0003485
ISO 37000:2021, Governance of organizations — Guidance, First Edition
International Organization for Standardization
International or National Standard
For Purchase
ISO 37000:2021
ISO 37000:2021, Governance of organizations — Guidance
2021-09-01
The document as a whole was last reviewed and released on 2022-06-29T00:00:00-0700.
This Authority Document In Depth Report is copyrighted - © 2024 - Network Frontiers LLC. All rights reserved. Copyright in the Authority Document analyzed herein is held by its authors. Network Frontiers makes no claims of copyright in this Authority Document.
This Authority Document In Depth Report is provided for informational purposes only and does not constitute, and should not be construed as, legal advice. The reader is encouraged to consult with an attorney experienced in these areas for further explanation and advice.
This Authority Document In Depth Report provides analysis and guidance for use and implementation of the Authority Document but it is not a substitute for the original authority document itself. Readers should refer to the original authority document as the definitive resource on obligations and compliance requirements.
This document has been mapped into the Unified Compliance Framework using a patented methodology and patented tools. The mapping team has made every effort to ensure that the quality of the mapping is of the highest degree. The process we use to map Authority Documents, and how to become involved in that process, are described on the UCF website.
When the UCF Mapping Teams tag Citations and their associated mandates within an Authority Document, those Citations and mandates are tied to Common Controls. Because each Citation and mandate is tied to a Common Control, three sets of metadata are associated with each Citation: Controls by Impact Zone, Controls by Type, and Controls by Classification.
The online version of the mapping analysis you see here is just a fraction of the work the UCF Mapping Team has done. The downloadable version of this document, available within the Common Controls Hub, contains the following:
Document implementation analysis – statistics about the document's alignment with Common Controls as compared to other Authority Documents, and statistics on usage of key terms and non-standard terms.
Citation and Mandate Tagging and Mapping – A complete listing of each Citation we found within ISO 37000:2021, Governance of organizations — Guidance, First Edition, tagged with its primary and secondary nouns and primary and secondary verbs, in four-column format. The first column shows the Citation (the marker within the Authority Document that points to where we found the guidance). The second column shows the Citation guidance itself, along with the tagging for the mandate we found within the Citation. The third column shows the Common Control ID that the mandate is linked to, and the fourth column gives the Common Control itself.
Dictionary Terms – The dictionary terms listed for ISO 37000:2021, Governance of organizations — Guidance, First Edition are based upon terms found within the Authority Document's defined terms section (which most legal documents have) or its glossary and, for the most part, upon terms tagged within each mandate. Terms shown as links are the standardized version of the term.
An Impact Zone is a hierarchical way of organizing our suite of Common Controls — it is a taxonomy. The top levels of the UCF hierarchy are called Impact Zones. Common Controls are mapped within the UCF’s Impact Zones and are maintained in a legal hierarchy within that Impact Zone. Each Impact Zone deals with a separate area of policies, standards, and procedures: technology acquisition, physical security, continuity, records management, etc.
The UCF created its taxonomy by looking at the corpus of standards and regulations through the lens of unification and a view toward how the controls impact the organization. Thus, we created a hierarchical structure for each impact zone that takes into account regulatory and standards bodies, doctrines, and language.
KEY: Primary Verb, Primary Noun, Secondary Verb, Secondary Noun, Limiting Term. Mandated - bold; Implied - italic; Implementation - regular.

| Common Control (CC ID) and cited ISO 37000:2021 mandate | TYPE | CLASS |
|---|---|---|
| Acquisition or sale of facilities, technology, and services CC ID 01123 | IT Impact Zone | IT Impact Zone |
| Establish, implement, and maintain a consumer complaint management program. CC ID 04570 [Assurance processes that inform the governing body independently and accurately include: whistleblowing processes and personnel and customer feedback mechanisms, both formal and informal (see NOTE 3). § 6.4.3.3 ¶ 2 Bullet 5] | Business Processes | Preventive |
| Document consumer complaints. CC ID 13903 | Business Processes | Preventive |
| Assess consumer complaints and litigation. CC ID 16521 | Investigate | Preventive |
| Notify the complainant about their rights after receiving a complaint. CC ID 16794 | Communicate | Preventive |
| Include how to access information from the dispute resolution body in the consumer complaint management program. CC ID 13816 | Establish/Maintain Documentation | Preventive |
| Include any requirements for using information from the dispute resolution body in the consumer complaint management program. CC ID 13815 | Establish/Maintain Documentation | Preventive |
| Post contact information in an easily seen location at facilities. CC ID 13812 | Communicate | Preventive |
| Provide users a list of the available dispute resolution bodies. CC ID 13814 | Communicate | Preventive |
| Post the dispute resolution body's contact information on the organization's website. CC ID 13811 | Communicate | Preventive |
| Establish, implement, and maintain consumer complaint escalation procedures. CC ID 07208 | Establish/Maintain Documentation | Preventive |
| Disseminate and communicate the consumer complaint management program to interested personnel and affected parties. CC ID 16795 | Communicate | Preventive |
| Report the analysis of consumer complaints to the Quality Management committee. CC ID 07209 | Actionable Reports or Measurements | Preventive |
| Establish, implement, and maintain notice and take-down procedures. CC ID 09963 | Establish/Maintain Documentation | Preventive |
| Check communications for take-down requests. CC ID 09964 | Monitor and Evaluate Occurrences | Preventive |
| Include complete information in the take-down request. CC ID 09965 | Business Processes | Detective |
| Include the complainant's contact information in the take-down request. CC ID 09966 | Business Processes | Detective |
| Include the identification of unlawful material or unlawful activities in the take-down request. CC ID 09967 | Business Processes | Detective |
| Include the identification of the right that has allegedly been infringed in the take-down request. CC ID 09968 | Business Processes | Detective |
| Include the remedial action required to be taken in respect of the complaint in the take-down request. CC ID 09969 | Business Processes | Detective |
| Include a statement by the complainant that the information is true and correct in the take-down request. CC ID 09970 | Business Processes | Preventive |
| Include a statement that the complainant is acting in good faith in the take-down request. CC ID 09971 | Business Processes | Detective |
| Include the written signature or electronic signature of the complainant in the take-down request. CC ID 09972 | Business Processes | Detective |
| Notify the complainant regarding any missing information in the take-down request. CC ID 09973 | Behavior | Preventive |
| Analyze the digital content hosted by the organization for any electronic material associated with the take-down request. CC ID 09974 | Business Processes | Detective |
| Document any unlawful material hosted or stored by the organization meeting the take-down request criteria. CC ID 09975 | Establish/Maintain Documentation | Preventive |
| Document any unlawful material hosted or stored by the organization meeting the take-down request criteria that has been removed prior to the take-down request. CC ID 09976 | Establish/Maintain Documentation | Preventive |
| Include whether it is technically feasible to follow the requested remedial action in the take-down request. CC ID 09977 | Establish/Maintain Documentation | Preventive |
| Remove all unlawful material associated with the take-down request that has not been removed and is feasible to remove. CC ID 09978 | Business Processes | Preventive |
| Notify the complainant when all unlawful material associated with the take-down notice that can be removed has been removed. CC ID 09979 | Business Processes | Preventive |
| Process product return requests. CC ID 11598 | Acquisition/Sale of Assets or Services | Corrective |
| Refrain from returning products absent a return request authorization. CC ID 11599 | Acquisition/Sale of Assets or Services | Corrective |
KEY: Primary Verb, Primary Noun, Secondary Verb, Secondary Noun, Limiting Term. Mandated - bold; Implied - italic; Implementation - regular.

