Audit Rubric
gv-ov-1 · high · Govern / Oversight

Cybersecurity risk management strategy outcomes are reviewed to inform and adjust strategy

Strategy without feedback loops drifts. Organizations that set a security strategy once and never revisit it accumulate outdated priorities and miss emerging risks. Regular outcome reviews close the loop between what you planned to achieve and what is actually happening, letting you course-correct before gaps become incidents.

Estimated effort: 4h
governance · oversight · metrics · strategy · review
Complete first: gv-rm-1

Implementation steps

  1. Define measurable outcomes for the cybersecurity strategy

     For each strategic priority, define one or two metrics that indicate progress. For example, if a priority is reducing vulnerability exposure, the metric might be mean time to remediation for critical vulnerabilities. If the priority is improving detection, it might be mean time to detect. Vague goals cannot be measured or reviewed.

     confluence · notion · google-sheets
  2. Review strategy outcomes at least quarterly

     Hold a quarterly review where the security owner presents current metrics against targets. Flag areas where progress is below expectations and propose adjustments. Include trend data rather than just current snapshots so the trajectory is visible.

     google-sheets · tableau · looker · notion
  3. Document decisions made from outcome reviews

     Record what was reviewed, what the data showed, and what decisions or adjustments were made as a result. This documentation demonstrates an active feedback loop and provides continuity when team members change.

     confluence · notion
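As an added example (not part of the rubric or its tooling), the Python below computes the mean-time-to-remediation metric from step 1 per quarter and turns it into the target-versus-trend view step 2 asks for; the finding records and the 14-day target are constructed assumptions.

```python
from datetime import date

# Constructed sample of vulnerability findings (hypothetical data, not from any real program).
# None for "remediated" means the finding is still open.
FINDINGS = [
    {"id": "V-1", "severity": "critical", "detected": date(2024, 1, 10), "remediated": date(2024, 1, 25)},
    {"id": "V-2", "severity": "critical", "detected": date(2024, 2, 1),  "remediated": date(2024, 2, 26)},
    {"id": "V-7", "severity": "high",     "detected": date(2024, 3, 1),  "remediated": date(2024, 3, 30)},
    {"id": "V-3", "severity": "critical", "detected": date(2024, 4, 3),  "remediated": date(2024, 4, 15)},
    {"id": "V-4", "severity": "critical", "detected": date(2024, 5, 5),  "remediated": date(2024, 5, 13)},
    {"id": "V-5", "severity": "critical", "detected": date(2024, 7, 1),  "remediated": date(2024, 7, 19)},
    {"id": "V-6", "severity": "critical", "detected": date(2024, 7, 10), "remediated": None},
]

TARGET_DAYS = 14.0  # assumed target: critical findings remediated within 14 days on average


def quarter_of(d):
    """Label a date by calendar quarter, e.g. 2024-Q2."""
    return f"{d.year}-Q{(d.month - 1) // 3 + 1}"


def mttr_by_quarter(findings, severity="critical"):
    """Mean time to remediation (days) per quarter, bucketed by the quarter a finding was closed.

    Open findings have no remediation date, so they are excluded from the mean and returned
    as a separate count: dropping them silently would make the metric look better than reality.
    """
    buckets, open_count = {}, 0
    for f in findings:
        if f["severity"] != severity:
            continue
        if f["remediated"] is None:
            open_count += 1
            continue
        days = (f["remediated"] - f["detected"]).days
        buckets.setdefault(quarter_of(f["remediated"]), []).append(days)
    mttr = {q: sum(v) / len(v) for q, v in sorted(buckets.items())}
    return mttr, open_count


def scorecard(mttr, target=TARGET_DAYS):
    """Turn quarterly MTTR into review rows: value vs. target plus quarter-over-quarter change."""
    rows, prev = [], None
    for q, val in mttr.items():
        rows.append({"quarter": q, "mttr_days": val, "meets_target": val <= target,
                     "delta_vs_prior": None if prev is None else val - prev})
        prev = val
    return rows
```

Running `scorecard(mttr_by_quarter(FINDINGS)[0])` on the sample gives three rows, with only 2024-Q2 meeting the target and 2024-Q3 regressing by 8 days; the one open critical finding is reported alongside rather than hidden in the average.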

Evidence required

Cybersecurity metrics and KPIs

A set of defined, measured metrics tied to the cybersecurity strategy that are reviewed on a regular cycle.

  • Security metrics dashboard updated monthly
  • Quarterly security scorecard presented to leadership
  • OKR or KPI tracking document for the security program

Strategy review records

Records of at least quarterly reviews where cybersecurity strategy outcomes were assessed and acted upon.

  • Board or executive meeting minutes with security agenda item
  • Quarterly security review deck with prior decisions tracked
  • Written summary of strategy review outcomes and adjustments

Related controls