- The board of directors has a fiduciary duty to ensure that the company and its management have implemented adequate controls to mitigate risk to the organisation's business operations and its response to cybersecurity incidents.
- On a regular basis, the board should receive reports on cybersecurity activities and the risks associated with them, metrics on IT performance, and the efforts taken by management to monitor and mitigate risk.
- The board should assess the adequacy of the resources devoted to policies addressing cybersecurity, the support required, and the sufficiency of the controls in place regarding protection of data, compliance and education efforts.
- It should also review the measures taken by management to prevent cyber risk.
The ISO 27000 series is the main standard used in organisations, and ISO/IEC 27014:2020 addresses the governance of information security and sets out the responsibilities of the board in four governance processes: evaluate, direct, monitor and communicate.