CAF - A1.c Decision-making and approval

This article provides additional information on how you can meet the requirement for the CAF control A1.c Decision-making and approval.

Establish Senior Accountability

  • A member of the board should have overall accountability for the security of your company's information, systems and networks.
  • Integrate cyber risks into board-level discussions, ensuring they are reviewed alongside financial, operational, and reputational risks.

Define and Communicate Risk Appetite

  • Outline and communicate the company's risk appetite. This is specified in the Risk Management Policy.

Delegate Decision-Making Authority

  • Authority for operational security decisions—such as access changes, configuration approvals, supplier assessments, and incident response actions—is delegated to individuals with the appropriate expertise and role-based authority.
  • In the Adoptech platform, owners are explicitly assigned for risks, controls, compliance checks, policies, and tests, ensuring decisions are traceable and aligned with defined responsibilities.

Implement Monitoring and Review Mechanisms

  • Set up regular reporting (e.g., quarterly risk reports and KPI results) to senior management.
  • Decisions are documented within Adoptech through updated risk treatments, control status changes, evidence submissions, and policy approvals.