Establish, document, approve, communicate, apply, evaluate and maintain policies and procedures for an information governance program, which is sponsored by the leadership of the organization. Review and update the policies and procedures at least annually.
Establish a formal, documented, and leadership-sponsored Enterprise Risk Management (ERM) program that includes policies and procedures for identification, evaluation, ownership, treatment, and acceptance of cloud security and privacy risks.
Review all relevant organizational policies and associated procedures at least annually or when a substantial change occurs within the organization.
Establish and follow an approved exception process as mandated by the governance program whenever a deviation from an established policy occurs.
Develop and implement an Information Security Program, which includes programs for all the relevant domains of the CCM.
Define and document roles and responsibilities for planning, implementing, operating, assessing, and improving governance programs.
Identify and document all relevant standards, regulations, and legal, contractual, and statutory requirements that are applicable to your organization.
Establish and maintain contact with cloud-related special interest groups and other relevant entities in line with business context.