Original format: xlsx
Primary sheet: Sheet1
CSV companion: CSF 2.0-Implementation_Examples.csv
| Function | Category | Subcategory | Implementation Examples |
|---|---|---|---|
| GOVERN (GV): The organization’s cybersecurity risk management strategy, expectations, and policy are established, communicated, and monitored | Organizational Context (GV.OC): The circumstances — mission, stakeholder expectations, dependencies, and legal, regulatory, and contractual requirements — surrounding the organization’s cybersecurity risk management decisions are understood | | |
| | | GV.OC-01: The organizational mission is understood and informs cybersecurity risk management | Ex1: Share the organization’s mission (e.g., through vision and mission statements, marketing, and service strategies) to provide a basis for identifying risks that may impede that mission |
| | | GV.OC-02: Internal and external stakeholders are understood, and their needs and expectations regarding cybersecurity risk management are understood and considered | Ex1: Identify relevant internal stakeholders and their cybersecurity-related expectations (e.g., performance and risk expectations of officers, directors, and advisors; cultural expectations of employees) |
| | | | Ex2: Identify relevant external stakeholders and their cybersecurity-related expectations (e.g., privacy expectations of customers, business expectations of partnerships, compliance expectations of regulators, ethics expectations of society) |
| | | GV.OC-03: Legal, regulatory, and contractual requirements regarding cybersecurity — including privacy and civil liberties obligations — are understood and managed | Ex1: Determine a process to track and manage legal and regulatory requirements regarding protection of individuals’ information (e.g., Health Insurance Portability and Accountability Act, California Consumer Privacy Act, General Data Protection Regulation) |
| | | | Ex2: Determine a process to track and manage contractual requirements for cybersecurity management of supplier, customer, and partner information |
| | | | Ex3: Align the organization’s cybersecurity strategy with legal, regulatory, and contractual requirements |
| | | GV.OC-04: Critical objectives, capabilities, and services that stakeholders depend on or expect from the organization are understood and communicated | Ex1: Establish criteria for determining the criticality of capabilities and services as viewed by internal and external stakeholders |
| | | | Ex2: Determine (e.g., from a business impact analysis) assets and business operations that are vital to achieving mission objectives and the potential impact of a loss (or partial loss) of such operations |
| | | | Ex3: Establish and communicate resilience objectives (e.g., recovery time objectives) for delivering critical capabilities and services in various operating states (e.g., under attack, during recovery, normal operation) |
| | | GV.OC-05: Outcomes, capabilities, and services that the organization depends on are understood and communicated | Ex1: Create an inventory of the organization’s dependencies on external resources (e.g., facilities, cloud-based hosting providers) and their relationships to organizational assets and business functions |
| | | | Ex2: Identify and document external dependencies that are potential points of failure for the organization’s critical capabilities and services, and share that information with appropriate personnel |
| | Risk Management Strategy (GV.RM): The organization’s priorities, constraints, risk tolerance and appetite statements, and assumptions are established, communicated, and used to support operational risk decisions | | |
| | | GV.RM-01: Risk management objectives are established and agreed to by organizational stakeholders | Ex1: Update near-term and long-term cybersecurity risk management objectives as part of annual strategic planning and when major changes occur |
| | | | Ex2: Establish measurable objectives for cybersecurity risk management (e.g., manage the quality of user training, ensure adequate risk protection for industrial control systems) |
| | | | Ex3: Senior leaders agree about cybersecurity objectives and use them for measuring and managing risk and performance |
| | | GV.RM-02: Risk appetite and risk tolerance statements are established, communicated, and maintained | Ex1: Determine and communicate risk appetite statements that convey expectations about the appropriate level of risk for the organization |
| | | | Ex2: Translate risk appetite statements into specific, measurable, and broadly understandable risk tolerance statements |
| | | | Ex3: Refine organizational objectives and risk appetite periodically based on known risk exposure and residual risk |
| | | GV.RM-03: Cybersecurity risk management activities and outcomes are included in enterprise risk management processes | Ex1: Aggregate and manage cybersecurity risks alongside other enterprise risks (e.g., compliance, financial, operational, regulatory, reputational, safety) |
| | | | Ex2: Include cybersecurity risk managers in enterprise risk management planning |
| | | | Ex3: Establish criteria for escalating cybersecurity risks within enterprise risk management |
