GOV-003 Management Commitment and Accountability
Description
Senior management actively sponsors and directs the information security program. This is evidenced by a named executive owner, security objectives included in organizational goals, and documented management review of security program status at defined intervals.
Rationale
Information security requires ongoing resource allocation and decision authority that only executive sponsorship can provide. Without it, the program lacks the mandate to enforce controls across business units.
Framework Mappings (5)
| Reference | Framework control | Coverage |
|---|---|---|
| 5.4 | Management responsibilities | full |
| PM-1 | Information Security Program Plan | partial |
| GOVERN 2.3 | Executive Leadership Accountability | partial |
| CC1.2 | COSO Principle 2: Exercises Oversight Responsibility | partial |
| CC1.5 | COSO Principle 5: Enforces Accountability | partial |
Evidence (2)
Management review meeting minutes or board/executive committee agenda showing security program status was reviewed by senior management at defined intervals.
Example: Board or executive team meeting minutes (Google Drive / board portal) from the most recent review cycle, with an agenda item for information security, attendance list including a C-level or equivalent, and documented outcomes.
Test: Request the last two management review meeting minutes that include a security agenda item. Verify: (1) a named executive-level attendee is recorded, (2) security program status or metrics were presented, (3) the review occurred within the defined interval (typically 12 months), (4) action items or decisions are documented.
Documented security objectives aligned to organizational goals, approved by senior management.
Example: Annual security objectives document (Confluence / OKR tool such as Lattice or Notion), showing named executive sponsor, approval date, and security goals mapped to organizational priorities.
Test: Request the current security objectives or OKR document. Verify: (1) security objectives are stated, (2) a named executive owner is identified, (3) objectives are dated within the current year or last review cycle, (4) there is a mechanism (meeting cadence, status updates) for tracking progress.
Questions (2)
Is your information security program sponsored by a named executive who is accountable for its direction and resources?
The sponsor should be a C-level executive or equivalent who is named in the security program documents and receives regular program status updates.
How frequently does senior management formally review the status of the information security program?
Management review meetings should produce documented minutes with security agenda items, attendance records, and action items. Annual is the typical minimum.