| Common Control (CC ID) and cited ISO 37000:2021 mandate | TYPE | CLASS |
|---|---|---|
| Audits and risk management CC ID 00677 | IT Impact Zone | IT Impact Zone |
| Define the roles and responsibilities for personnel assigned to tasks in the Audit function. CC ID 00678 [{individual} To provide effective oversight of the organization, in addition to the reports it receives from those to whom they have delegated, the governing body should assure itself that the governance system is appropriately designed and operating as intended. If the governing body cannot assure itself directly, then it should utilize additional means of independent assurance. The governing body should: carefully scrutinize the reporting lines of those who provide assurance internally, to safeguard their independence and authority (see NOTE 1); § 6.4.3.3 ¶ 1 d)] | Establish Roles | Preventive |
| Manage supply chain audits. CC ID 01203 | Audits and Risk Management | Preventive |
| Review the external auditors' involvement in assessing Information Technology controls. CC ID 01204 | Audits and Risk Management | Preventive |
| Rotate auditors, as necessary. CC ID 15589 [Where external auditors are appointed, there should be a rotation of audit firms or auditors and careful consideration and transparency of the non-audit services they provide, to ensure continued independent assurance. § 6.4.3.3 ¶ 3] | Audits and Risk Management | Preventive |
| Assign the roles and responsibilities for the Board of Directors and senior management in the Audit function. CC ID 00679 [To provide effective oversight of the organization, in addition to the reports it receives from those to whom they have delegated, the governing body should assure itself that the governance system is appropriately designed and operating as intended. If the governing body cannot assure itself directly, then it should utilize additional means of independent assurance. The governing body should: demonstrate its commitment to assurance and communicate appropriately and clearly, throughout the organization, about its assurance system. § 6.4.3.3 ¶ 1 g)] | Establish Roles | Preventive |
| Assign the Board of Directors to address audit findings. CC ID 12396 [Assurance processes that inform the governing body independently and accurately include: direct verifications by the governing body; § 6.4.3.3 ¶ 2 Bullet 1] | Human Resources Management | Corrective |
| Assign the internal audit staff to be independent from business units reporting to the Board of Directors. CC ID 01184 | Establish Roles | Preventive |
| Define and assign the internal audit manager's roles and responsibilities. CC ID 00680 | Establish Roles | Preventive |
| Report audit findings by the internal audit manager directly to senior management. CC ID 01152 [Assurance processes that inform the governing body independently and accurately include: direct reports by, and private sessions with, internal audit as an independent provider of assurance, including insight and advice, on the effectiveness and performance of governance processes and the internal control system, in particular risk management and compliance management; § 6.4.3.3 ¶ 2 Bullet 3; Assurance processes that inform the governing body independently and accurately include: external audit and associated reporting to stakeholders and the governing body; § 6.4.3.3 ¶ 2 Bullet 4] | Testing | Detective |
| Assign the internal audit manager's compensation and performance review to the Board of Directors or audit committee. CC ID 01186 | Establish Roles | Preventive |
| Define and assign the internal audit staff's roles and responsibilities. CC ID 00681 | Establish Roles | Preventive |
| Assign the responsibility for operating an internal control system to the internal audit staff. CC ID 01187 | Establish Roles | Preventive |
| Define and assign the external auditor's roles and responsibilities. CC ID 00683 | Establish Roles | Preventive |
| Engage auditors who have adequate knowledge of the subject matter. CC ID 07102 | Audits and Risk Management | Preventive |
| Retain copies of external auditor outsourcing contracts and engagement letters. CC ID 01188 | Establish/Maintain Documentation | Preventive |
| Review external auditor outsourcing contracts and engagement letters. CC ID 01189 | Establish/Maintain Documentation | Preventive |
| Include roles and responsibilities in external auditor outsourcing contracts. CC ID 16523 | Establish/Maintain Documentation | Preventive |
| Include a change control clause in external auditor outsourcing contracts. CC ID 01192 | Establish/Maintain Documentation | Preventive |
| Include procedures for resolving problems in external auditor outsourcing contracts. CC ID 01196 | Establish/Maintain Documentation | Preventive |
| Include procedures for controlling the use of restricted information in external auditor outsourcing contracts. CC ID 01194 | Establish/Maintain Documentation | Preventive |
| Include reports and work paper Records Management practices in external auditor outsourcing contracts. CC ID 01195 | Establish/Maintain Documentation | Preventive |
| Include communication protocols in external auditor outsourcing contracts. CC ID 01201 | Establish/Maintain Documentation | Preventive |
| Review the external audit scope, as necessary. CC ID 01202 | Audits and Risk Management | Preventive |
| Review the external audit assertion for accuracy. CC ID 06977 | Testing | Detective |
| Review the risk assessments as compared to the in scope controls. CC ID 06978 | Testing | Detective |
| Include nondisclosure agreements in external auditor outsourcing contracts. CC ID 10014 | Audits and Risk Management | Detective |
| Include the scope and work to be performed in external auditor outsourcing contracts. CC ID 01190 | Establish/Maintain Documentation | Preventive |
| Include work status reporting requirements in the external auditor outsourcing contracts. CC ID 01191 | Establish/Maintain Documentation | Preventive |
| Include access to work papers in external auditor outsourcing contracts. CC ID 01193 | Establish/Maintain Documentation | Preventive |
| Review the external auditor's qualifications. CC ID 01197 | Audits and Risk Management | Preventive |
| Conduct a performance review of the external auditor's performance during the audit process. CC ID 01198 | Audits and Risk Management | Preventive |
| Review the adequacy of the external auditor's work papers and audit reports. CC ID 01199 | Establish/Maintain Documentation | Preventive |
| Review the conclusions of the external auditor's work papers and audit reports. CC ID 01200 | Establish/Maintain Documentation | Preventive |
| Question external auditors about how audits were conducted and what is in the audit reports. CC ID 04587 | Behavior | Preventive |
| Disseminate and communicate with the organization about any missing audit documentation. CC ID 06992 | Behavior | Preventive |
| Evaluate any refusal by the organization to provide missing audit documentation. CC ID 06993 | Establish/Maintain Documentation | Preventive |
| Take appropriate action if missing audit documentation compromises the audit. CC ID 06994 | Establish/Maintain Documentation | Preventive |
| Establish, implement, and maintain an audit program. CC ID 00684 [To provide effective oversight of the organization, in addition to the reports it receives from those to whom they have delegated, the governing body should assure itself that the governance system is appropriately designed and operating as intended. If the governing body cannot assure itself directly, then it should utilize additional means of independent assurance. The governing body should: ensure that assurance services provided to the governing body are integrated and optimized so that, taken as a whole, they support and enable an effective internal control system and address the organization's significant risks and material matters; § 6.4.3.3 ¶ 1 f); Assurance processes that inform the governing body independently and accurately include: external audit and associated reporting to stakeholders and the governing body; § 6.4.3.3 ¶ 2 Bullet 4] | Establish/Maintain Documentation | Preventive |
| Establish, implement, and maintain audit policies. CC ID 13166 | Establish/Maintain Documentation | Preventive |
| Assign the audit to impartial auditors. CC ID 07118 [The governing body should: assess its own competence, structures and processes, including drawing on the support of experienced, independent professionals, with respect to, for example, the adequacy of its effectiveness, efficiency, composition and its member succession plans; § 4.3.2 ¶ 2 d); To provide effective oversight of the organization, in addition to the reports it receives from those to whom they have delegated, the governing body should assure itself that the governance system is appropriately designed and operating as intended. If the governing body cannot assure itself directly, then it should utilize additional means of independent assurance. The governing body should: § 6.4.3.3 ¶ 1] | Establish Roles | Preventive |
| Define what constitutes a threat to independence. CC ID 16824 | Audits and Risk Management | Preventive |
| Determine if requested services create a threat to independence. CC ID 16823 | Audits and Risk Management | Detective |
| Exercise due professional care during the planning and performance of the audit. CC ID 07119 | Behavior | Preventive |
| Include resource requirements in the audit program. CC ID 15237 | Establish/Maintain Documentation | Preventive |
| Include risks and opportunities in the audit program. CC ID 15236 [To provide effective oversight of the organization, in addition to the reports it receives from those to whom they have delegated, the governing body should assure itself that the governance system is appropriately designed and operating as intended. If the governing body cannot assure itself directly, then it should utilize additional means of independent assurance. The governing body should: ensure that assurance services provided to the governing body are integrated and optimized so that, taken as a whole, they support and enable an effective internal control system and address the organization's significant risks and material matters; § 6.4.3.3 ¶ 1 f)] | Establish/Maintain Documentation | Preventive |
| Include provisions for legislative plurality and legislative domain in the audit program. CC ID 06959 | Audits and Risk Management | Preventive |
| Establish and maintain audit terms. CC ID 13880 | Establish/Maintain Documentation | Preventive |
