You understand the critical business services that create value for your organization, and you have identified and defined the critical processes, data and technology (applications and cloud/infrastructure assets) that underpin them.
Your cyber risk appetite is defined in specific, objective and measurable terms. For example, you have defined the levels of financial, operational, reputational and compliance-related impact that you’re prepared to tolerate.
Your enterprise-level cyber risks are defined in business-outcome terms, and you report on a sensible number of them. (Hint: one is too few to distinguish between the different outcomes a cyber-attack can produce; more than ten is too many to digest and manage at the executive level.)
You have clearly defined target risk positions for each of your cyber risks that are understood and endorsed by your senior leadership team (your executive team and Board).
You have a clearly defined and funded cyber strategy and roadmap that sets out the major control remediation initiatives required to achieve your target risk positions, as well as how and when you will deliver them.
Your cyber strategy is explicitly linked to and incorporated within your organization’s business strategy.