GOV-05: Measures of Performance
Mechanisms exist to develop, report and monitor cybersecurity and data protection program measures of performance.
Control Question: Does the organization develop, report and monitor cybersecurity and data protection program measures of performance?
General (32)
| Framework | Mapping Values |
|---|---|
| AICPA TSC 2017:2022 (used for SOC 2) | CC1.1-POF3 CC1.2 CC1.5 CC1.5-POF2 CC1.5-POF5 CC2.1-POF4 CC2.2 CC4.1 CC4.1-POF2 CC4.2-POF1 CC5.3-POF6 |
| BSI Standard 200-1 | 4.3 7.5 8.3 8.4 |
| COBIT 2019 | EDM01.03 EDM05.01 EDM05.03 APO02.02 MEA01.04 |
| COSO 2017 | Principle 2 Principle 5 Principle 14 Principle 16 Principle 19 Principle 20 |
| CSA CCM 4 | AIS-03 SEF-05 TVM-09 TVM-10 |
| ENISA 2.0 | SO11 S12 S13 S14 S15 |
| IMO Maritime Cyber Risk Management | 3.3 |
| ISO/SAE 21434 2021 | RQ-05-08 |
| ISO 22301 2019 | 9.1 |
| ISO 27001 2022 | 9.1 9.1(a) 9.1(b) 9.1(c) 9.1(d) 9.1(e) 9.1(f) |
| ISO 27701 2025 | 9.1 |
| ISO 31000 2009 | 5.6 |
| ISO 42001 2023 | 5.1 9.3.2(d) 9.3.2(d)(1) 9.3.2(d)(2) 9.3.2(d)(3) |
| NIST AI 100-1 (AI RMF) 1.0 | GOVERN 1.5 MAP 5.2 MEASURE 1.0 MEASURE 1.1 MEASURE 1.2 MEASURE 4.0 MEASURE 4.3 |
| NIST AI 600-1 | GV-1.3-002 MS-2.7-004 |
| NIST Privacy Framework 1.0 | GV.MT-P4 PR.PO-P5 PR.PO-P6 |
| NIST 800-37 R2 | M-5 |
| NIST 800-53 R4 | PM-6 |
| NIST 800-53 R5 | PM-6 |
| NIST 800-53 R5 (NOC) | PM-6 |
| NIST 800-160 | 3.3.7 3.3.8 |
| NIST 800-161 R1 | PM-6 |
| NIST 800-161 R1 Level 1 | PM-6 |
| NIST 800-161 R1 Level 2 | PM-6 |
| NIST 800-171 R3 | 03.12.03 |
| NIST 800-207 | NIST Tenet 7 |
| NIST CSF 2.0 | GV GV.OV GV.OV-01 GV.OV-03 GV.SC GV.SC-09 ID.IM-03 |
| TISAX ISA 6 | 1.2.1 |
| SCF CORE Mergers, Acquisitions & Divestitures (MA&D) | GOV-05 |
| SCF CORE ESP Level 1 Foundational | GOV-05 |
| SCF CORE ESP Level 2 Critical Infrastructure | GOV-05 |
| SCF CORE ESP Level 3 Advanced Threats | GOV-05 |
US (12)
| Framework | Mapping Values |
|---|---|
| US C2M2 2.1 | ASSET-5.E.MIL3 ASSET-5.F.MIL3 THREAT-3.F.MIL3 RISK-1.E.MIL2 RISK-5.F.MIL3 ACCESS-4.F.MIL3 SITUATION-4.F.MIL3 RESPONSE-5.F.MIL3 THIRD-PARTIES-3.F.MIL3 WORKFORCE-4.F.MIL3 ARCHITECTURE-5.F.MIL3 PROGRAM-3.F.MIL3 |
| US CERT RMM 1.2 | EF:SG4.SP2 EF:SG4.SP3 GG2.GP8 GG3.GP2 HRM:SG3.SP2 MA:SG1.SP1 MA:SG1.SP3 MA:SG1.SP4 MA:SG2.SP1 MA:SG2.SP2 MA:SG2.SP3 MON:SG1.SP1 MON:SG1.SP3 |
| US CMS MARS-E 2.0 | PM-6 |
| US FFIEC | D2.IS.Is.B.1 D2.IS.Is.E.2 |
| US HIPAA HICP Small Practice | 10.S.A |
| US HIPAA HICP Large Practice | 10.M.A |
| US NISPOM 2020 | 8-311 |
| US SOX | Sec 404 |
| US SSA EIESR 8.0 | 5.7 |
| US - MA 201 CMR 17.00 | 17.03(2)(j) |
| US - OR 646A | 622(2)(d)(A)(vi) 622(2)(d)(B)(iii) |
| US - TX DIR Control Standards 2.0 | PM-6 |
EMEA (7)
| Framework | Mapping Values |
|---|---|
| EMEA EU DORA | 13.4 |
| EMEA EU NIS2 | 21.2(f) |
| EMEA EU NIS2 Annex | 1.1.1(j) |
| EMEA EU PSD2 | 3 |
| EMEA Germany C5 2020 | COM-04 |
| EMEA Saudi Arabia IoT CGIoT-1 2024 | 1-1-4 |
| EMEA Spain CCN-STIC 825 | 7.6.2 [OP.MON.2] |
APAC (6)
