GOV-08: Defining Business Context & Mission
Mechanisms exist to define the context of its business model and document the organization's mission.
Control Question: Does the organization define the context of its business model and document the mission of the organization?
General (14)
| Framework | Mapping Values |
|---|---|
| AICPA TSC 2017:2022 (used for SOC 2) | CC1.2-POF1 CC2.2-POF10 CC3.1-POF1 CC3.1-POF15 CC3.1-POF3 CC5.1-POF2 |
| COBIT 2019 | EDM05.01 EDM05.02 EDM05.03 APO01.01 APO01.02 APO01.03 APO01.04 APO01.06 APO02.01 APO02.05 APO08.01 APO08.02 APO08.03 APO08.04 APO08.05 |
| ISO 22301 2019 | 4.1 4.2 4.2.1 4.2.2 |
| ISO 27001 2022 | 4.1 4.2(a) 4.3 5.1 |
| ISO 27701 2025 | 4.1 6.1.1 |
| ISO 42001 2023 | 6.2 |
| NIST AI 100-1 (AI RMF) 1.0 | MAP 1.3 |
| NIST Privacy Framework 1.0 | ID.IM-P5 ID.BE-P1 ID.BE-P2 GV.RM-P3 |
| NIST CSF 2.0 | GV.OC GV.OC-01 GV.OC-04 GV.OV-01 GV.SC-03 |
| Shared Assessments SIG 2025 | B.1 |
| TISAX ISA 6 | 1.1.1 |
| SCF CORE ESP Level 1 Foundational | GOV-08 |
| SCF CORE ESP Level 2 Critical Infrastructure | GOV-08 |
| SCF CORE ESP Level 3 Advanced Threats | GOV-08 |
US (4)
| Framework | Mapping Values |
|---|---|
| US FCA CRM | 609.930(a) |
| US HIPAA Administrative Simplification 2013 | 164.306(b)(2)(i) |
| US HIPAA Security Rule / NIST SP 800-66 R2 | 164.306(b)(2)(i) |
| US ITAR Part 120 | 120.13 120.17 |
EMEA (3)
| Framework | Mapping Values |
|---|---|
| EMEA EU EBA GL/2019/04 | 3.2.1(4) |
| EMEA EU NIS2 Annex | 1.1.1(b) |
| EMEA Saudi Arabia ECC-1 2018 | 1-1-1 |
APAC (1)
| Framework | Mapping Values |
|---|---|
| APAC Japan ISMAP | 4.4.2 4.4.2.1 4.4.3 |
Americas (1)
| Framework | Mapping Values |
|---|---|
| Americas Canada OSFI B-13 | 1.2 2.1.1 |
Capability Maturity Model
Level 0 — Not Performed
There is no evidence of a capability to define the context of its business model and document the mission of the organization.
Level 1 — Performed Informally
C|P-CMM1 is N/A, since a structured process is required to define the context of its business model and document the mission of the organization.
Level 2 — Planned & Tracked
Cybersecurity & Privacy Governance (GOV) efforts are requirements-driven and governed at a local/regional level, but are not consistent across the organization. CMM Level 2 control maturity would reasonably expect all, or at least most, of the following criteria to exist:
- Cybersecurity and data privacy governance activities are decentralized (e.g., a localized/regionalized function) and use non-standardized methods to implement secure, resilient and compliant practices.
- IT/cybersecurity personnel identify cybersecurity and data protection controls that are appropriate to address applicable statutory, regulatory and contractual requirements for cybersecurity and data privacy governance activities.
- The Chief Information Officer (CIO), or similar function, analyzes the organization's business strategy and prioritizes the objectives of the security function, based on business requirements.
- A qualified individual is assigned the role and responsibilities to centrally manage, coordinate, develop, implement and maintain a cybersecurity and data privacy program (e.g., cybersecurity director or Chief Information Security Officer (CISO)).
- No formal Governance, Risk & Compliance (GRC) team exists. GRC roles are assigned to existing cybersecurity personnel.
- Compliance requirements for cybersecurity and data privacy are identified and documented.
- Cybersecurity policies and standards exist that are aligned with a leading cybersecurity framework (e.g., SCF, NIST 800-53, ISO 27002 or NIST Cybersecurity Framework).
- Controls are assigned to sensitive/regulated assets to comply with specific compliance requirements.
- Procedures are established for sensitive/regulated obligations, but are not standardized across the organization.
- Documentation is made available to internal personnel.
Level 3 — Well Defined
Cybersecurity & Privacy Governance (GOV) efforts are standardized across the organization and centrally managed, where technically feasible, to ensure consistency. CMM Level 3 control maturity would reasonably expect all, or at least most, of the following criteria to exist:
- Statutory, regulatory and contractual compliance requirements for cybersecurity and data privacy are identified and documented. Recurring testing is utilized to assess adherence to internal standards and/or external compliance requirements.
- A Governance, Risk & Compliance (GRC) function, or similar function, provides scoping guidance to determine control applicability.
- Internal policies and standards address all statutory, regulatory and contractual obligations for cybersecurity and data privacy.
- Controls are standardized across the organization to ensure uniformity and consistent execution.
- Corporate governance (executive oversight) exists for cybersecurity and data privacy, which includes regular briefings to ensure executives have sufficient situational awareness to properly govern the organization.
- Procedures are established for sensitive/regulated compliance obligations that are standardized across the organization.
- Defined roles & responsibilities require data/process owners to define, implement and maintain cybersecurity and data protection controls for each system, application and/or service for which they are accountable.
- The organization designates one or more qualified individuals to govern the cybersecurity and data privacy programs (e.g., Chief Information Security Officer or Chief Privacy Officer).
- Risk management processes are defined, to include materiality considerations.
Level 4 — Quantitatively Controlled
See C|P-CMM3. There are no defined C|P-CMM4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to define the context of its business model and document the mission of the organization.
Level 5 — Continuously Improving
See C|P-CMM4. There are no defined C|P-CMM5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to define the context of its business model and document the mission of the organization.
Assessment Objectives
- GOV-08_A01: The organization's mission is clearly defined and documented.
- GOV-08_A02: The organization's executive leadership defines and documents a formal business strategy that is used to provide operational guidance to key business leaders across the organization.
Evidence Requirements
- E-PRM-01 Cybersecurity Business Plan (CBP): Documented evidence of a cybersecurity-specific business plan that documents a strategic plan and discrete objectives.
Resource Management