This article provides additional information on how you can meet the requirements of CAF control A1.a (Board direction).
Establish clear board-level ownership for cyber security:
- Formally assign responsibility for cyber security to a named board member.
- Record this assignment in board minutes or terms of reference.
Demonstrate active, ongoing board engagement
The board (or a formally delegated committee with board members) must:
- Receive regular (at least quarterly) cyber security reports that include:
  - Current risk posture and key risk indicators
  - Progress against the cyber security objectives
  - Major incidents and lessons learned
- Record discussions and decisions in board/committee minutes (e.g., approving new investments, accepting or mitigating risks).
- Review cyber security budget and resource allocation.
Define and approve a Cyber Security / Information Security Policy Statement
This statement should be signed by a member of the board. The document should be reviewed and re-approved at least annually or after major incidents/changes.
Communicate the board’s expectations across the organisation
Direction must come from senior management. Examples include:
- Publishing the signed statement on the intranet, including it in staff induction packs, and sending it to staff on an annual basis.
- The CEO sending an all-staff email or video annually reinforcing the board's commitment.
- Including cyber security as a standing agenda item in all-staff town halls.