GOV-04.1: Stakeholder Accountability Structure
Mechanisms exist to enforce an accountability structure so that appropriate teams and individuals are empowered, responsible and trained for mapping, measuring and managing data and technology-related risks.
Control Question: Does the organization enforce an accountability structure so that appropriate teams and individuals are empowered, responsible and trained for mapping, measuring and managing data and technology-related risks?
General (14)
| Framework | Mapping Values |
|---|---|
| AICPA TSC 2017:2022 (used for SOC 2) (source) | CC1.2-POF1 CC1.3 CC1.3-POF1 CC1.3-POF2 CC1.3-POF3 CC1.3-POF4 CC1.3-POF5 CC1.3-POF6 CC1.5-POF1 CC5.3-POF2 |
| IMO Maritime Cyber Risk Management | 3.3 3.5.1.2 |
| ISO 27701 2025 | 5.1 5.3(a) |
| ISO 42001 2023 | 5.1 A.3 |
| NIST AI 100-1 (AI RMF) 1.0 | GOVERN 1.3 GOVERN 2.0 GOVERN 2.1 GOVERN 5.0 MANAGE 2.4 |
| NIST 800-218 | PO.2.3 |
| NIST CSF 2.0 (source) | GV.RM-05 GV.RR-01 |
| Shared Assessments SIG 2025 | R.6 |
| TISAX ISA 6 | 1.2.1 1.2.2 1.2.4 |
| SCF CORE Mergers, Acquisitions & Divestitures (MA&D) | GOV-04.1 |
| SCF CORE ESP Level 1 Foundational | GOV-04.1 |
| SCF CORE ESP Level 2 Critical Infrastructure | GOV-04.1 |
| SCF CORE ESP Level 3 Advanced Threats | GOV-04.1 |
| SCF CORE AI Model Deployment | GOV-04.1 |
US (3)
| Framework | Mapping Values |
|---|---|
| US CISA CPG 2022 | 1.B 1.C |
| US SEC Cybersecurity Rule | 17 CFR 229.106(c)(1) |
| US - NY DFS 23 NYCRR500 2023 Amd 2 | 500.4(b) 500.4(b)(6) |
EMEA (5)
| Framework | Mapping Values |
|---|---|
| EMEA EU AI Act | 17.1(m) |
| EMEA EU EBA GL/2019/04 | 3.3.1(11) 3.7.5(91) |
| EMEA Germany Banking Supervisory Requirements for IT (BAIT) | 4.5 4.6 4.10 |
| EMEA UK CAF 4.0 | A1.b |
| EMEA UK DEFSTAN 05-138 | 1101 1103 |
APAC (4)
| Framework | Mapping Values |
|---|---|
| APAC Australia Prudential Standard CPS230 | 21 |
| APAC India SEBI CSCRF | GV.RR.S1 GV.RR.S2 |
| APAC New Zealand HISF 2022 | HHSP21 HHSP27 HML21 HML27 HSUP19 HSUP23 |
| APAC New Zealand HISF Suppliers 2023 | HSUP19 HSUP23 |
Americas (1)
| Framework | Mapping Values |
|---|---|
| Americas Canada OSFI B-13 | 1 1.1 1.1.1 1.1.2 |
Capability Maturity Model
Level 0 — Not Performed
There is no evidence of a capability to enforce an accountability structure so that appropriate teams and individuals are empowered, responsible and trained for mapping, measuring and managing data and technology-related risks.
Level 1 — Performed Informally
C|P-CMM1 is N/A, since a structured process is required to enforce an accountability structure so that appropriate teams and individuals are empowered, responsible and trained for mapping, measuring and managing data and technology-related risks.
Level 2 — Planned & Tracked
C|P-CMM2 is N/A, since a well-defined process is required to enforce an accountability structure so that appropriate teams and individuals are empowered, responsible and trained for mapping, measuring and managing data and technology-related risks.
Level 3 — Well Defined
Cybersecurity & Privacy Governance (GOV) efforts are standardized across the organization and centrally managed, where technically feasible, to ensure consistency. CMM Level 3 control maturity would reasonably expect all, or at least most, the following criteria to exist:
- Statutory, regulatory and contractual compliance requirements for cybersecurity and data privacy are identified and documented. Recurring testing is utilized to assess adherence to internal standards and/or external compliance requirements.
- A Governance, Risk & Compliance (GRC) function, or similar function, provides scoping guidance to determine control applicability.
- Internal policies and standards address all statutory, regulatory and contractual obligations for cybersecurity and data privacy.
- Controls are standardized across the organization to ensure uniformity and consistent execution.
- Corporate governance (executive oversight) exists for the cybersecurity and data privacy, which includes regular briefings to ensure executives have sufficient situational awareness to properly govern the organization.
- Procedures are established for sensitive/regulated compliance obligations that are standardized across the organization.
- Defined roles & responsibilities require data/process owners to define, implement and maintain cybersecurity and data protection controls for each system, application and/ or service of which they have accountability.
- The organization designates one or more qualified individuals to govern the cybersecurity and data privacy programs (e.g., Chief Information Security Officer or Chief Privacy Officer).
- Risk management processes are defined, to include materiality considerations.
Level 4 — Quantitatively Controlled
See C|P-CMM3. There are no defined C|P-CMM4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to enforce an accountability structure so that appropriate teams and individuals are empowered, responsible and trained for mapping, measuring and managing data and technology-related risks.
Level 5 — Continuously Improving
See C|P-CMM4. There are no defined C|P-CMM5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to enforce an accountability structure so that appropriate teams and individuals are empowered, responsible and trained for mapping, measuring and managing data and technology-related risks.
Assessment Objectives
- GOV-04.1_A01 the cybersecurity / data privacy governance program includes the identification and assignment of roles.
- GOV-04.1_A02 the cybersecurity / data privacy governance program includes the identification and assignment of responsibilities.
Evidence Requirements
- E-HRS-15 Organization Chart
-
Current and accurate organization chart that depicts logical staff hierarchies.
Human Resources
Technology Recommendations
Micro/Small
- Documented roles and responsibilities
Small
- Documented roles and responsibilities
Medium
- Documented roles and responsibilities
Large
- Documented roles and responsibilities
Enterprise
- Documented roles and responsibilities