchant (source)	9.1.1 10.1.1 11.1.1 12.1.1 12.1.2
PCI DSS 4.0.1 SAQ D Service Provider (source)	9.1.1 10.1.1 11.1.1 12.1.1 12.1.2
PCI DSS 4.0.1 SAQ P2PE (source)	9.1.1 12.1.1 12.1.2
TISAX ISA 6	1.5.1
SCF CORE Mergers, Acquisitions & Divestitures (MA&D)	GOV-03
SCF CORE ESP Level 1 Foundational	GOV-03
SCF CORE ESP Level 2 Critical Infrastructure	GOV-03
SCF CORE ESP Level 3 Advanced Threats	GOV-03

US (17)

Framework	Mapping Values
US CERT RMM 1.2	EF:SG2.SP1 EF:SG2.SP2 OPF:SG1.SP2 OPF:SG1.SP3 OPF:SG2.SP1
US CJIS Security Policy 5.9.3 (source)	5.2 5.3 5.4 5.5 5.6 5.8 5.9 MA-1
US CMS MARS-E 2.0	PM-1
US FERPA (source)	1232h
US GLBA CFR 314 2023 (source)	314.4(b) 314.4(g)
US HHS 45 CFR 155.260	155.260(a)(5)
US HIPAA Administrative Simplification 2013 (source)	164.316(b)(1)(ii) 164.316(b)(2)(iii)
US HIPAA Security Rule / NIST SP 800-66 R2 (source)	164.316(b)(1)(ii) 164.316(b)(2)(iii)
US HIPAA HICP Small Practice	10.S.A
US HIPAA HICP Large Practice	10.M.A
US IRS 1075	PM-1
US NERC CIP 2024 (source)	CIP-002-5.1a 2.1 CIP-002-5.1a 2.2 CIP-003-8 R1
US - AK PIPA	45.48.530
US - NY DFS 23 NYCRR500 2023 Amd 2	500.8(b)
US - NY SHIELD Act S5575B	4(2)(b)(ii)(A)(6)
US - TX DIR Control Standards 2.0	PM-1
US - VT Act 171 of 2018	2447(b)(8)(B) 2447(b)(9) 2447(b)(9)(A) 2447(b)(9)(B)

EMEA (15)

Framework	Mapping Values
EMEA EU EBA GL/2019/04	3.3.1(14)
EMEA EU NIS2 Annex	1.1.2 2.3.1 5.1.6 6.7.3
EMEA EU PSD2	3
EMEA Austria	Sec 14 Sec 15
EMEA Belgium	16
EMEA Germany Banking Supervisory Requirements for IT (BAIT)	4.2 4.8
EMEA Germany C5 2020	OIS-01 SP-02
EMEA Israel CDMO 1.0	1.1 5.2 9.1 10.1 11.2 13.1 14.1 15.1 17.1 18.1 21.1 22.1 24.1 25.1
EMEA Saudi Arabia IoT CGIoT-1 2024	1-1-4 1-2-3 1-4-6 1-8-3
EMEA Saudi Arabia ECC-1 2018	1-1-3 1-3-4 1-6-4 1-9-6 1-10-5 2-2-4 2-3-4 2-4-4 2-5-4 2-6-4 2-7-4 2-8-4 2-9-4 2-10-4 2-11-4 2-12-4 2-13-4 2-14-4 2-15-4 3-1-4 4-1-4 4-2-4 5-1-4
EMEA Saudi Arabia OTCC-1 2022	1-1-3
EMEA Spain BOE-A-2022-7191	27
EMEA Spain 311/2022	27
EMEA UK CAF 4.0	B1.a
EMEA UK DEFSTAN 05-138	2100 2101

APAC (8)

Framework	Mapping Values
APAC Australia ISM June 2024	ISM-1617
APAC Australia Prudential Standard CPS234	19
APAC India SEBI CSCRF	GV.PO.S2 GV.PO.S3 GV.PO.S4
APAC Japan ISMAP	4.5.3 4.5.3.1 4.6 4.6.2 4.6.2.1 4.7 4.8.2 4.8.2.1 4.8.2.2 5.1.2
APAC New Zealand HISF 2022	HHSP67 HML66 HSUP58
APAC New Zealand HISF Suppliers 2023	HSUP58
APAC New Zealand NZISM 3.6	5.1.14.C.01 5.1.21.C.01 5.1.21.C.02
APAC Singapore MAS TRM 2021	3.2.2

Americas (2)

Framework	Mapping Values
Americas Canada OSFI B-13	1 1.3.1
Americas Canada ITSP-10-171	03.15.01.B 03.15.03.D

Capability Maturity Model

Level 0 — Not Performed

There is no evidence of a capability to review the cybersecurity and data protection program, including policies, standards and procedures, at planned intervals or if significant changes occur to ensure their continuing suitability, adequacy and effectiveness.

Level 1 — Performed Informally

Cybersecurity & Privacy Governance (GOV) efforts are ad hoc and inconsistent. CMM Level 1 control maturity would reasonably expect all, or at least most, the following criteria to exist:

No formal cybersecurity and/ or data privacy principles are identified for the organization.
No formal Governance, Risk & Compliance (GRC) team exists. GRC roles are assigned to existing IT/cybersecurity personnel.
Governance efforts are narrowly-limited to certain compliance requirements.
Formal roles and responsibilities for cybersecurity and/ or data privacy may exist.
Cybersecurity and data privacy governance is informally assigned as an additional duty to existing IT/cybersecurity personnel.
Basic cybersecurity policies and standards are documented [not based on any industry framework]
Basic procedures are established for important tasks, but are ad hoc and not formally documented.
Documentation is made available to internal personnel.
Organizational leadership maintains an informal process to review and respond to observed trends.
Documentation change control processes do not exist or are not formal.
People affected by documentation changes are provided notification of the policy and standard changes.
Informal recommendations are leveraged to update existing policies and standards.
Unstructured review of the cybersecurity and/ or data privacy program is performed on an annual basis.

