GOV-14: Business As Usual (BAU) Secure Practices
Mechanisms exist to incorporate cybersecurity and data protection principles into Business As Usual (BAU) practices through executive leadership involvement.
Control Question: Does the organization incorporate cybersecurity and data protection principles into Business As Usual (BAU) practices through executive leadership involvement?
General (8)
| Framework | Mapping Values |
|---|---|
| AICPA TSC 2017:2022 (used for SOC 2) (source) | CC1.1-POF1 CC5.3-POF1 |
| IMO Maritime Cyber Risk Management | 3.7 |
| ISO/SAE 21434 2021 | RQ-05-06 RC-05-10 |
| ISO 27701 2025 | 5.1 |
| ISO 42001 2023 | 5.1 |
| NAIC Insurance Data Security Model Law (MDL-668) | 4.D(2)(g) |
| NIST AI 100-1 (AI RMF) 1.0 | GOVERN 4.0 |
| Shared Assessments SIG 2025 | K.1 |
APAC (2)
| Framework | Mapping Values |
|---|---|
| APAC Australia Prudential Standard CPS230 | 24 |
| APAC India SEBI CSCRF | GV.RR.S1 |
Americas (1)
| Framework | Mapping Values |
|---|---|
| Americas Canada OSFI B-13 | 1.1.1 3.2.1 |
Capability Maturity Model
Level 0 — Not Performed
There is no evidence of a capability to incorporate cybersecurity and data protection principles into Business As Usual (BAU) practices through executive leadership involvement.
Level 1 — Performed Informally
C|P-CMM1 is N/A, since a structured process is required to incorporate cybersecurity and data protection principles into Business As Usual (BAU) practices through executive leadership involvement.
Level 2 — Planned & Tracked
C|P-CMM2 is N/A, since a well-defined process is required to incorporate cybersecurity and data protection principles into Business As Usual (BAU) practices through executive leadership involvement.
Level 3 — Well Defined
Cybersecurity & Privacy Governance (GOV) efforts are standardized across the organization and centrally managed, where technically feasible, to ensure consistency. CMM Level 3 control maturity would reasonably expect all, or at least most, the following criteria to exist:
- Statutory, regulatory and contractual compliance requirements for cybersecurity and data protection are identified and documented. Recurring testing is utilized to assess adherence to internal standards and/or external compliance requirements.
- A Governance, Risk & Compliance (GRC) function, or similar function, provides scoping guidance to determine control applicability.
- Internal policies and standards address all statutory, regulatory and contractual obligations for cybersecurity and data protection.
- Controls are standardized across the organization to ensure uniformity and consistent execution.
- Corporate governance (executive oversight) exists for the cybersecurity and data protection, which includes regular briefings to ensure executives have sufficient situational awareness to properly govern the organization.
- Procedures are established for sensitive/regulated compliance obligations that are standardized across the organization.
- Defined roles & responsibilities require data/process owners to define, implement and maintain cybersecurity and data protection controls for each system, application and/ or service of which they have accountability.
- The organization designates one or more qualified individuals to govern the cybersecurity and data protection programs (e.g., Chief Information Security Officer or Chief Privacy Officer).
- Risk management processes are defined, to include materiality considerations.
Level 4 — Quantitatively Controlled
See C|P-CMM3. There are no defined C|P-CMM4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to incorporate cybersecurity and data protection principles into Business As Usual (BAU) practices through executive leadership involvement.
Level 5 — Continuously Improving
See C|P-CMM4. There are no defined C|P-CMM5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to incorporate cybersecurity and data protection principles into Business As Usual (BAU) practices through executive leadership involvement.
Assessment Objectives
- GOV-14_A01 the executive steering committee, or advisory board, directs organization leadership to incorporate cybersecurity / data privacy principles into Business As Usual (BAU) practices.
- GOV-14_A02 cybersecurity incidents are reviewed to identify incidents that occurred due to cybersecurity / data privacy principles not being adopted as Business As Usual (BAU) practices.
- GOV-14_A03 identified deficiencies of cybersecurity / data privacy principles not being adopted as Business As Usual (BAU) practices are tracked via a Plan of Action and Milestones (POA&M), or risk register, through remediation.
Technology Recommendations
Micro/Small
- ComplianceForge - Cybersecurity Standardized Operating Procedures (CSOP) (https://complianceforge.com)
Small
- ComplianceForge - Cybersecurity Standardized Operating Procedures (CSOP) (https://complianceforge.com)
Medium
- ComplianceForge - Cybersecurity Standardized Operating Procedures (CSOP) (https://complianceforge.com)
Large
- ComplianceForge - Cybersecurity Standardized Operating Procedures (CSOP) (https://complianceforge.com)
Enterprise
- ComplianceForge - Cybersecurity Standardized Operating Procedures (CSOP) (https://complianceforge.com)