What are Policies and Procedures (GV.PO)?

Organizational cybersecurity policies, processes, and procedures are established and communicated (formerly ID.GV-1)

GV.PO-01: Policies, processes, and procedures for managing cybersecurity risks are established based on organizational context, risk management strategy, and priorities and are communicated (formerly ID.GV-1)



The same policies used internally are applied to suppliers



Policies and procedures are reviewed, updated, and communicated to reflect changes in requirements, threats, technology, and organizational mission