| Framework | Mapping Values |
|---|---|
| APAC Australia ISM June 2024 | ISM-0724 |
| APAC India SEBI CSCRF | GV.OV.S3 GV.OV.S4 PR.IP.S10 |
| APAC Japan ISMAP | 4.6 4.6.1 4.6.2.1 |
| APAC New Zealand HISF 2022 | HHSP46 HML46 HSUP38 |
| APAC New Zealand HISF Suppliers 2023 | HSUP38 |
| APAC Singapore MAS TRM 2021 | 4.5.3 7.8.3 |
Americas (4)
| Framework | Mapping Values |
|---|---|
| Americas Bermuda BMACCC | 5.7 |
| Americas Canada CSAG | 6.9 |
| Americas Canada OSFI B-13 | 1 1.2 2.8.1 |
| Americas Canada ITSP-10-171 | 03.12.03 |
Capability Maturity Model
Level 0 — Not Performed
There is no evidence of a capability to develop, report and monitor cybersecurity and data protection program measures of performance.
Level 1 — Performed Informally
Cybersecurity & Privacy Governance (GOV) efforts are ad hoc and inconsistent. CMM Level 1 control maturity would reasonably expect all, or at least most, of the following criteria to exist:
- No formal cybersecurity and/or data privacy principles are identified for the organization.
- No formal Governance, Risk & Compliance (GRC) team exists. GRC roles are assigned to existing IT/cybersecurity personnel.
- Governance efforts are narrowly limited to certain compliance requirements.
- Formal roles and responsibilities for cybersecurity and/or data privacy may exist.
- Cybersecurity and data privacy governance is informally assigned as an additional duty to existing IT/cybersecurity personnel.
- Basic cybersecurity policies and standards are documented [not based on any industry framework].
- Basic procedures are established for important tasks, but are ad hoc and not formally documented.
- Documentation is made available to internal personnel.
- Organizational leadership maintains an informal process to review and respond to observed trends.
Level 2 — Planned & Tracked
Cybersecurity & Privacy Governance (GOV) efforts are requirements-driven and governed at a local/regional level, but are not consistent across the organization. CMM Level 2 control maturity would reasonably expect all, or at least most, of the following criteria to exist:
- Cybersecurity and data privacy governance activities are decentralized (e.g., a localized/regionalized function) and use non-standardized methods to implement secure, resilient and compliant practices.
- IT/cybersecurity personnel identify cybersecurity and data protection controls that are appropriate to address applicable statutory, regulatory and contractual requirements for cybersecurity and data protection governance activities.
- The Chief Information Officer (CIO), or similar function, analyzes the organization's business strategy and prioritizes the objectives of the security function, based on business requirements.
- A qualified individual is assigned the role and responsibilities to centrally manage, coordinate, develop, implement and maintain a cybersecurity and data protection program (e.g., cybersecurity director or Chief Information Security Officer (CISO)).
