Chapter 15 Internal Organization Context

Domenic Antonucci, Editor and Chief Risk Officer, Australia Bassam Alwarith, Head of the National Digitization Program, Ministry of Economy and Planning, Saudi Arabia

Cyber risk is an enterprise-wide risk, not just an IT risk. The cyber risk management system comes under the umbrella enterprise risk management system,” declared Nathan, the chief risk officer. Tom the CEO looked at Nathan and Grace, his head of human resources, both sitting in his office, and replied, “OK, but what does that mean? Our techies aren’t famous for dealing with the rest of the business. In your roles, both of you engage in stewardship and coordination, so tell me how we internally organize. I want to know which functions are accountable and responsible for what, as well as how they are to internally support, consult, and inform each other.”

The Internal Organization Context for Cybersecurity

There are several international standards and voluntary guidance code approaches to understanding internal organization context. They are voluntary, as they are not mandated by laws.

Standards and Guidance Approaches

One set of standards that can be adapted to cybersecurity is from ISO/IEC 27001:2013 Information Technology–Security Techniques–Information Security Management Systems–Requirements. It covers the essential components for the cybersecurity internal organization context from the perspective of its parent, the information security function. These cover management ...

Get The Cyber Risk Handbook now with O’Reilly online learning.

O’Reilly members experience live online training, plus books, videos, and digital content from 200+ publishers.