The organizational mission is understood and informs cybersecurity risk management
Cybersecurity decisions that are disconnected from the organization's actual mission tend to be either over-engineered or dangerously under-resourced. When leadership explicitly links the organization's purpose and strategic goals to its security posture, risk decisions become grounded in what actually matters to the business. This context also helps security teams prioritize competing demands and explain trade-offs to non-technical stakeholders.
Implementation steps
1. Document the organizational mission and strategic objectives

   Work with leadership to capture a clear mission statement and the top three to five strategic objectives that depend on information systems or data. This does not need to be a lengthy document; a one-page summary reviewed by the executive team is sufficient.

2. Map security priorities to mission-critical functions

   For each strategic objective, identify which systems, data, or processes are essential to delivering it. Use this mapping to rank security investments and inform your risk register so that the highest-impact assets receive the most attention.

3. Embed mission context into risk management documentation

   Reference the mission statement and critical objectives explicitly in your risk policy, risk register, and security roadmap. Review this alignment at least annually, or whenever the organization's strategy changes significantly.
Evidence required
Mission and strategic objectives document
A written artifact, approved by leadership, that states the organizational mission and identifies the strategic objectives that cybersecurity risk management should protect.
- Board-approved mission statement with linked security priorities
- Annual strategic plan with a cybersecurity alignment section
- One-page executive summary mapping mission to risk focus areas
Risk management documentation referencing organizational mission
Evidence that the mission context has been incorporated into active risk management artifacts, not just stored as a standalone document.
- Risk register with a mission-criticality column
- Security roadmap document citing strategic objectives
- Risk policy preamble referencing the organizational mission
Related controls
- Internal and external stakeholders are understood, and their needs and expectations regarding cybersecurity risk management are understood and considered (Organizational Context)
- Critical objectives, capabilities, and services that external stakeholders depend on or expect from the organization are understood and communicated (Organizational Context)
- Outcomes, capabilities, and services that the organization depends on are understood and communicated (Organizational Context)
- Risk management objectives are established and agreed to by organizational stakeholders (Risk Management Strategy)