SAMMY UI is optimized for resolutions with a width 1024px and higher.
Cybersecurity Fundamentals
Browse Cybersecurity...
ID.GV-1 ID.GV-3 ID.GV-4
Maturity Level 1
Maturity Level 2
ID.GV-1.1
ID.GV-1.1: Policies and procedures for information security and cyber security shall be created, documented, reviewed, approved, and updated when changes occur.
  • Policies and procedures used to identify acceptable practices and expectations for business operations, can be used to train new employees on your information security expectations, and can aid an investigation in case of an incident. These policies and procedures should be readily accessible to employees.
  • Policies and procedures for information- and cybersecurity should clearly describe your expectations for protecting the organization’s information and systems, and how management expects the company’s resources to be used and protected by all employees.
  • Policies and procedures should be reviewed and updated at least annually and every time there are changes in the organization or technology. Whenever the policies are changed, employees should be made aware of the changes.
Documentation Maturity
Not applicable - Not applicable in the selected scope.
Level 1 - Initial - No Process documentation or not formally approved by management.
Level 2 - Repeatable - Formally approved Process documentation exists but not reviewed in the previous 2 years.
Level 3 - Defined - Formally approved Process documentation exists, and exceptions are documented and approved. Documented and approved exceptions < 5% of the time.
Level 4 - Managed - Formally approved Process documentation exists, and exceptions are documented and approved. Documented and approved exceptions < 3% of the time.
Level 5 - Optimizing - Formally approved Process documentation exists, and exceptions are documented and approved. Documented and approved exceptions < 0,5% of the time.
Implementation Maturity
Not applicable - Not applicable in the selected scope.
Level 1 - Initial - Standard process does not exist.
Level 2 - Repeatable - Ad-hoc process exists and is done informally.
Level 3 - Defined - Formal process exists and is implemented. Evidence available for most activities. Less than 10% process exceptions.
Level 4 - Managed - Formal process exists and is implemented. Evidence available for all activities. Detailed metrics of the process are captured and reported. Minimal target for metrics has been established. Less than 5% of process exceptions.
Level 5 - Optimizing - Formal process exists and is implemented. Evidence available for all activities. Detailed metrics of the process are captured and reported. Minimal target for metrics has been established and continually improving. Less than 1% of process exceptions.
Description

Policies and procedures for information security and cyber security shall be created, documented, reviewed, approved, and updated when changes occur.