What is this standard about?
Organizations need to protect themselves and their stakeholders from the consequences of cyber-related failures and errors as well as malicious cyberattacks.
At the same time, there’s an increasing need for organizations to demonstrate to stakeholders that their operations and processes are protected, particularly since organizations are now held accountable by regulation and society in general.
This standard therefore exists to improve top management’s strategic understanding of the risks associated with IT activities and support decision making that ensures good cyber resilience.
Who is this standard for?
This standard is written in user-friendly, non-technical language for all types and sizes of organization. However it’s particularly targeted at:
- Governing bodies
- Executive management
- Risk management professionals
- Information technology professionals
Why should you use this standard?
It provides good practice for boards, senior executives and risk managers on cyber risk management by describing what cyber risk is and how to identify, assess, and mitigate these risks within the organization’s overall risk management framework.
It provides strategic insight and guidance on where to focus to ensure that cyber resilience is built in across all levels and functions of the organization.
It provides management with an improved business understanding of the risks associated with information technology activities and supports effective decision-making.
It also helps the organization demonstrate to external stakeholders and interested parties that its cyber security provisions are effective, resilient and mature.
A key factor is that cyber risk is not limited to the IT department but impacts the entire organization. So the standard is applicable to all subject areas, focusing on risk, resilience and information security rather than just on technology aspects.