| Refrain from approving changes to the audit terms absent reasonable justification. CC ID 13973 | Process or Activity | Preventive |
| Include a statement about the inherent limitations of the audit in the audit terms. CC ID 13883 | Establish/Maintain Documentation | Preventive |
| Include a statement that the audit will be conducted in accordance with attestation standards in the audit terms. CC ID 13882 | Establish/Maintain Documentation | Preventive |
| Establish, implement, and maintain agreed upon procedures that are in scope for the audit. CC ID 13893 | Establish/Maintain Documentation | Preventive |
| Establish, implement, and maintain an in scope system description. CC ID 14873 | Establish/Maintain Documentation | Preventive |
| Include in scope procedures in the audit assertion's in scope system description. CC ID 16551 | Audits and Risk Management | Preventive |
| Include roles and responsibilities in the audit assertion's in scope system description. CC ID 16558 | Audits and Risk Management | Preventive |
| Include the audit criteria in the audit assertion's in scope system description. CC ID 16548 | Audits and Risk Management | Preventive |
| Include third party data in the audit assertion's in scope system description. CC ID 16554 | Audits and Risk Management | Preventive |
| Include third party personnel in the audit assertion's in scope system description. CC ID 16552 | Audits and Risk Management | Preventive |
| Include compliance requirements in the audit assertion's in scope system description. CC ID 16506 | Audits and Risk Management | Preventive |
| Include third party assets in the audit assertion's in scope system description. CC ID 16550 | Audits and Risk Management | Preventive |
| Include third party services in the audit assertion's in scope system description. CC ID 16503 | Establish/Maintain Documentation | Preventive |
| Include monitoring controls in the audit assertion's in scope system description. CC ID 16501 | Establish/Maintain Documentation | Preventive |
| Include availability commitments in the audit assertion's in scope system description. CC ID 14914 | Establish/Maintain Documentation | Preventive |
| Include deviations and the corrective actions taken in the audit assertion's in scope system description. CC ID 16549 | Audits and Risk Management | Preventive |
| Include changes in the audit assertion's in scope system description. CC ID 14894 | Establish/Maintain Documentation | Preventive |
| Include external communications in the audit assertion's in scope system description. CC ID 14913 | Establish/Maintain Documentation | Preventive |
| Include a section regarding incidents related to the system in the audit assertion's in scope system description. CC ID 14878 | Establish/Maintain Documentation | Preventive |
| Include the function performed by the in scope system in the audit assertion's in scope system description. CC ID 14911 | Establish/Maintain Documentation | Preventive |
| Include the disposition of the incident in the audit assertion's in scope system description. CC ID 14896 | Establish/Maintain Documentation | Preventive |
| Include the extent of the incident in the audit assertion's in scope system description. CC ID 14895 | Establish/Maintain Documentation | Preventive |
| Include the timing of each incident in the audit assertion's in scope system description. CC ID 14891 | Establish/Maintain Documentation | Preventive |
| Include the nature of each incident in the audit assertion's in scope system description. CC ID 14889 | Establish/Maintain Documentation | Preventive |
| Include a section regarding in scope controls related to the system in the audit assertion's in scope system description. CC ID 14897 | Establish/Maintain Documentation | Preventive |
| Include how the in scope system meets external requirements in the audit assertion's in scope system description. CC ID 16502 | Establish/Maintain Documentation | Preventive |
| Include the timing of each control in the audit assertion's in scope system description. CC ID 14916 | Establish/Maintain Documentation | Preventive |
| Include the nature of the control in the audit assertion's in scope system description. CC ID 14910 | Establish/Maintain Documentation | Preventive |
| Include the information sources used in performing the control in the audit assertion's in scope system description. CC ID 14909 | Establish/Maintain Documentation | Preventive |
| Include the responsible party for performing the control in the audit assertion's in scope system description. CC ID 14907 | Establish/Maintain Documentation | Preventive |
| Include the subject matter to which the control is applied in the audit assertion's in scope system description. CC ID 14904 | Establish/Maintain Documentation | Preventive |
| Refrain from omitting or distorting information in the audit assertion's in scope system description. CC ID 14893 | Establish/Maintain Documentation | Preventive |
| Include the timing of each change in the audit assertion's in scope system description. CC ID 14892 | Establish/Maintain Documentation | Preventive |
| Include the system boundaries in the audit assertion's in scope system description. CC ID 14887 | Establish/Maintain Documentation | Preventive |
| Determine the presentation method of the audit assertion's in scope system description. CC ID 14885 | Establish/Maintain Documentation | Detective |
| Include the time frame covered by the description in the audit assertion's in scope system description. CC ID 14884 | Establish/Maintain Documentation | Preventive |
| Include commitments to third parties in the audit assertion. CC ID 14899 | Establish/Maintain Documentation | Preventive |
| Determine the completeness of the audit assertion's in scope system description. CC ID 14883 | Establish/Maintain Documentation | Preventive |
| Determine the appropriateness of the audit assertion's in scope system description. CC ID 16449 | Audits and Risk Management | Detective |
| Include system requirements in the audit assertion's in scope system description. CC ID 14881 | Establish/Maintain Documentation | Preventive |
| Include third party controls in the audit assertion's in scope system description. CC ID 14880 | Establish/Maintain Documentation | Preventive |
| Hold an opening meeting with interested personnel and affected parties prior to an audit. CC ID 15256 | Audits and Risk Management | Preventive |
| Identify personnel who should attend the closing meeting. CC ID 15261 | Business Processes | Preventive |
| Confirm audit requirements during the opening meeting. CC ID 15255 | Audits and Risk Management | Detective |
| Include discussions about how particular situations will be handled in the opening meeting. CC ID 15254 | Audits and Risk Management | Preventive |
| Include agreement to the audit scope and audit terms in the audit program. CC ID 06965 | Establish/Maintain Documentation | Preventive |
| Establish and maintain a bespoke audit scope for each audit being performed. CC ID 13077 | Establish/Maintain Documentation | Preventive |
| Include third party assets in the audit scope. CC ID 16504 | Audits and Risk Management | Preventive |
| Include audit subject matter in the audit program. CC ID 07103 | Establish/Maintain Documentation | Preventive |
| Examine the availability of the audit criteria in the audit program. CC ID 16520 | Investigate | Preventive |
| Examine the objectivity of the audit criteria in the audit program. CC ID 07104 | Establish/Maintain Documentation | Preventive |
| Examine the measurability of the audit criteria in the audit program. CC ID 07105 | Establish/Maintain Documentation | Preventive |
| Examine the completeness of the audit criteria in the audit program. CC ID 07106 | Establish/Maintain Documentation | Preventive |
| Examine the relevance of the audit criteria in the audit program. CC ID 07107 | Establish/Maintain Documentation | Preventive |
| Determine the appropriateness of the audit subject matter. CC ID 16505 | Audits and Risk Management | Preventive |
| Disseminate and communicate the audit program with the audit subject matter and audit criteria to all interested personnel and affected parties. CC ID 07116 | Establish/Maintain Documentation | Preventive |
| Include the in scope material or in scope products in the audit program. CC ID 08961 | Audits and Risk Management | Preventive |
| Include in scope information in the audit program. CC ID 16198 | Establish/Maintain Documentation | Preventive |
| Include the out of scope material or out of scope products in the audit program. CC ID 08962 | Establish/Maintain Documentation | Preventive |
| Provide a representation letter in support of the audit assertion. CC ID 07158 | Establish/Maintain Documentation | Preventive |
| Include the date of the audit in the representation letter. CC ID 16517 | Audits and Risk Management | Preventive |
| Include a statement that management has evaluated compliance with external requirements in the representation letter. CC ID 13942 | Establish/Maintain Documentation | Preventive |
| Include a statement that the assumptions used for estimates are reasonable in the representation letter. CC ID 13934 | Establish/Maintain Documentation | Preventive |
| Include a statement that uncorrected misstatements are believed to be immaterial in the representation letter. CC ID 13884 | Establish/Maintain Documentation | Preventive |
| Include a statement that system incidents have been disclosed to the auditor in the representation letter. CC ID 16772 | Establish/Maintain Documentation | Preventive |
| Include a statement that incidents of fraud and non-compliance have been disclosed to the auditor in the representation letter. CC ID 16769 | Establish/Maintain Documentation | Preventive |
| Include a statement of responsibility for the subject matter in the representation letter. CC ID 07159 | Establish/Maintain Documentation | Preventive |
| Include a statement of responsibility for selecting the audit criteria in the representation letter. CC ID 07160 | Establish/Maintain Documentation | Preventive |
| Include a statement of responsibility regarding the appropriateness of the audit criteria in the representation letter. CC ID 07161 | Establish/Maintain Documentation | Preventive |
| Include an assertion about the subject matter based on the selected audit criteria in the representation letter. CC ID 07162 | Establish/Maintain Documentation | Preventive |
| Include a statement that all known matters contradicting the audit assertion have been disclosed to the auditor in the representation letter. CC ID 07163 | Establish/Maintain Documentation | Preventive |
