Organizational cybersecurity policies, processes, and procedures are established and communicated (formerly ID.GV-1)
GV.PO-01: Policies, processes, and procedures for managing cybersecurity risks are established based on organizational context, risk management strategy, and priorities and are communicated (formerly ID.GV-1)
GV.PO-02:
The same policies used internally are applied to suppliers
GV.PO-03:
Policies and procedures are reviewed, updated, and communicated to reflect changes in requirements, threats, technology, and organizational mission