
Executive Advisory

Building a Cybersecurity Governance Framework from Scratch

Simone Nogara


May 2025 · 8 min read

Many organisations — particularly those that have grown rapidly through acquisition or those operating in sectors not traditionally considered high-risk — find themselves without a coherent cybersecurity governance framework. Ad hoc technical controls may exist, but the governance layer that provides strategic direction, accountability, and assurance is absent.

The introduction of NIS2[1], the expanding scope of DORA[2], and increasing investor scrutiny of cybersecurity maturity have made governance frameworks an operational necessity rather than a compliance aspiration. Building one from scratch requires a structured approach that balances comprehensiveness with pragmatism — an overly ambitious programme that stalls in implementation is worse than a focused framework that delivers tangible governance improvement within months.

Establishing the Governance Structure

Governance begins with clear roles, responsibilities, and reporting lines. The first step is to define who is accountable for cybersecurity at each level of the organisation. At board level, this means either designating a board member with specific cybersecurity oversight responsibility or establishing a dedicated sub-committee of the board. Under NIS2 (Article 20), the management bodies of in-scope entities must approve and oversee the cybersecurity risk-management measures and can be held liable for infringements, which makes this more than a matter of good practice.

Below the board, a cybersecurity steering committee should bring together senior representatives from IT, legal, risk, operations, and finance. This committee translates board-level risk appetite into operational policy, reviews security metrics, approves investment priorities, and escalates material issues to the board. Meeting cadence should be quarterly at minimum, with provision for emergency sessions following significant incidents or threat changes.

The operational layer requires a designated Chief Information Security Officer (CISO) or equivalent role with sufficient authority, budget, and access to senior management. For smaller organisations, a virtual CISO arrangement can provide the necessary expertise without the overhead of a full-time executive hire. The critical requirement is that the function has a reporting line independent of IT operations, so that the people who run the systems are not also the people who judge whether those systems are secure.

Designing the Policy Hierarchy

A well-structured policy hierarchy typically comprises three levels. At the top, an information security policy sets out the organisation's overarching commitment to cybersecurity, defines scope, establishes principles, and assigns high-level accountabilities. This document should be approved by the board and reviewed annually. It should be concise — no more than five to eight pages — and written in language accessible to non-technical stakeholders.

The second tier comprises domain-specific standards that address particular areas of cybersecurity: access management, data classification, incident response, business continuity, third-party risk management, and network security. Each standard should define mandatory requirements, reference applicable regulations and industry frameworks, and specify the roles responsible for implementation and compliance verification.

The third tier consists of operational procedures and guidelines that provide step-by-step instructions for implementing the standards. These are living documents maintained by the operational security team and updated as systems, tools, and threats evolve. The separation between standards (what must be done) and procedures (how to do it) enables governance stability while allowing operational flexibility.

Conducting the Initial Risk Assessment

The governance framework must be grounded in a thorough understanding of the organisation's risk landscape. The initial risk assessment should identify critical assets (systems, data, and processes essential to business operations), map threats relevant to the organisation's sector and operating model, evaluate existing controls, and quantify residual risk.

Adopt a methodology aligned with recognised standards — ISO 27005 provides a comprehensive framework, while NIST SP 800-30 offers a more prescriptive approach. The methodology should produce a risk register that ranks identified risks by likelihood and impact, assigns ownership to specific individuals, and documents treatment decisions (accept, mitigate, transfer, or avoid). The risk register becomes the foundation for investment prioritisation and board reporting.

Avoid the temptation to assess every conceivable risk in the initial exercise. Focus on the most material exposures — those that could cause significant financial loss, regulatory sanction, or operational disruption. A pragmatic initial assessment covering the top twenty to thirty risks is more valuable than an exhaustive catalogue that overwhelms the organisation's capacity to respond.
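The register described above is easy to keep honest in code. The following is an added example in Python, not part of the article: it scores each risk, ranks the register, and surfaces the governance exceptions a steering committee should see before the register goes to the board. The 1-5 likelihood and impact scales, the product score, and the appetite threshold of 12 are assumptions (ISO 27005 and NIST SP 800-30 leave the scales to the organisation), and the register entries are constructed sample data.

```python
"""Risk register scoring and governance checks.

Added example, not from the article. The 1-5 likelihood and impact scales,
the product score, and the risk appetite threshold of 12 are assumptions;
ISO 27005 and NIST SP 800-30 leave the scales to the organisation. The
register entries are constructed sample data.
"""
from dataclasses import dataclass
from typing import List, Optional

TREATMENTS = {"accept", "mitigate", "transfer", "avoid"}


@dataclass
class Risk:
    ref: str
    title: str
    likelihood: int            # 1 (rare) .. 5 (almost certain)
    impact: int                # 1 (negligible) .. 5 (severe)
    owner: Optional[str]       # named individual accountable for the risk
    treatment: Optional[str]   # documented treatment decision

    def score(self) -> int:
        if not (1 <= self.likelihood <= 5 and 1 <= self.impact <= 5):
            raise ValueError(f"{self.ref}: likelihood and impact must be 1-5")
        return self.likelihood * self.impact


def rank(register: List[Risk], top_n: Optional[int] = None) -> List[Risk]:
    """Highest score first; ties broken by impact so severe-but-rare risks are not buried."""
    ordered = sorted(register, key=lambda r: (-r.score(), -r.impact, r.ref))
    return ordered[:top_n] if top_n is not None else ordered


def exceptions(register: List[Risk], appetite: int = 12) -> List[str]:
    """Findings a steering committee should see before the register goes to the board."""
    findings = []
    for r in register:
        if not r.owner:
            findings.append(f"{r.ref}: no owner assigned")
        if r.treatment not in TREATMENTS:
            findings.append(
                f"{r.ref}: treatment decision missing or invalid ({r.treatment!r})")
        elif r.treatment == "accept" and r.score() > appetite:
            findings.append(
                f"{r.ref}: score {r.score()} exceeds appetite {appetite} "
                f"but is marked 'accept'; needs board sign-off")
    return findings


# Constructed sample register (hypothetical risks, owners and decisions).
SAMPLE_REGISTER = [
    Risk("R-01", "Ransomware via unpatched VPN appliance", 4, 5, "Head of Infrastructure", "mitigate"),
    Risk("R-02", "Breach at third-party payroll provider", 3, 4, "CFO", "transfer"),
    Risk("R-03", "Shared privileged admin account", 5, 3, None, "mitigate"),
    Risk("R-04", "Legacy ERP platform out of vendor support", 2, 5, "CIO", "accept"),
    Risk("R-05", "Phishing leading to payment fraud", 4, 4, "CISO", "accept"),
    Risk("R-06", "Flooding of primary office", 1, 2, "Facilities Manager", "retain"),
]

if __name__ == "__main__":
    for r in rank(SAMPLE_REGISTER, top_n=3):
        print(f"{r.ref} score={r.score():2d} {r.title} (owner: {r.owner})")
    for f in exceptions(SAMPLE_REGISTER):
        print("EXCEPTION:", f)
```

Run as a script, the sample register ranks R-01, R-05 and R-03 at the top and raises three exceptions: R-03 has no owner, R-05 is marked accepted above the appetite threshold, and R-06 uses a treatment value the policy does not define. The last two are exactly the cases that otherwise slip into a board pack unnoticed.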

Establishing Board Reporting Mechanisms

Effective board reporting on cybersecurity requires a format that conveys meaningful information without overwhelming non-specialist directors. The reporting pack should include a risk dashboard summarising the current threat landscape and any changes since the last report, the status of key risk indicators, material incidents and near-misses, and compliance posture against applicable regulations.

Metrics should be carefully selected to provide genuine insight rather than false assurance. Avoid vanity metrics such as the number of blocked attacks, which says little about residual risk. Instead, report on metrics that reflect governance effectiveness: percentage of critical systems covered by the security programme, mean time to detect and mean time to respond to incidents, the share of critical vulnerabilities patched within the agreed remediation timeframe, third-party risk assessment completion rates, and employee security awareness training coverage. Each metric needs a documented definition and data source so that successive reports are comparable.
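Two of those metrics are routinely misreported because their definitions are left implicit. The following added example in Python (not from the article) computes mean time to detect, mean time to respond and critical patch compliance from operational records. The definitions it uses (MTTD from occurrence to detection, MTTR from detection to containment, a 14-day remediation timeframe for critical findings, and exclusion of findings that are not yet due) are assumptions that each organisation should fix in its standards; the incident and vulnerability records are constructed sample data.

```python
"""Board key risk indicators computed from operational records.

Added example, not from the article. All records are constructed sample data.
Assumed definitions: MTTD = occurrence to detection, MTTR = detection to
containment, and critical findings must be patched within 14 days of
publication. Findings whose deadline has not yet passed are excluded so the
metric cannot be flattered by newly published vulnerabilities.
"""
from datetime import date, datetime, timedelta
from statistics import mean
from typing import Optional

CRITICAL_PATCH_SLA = timedelta(days=14)  # assumed remediation timeframe

# (occurred, detected, contained) in ISO 8601; constructed sample incidents
INCIDENTS = [
    ("2025-02-03T09:00", "2025-02-03T11:30", "2025-02-03T18:00"),
    ("2025-02-20T22:00", "2025-02-22T08:00", "2025-02-23T12:00"),
    ("2025-03-11T14:15", "2025-03-11T14:45", "2025-03-11T16:45"),
]

# (id, severity, published, patched or None); constructed sample findings
VULNERABILITIES = [
    ("V-101", "critical", "2025-02-01", "2025-02-10"),  # patched within 14 days
    ("V-102", "critical", "2025-02-05", "2025-02-25"),  # patched late
    ("V-103", "critical", "2025-02-15", None),          # still open, past deadline
    ("V-104", "high",     "2025-02-10", None),          # not critical, out of scope
    ("V-105", "critical", "2025-03-20", None),          # not yet due on the report date
]


def _hours(start: str, end: str) -> float:
    return (datetime.fromisoformat(end) - datetime.fromisoformat(start)).total_seconds() / 3600


def mttd_hours(incidents=INCIDENTS) -> float:
    """Mean time to detect: occurrence to detection, in hours."""
    return round(mean(_hours(occurred, detected) for occurred, detected, _ in incidents), 1)


def mttr_hours(incidents=INCIDENTS) -> float:
    """Mean time to respond: detection to containment, in hours."""
    return round(mean(_hours(detected, contained) for _, detected, contained in incidents), 1)


def critical_patch_compliance_pct(vulns=VULNERABILITIES, as_of: str = "2025-03-31") -> Optional[float]:
    """Share of critical findings past their deadline that were patched in time.

    An open finding past its deadline counts as a miss. Returns None when
    nothing was due, rather than a misleading 100 %.
    """
    today = date.fromisoformat(as_of)
    due = compliant = 0
    for _, severity, published, patched in vulns:
        if severity != "critical":
            continue
        deadline = date.fromisoformat(published) + CRITICAL_PATCH_SLA
        if deadline > today:
            continue
        due += 1
        if patched is not None and date.fromisoformat(patched) <= deadline:
            compliant += 1
    return round(100 * compliant / due, 1) if due else None


def board_dashboard() -> dict:
    return {
        "mttd_hours": mttd_hours(),
        "mttr_hours": mttr_hours(),
        "critical_patch_compliance_pct": critical_patch_compliance_pct(),
    }


if __name__ == "__main__":
    for name, value in board_dashboard().items():
        print(f"{name}: {value}")
```

On the sample data the dashboard reports an MTTD of 12.3 hours and an MTTR of 12.2 hours, dominated by the second incident that sat undetected over a weekend, and critical patch compliance of 33.3 %: only one of the three findings that were due was remediated in time, and V-105 is correctly left out because its deadline has not yet passed on the report date.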

The reporting cadence should align with board meeting schedules — typically quarterly — with provision for ad hoc reporting of material incidents. Each report should conclude with clear decisions required from the board: risk acceptance recommendations, investment approvals, or policy endorsements. This ensures board engagement moves beyond passive receipt of information to active governance participation.

Aligning with ISO 27001

While formal ISO 27001 certification may not be an immediate objective, building the governance framework in alignment with the standard ensures credibility with stakeholders, simplifies future certification, and provides a comprehensive control catalogue against which to assess maturity. The 2022 revision of ISO/IEC 27001 reorganises the 93 Annex A controls into four themes: organisational, people, physical, and technological, a structure that maps naturally to the governance framework described above.

Prioritise implementation of the organisational controls first, as these underpin the entire framework: information security policies, defined roles and responsibilities, threat intelligence, asset management, access control policies, and supplier relationship security. Technical controls should follow, guided by the risk assessment findings. Physical controls and people-focused controls (training, screening, terms of employment) complete the picture.

Maintain a Statement of Applicability from the outset, documenting which ISO 27001 Annex A controls are applicable, the rationale for any exclusions, and the current implementation status. This document serves as both a governance tool and a readiness indicator for eventual certification. It also provides a clear, structured basis for reporting security maturity to investors, regulators, and counterparties during due diligence processes.

References

  1. Directive (EU) 2022/2555 (NIS2 Directive). EUR-Lex
  2. Regulation (EU) 2022/2554 (Digital Operational Resilience Act — DORA). EUR-Lex