| Include the availability of all in scope records relevant to the subject matter in the representation letter. CC ID 07164 | Establish/Maintain Documentation | Preventive |
| Include a statement that any known subsequent events have been disclosed to the auditor in the representation letter. CC ID 07165 | Establish/Maintain Documentation | Preventive |
| Include a statement that deficiencies in internal controls have been disclosed to the auditor in the representation letter. CC ID 13899 | Establish/Maintain Documentation | Preventive |
| Establish and maintain audit assertions, as necessary. CC ID 14871 | Establish/Maintain Documentation | Detective |
| Include an in scope system description in the audit assertion. CC ID 14872 | Establish/Maintain Documentation | Preventive |
| Include any assumptions that are improbable in the audit assertion. CC ID 13950 | Establish/Maintain Documentation | Preventive |
| Include how the audit scope matches in scope controls in the audit assertion. CC ID 06969 | Establish/Maintain Documentation | Preventive |
| Include why specific criteria are ignored by in scope controls in the audit assertion. CC ID 07027 | Establish/Maintain Documentation | Preventive |
| Include how the in scope system is designed and implemented in the audit assertion. CC ID 06970 | Establish/Maintain Documentation | Preventive |
| Include the responsible party's opinion of the quality of the evidence in the audit assertion. CC ID 13949 | Establish/Maintain Documentation | Preventive |
| Include the end users and affected parties of the in scope system in the audit assertion. CC ID 07028 | Establish/Maintain Documentation | Preventive |
| Include the in scope services offered or in scope transactions processed in the audit assertion. CC ID 06971 | Establish/Maintain Documentation | Preventive |
| Include the in scope procedures in the audit assertion. CC ID 06972 | Establish/Maintain Documentation | Preventive |
| Include the in scope records produced in the audit assertion. CC ID 06968 | Establish/Maintain Documentation | Preventive |
| Include how in scope material events are monitored and logged in the audit assertion. CC ID 06973 | Establish/Maintain Documentation | Preventive |
| Include any in scope material events that might affect the assertion in the audit assertion. CC ID 06991 | Establish/Maintain Documentation | Preventive |
| Include the in scope controls and compliance documents in the audit assertion. CC ID 06974 | Establish/Maintain Documentation | Preventive |
| Include the in scope risk assessment processes in the audit assertion. CC ID 06975 | Establish/Maintain Documentation | Preventive |
| Include in scope change controls in the audit assertion. CC ID 06976 | Establish/Maintain Documentation | Preventive |
| Include any in scope uncorrected errors or non-compliance issues in the audit assertion. CC ID 06989 | Establish/Maintain Documentation | Preventive |
| Disseminate and communicate a written audit assertion of the audit scope and audit terms to interested personnel and affected parties. CC ID 06967 | Establish/Maintain Documentation | Preventive |
| Include the scope for the desired level of assurance in the audit program. CC ID 12793 | Communicate | Preventive |
| Include conditions that might require modification of the audit program in the audit terms. CC ID 07149 | Establish/Maintain Documentation | Preventive |
Include how access to in scope systems, personnel and in scope records is provided to the auditor in the audit terms. CC ID 06988 | Establish/Maintain Documentation | Preventive | |
Include the criteria for determining the desired level of assurance in the audit program. CC ID 12795 | Audits and Risk Management | Preventive | |
Establish, implement, and maintain procedures for determining the desired level of assurance in the audit program. CC ID 12794 [To provide effective oversight of the organization, in addition to the reports it receives from those to whom they have delegated, the governing body should assure itself that the governance system is appropriately designed and operating as intended. If the governing body cannot assure itself directly, then it should utilize additional means of independent assurance. The governing body should: determine the level of assurance scrutiny it requires, depending on the assessed risk; § 6.4.3.3 ¶ 1 a)] | Establish/Maintain Documentation | Preventive | |
Include the expectations for the audit report in the audit terms. CC ID 07148 | Establish/Maintain Documentation | Preventive | |
Establish and maintain a practitioner's report on management's assertions, as necessary. CC ID 13888 | Establish/Maintain Documentation | Preventive | |
Refrain from changing the date of the practitioner's report on agreed-upon procedures when reissuing it. CC ID 13896 | Establish/Maintain Documentation | Corrective | |
Hold a closing meeting following an audit to present audit findings and conclusions. CC ID 15248 | Communicate | Preventive | |
Include materiality levels in the audit terms. CC ID 01238 | Establish/Maintain Documentation | Preventive | |
Include material changes in information processes, Information Systems, and assets that could affect audits in the audit terms. CC ID 01239 | Establish/Maintain Documentation | Preventive | |
Include material weaknesses, material failures, and material errors in information processes, Information Systems, and assets that could affect audits in the audit terms. CC ID 01240 | Establish/Maintain Documentation | Preventive | |
Schedule attestation engagement meetings with interested personnel and affected parties, as necessary. CC ID 15263 | Business Processes | Preventive | |
Refrain from performing an attestation engagement under defined conditions. CC ID 13952 | Audits and Risk Management | Detective | |
Refrain from accepting an attestation engagement when the engaging party refuses to sign the engagement letter. CC ID 14912 | Business Processes | Preventive | |
Refrain from accepting an attestation engagement unless the prospective financial information includes a summary of significant assumptions. CC ID 13954 | Behavior | Preventive | |
Refrain from accepting an attestation engagement when all parties disagree on the procedures. CC ID 13951 | Audits and Risk Management | Preventive | |
Accept the attestation engagement when all preconditions are met. CC ID 13933 | Business Processes | Preventive | |
Audit in scope audit items and compliance documents. CC ID 06730 | Audits and Risk Management | Preventive | |
Collect all work papers for the audit and audit report into an engagement file. CC ID 07001 | Actionable Reports or Measurements | Preventive | |
Document any after the fact changes to the engagement file. CC ID 07002 | Establish/Maintain Documentation | Preventive | |
Protect access to the engagement file and all associated audit documentation in compliance with Authority Documents the organization must follow. CC ID 07179 | Establish/Maintain Documentation | Preventive | |
Disclose work papers in the engagement file in compliance with legal requirements. CC ID 07180 | Establish/Maintain Documentation | Preventive | |
Archive the engagement file and all work papers for the period prescribed by law or contract. CC ID 10038 | Records Management | Preventive | |
Conduct onsite inspections, as necessary. CC ID 16199 | Testing | Preventive | |
Identify hypothetical assumptions in forecasts and projections during an audit. CC ID 13946 | Audits and Risk Management | Detective | |
Refrain from examining forecasts and projections which refrain from disclosing assumptions during an audit. CC ID 13932 | Audits and Risk Management | Detective | |
Audit policies, standards, and procedures. CC ID 12927 | Audits and Risk Management | Preventive | |
Audit cybersecurity risk management within the policies, standards, and procedures of the organization. CC ID 13011 | Investigate | Detective | |
Audit information systems, as necessary. CC ID 13010 [{be responsible}{be ethical}The governing body should provide direction for, and have sufficient oversight of, the use of data and its supporting information technology to ensure the organization remains within its established risk appetite and organizational risk framework. This can include: adequate auditing, and monitoring, of information technology to ensure its responsible, including ethical, use and that it meets the governing body's intentions and expectations as well as the organization's compliance obligations; § 6.8.3.4 ¶ 2 c)] | Investigate | Detective | |
Audit the potential costs of compromise to information systems. CC ID 13012 | Investigate | Detective | |
Determine the accurateness of the audit assertion's in scope system description. CC ID 06979 | Testing | Detective | |
Determine if the in scope system has been implemented as described in the audit assertion. CC ID 06983 | Testing | Detective | |
Investigate the nature and causes of misstatements in the audit assertion's in scope system description. CC ID 16557 | Audits and Risk Management | Detective | |
Determine the effect of fraud and non-compliance on the description of the system in the audit assertion, as necessary. CC ID 13977 | Process or Activity | Detective | |
Edit the audit assertion for accuracy. CC ID 07030 | Establish/Maintain Documentation | Preventive | |
Determine if the audit assertion's in scope procedures are accurately documented. CC ID 06982 | Establish/Maintain Documentation | Preventive | |
Determine if the audit assertion's in scope controls are reasonable. CC ID 06980 | Testing | Detective | |
Determine the effect of fraud and non-compliance on the achievement of in scope controls in the audit assertion, as necessary. CC ID 13978 | Process or Activity | Detective | |
Document test plans for auditing in scope controls. CC ID 06985 | Testing | Detective | |
Determine the implementation status of the audit assertion's in scope controls. CC ID 06981 | Testing | Detective | |
Determine the effectiveness of in scope controls. CC ID 06984 | Testing | Detective | |
Review incident management audit logs to determine the effectiveness of in scope controls. CC ID 12157 | Audits and Risk Management | Detective | |
Review audit reports to determine the effectiveness of in scope controls. CC ID 12156 | Audits and Risk Management | Detective | |
Observe processes to determine the effectiveness of in scope controls. CC ID 12155 | Audits and Risk Management | Detective | |
Interview stakeholders to determine the effectiveness of in scope controls. CC ID 12154 | Audits and Risk Management | Detective | |
Review documentation to determine the effectiveness of in scope controls. CC ID 16522 | Process or Activity | Preventive | |