| | | GV.RM-04: Strategic direction that describes appropriate risk response options is established and communicated | Ex1: Specify criteria for accepting and avoiding cybersecurity risk for various classifications of data |
| | | | Ex2: Determine whether to purchase cybersecurity insurance |
| | | | Ex3: Document conditions under which shared responsibility models are acceptable (e.g., outsourcing certain cybersecurity functions, having a third party perform financial transactions on behalf of the organization, using public cloud-based services) |
| | | GV.RM-05: Lines of communication across the organization are established for cybersecurity risks, including risks from suppliers and other third parties | Ex1: Determine how to update senior executives, directors, and management on the organization’s cybersecurity posture at agreed-upon intervals |
| | | | Ex2: Identify how all departments across the organization — such as management, operations, internal auditors, legal, acquisition, physical security, and HR — will communicate with each other about cybersecurity risks |
| | | GV.RM-06: A standardized method for calculating, documenting, categorizing, and prioritizing cybersecurity risks is established and communicated | Ex1: Establish criteria for using a quantitative approach to cybersecurity risk analysis, and specify probability and exposure formulas |
| | | | Ex2: Create and use templates (e.g., a risk register) to document cybersecurity risk information (e.g., risk description, exposure, treatment, and ownership) |
| | | | Ex3: Establish criteria for risk prioritization at the appropriate levels within the enterprise |
| | | | Ex4: Use a consistent list of risk categories to support integrating, aggregating, and comparing cybersecurity risks |
| | | GV.RM-07: Strategic opportunities (i.e., positive risks) are characterized and are included in organizational cybersecurity risk discussions | Ex1: Define and communicate guidance and methods for identifying opportunities and including them in risk discussions (e.g., strengths, weaknesses, opportunities, and threats [SWOT] analysis) |
| | | | Ex2: Identify stretch goals and document them |
| | | | Ex3: Calculate, document, and prioritize positive risks alongside negative risks |
| | Roles, Responsibilities, and Authorities (GV.RR): Cybersecurity roles, responsibilities, and authorities to foster accountability, performance assessment, and continuous improvement are established and communicated | | |
| | | GV.RR-01: Organizational leadership is responsible and accountable for cybersecurity risk and fosters a culture that is risk-aware, ethical, and continually improving | Ex1: Leaders (e.g., directors) agree on their roles and responsibilities in developing, implementing, and assessing the organization’s cybersecurity strategy |
| | | | Ex2: Share leaders’ expectations regarding a secure and ethical culture, especially when current events present the opportunity to highlight positive or negative examples of cybersecurity risk management |
| | | | Ex3: Leaders direct the CISO to maintain a comprehensive cybersecurity risk strategy and review and update it at least annually and after major events |
| | | | Ex4: Conduct reviews to ensure adequate authority and coordination among those responsible for managing cybersecurity risk |
| | | GV.RR-02: Roles, responsibilities, and authorities related to cybersecurity risk management are established, communicated, understood, and enforced | Ex1: Document risk management roles and responsibilities in policy |
| | | | Ex2: Document who is responsible and accountable for cybersecurity risk management activities and how those teams and individuals are to be consulted and informed |
| | | | Ex3: Include cybersecurity responsibilities and performance requirements in personnel descriptions |
| | | | Ex4: Document performance goals for personnel with cybersecurity risk management responsibilities, and periodically measure performance to identify areas for improvement |
| | | | Ex5: Clearly articulate cybersecurity responsibilities within operations, risk functions, and internal audit functions |
| | | GV.RR-03: Adequate resources are allocated commensurate with the cybersecurity risk strategy, roles, responsibilities, and policies | Ex1: Conduct periodic management reviews to ensure that those given cybersecurity risk management responsibilities have the necessary authority |
| | | | Ex2: Identify resource allocation and investment in line with risk tolerance and response |
| | | | Ex3: Provide adequate and sufficient people, process, and technical resources to support the cybersecurity strategy |
| | | GV.RR-04: Cybersecurity is included in human resources practices | Ex1: Integrate cybersecurity risk management considerations into human resources processes (e.g., personnel screening, onboarding, change notification, offboarding) |
| | | | Ex2: Consider cybersecurity knowledge to be a positive factor in hiring, training, and retention decisions |
| | | | Ex3: Conduct background checks prior to onboarding new personnel for sensitive roles, and periodically repeat background checks for personnel with such roles |