Business Environment
Understand the organization's mission, stakeholders, and criticality.
7 of 9 frameworks cover this control
Framework Mappings
How Business Environment maps to each of the 9 cybersecurity frameworks tracked by ControlMap.
| Framework | Status | Control IDs |
|---|---|---|
| NIST CSF 2.0 | Covered | ID.BE-01 |
| ISO 27001 | Covered | A.5.1 |
| CIS v8 | Not Covered | — |
| SOC 2 | Covered | CC1.1 CC1.2 |
| PCI DSS | Covered | 12.1.1 |
| CMMC | Not Covered | — |
| 800-53 | Covered | PM-7 PM-11 |
| HIPAA | Covered | §164.308(a)(1)(i) |
| GDPR | Covered | Art.35(7)(b) |
About Business Environment
Business Environment is a cybersecurity control in the Identify domain. Understanding the business environment ensures that cybersecurity priorities align with the organization's mission, critical functions, and stakeholder expectations. This involves identifying key business processes, mapping dependencies between IT systems and business operations, and determining which assets are most critical to organizational success. A clear understanding of business context enables security teams to make informed decisions about risk tolerance, resource allocation, and which systems require the highest levels of protection.
This control is recognized by 7 of the 9 major frameworks: NIST CSF 2.0, ISO 27001, SOC 2, PCI DSS, 800-53, HIPAA, and GDPR. It is not covered by CIS v8 or CMMC, which represents a potential gap for organizations relying solely on those frameworks.