Review policies and procedures to determine the effectiveness of in scope controls. CC ID 12144 | Audits and Risk Management | Detective | |
Evaluate personnel status changes to determine the effectiveness of in scope controls. CC ID 16556 | Audits and Risk Management | Detective | |
Determine whether individuals performing a control have the appropriate staff qualifications, staff clearances, and staff competencies. CC ID 16555 | Audits and Risk Management | Detective | |
Determine any errors or material omissions in the audit assertion that affect in scope control implementations. CC ID 06990 | Testing | Detective | |
Include the process of using evidential matter to test in scope controls in the test plan. CC ID 06996 | Establish/Maintain Documentation | Preventive | |
Audit the in scope system according to the test plan using relevant evidence. CC ID 07112 | Testing | Preventive | |
Implement procedures that collect sufficient audit evidence. CC ID 07153 | Audits and Risk Management | Preventive | |
Collect evidence about the in scope audit items of the audit assertion. CC ID 07154 | Audits and Risk Management | Preventive | |
Collect audit evidence sufficient to avoid misstatements. CC ID 07155 | Audits and Risk Management | Preventive | |
Collect audit evidence at the level of the organization's competence in the subject matter. CC ID 07156 | Audits and Risk Management | Preventive | |
Collect audit evidence sufficient to overcome inadequacies in the organization's attestation. CC ID 07157 | Audits and Risk Management | Preventive | |
Provide transactional walkthrough procedures for external auditors. CC ID 00672 | Testing | Preventive | |
Establish, implement, and maintain interview procedures. CC ID 16282 | Establish/Maintain Documentation | Preventive | |
Include roles and responsibilities in the interview procedures. CC ID 16297 | Human Resources Management | Preventive | |
Coordinate the scheduling of interviews. CC ID 16293 | Process or Activity | Preventive | |
Create a schedule for the interviews. CC ID 16292 | Process or Activity | Preventive | |
Identify interviewees. CC ID 16290 | Process or Activity | Preventive | |
Conduct interviews, as necessary. CC ID 07188 | Testing | Detective | |
Verify statements made by interviewees are correct. CC ID 16299 | Behavior | Detective | |
Discuss unsolved questions with the interviewee. CC ID 16298 | Process or Activity | Detective | |
Allow interviewee to respond to explanations. CC ID 16296 | Process or Activity | Detective | |
Explain the requirements being discussed to the interviewee. CC ID 16294 | Process or Activity | Detective | |
Explain the goals of the interview to the interviewee. CC ID 07189 | Behavior | Detective | |
Explain the testing results to the interviewee. CC ID 16291 | Process or Activity | Preventive | |
Withdraw from the audit, when defined conditions exist. CC ID 13885 | Process or Activity | Corrective | |
Establish and maintain work papers, as necessary. CC ID 13891 | Establish/Maintain Documentation | Preventive | |
Include the auditor's conclusions on work performed by individuals assigned to the audit in the work papers. CC ID 16775 | Establish/Maintain Documentation | Preventive | |
Include audit irregularities in the work papers. CC ID 16774 | Establish/Maintain Documentation | Preventive | |
Include corrective actions in the work papers. CC ID 16771 | Establish/Maintain Documentation | Preventive | |
Include information about the organization being audited and the auditor performing the audit in the work papers. CC ID 16770 | Establish/Maintain Documentation | Preventive | |
Include discussions with interested personnel and affected parties in the work papers. CC ID 16768 | Establish/Maintain Documentation | Preventive | |
Include justification for departing from mandatory requirements in the work papers. CC ID 13935 | Establish/Maintain Documentation | Preventive | |
Include audit evidence obtained from previous engagements in the work papers. CC ID 16518 | Audits and Risk Management | Preventive | |
Include the reviewer, and dates, for using evidential matter to test in scope controls in the work papers. CC ID 06998 | Establish/Maintain Documentation | Preventive | |
Include the tests, examinations, interviews and observations performed during the audit in the work papers. CC ID 07190 | Establish/Maintain Documentation | Preventive | |
Include if any subject matter experts or additional research had to be undertaken to test in scope controls in the work papers. CC ID 07026 | Establish/Maintain Documentation | Preventive | |
Include the tester, and dates, for using evidential matter to test in scope controls in the work papers. CC ID 06997 | Establish/Maintain Documentation | Preventive | |
Include if the audit evidence has identified in scope control deficiencies in the work papers. CC ID 07152 | Audits and Risk Management | Detective | |
Include any subsequent events related to the audit assertion or audit subject matter in the work papers. CC ID 07177 | Audits and Risk Management | Preventive | |
Include if in scope control deviations allow in scope controls to be performed acceptably in the work papers. CC ID 06987 | Testing | Detective | |
Include the causes of identified in scope control deficiencies in the work papers. CC ID 07000 | Establish/Maintain Documentation | Preventive | |
Include discussions regarding the causes of identified in scope control deficiencies in the work papers. CC ID 06999 | Establish/Maintain Documentation | Preventive | |
Investigate the nature and causes of identified in scope control deviations. CC ID 06986 | Testing | Detective | |
Supervise interested personnel and affected parties participating in the audit. CC ID 07150 | Monitor and Evaluate Occurrences | Preventive | |
Notify interested personnel and affected parties participating in the audit of their roles and responsibilities during the audit. CC ID 07151 | Establish Roles | Preventive | |
Respond to questions or clarification requests regarding the audit. CC ID 08902 | Business Processes | Preventive | |
Track and measure the implementation of the organizational compliance framework. CC ID 06445 | Monitor and Evaluate Occurrences | Preventive | |
Review the need for organizational efficiency as balanced against the needs of compliance and security. CC ID 07111 | Business Processes | Preventive | |
Engage subject matter experts when the auditor requires additional expertise during an attestation engagement, as necessary. CC ID 13971 | Process or Activity | Preventive | |
Review the subject matter expert's findings. CC ID 16559 | Audits and Risk Management | Detective | |
Establish, implement, and maintain a practitioner's report on agreed-upon procedures. CC ID 13894 | Establish/Maintain Documentation | Preventive | |
Provide auditors access to all in scope records, in scope assets, personnel and in scope procedures. CC ID 06966 | Audits and Risk Management | Preventive | |
Permit assessment teams to conduct audits, as necessary. CC ID 16430 | Investigate | Detective | |
Provide auditors access to affected parties during the audit, as necessary. CC ID 07187 | Business Processes | Preventive | |
Solve any access problems auditors encounter during the audit. CC ID 08959 | Audits and Risk Management | Corrective | |
Notify interested personnel and affected parties when an auditee refuses to provide access or participate in the audit. CC ID 08960 | Audits and Risk Management | Preventive | |
Establish and maintain a practitioner's examination report on pro forma financial information. CC ID 13968 | Establish/Maintain Documentation | Preventive | |
Include references to where financial information was derived in the practitioner's review report on pro forma financial information. CC ID 13982 | Establish/Maintain Documentation | Preventive | |
Include a statement that the financial statements used were audited by other practitioners in the practitioner's examination report on pro forma financial information, as necessary. CC ID 13981 | Establish/Maintain Documentation | Preventive | |
Establish and maintain organizational audit reports. CC ID 06731 | Establish/Maintain Documentation | Preventive | |
Determine what disclosures are required in the audit report. CC ID 14888 | Establish/Maintain Documentation | Detective | |
Include the justification for not following the applicable requirements in the audit report. CC ID 16822 | Audits and Risk Management | Preventive | |
Include a statement that the applicable requirements were not followed in the audit report. CC ID 16821 | Audits and Risk Management | Preventive | |
Include audit subject matter in the audit report. CC ID 14882 | Establish/Maintain Documentation | Preventive | |
Include an other-matter paragraph in the audit report. CC ID 14901 | Establish/Maintain Documentation | Preventive | |
Identify the audit team members in the audit report. CC ID 15259 | Human Resources Management | Detective | |
Write the audit report using clear and conspicuous language. CC ID 13948 | Establish/Maintain Documentation | Preventive | |
Include a statement that the sufficiency of the agreed upon procedures is the responsibility of the specified parties in the audit report. CC ID 13936 | Establish/Maintain Documentation | Preventive | |
Include a statement that the financial statements were audited in the audit report. CC ID 13963 | Establish/Maintain Documentation | Preventive | |
Include the criteria that financial information was measured against in the audit report. CC ID 13966 | Establish/Maintain Documentation | Preventive | |
Include a description of the financial information being reported on in the audit report. CC ID 13965 | Establish/Maintain Documentation | Preventive | |
Include references to any adjustments of financial information in the audit report. CC ID 13964 | Establish/Maintain Documentation | Preventive | |
Include in the audit report that audit opinions are not dependent on references to subject matter experts, as necessary. CC ID 13953 | Establish/Maintain Documentation | Preventive | |
Include references to historical financial information used in the audit report. CC ID 13961 | Establish/Maintain Documentation | Preventive | |
Include a statement about the inherent limitations of the audit in the audit report. CC ID 14900 | Establish/Maintain Documentation | Preventive | |
Include a description of the limitations on the usefulness of hypothetical assumptions in the audit report. CC ID 13958 | Establish/Maintain Documentation | Preventive | |
