Governance Policy
Establish and maintain cybersecurity governance policies and procedures.
9 of 9 frameworks cover this control
Framework Mappings
How Governance Policy maps to each of the 9 cybersecurity frameworks tracked by ControlMap.
| Framework | Status | Control IDs |
|---|---|---|
| NIST CSF 2.0 | Covered | GV.OC-01 GV.PO-01 |
| ISO 27001 | Covered | A.5.1 A.5.2 |
| CIS v8 | Covered | CIS 1.1 |
| SOC 2 | Covered | CC1.1 CC1.2 CC1.3 |
| PCI DSS | Covered | 12.1.1 12.1.2 |
| CMMC | Covered | CA.L2-3.12.1 CA.L2-3.12.4 |
| 800-53 | Covered | PL-1 PM-1 |
| HIPAA | Covered | §164.308(a)(1)(i) §164.316(a) |
| GDPR | Covered | Art.5(2) Art.24(1) Art.24(2) |
About Governance Policy
Governance Policy is a cybersecurity control in the Govern domain: establish and maintain cybersecurity governance policies and procedures. Cybersecurity governance policies form the foundation of an organization's security program, defining the rules, standards, and expectations for how cybersecurity risks are managed. Effective governance includes establishing clear ownership, defining acceptable use policies, and creating a framework for decision-making that aligns security objectives with business goals. Organizations should review and update governance policies at least annually, or whenever significant changes occur in the threat landscape or business operations.
This control is recognized by all 9 of the major frameworks tracked by ControlMap: NIST CSF 2.0, ISO 27001, CIS v8, SOC 2, PCI DSS, CMMC, 800-53, HIPAA, and GDPR.