GV.PO-01: Policy for managing cybersecurity risks is established based on organizational context, cybersecurity strategy, and priorities and is communicated and enforced
Ex1: Create, disseminate, and maintain an understandable, usable risk management policy with statements of management intent, expectations, and direction
Ex2: Periodically review policy and supporting processes and procedures to ensure that they align with risk management strategy objectives and priorities, as well as the high-level direction of the cybersecurity policy
Ex3: Require approval from senior management on policy
Ex4: Communicate cybersecurity risk management policy and supporting processes and procedures across the organization
Ex5: Require personnel to acknowledge receipt of policy when first hired, annually, and whenever policy is updated
Tier
Description
Policy for managing cybersecurity risks is established based on organizational context, cybersecurity strategy, and priorities and is communicated and enforced