Include the word independent in the title of audit reports. CC ID 07003 | Actionable Reports or Measurements | Preventive | |
Include the date of the audit in the audit report. CC ID 07024 | Actionable Reports or Measurements | Preventive | |
Structure the audit report to be in the form of procedures and findings. CC ID 13940 | Establish/Maintain Documentation | Preventive | |
Include information about the organization being audited and the auditor performing the audit in the audit report. CC ID 07004 | Actionable Reports or Measurements | Preventive | |
Include any discussions of significant findings in the audit report. CC ID 13955 | Establish/Maintain Documentation | Preventive | |
Include the date and with whom discussions about significant findings took place in the audit report. CC ID 13962 | Establish/Maintain Documentation | Preventive | |
Include the audit criteria in the audit report. CC ID 13945 | Establish/Maintain Documentation | Preventive | |
Include a statement in the audit report that the agreed upon procedures were potentially insufficient in identifying material risks, as necessary. CC ID 13957 | Establish/Maintain Documentation | Preventive | |
Include all hypothetical assumptions in the audit report. CC ID 13947 | Establish/Maintain Documentation | Preventive | |
Include a statement that access to the report is restricted based on least privilege in the audit report. CC ID 07023 | Actionable Reports or Measurements | Preventive | |
Include a statement that identifies the distribution list for the report in the audit report. CC ID 07172 | Establish/Maintain Documentation | Preventive | |
Include a statement that identifies the use restrictions for the report in the audit report. CC ID 07173 | Establish/Maintain Documentation | Preventive | |
Include a statement that the agreed upon procedures involve collecting evidence in the audit report. CC ID 13956 | Establish/Maintain Documentation | Preventive | |
Include all of the facts and demonstrated plausibility in the audit report. CC ID 08929 | Establish/Maintain Documentation | Preventive | |
Include a statement that the agreed upon procedures were performed by all parties in the audit report. CC ID 13931 | Establish/Maintain Documentation | Preventive | |
Include references to subject matter experts in the audit report when citing qualified opinions. CC ID 13929 | Establish/Maintain Documentation | Preventive | |
Include a description of the assistance provided by Subject Matter Experts in the audit report. CC ID 13939 | Establish/Maintain Documentation | Preventive | |
Include a review of the subject matter expert's findings in the audit report. CC ID 13972 | Establish/Maintain Documentation | Preventive | |
Include a statement of the character of the engagement in the audit report. CC ID 07166 | Establish/Maintain Documentation | Preventive | |
Include the nature and scope of the audit performed in the statement of the character of the engagement in the audit report. CC ID 07167 | Establish/Maintain Documentation | Preventive | |
Include the professional standards governing the audit in the statement of the character of the engagement in the audit report. CC ID 07168 | Establish/Maintain Documentation | Preventive | |
Include all restrictions on the audit in the audit report. CC ID 13930 | Establish/Maintain Documentation | Preventive | |
Include a statement that the auditor has no responsibility to update the audit report after its submission. CC ID 13943 | Establish/Maintain Documentation | Preventive | |
Include a statement on the auditor's ethical requirements in the audit report. CC ID 16767 | Establish/Maintain Documentation | Preventive | |
Include a statement that the responsible party refused to provide a written assertion in the audit report. CC ID 13887 | Establish/Maintain Documentation | Preventive | |
Include a statement that the examination involves procedures for collecting evidence in the audit report. CC ID 13941 | Establish/Maintain Documentation | Preventive | |
Express an adverse opinion in the audit report when significant assumptions are not suitably supported. CC ID 13944 | Establish/Maintain Documentation | Preventive | |
Include a statement that modifications to historical evidence accurately reflect current evidence in the audit report. CC ID 13938 | Establish/Maintain Documentation | Preventive | |
Refrain from referencing previous engagements in the audit report. CC ID 16516 | Audits and Risk Management | Preventive | |
Refrain from referencing other auditor's work in the audit report. CC ID 13881 | Establish/Maintain Documentation | Preventive | |
Include that the audit findings are not a predictive analysis of future compliance in the audit report. CC ID 07018 | Establish/Maintain Documentation | Preventive | |
Identify the participants from the organization being audited in the audit report. CC ID 15258 | Audits and Risk Management | Detective | |
Include how in scope controls meet external requirements in the audit report. CC ID 16450 | Establish/Maintain Documentation | Preventive | |
Include the in scope records used to obtain audit evidence in the description of tests of controls and results in the audit report. CC ID 14915 | Establish/Maintain Documentation | Preventive | |
Include recommended corrective actions in the audit report. CC ID 16197 | Establish/Maintain Documentation | Preventive | |
Include risks and opportunities in the audit report. CC ID 16196 | Establish/Maintain Documentation | Preventive | |
Include the description of tests of controls and results in the audit report. CC ID 14898 | Establish/Maintain Documentation | Preventive | |
Include the nature of the tests performed in the description of tests of controls and results in the audit report. CC ID 14908 | Establish/Maintain Documentation | Preventive | |
Include the test scope in the description of tests of controls and results in the audit report. CC ID 14906 | Establish/Maintain Documentation | Preventive | |
Identify the stakeholders interviewed to obtain audit evidence in the description of tests of controls and results in the audit report. CC ID 14905 | Establish/Maintain Documentation | Preventive | |
Include the timing of controls in the description of tests of controls and results in the audit report. CC ID 16553 | Audits and Risk Management | Preventive | |
Include the controls that were tested in the description of tests of controls and results in the audit report. CC ID 14902 | Establish/Maintain Documentation | Preventive | |
Include subsequent events related to the audit assertion or audit subject matter in the audit report. CC ID 16773 | Establish/Maintain Documentation | Preventive | |
Include the organization's audit assertion of the in scope system in the audit report. CC ID 07005 | Actionable Reports or Measurements | Preventive | |
Include that the organization is the responsible party for the content of its audit assertion and in scope system description in the audit report. CC ID 07010 | Establish/Maintain Documentation | Preventive | |
Include that the organization is the responsible party for providing in scope services in the audit report. CC ID 14903 | Establish/Maintain Documentation | Preventive | |
Include that the organization is the responsible party for specifying in scope controls not defined by law or contractual obligation in the audit report. CC ID 07011 | Establish/Maintain Documentation | Preventive | |
Include that the organization is the responsible party for designing and implementing the in scope controls it identified in the audit scope in the audit report. CC ID 07014 | Establish/Maintain Documentation | Preventive | |
Include the audit opinion regarding the accurateness of the in scope system description in the audit report. CC ID 07019 | Establish/Maintain Documentation | Preventive | |
Include the attestation standards the auditor follows in the audit report. CC ID 07015 | Establish/Maintain Documentation | Preventive | |
Include the audit opinion about the audit assertion in relation to the audit criteria used for evaluation in the audit report. CC ID 07169 | Establish/Maintain Documentation | Preventive | |
Include the auditor's significant reservations about the engagement, the audit assertion, or the audit subject matter in the audit report. CC ID 07170 | Establish/Maintain Documentation | Preventive | |
Include an emphasis-of-matter paragraph in the audit report. CC ID 14890 | Establish/Maintain Documentation | Preventive | |
Include the organization's in scope system description in the audit report. CC ID 11626 | Audits and Risk Management | Preventive | |
Include any out of scope components of in scope systems in the audit report. CC ID 07006 | Establish/Maintain Documentation | Preventive | |
Include that the organization is the responsible party for identifying material risks in the audit report. CC ID 07012 | Establish/Maintain Documentation | Preventive | |
Include that the organization is the responsible party for selecting the audit criteria in the audit report. CC ID 07013 | Establish/Maintain Documentation | Preventive | |
Include the scope and work performed in the audit report. CC ID 11621 | Audits and Risk Management | Preventive | |
Review the adequacy of the internal auditor's work papers. CC ID 01146 | Audits and Risk Management | Detective | |
Compare the evaluations completed by the internal auditors and the external auditors in past audit reports. CC ID 01158 | Establish/Maintain Documentation | Detective | |
Review the adequacy of the internal auditor's audit reports. CC ID 11620 | Audits and Risk Management | Detective | |
Review past audit reports. CC ID 01155 | Establish/Maintain Documentation | Detective | |
Review past audit reports for specific process steps and calculations that were stated to support the audit report's conclusions. CC ID 01160 | Establish/Maintain Documentation | Detective | |
Review the reporting of material weaknesses and risks in past audit reports. CC ID 01161 | Establish/Maintain Documentation | Detective | |
Resolve disputes before creating the audit summary. CC ID 08964 | Behavior | Preventive | |
Refrain from including the description of the audit in the audit report when the auditor is disclaiming an audit opinion. CC ID 13975 | Establish/Maintain Documentation | Preventive | |
Refrain from including scope limitations from changed attestation engagements in the audit report. CC ID 13983 | Establish/Maintain Documentation | Preventive | |
Refrain from including in the audit report any procedures that were performed that the auditor is disclaiming in an audit opinion. CC ID 13974 | Establish/Maintain Documentation | Preventive | |
