NIST CSF 2.0 - Govern

GV.OC-01: Organizational Context

GV.OC-01 requires that the organizational mission is understood and informs cybersecurity risk management. This NIST CSF 2.0 outcome falls under the Govern (GV) function and the Organizational Context category. Use this page to verify implementation and prepare evidence for auditors.

Control Details

Control ID
GV.OC-01
Title
Organizational Context
Function
Govern (GV)
Category
Organizational Context
Framework
NIST CSF 2.0

The organizational mission is understood and informs cybersecurity risk management.

In practice, leadership defines the scope and boundaries of the cybersecurity program based on the organization's mission and stakeholder expectations, so that risk decisions are made against what the organization actually exists to do.

Why This Matters

Without aligning cybersecurity to the organizational mission, security investments may not address the risks that matter most. Misalignment leads to wasted budgets and unprotected critical operations.

Implementation Checklist

Use this checklist to verify your organization meets the requirements of GV.OC-01.

Evidence an Auditor Expects

Prepare the following documentation and artifacts to demonstrate compliance with GV.OC-01 during an audit.

  • Documented mission statement referencing cybersecurity priorities
  • Stakeholder register with documented expectations
  • Cybersecurity program charter or scope document
  • Business process-to-asset mapping diagrams

Common Gaps We Find

Based on our penetration testing and risk assessment engagements, these are the gaps organizations most frequently have with GV.OC-01.

  • Cybersecurity program scope is never formally documented
  • Mission statement exists but does not reference risk or security obligations
  • No periodic review cycle to update organizational context

FAQ

What does GV.OC-01 require?
GV.OC-01 (Organizational Context) requires that the organizational mission is understood and informs cybersecurity risk management. Leadership defines the scope and boundaries of the cybersecurity program based on the organization's mission and stakeholder expectations. This control is part of the NIST CSF 2.0 Govern function under the Organizational Context category.
How do I prove compliance with GV.OC-01?
To demonstrate compliance with GV.OC-01, prepare the following evidence: Documented mission statement referencing cybersecurity priorities; Stakeholder register with documented expectations; Cybersecurity program charter or scope document. Auditors will verify that these artifacts exist and reflect current operational practices.

Need Help Meeting NIST CSF 2.0 Requirements?

Our penetration testing and risk assessments map directly to NIST CSF 2.0 controls. Sherlock Forensics identifies gaps in your compliance posture and provides actionable remediation guidance.

Get a Compliance Assessment