GV.PO-01: Policy for managing cybersecurity risks is established based on organizational context, cybersecurity strategy, and priorities and is communicated and enforced

This subcategory is new to this version of the framework and incorporates the following item from the previous version: ID.GV-1: Organizational cybersecurity policy is established and communicated.


[csf.tools Note: Subcategories do not have detailed descriptions. However, NIST has provided the following implementation examples.]

Implementation Examples

1st: 1st Party Risk

Ex1: Create, disseminate, and maintain an understandable, usable risk management policy with statements of management intent, expectations, and direction

Ex2: Periodically review policy and supporting processes and procedures to ensure that they align with risk management strategy objectives and priorities, as well as the high-level direction of the cybersecurity policy

Ex3: Require approval from senior management on policy

Ex4: Communicate cybersecurity risk management policy and supporting processes and procedures across the organization

Ex5: Require personnel to acknowledge receipt of policy when first hired, annually, and whenever policy is updated