Include deficiencies and non-compliance in the audit report. CC ID 14879 | Establish/Maintain Documentation | Corrective | |
Determine the effect of deficiencies on the audit report, as necessary. CC ID 14886 | Investigate | Detective | |
Determine the effect of fraud and non-compliance on the audit report, as necessary. CC ID 13979 | Process or Activity | Detective | |
Include an audit opinion in the audit report. CC ID 07017 | Establish/Maintain Documentation | Preventive | |
Include qualified opinions in the audit report. CC ID 13928 | Establish/Maintain Documentation | Preventive | |
Include that the auditor is the responsible party to express an opinion on the audit subject matter based on examination of evidence in the audit report. CC ID 07174 | Establish/Maintain Documentation | Preventive | |
Include a description of the reasons for modifying the audit opinion in the audit report. CC ID 13898 | Establish/Maintain Documentation | Corrective | |
Include that the auditor did not express an opinion in the audit report, as necessary. CC ID 13886 | Establish/Maintain Documentation | Preventive | |
Disclaim the audit opinion in the audit report, as necessary. CC ID 13901 | Business Processes | Corrective | |
Include items that were excluded from the audit report in the audit report. CC ID 07007 | Establish/Maintain Documentation | Preventive | |
Include the organization's privacy practices in the audit report. CC ID 07029 | Establish/Maintain Documentation | Preventive | |
Include items that pertain to third parties in the audit report. CC ID 07008 | Establish/Maintain Documentation | Preventive | |
Refrain from including reference to procedures performed in previous attestation engagements in the audit report. CC ID 13970 | Establish/Maintain Documentation | Preventive | |
Include a statement in the audit report that no procedures were performed subsequent to the date of the practitioner's review report on pro forma financial information, as necessary. CC ID 13969 | Establish/Maintain Documentation | Preventive | |
Include any of the organization's use of compensating controls that were not audited in the audit report. CC ID 07009 | Establish/Maintain Documentation | Preventive | |
Include whether the use of compensating controls is necessary in the audit report. CC ID 07020 | Establish/Maintain Documentation | Preventive | |
Include the pass or fail test status of all in scope controls in the audit report. CC ID 07016 | Establish/Maintain Documentation | Preventive | |
Include the process of using evidential matter to test in scope controls in the audit report. CC ID 07021 | Establish/Maintain Documentation | Preventive | |
Include the nature and causes of identified in scope control deviations in the audit report. CC ID 07022 | Establish/Maintain Documentation | Preventive | |
Modify the audit opinion in the audit report under defined conditions. CC ID 13937 | Establish/Maintain Documentation | Corrective | |
Disclose any audit irregularities in the audit report. CC ID 06995 | Actionable Reports or Measurements | Preventive | |
Include the written signature of the auditor's organization in the audit report. CC ID 13897 | Establish/Maintain Documentation | Preventive | |
Disseminate and communicate the audit report to all interested personnel and affected parties identified in the distribution list. CC ID 07117 [Assurance processes that inform the governing body independently and accurately include: external audit and associated reporting to stakeholders and the governing body; § 6.4.3.3 ¶ 2 Bullet 4] | Establish/Maintain Documentation | Preventive | |
Disseminate and communicate the reviews of audit reports to organizational management. CC ID 00653 | Log Management | Detective | |
Disseminate and communicate the reasons the audit report was delayed to interested personnel and affected parties. CC ID 15257 | Communicate | Preventive | |
Notify auditees if disclosure of audit documentation is required by law. CC ID 15249 | Communicate | Preventive | |
Disseminate and communicate to the organization that access and use of audit reports are based on least privilege. CC ID 07171 | Behavior | Preventive | |
Disseminate and communicate documents that contain information in support of the audit report. CC ID 07175 | Establish/Maintain Documentation | Preventive | |
Correct any material misstatements in documents that contain information in support of the audit report. CC ID 07176 | Establish/Maintain Documentation | Preventive | |
Review the issues of non-compliance from past audit reports. CC ID 01148 | Establish/Maintain Documentation | Detective | |
Notify interested personnel and affected parties after bribes are offered during the audit. CC ID 08872 | Business Processes | Preventive | |
Submit an audit report that is complete. CC ID 01145 | Testing | Detective | |
Accept the audit report. CC ID 07025 | Establish/Maintain Documentation | Preventive | |
Implement a corrective action plan in response to the audit report. CC ID 06777 | Establish/Maintain Documentation | Corrective | |
Assign responsibility for remediation actions. CC ID 13622 | Human Resources Management | Preventive | |
Monitor and report on the status of mitigation actions in the corrective action plan. CC ID 15250 | Actionable Reports or Measurements | Corrective | |
Review management's response to issues raised in past audit reports. CC ID 01149 | Audits and Risk Management | Detective | |
Define penalties for uncorrected audit findings or remaining non-compliant with the audit report. CC ID 08963 | Establish/Maintain Documentation | Preventive | |
Assess the quality of the audit program in regards to the staff and their qualifications. CC ID 01150 [{individual}To provide effective oversight of the organization, in addition to the reports it receives from those to whom they have delegated, the governing body should assure itself that the governance system is appropriately designed and operating as intended. If the governing body cannot assure itself directly, then it should utilize additional means of independent assurance. The governing body should: ensure that those providing assurance have appropriate authority and adequate resources to provide the governing body with accurate assessments; § 6.4.3.3 ¶ 1 b) To provide effective oversight of the organization, in addition to the reports it receives from those to whom they have delegated, the governing body should assure itself that the governance system is appropriately designed and operating as intended. If the governing body cannot assure itself directly, then it should utilize additional means of independent assurance. The governing body should: ensure that assurance providers have the necessary competency and capacity and that their efforts are appropriately focused; § 6.4.3.3 ¶ 1 c) To provide effective oversight of the organization, in addition to the reports it receives from those to whom they have delegated, the governing body should assure itself that the governance system is appropriately designed and operating as intended. If the governing body cannot assure itself directly, then it should utilize additional means of independent assurance. The governing body should: carefully scrutinize the ability of any external assurance providers, to provide independent assurance (see NOTE 1); § 6.4.3.3 ¶ 1 e) Where external auditors are appointed, there should be a rotation of audit firms or auditors and careful consideration and transparency of the non-audit services they provide, to ensure continued independent assurance. § 6.4.3.3 ¶ 3] | Testing | Detective | |
Evaluate the competency of auditors. CC ID 15253 | Human Resources Management | Detective | |
Review the audit program scope as it relates to the organization's profile. CC ID 01159 | Audits and Risk Management | Detective | |
Assess the quality of the audit program in regards to its documentation. CC ID 11622 | Audits and Risk Management | Preventive | |
Establish, implement, and maintain the audit plan. CC ID 01156 | Testing | Detective | |
Include the audit criteria in the audit plan. CC ID 15262 | Establish/Maintain Documentation | Preventive | |
Include a list of reference documents in the audit plan. CC ID 15260 | Establish/Maintain Documentation | Preventive | |
Include the languages to be used for the audit in the audit plan. CC ID 15252 | Establish/Maintain Documentation | Preventive | |
Include the allocation of resources in the audit plan. CC ID 15251 [{individual}To provide effective oversight of the organization, in addition to the reports it receives from those to whom they have delegated, the governing body should assure itself that the governance system is appropriately designed and operating as intended. If the governing body cannot assure itself directly, then it should utilize additional means of independent assurance. The governing body should: ensure that those providing assurance have appropriate authority and adequate resources to provide the governing body with accurate assessments; § 6.4.3.3 ¶ 1 b)] | Establish/Maintain Documentation | Preventive | |
Include communication protocols in the audit plan. CC ID 15247 | Establish/Maintain Documentation | Preventive | |
Include the level of audit sampling necessary to collect sufficient audit evidence in the audit plan. CC ID 15246 | Establish/Maintain Documentation | Preventive | |
Include meeting schedules in the audit plan. CC ID 15245 | Establish/Maintain Documentation | Preventive | |
Include the time frames for the audit in the audit plan. CC ID 15244 | Establish/Maintain Documentation | Preventive | |
Include the time frames for conducting the audit in the audit plan. CC ID 15243 | Establish/Maintain Documentation | Preventive | |
Include the locations to be audited in the audit plan. CC ID 15242 | Establish/Maintain Documentation | Preventive | |
Include the processes to be audited in the audit plan. CC ID 15241 | Establish/Maintain Documentation | Preventive | |
Include audit objectives in the audit plan. CC ID 15240 | Establish/Maintain Documentation | Preventive | |
Include the risks associated with audit activities in the audit plan. CC ID 15239 | Establish/Maintain Documentation | Preventive | |
Disseminate and communicate the audit plan to interested personnel and affected parties. CC ID 15238 | Communicate | Preventive | |
