GV: Govern

Info icon.

Function is new to this version of the framework and incorporates the following item from the previous version: ID.GV: Governance.


The organization's cybersecurity risk management strategy, expectations, and policy are established, communicated, and monitored

Framework Categories

GV.OC: Organizational Context

The circumstances – mission, stakeholder expectations, dependencies, and legal, regulatory, and contractual requirements – surrounding the organization's cybersecurity risk management decisions are understood

GV.RM: Risk Management Strategy

The organization's priorities, constraints, risk tolerance and appetite statements, and assumptions are established, communicated, and used to support operational risk decisions

GV.PO: Policy

Organizational cybersecurity policy is established, communicated, and enforced

GV.OV: Oversight

Results of organization-wide cybersecurity risk management activities and performance are used to inform, improve, and adjust the risk management strategy