AuditRubric
gv-ov-2 high Govern / Oversight

The cybersecurity risk management strategy is reviewed and adjusted to ensure coverage of organizational requirements and risks

Organizational requirements shift: new products launch, regulations change, the business enters new markets, and the threat landscape evolves. A strategy that was appropriate twelve months ago may leave critical gaps today. Scheduled strategy reviews, and unscheduled reviews triggered by significant changes, keep the security program aligned with what the organization actually needs.

Estimated effort: 4h
Tags: governance, oversight, strategy, risk-management, review
Complete first: gv-ov-1

Implementation steps

  1. Conduct an annual strategy review against current requirements

     Once a year, revisit the cybersecurity strategy by reviewing: new or changed regulatory requirements, changes in the business's operating environment, new or discontinued products and services, significant changes to the technology stack, and lessons from incidents in the past year. Identify gaps between what the current strategy covers and what the organization now requires. Treat the same kinds of events (a new regulation, entry into a new market, a significant incident) as triggers for an out-of-cycle review rather than waiting for the next annual cycle.

     Tools: Confluence, Notion
  2. Update the strategy to address identified gaps

     For each gap identified in the review, propose a strategy update. Get executive sign-off on material changes, and record the decision where a gap is deliberately accepted rather than addressed. Update the risk register to reflect any new risks the strategy adjustment is designed to address.

     Tools: Confluence, Notion
  3. Communicate strategy updates to the security team and stakeholders

     After the strategy is updated, brief the security team on what changed and why. For changes that affect other teams (for example, new requirements on engineering teams), communicate those changes through appropriate channels and allow time for adjustment.

     Tools: Slack, Confluence, Notion

Evidence required

Annual strategy review documentation

A record of at least one annual review where the cybersecurity strategy was evaluated against current organizational requirements.

  • Annual security program review document with gap analysis
  • Strategy update memo approved by CISO or equivalent
  • Risk register showing strategy-driven updates from the annual review

Updated cybersecurity strategy document

A current version of the cybersecurity strategy document with a recent review date.

  • Security strategy document with version date within the past 12 months
  • Security roadmap updated following the annual review
  • Board presentation showing updated strategy with prior version comparison

Related controls