CC1-2 | High priority | Security / Control Environment

Board or equivalent body oversees security risk

Someone at the governance level — a board, an audit committee, or a named executive — must formally own cybersecurity risk oversight. For most startups this is the CEO or a named board member. The requirement is not complex governance structures; it is that security risk is reviewed at the top of the organization on a defined cadence, decisions are documented, and that person can speak to what risks exist and what is being done about them.

Complete first: CC1-1

Implementation steps

  1. Assign a named security risk owner at the executive level

     Document who at board or executive level is responsible for cybersecurity oversight. For startups this is typically the CEO or CTO. For companies with boards, designate a board member or audit committee to receive security updates. Put this in your security policy.

     Tools: Confluence, Notion

  2. Establish a recurring security review cadence

     Schedule at least quarterly reviews where the security posture, risk register, and significant incidents are presented to the oversight body. For boards, this can be part of an existing board meeting. Document the agenda and keep minutes or written summaries of each review.

     Tools: Notion, Google Docs, Confluence

  3. Document oversight activities

     Keep records of security reviews: who attended, what risks were discussed, what decisions were made, and any follow-up actions assigned. These records are what auditors will inspect. Board minutes, email summaries, or a security review log all qualify.

     Tools: Google Docs, Notion, Confluence

Evidence required

Documented oversight assignment

Written record showing who holds board-level or executive-level responsibility for cybersecurity risk oversight.

  • Security policy naming the CISO or CTO as executive risk owner
  • Board charter or committee charter referencing cybersecurity oversight
  • Org chart with named security accountability

Records of security reviews

Evidence that security risk is reviewed at the governance level on a regular cadence.

  • Board meeting minutes with security agenda item
  • Quarterly security review summaries sent to executive team
  • Risk register reviewed and signed off by executive sponsor

Related controls