G-7 FUNDAMENTAL ELEMENTS FOR EFFECTIVE ASSESSMENT
OF CYBERSECURITY IN THE FINANCIAL SECTOR
Executive Summary
Recognizing the continued pervasiveness of cyber risks and the need for sustained efforts to
enhance cybersecurity in the financial sector, the G-7 developed a set of fundamental
elements for the effective assessment of cybersecurity.
In October 2016, the G-7 published the G-7 Fundamental Elements of Cybersecurity for the
Financial Sector (‘G7FE’). The G7FE provide a set of effective cybersecurity practices
within private entities, public authorities, and the financial sector (‘entities’). They aim to
build greater financial system resilience by supporting private and public entities as they
design and implement cybersecurity policies and operating frameworks. The G7FE are
nonbinding, high-level building blocks that provide the foundation for private and public
entities as they develop their approach to cybersecurity, supported by their risk management
and culture.
The G-7 Fundamental Elements for Effective Assessment promote the effective practices
outlined in the G7FE by focusing on how well these practices are performed and assessed.
The G7FE will be most impactful if they are accompanied by a set of desirable outcomes
(Part A), and a process for their assessment and review (Part B). Specifically,
Part A describes five desirable outcomes that a mature entity would likely exhibit
and that less mature entities can aim for. The outcomes build on the G7FE by
encouraging entities to continue developing their cybersecurity and by providing further
characteristics for assessing the effectiveness of cybersecurity capabilities (the ‘what’).
Part B sets out five assessment components which assessors can use to develop their
approach to assessing progress as entities build and enhance their cybersecurity. The
components aim to promote the quality of cybersecurity assessments, to facilitate a
process of continuous improvement. They also provide confidence in the scope,
execution, and communication of assessment results. Together, they help the
assessment by describing the effectiveness of cybersecurity assessments (the ‘how’).
Desirable Outcomes
1. The Fundamental Elements (G7FE) are in place.
2. Cybersecurity influences organizational decision-making.
3. There is an understanding that disruption will occur.
4. An adaptive cybersecurity approach is adopted.
5. There is a culture that drives secure behaviors.

Assessment Components
1. Establish clear assessment objectives.
2. Set and communicate methodology and expectations.
3. Maintain a diverse toolkit and process for tool selection.
4. Report clear findings and concrete remedial actions.
5. Ensure assessments are reliable and fair.
The G-7 Fundamental Elements for Effective Assessment serve as tools to guide and drive
internal and external discussions on risk management decisions critical to cybersecurity. For
TLP WHITE: Subject to standard copyright rules, this document may be distributed freely, without restriction.