- No formal Governance, Risk & Compliance (GRC) team exists. GRC roles are assigned to existing cybersecurity personnel.
- Compliance requirements for cybersecurity and data protection are identified and documented.
- Cybersecurity policies and standards exist that are aligned with a leading cybersecurity framework (e.g., SCF, NIST 800-53, ISO 27002 or NIST Cybersecurity Framework).
- Controls are assigned to sensitive/regulated assets to comply with specific compliance requirements.
- Procedures are established for sensitive/regulated obligations, but are not standardized across the organization.
- Documentation is made available to internal personnel.
- Simple metrics exist to provide operational oversight of a limited scope of cybersecurity and data protection controls.
Level 3 — Well Defined
Cybersecurity & Privacy Governance (GOV) efforts are standardized across the organization and centrally managed, where technically feasible, to ensure consistency. CMM Level 3 control maturity would reasonably expect all, or at least most, of the following criteria to exist:
- Statutory, regulatory and contractual compliance requirements for cybersecurity and data protection are identified and documented. Recurring testing is utilized to assess adherence to internal standards and/or external compliance requirements.
- A Governance, Risk & Compliance (GRC) function, or similar function, provides scoping guidance to determine control applicability.
- Internal policies and standards address all statutory, regulatory and contractual obligations for cybersecurity and data protection.
- Controls are standardized across the organization to ensure uniformity and consistent execution.
- Corporate governance (executive oversight) exists for cybersecurity and data privacy, which includes regular briefings to ensure executives have sufficient situational awareness to properly govern the organization.
- Procedures are established for sensitive/regulated compliance obligations that are standardized across the organization.
- Defined roles & responsibilities require data/process owners to define, implement and maintain cybersecurity and data protection controls for each system, application and/or service for which they have accountability.
- The organization designates one or more qualified individuals to govern the cybersecurity and data privacy programs (e.g., Chief Information Security Officer or Chief Privacy Officer).
- Risk management processes are defined, to include materiality considerations.
Level 4 — Quantitatively Controlled
Cybersecurity & Privacy Governance (GOV) efforts are metrics-driven and provide sufficient management insight (based on a quantitative understanding of process capabilities) to predict optimal performance, ensure continued operations and identify areas for improvement. In addition to CMM Level 3 criteria, CMM Level 4 control maturity would reasonably expect all, or at least most, of the following criteria to exist:
- Metrics are developed that provide management insight, per a quantitative understanding of process capabilities, to predict optimal performance, ensure continued operations and identify areas for improvement.
- Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).
- Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).
- The scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third parties.
- Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).
- Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.
- Both business and technical stakeholders are involved in reviewing and approving proposed changes.
Level 5 — Continuously Improving
Cybersecurity & Privacy Governance (GOV) efforts are “world-class” capabilities that leverage predictive analysis (e.g., machine learning, AI, etc.). In addition to CMM Level 4 criteria, CMM Level 5 control maturity would reasonably expect all, or at least most, of the following criteria to exist:
- Stakeholders make time-sensitive decisions to support operational efficiency, which may include automated remediation actions.
- Based on predictive analysis, process improvements are implemented according to “continuous improvement” practices that affect process changes.
Assessment Objectives
- GOV-05_A01 cybersecurity / data privacy measures of performance are developed.
- GOV-05_A02 cybersecurity / data privacy measures of performance are monitored.
- GOV-05_A03 the results of cybersecurity / data privacy measures of performance are reported.
Evidence Requirements
- E-GOV-13 Measures of Performance (Metrics): Documented evidence of formal measures of performance that are used to track the health of the cybersecurity & data protection program (e.g., metrics, KPIs, KRIs).
Cybersecurity & Data Protection Management
Technology Recommendations
Micro/Small
- Manually-generated metrics
Small
- Manually-generated metrics
- Governance, Risk & Compliance (GRC) solution
Medium
- Manually-generated metrics
- Governance, Risk & Compliance (GRC) solution
Large
- Manually-generated metrics
- Governance, Risk & Compliance (GRC) solution
Enterprise
- Manually-generated metrics
- Governance, Risk & Compliance (GRC) solution