Is there a documented cybersecurity strategy that aligns with business objectives and is reviewed annually by leadership?
Description
What this control does
This control ensures the organization maintains a formally documented cybersecurity strategy that directly supports and aligns with enterprise business objectives, risk appetite, and operational priorities. The strategy must be reviewed and approved at least annually by executive leadership or the board to ensure continued relevance as business conditions, threat landscapes, and regulatory requirements evolve. This governance mechanism bridges the gap between technical security operations and strategic business decision-making, ensuring cybersecurity investments and priorities remain synchronized with organizational goals.
Control objective
What auditing this proves
Demonstrate that a documented cybersecurity strategy exists, explicitly references business objectives, receives annual executive review and approval, and drives security program planning and resource allocation decisions.
Associated risks
Risks this control addresses
- Cybersecurity investments misaligned with business priorities result in wasted resources on low-impact controls while critical business assets remain underprotected
- Executive leadership makes strategic business decisions without understanding cybersecurity implications, creating unforeseen security debt and exposures
- Outdated strategy documents fail to address emerging threats such as ransomware-as-a-service or supply chain attacks relevant to current business operations
- Lack of leadership engagement prevents allocation of sufficient budget and authority to implement necessary security controls during digital transformation initiatives
- Security program operates tactically without strategic direction, leading to reactive incident response rather than proactive risk management
- Regulatory compliance failures occur when cybersecurity strategy does not account for new legal obligations related to business expansion into regulated markets
- Merger and acquisition activities introduce security gaps because the strategy does not guide due diligence or integration security requirements
Testing procedure
How an auditor verifies this control
- Request the current cybersecurity strategy document and all versions from the past 24 months with version control metadata and approval signatures
- Review the strategy document to identify explicit references to documented business objectives, strategic initiatives, revenue streams, or risk appetite statements
- Verify the strategy addresses the organization's specific threat profile based on industry sector, geographic presence, data types handled, and technology stack
- Examine board meeting minutes, executive leadership meeting records, or audit committee minutes for evidence of annual strategy review discussions
- Obtain documentation of leadership approval such as signed approval memos, email confirmations from C-suite executives, or board resolutions accepting the strategy
- Interview the CISO or equivalent security leader to confirm how the strategy influences budget requests, staffing decisions, and security initiative prioritization
- Cross-reference the strategy against current-year security program plans, project roadmaps, and capital expenditure requests to validate operational alignment
- Review change management records or strategy update logs to confirm the document reflects recent business changes such as new product lines, acquisitions, or regulatory obligations