Question: Has the organization established a governing body or committee overseeing cybersecurity and privacy programmes?
Objective — Why This Matters
A cross-functional committee unblocks decisions across IT, Legal, HR, Ops, and Finance, and provides continuity when people change.
Maturity Levels (0–5)
| Level | Name | Description |
|---|---|---|
| 0 | Unaware | No committee. |
| 1 | Ad Hoc | Group meets informally. |
| 2 | Defined | Charter + quorum; monthly cycle. |
| 3 | Managed | Agenda, minutes, action tracker. |
| 4 | Integrated | Links to ERM, internal audit, budget. |
| 5 | Optimized | Effectiveness KPIs; annual review of charter. |
How to Level Up
| From → To | Actions |
|---|---|
| 0 → 1 | Identify members; draft charter and objectives. |
| 1 → 2 | Approve charter; schedule standing meetings. |
| 2 → 3 | Maintain agenda/minutes; track actions in a shared board. |
| 3 → 4 | Integrate risk, audit, and budget reviews. |
| 4 → 5 | Publish KPIs; refresh membership annually. |
People / Process / Technology Enablers
- People: Chair, secretary, function reps.
- Process: Agenda template; action register.
- Technology: Calendar with recurring invite; shared board.
Evidence Required
- Charter; membership list.
- Minutes of the last 3 meetings; action log with closures.
Metrics / KPIs
- Attendance %; actions closed vs opened.
- Time to decision for escalations.
- Number of policy exceptions approved.
Low-Cost / Open-Source Options (MSME)
| Purpose | Tool | Notes |
|---|---|---|
| Minutes | Markdown in repo | PR = approval. |
| Actions | GitHub Projects | Kanban per meeting. |
| Calendar | Google Calendar | Recurring with agenda link. |
Common Pitfalls
- Committee exists only on paper.
- No quorum; decisions deferred.
- Minutes not stored/versioned.
Compliance Mapping
| Standard | Clauses / Notes |
|---|---|
| ISO/IEC 27001:2022 | 5.3, 9.3 |
| NIRMATA Scoring | GL-Q09 requires active committee with evidence. |