GOV-09: Define Control Objectives

GOV 5 — Medium Govern

Mechanisms exist to establish control objectives as the basis for the selection, implementation and management of the organization's internal control system.

Control Question: Does the organization establish control objectives as the basis for the selection, implementation and management of its internal control system?

General (13)
  Framework: Mapping Values
  AICPA TSC 2017:2022 (used for SOC 2): CC2.1-POF1, CC2.2, CC2.2-POF1, CC2.2-POF7, CC3.1, CC3.1-POF1, CC3.1-POF15, CC3.1-POF8, CC3.1-POF9
  BSI Standard 200-1: 7, 7.1
  COBIT 2019: APO01.04, DSS06.01
  ISO 27001 2022: 4.1, 4.2, 4.2(b), 4.2(c), 5.2(b), 6.2, 6.2(a), 6.2(b), 6.2(c), 6.2(d), 6.2(e), 6.2(f), 6.2(g), 6.2(h), 6.2(i), 6.2(j), 6.2(k), 6.2(l)
  ISO 27017 2015: 5.1
  ISO 27701 2025: 6.1.3(d)
  ISO 42001 2023: 5.1, 6.2, 8.1
  NAIC Insurance Data Security Model Law (MDL-668): 4.D(2)
  NIST CSF 2.0: GV.SC-03
  TISAX ISA 6: 1.1.1, 7.1.2
  SCF CORE ESP Level 1 Foundational: GOV-09
  SCF CORE ESP Level 2 Critical Infrastructure: GOV-09
  SCF CORE ESP Level 3 Advanced Threats: GOV-09

US (5)
  Framework: Mapping Values
  US CERT RMM 1.2: CTRL:SG1.SP1
  US FCA CRM: 609.930(a), 609.930(c)(6)
  US GLBA CFR 314 2023: 314.3(b)(1), 314.3(b)(2), 314.3(b)(3)
  US HIPAA Administrative Simplification 2013: 164.306(b)(1), 164.308(a)(1)(ii)(B)
  US HIPAA Security Rule / NIST SP 800-66 R2: 164.306(b)(1), 164.308(a)(1)(ii)(B)

EMEA (4)
  Framework: Mapping Values
  EMEA EU EBA GL/2019/04: 3.2.1(5)(c)
  EMEA EU NIS2: Annex 1.1.1(c)
  EMEA Germany C5 2020: OIS-01, OIS-02
  EMEA Saudi Arabia CSCC-1 2019: 1-1

APAC (2)
  Framework: Mapping Values
  APAC India SEBI CSCRF: GV.OC.S1, GV.RM.S1
  APAC Japan ISMAP: 4.1, 4.2, 4.3, 4.4, 4.4.2, 4.4.2.1, 4.4.5.2

Americas (1)
  Framework: Mapping Values
  Americas Canada OSFI B-13: 1.2, 2.1.1

Capability Maturity Model

Level 0 — Not Performed

There is no evidence of a capability to establish control objectives as the basis for the selection, implementation and management of its internal control system.

Level 1 — Performed Informally

C|P-CMM1 is N/A, since a structured process is required to establish control objectives as the basis for the selection, implementation and management of its internal control system.

Level 2 — Planned & Tracked

Cybersecurity & Privacy Governance (GOV) efforts are requirements-driven and governed at a local/regional level, but are not consistent across the organization. CMM Level 2 control maturity would reasonably expect all, or at least most, of the following criteria to exist:

  • Cybersecurity and data privacy governance activities are decentralized (e.g., a localized/regionalized function) and use non-standardized methods to implement secure, resilient and compliant practices.
  • IT/cybersecurity personnel identify cybersecurity and data protection controls that are appropriate to address applicable statutory, regulatory and contractual requirements for cybersecurity and data privacy governance activities.
  • The Chief Information Officer (CIO), or similar function, analyzes the organization's business strategy and prioritizes the objectives of the security function, based on business requirements.
  • A qualified individual is assigned the role and responsibilities to centrally manage, coordinate, develop, implement and maintain a cybersecurity and data privacy program (e.g., cybersecurity director or Chief Information Security Officer (CISO)).
  • No formal Governance, Risk & Compliance (GRC) team exists. GRC roles are assigned to existing cybersecurity personnel.
  • Compliance requirements for cybersecurity and data privacy are identified and documented.
  • Cybersecurity policies and standards exist that are aligned with a leading cybersecurity framework (e.g., SCF, NIST 800-53, ISO 27002 or NIST Cybersecurity Framework).
  • Controls are assigned to sensitive/regulated assets to comply with specific compliance requirements.
  • Procedures are established for sensitive/regulated obligations, but are not standardized across the organization.
  • Documentation is made available to internal personnel.
  • IT and/or cybersecurity personnel develop control objectives to implement and manage the organization's internal control system.
  • IT and/or cybersecurity personnel develop plans to implement security-related objectives.

Level 3 — Well Defined

Cybersecurity & Privacy Governance (GOV) efforts are standardized across the organization and centrally managed, where technically feasible, to ensure consistency. CMM Level 3 control maturity would reasonably expect all, or at least most, of the following criteria to exist:

  • Statutory, regulatory and contractual compliance requirements for cybersecurity and data privacy are identified and documented. Recurring testing is utilized to assess adherence to internal standards and/or external compliance requirements.
  • A Governance, Risk & Compliance (GRC) function, or similar function, provides scoping guidance to determine control applicability.
  • Internal policies and standards address all statutory, regulatory and contractual obligations for cybersecurity and data privacy.
  • Controls are standardized across the organization to ensure uniformity and consistent execution.
  • Corporate governance (executive oversight) exists for cybersecurity and data privacy, which includes regular briefings to ensure executives have sufficient situational awareness to properly govern the organization.
  • Procedures are established for sensitive/regulated compliance obligations that are standardized across the organization.
  • Defined roles & responsibilities require data/process owners to define, implement and maintain cybersecurity and data protection controls for each system, application and/or service for which they have accountability.
  • The organization designates one or more qualified individuals to govern the cybersecurity and data privacy programs (e.g., Chief Information Security Officer or Chief Privacy Officer).
  • Risk management processes are defined, to include materiality considerations.

Level 4 — Quantitatively Controlled

See C|P-CMM3. There are no defined C|P-CMM4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to establish control objectives as the basis for the selection, implementation and management of its internal control system.

Level 5 — Continuously Improving

See C|P-CMM4. There are no defined C|P-CMM5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to establish control objectives as the basis for the selection, implementation and management of its internal control system.

Assessment Objectives

  1. GOV-09_A01: Security and privacy-related control objectives are established as the basis for the selection, implementation and management of the organization's internal control system.

Evidence Requirements

E-GOV-10 Cybersecurity & Data Protection Controls

Documented evidence of appropriately-scoped cybersecurity & data protection controls. Controls are technical, administrative or physical safeguards. Controls are the nexus used to manage risks by preventing, detecting or lessening the ability of a particular threat to negatively impact business processes. Controls directly map to standards, since control testing is designed to measure specific aspects of how standards are actually implemented.

Cybersecurity & Data Protection Management

The Secure Controls Framework (SCF) is maintained by SCF Council. Use of SCF content is subject to the SCF Terms & Conditions.