Level 2 — Planned & Tracked

Cybersecurity & Privacy Governance (GOV) efforts are requirements-driven and formally governed at a local/regional level, but are not consistent across the organization. CMM Level 2 control maturity would reasonably expect all, or at least most, the following criteria to exist:

Cybersecurity and data privacy governance activities are decentralized (e.g., a localized/regionalized function) and uses non-standardized methods to implement secure and compliant practices.
IT/cybersecurity personnel identify cybersecurity and data privacy controls that are appropriate to address applicable statutory, regulatory and contractual requirements for cybersecurity and data privacy governance activities.
The Chief Information Officer (CIO), or similar function, analyzes the organization's business strategy and prioritizes the objectives of the security function, based on business requirements.
A qualified individual is assigned the role and responsibilities to centrally manage, coordinate, develop, implement and maintain a cybersecurity and data privacy program (e.g., cybersecurity director or Chief Information Security Officer (CISO)).
No formal Governance, Risk & Compliance (GRC) team exists. GRC roles are assigned to existing cybersecurity personnel.
Compliance requirements for cybersecurity and data privacy are identified and documented.
Cybersecurity policies and standards exist that are aligned with a leading cybersecurity framework (e.g., SCF, NIST 800-53, ISO 27002 or NIST Cybersecurity Framework).
Controls are assigned to sensitive/regulated assets to comply with specific compliance requirements.
Procedures are established for sensitive/regulated obligations, but are not standardized across the organization.
Documentation is made available to internal personnel.
Formal documentation review process is performed on an annual basis.
Documentation review process includes the scope of applicable statutory, regulatory and contractual obligations.
Recommendations for documentation edits are submitted for review and are handled in accordance with documentation change control processes.
Updated documentation versions are published at least annually, based on the review process.
People affected by documentation changes are provided notification of the policy and standard changes.

Level 3 — Well Defined

Cybersecurity & Privacy Governance (GOV) efforts are standardized across the organization and centrally managed, where technically feasible, to ensure consistency. CMM Level 3 control maturity would reasonably expect all, or at least most, the following criteria to exist:

Statutory, regulatory and contractual compliance requirements for cybersecurity and data privacy are identified and documented. Recurring testing is utilized to assess adherence to internal standards and/or external compliance requirements.
A Governance, Risk & Compliance (GRC) function, or similar function, provides scoping guidance to determine control applicability.
Internal policies and standards address all statutory, regulatory and contractual obligations for cybersecurity and data privacy.
Controls are standardized across the organization to ensure uniformity and consistent execution.
Corporate governance (executive oversight) exists for the cybersecurity and data privacy, which includes regular briefings to ensure executives have sufficient situational awareness to properly govern the organization.
Procedures are established for sensitive/regulated compliance obligations that are standardized across the organization.
Defined roles & responsibilities require data/process owners to define, implement and maintain cybersecurity and data privacy controls for each system, application and/ or service of which they have accountability.
The organization designates one or more qualified individuals to govern the cybersecurity and data privacy programs (e.g., Chief Information Security Officer or Chief Privacy Officer).
Risk management processes are defined, to include materiality considerations.

Level 4 — Quantitatively Controlled

Cybersecurity & Privacy Governance (GOV) efforts are metrics driven and provide sufficient management insight (based on a quantitative understanding of process capabilities) to predict optimal performance, ensure continued operations and identify areas for improvement. In addition to CMM Level 3 criteria, CMM Level 4 control maturity would reasonably expect all, or at least most, the following criteria to exist:

Metrics are developed that provide management insight, per a quantitative understanding of process capabilities, to predict optimal performance, ensure continued operations and identify areas for improvement.
Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).
Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).
Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data privacy controls, including functions performed by third-parties.
Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).
Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.
Both business and technical stakeholders are involved in reviewing and approving proposed changes.

Level 5 — Continuously Improving

See C|P-CMM4. There are no defined C|P-CMM5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to review the cybersecurity and data protection program, including policies, standards and procedures, at planned intervals or if significant changes occur to ensure their continuing suitability, adequacy and effectiveness.

Assessment Objectives

GOV-03_A01 the frequency at which the policies and procedures for satisfying security requirements are reviewed and updated is defined.
GOV-03_A02 policies and procedures are reviewed / updated per an organization-defined frequency.
GOV-03_A03 events that would require the current cybersecurity / data privacy policies to be reviewed / updated are defined.
GOV-03_A04 policies and procedures are reviewed <A.03.15.01.ODP[01]: frequency>.
GOV-03_A05 policies and procedures are updated <A.03.15.01.ODP[01]: frequency>.

Evidence Requirements

E-GOV-12 Cybersecurity & Data Protection Policies & Standards Reviews: Documented evidence of a periodic review process for the organization's cybersecurity & data protection policies and standards to identify necessary updates.
Cybersecurity & Data Protection Management

Technology Recommendations

Micro/Small

Human reviews
Documentation change control

Small

Human reviews
Documentation change control

Medium

Human reviews
Documentation change control

Large

Human reviews
Documentation change control

Enterprise

Human reviews
Documentation change control