Establish, implement, and maintain an audit schedule for the audit program. CC ID 13158 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain a risk management program. CC ID 12051 [To exercise effective oversight, the governing body should: ensure that an internal control system is implemented, including a risk management system, a compliance management system and a system of financial controls; § 6.4.3.1 ¶ 1 b) The governing body should establish an organizational risk framework that ensures a formal, proactive and anticipative approach to the management of risk across the organization, including by the governing body. The governing body should ensure that this framework integrates risk management into all organizational activities. § 6.9.3.2 ¶ 1 The governing body should oversee the organization's management of risk (see 6.4), ensuring that: the intended risk management performance is achieved. § 6.9.3.4 ¶ 1 i) {environmental system}{social system} The governing body should ensure that the organization protects and restores those systems on which it depends. In this regard, the governing body should consider and manage risk associated with those decisions it makes that can impact the natural environmental, social and economic systems (see 6.9). While doing so, the governing body should ensure that relevant stakeholders are consulted and engaged (see 6.6). This should provide clarity regarding the impact the governing body's decisions have, over time, on those aspects on which the organization is: § 6.11.3.4 ¶ 1] | Establish/Maintain Documentation | Preventive | |
Include the scope of risk management activities in the risk management program. CC ID 13658 | Establish/Maintain Documentation | Preventive | |
Document and justify any exclusions from the scope of the risk management activities in the risk management program. CC ID 15336 | Business Processes | Detective | |
Integrate the risk management program with the organization's business activities. CC ID 13661 [The governing body should establish an organizational risk framework that ensures a formal, proactive and anticipative approach to the management of risk across the organization, including by the governing body. The governing body should ensure that this framework integrates risk management into all organizational activities. § 6.9.3.2 ¶ 1 In overseeing risk management, the governing body should specifically assure itself that risk management is integrated into all organizational activities by seeking evidence that, for example: § 6.9.3.4 ¶ 2] | Business Processes | Preventive | |
Integrate the risk management program into daily business decision-making. CC ID 13659 [The governing body should oversee the organization's management of risk (see 6.4), ensuring that: decision-making behaviours are informed by risk assessment outcomes and are consistent with governance policies; § 6.9.3.4 ¶ 1 g) The governing body should ensure that the organizational risk framework, in respect to the management of risk: guides decision-making behaviours and the impact of leadership actions, inactions or omissions on those behaviours; § 6.9.3.2 ¶ 2 b)] | Business Processes | Preventive | |
Include managing mobile risks in the risk management program. CC ID 13535 | Establish/Maintain Documentation | Preventive | |
Take into account if the system will be accessed by or have an impact on children in the risk management program. CC ID 14992 | Audits and Risk Management | Preventive | |
Include regular updating in the risk management system. CC ID 14990 | Business Processes | Preventive | |
Establish, implement, and maintain risk management strategies. CC ID 13209 [The governing body should oversee the organization's management of risk (see 6.4), ensuring that: strategies to manage risk are deployed within agreed risk limits and associated risk tolerance; § 6.9.3.4 ¶ 1 b)] | Establish/Maintain Documentation | Preventive | |
Include off-site storage of supplies in the risk management strategies. CC ID 13221 | Establish/Maintain Documentation | Preventive | |
Include data quality in the risk management strategies. CC ID 15308 | Data and Information Management | Preventive | |
Include the use of alternate service providers in the risk management strategies. CC ID 13217 | Establish/Maintain Documentation | Preventive | |
Include minimizing service interruptions in the risk management strategies. CC ID 13215 | Establish/Maintain Documentation | Preventive | |
Include off-site storage in the risk mitigation strategies. CC ID 13213 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain the risk assessment framework. CC ID 00685 | Establish/Maintain Documentation | Preventive | |
Analyze the risk management strategy for addressing requirements. CC ID 12926 | Audits and Risk Management | Detective | |
Analyze the risk management strategy for addressing threats. CC ID 12925 | Audits and Risk Management | Detective | |
Analyze the risk management strategy for addressing opportunities. CC ID 12924 | Audits and Risk Management | Detective | |
Define and assign the roles and responsibilities for the risk assessment framework, as necessary. CC ID 06456 [The governing body should ensure that the organizational risk framework, in respect to the management of risk: defines the responsibilities of the governing body and associated delegation across the organization; § 6.9.3.2 ¶ 2 e)] | Establish Roles | Preventive | |
Establish, implement, and maintain a risk assessment program. CC ID 00687 [The governing body should consider and manage risk associated with its own activities in accordance with the organizational risk framework. For example, the governing body should: § 6.9.3.3 ¶ 1] | Establish/Maintain Documentation | Preventive | |
Address past incidents in the risk assessment program. CC ID 12743 | Audits and Risk Management | Preventive | |
Employ third parties when implementing a risk assessment, as necessary. CC ID 16306 | Human Resources Management | Detective | |
Include the need for risk assessments in the risk assessment program. CC ID 06447 | Establish/Maintain Documentation | Preventive | |
Include the information flow of restricted data in the risk assessment program. CC ID 12339 | Establish/Maintain Documentation | Preventive | |
Establish and maintain the factors and context for risk to the organization. CC ID 12230 [The governing body should ensure that it considers the effect of uncertainty on the organizational purpose and associated strategic outcomes. § 6.9.1 ¶ 1 The governing body should ensure that it considers the effect of uncertainty on the organizational purpose and associated strategic outcomes. Table 1 Column 4 Row 10 The governing body should oversee the organization's management of risk (see 6.4), ensuring that: a holistic view is taken by the organization, including consideration of all relevant types of risk; § 6.9.3.4 ¶ 1 a) {internal context}When setting the strategic outcomes and guiding the organizational strategy, the governing body should consider the organization's internal and external context, including: the organization's risk landscape; § 6.3.3.1.1 ¶ 2 c)] | Audits and Risk Management | Preventive | |
Establish, implement, and maintain a financial plan to support the risk management strategy. CC ID 12786 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain insurance requirements. CC ID 16562 | Establish/Maintain Documentation | Preventive | |
Disseminate and communicate insurance options to interested personnel and affected parties. CC ID 16572 | Communicate | Preventive | |
Disseminate and communicate insurance requirements to interested personnel and affected parties. CC ID 16567 | Communicate | Preventive | |
Purchase insurance on behalf of interested personnel and affected parties. CC ID 16571 | Acquisition/Sale of Assets or Services | Corrective | |
Design a portfolio of insurance options in accordance with risk decision-making criteria. CC ID 12878 | Business Processes | Preventive | |
Design a portfolio of loans in accordance with risk decision-making criteria. CC ID 12877 | Business Processes | Preventive | |
Design a portfolio of risk limiting and mitigating approaches in organizational contracts in accordance with risk decision-making criteria. CC ID 12903 | Business Processes | Preventive | |
Address cybersecurity risks in the risk assessment program. CC ID 13193 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain Data Protection Impact Assessments. CC ID 14830 | Process or Activity | Preventive | |
Include a Data Protection Impact Assessment in the risk assessment program. CC ID 12630 | Establish/Maintain Documentation | Preventive | |
Include an assessment of the necessity and proportionality of the processing operations in relation to the purposes in the Data Protection Impact Assessment. CC ID 12681 | Establish/Maintain Documentation | Preventive | |
Include an assessment of the relationship between the data subject and the parties processing the data in the Data Protection Impact Assessment. CC ID 16371 | Establish/Maintain Documentation | Preventive | |
Include a risk assessment of data subject's rights in the Data Protection Impact Assessment. CC ID 12674 | Establish/Maintain Documentation | Preventive | |
Include the description and purpose of processing restricted data in the Data Protection Impact Assessment. CC ID 12673 | Establish/Maintain Documentation | Preventive | |
Disseminate and communicate the Data Protection Impact Assessment to interested personnel and affected parties. CC ID 15313 | Communicate | Preventive | |
Include consideration of the data subject's expectations in the Data Protection Impact Assessment. CC ID 16370 | Establish/Maintain Documentation | Preventive | |
Include monitoring unsecured areas in the Data Protection Impact Assessment. CC ID 12671 | Establish/Maintain Documentation | Preventive | |
Include security measures for protecting restricted data in the Data Protection Impact Assessment. CC ID 12635 | Establish/Maintain Documentation | Preventive | |
Use the risk taxonomy when managing risk. CC ID 12280 | Behavior | Preventive | |
Establish, implement, and maintain a risk assessment policy. CC ID 14026 | Establish/Maintain Documentation | Preventive | |
Include compliance requirements in the risk assessment policy. CC ID 14121 | Establish/Maintain Documentation | Preventive | |
Include coordination amongst entities in the risk assessment policy. CC ID 14120 | Establish/Maintain Documentation | Preventive | |
Include management commitment in the risk assessment policy. CC ID 14119 | Establish/Maintain Documentation | Preventive | |
Include roles and responsibilities in the risk assessment policy. CC ID 14118 | Establish/Maintain Documentation | Preventive | |
Include the scope in the risk assessment policy. CC ID 14117 | Establish/Maintain Documentation | Preventive | |
Include the purpose in the risk assessment policy. CC ID 14116 | Establish/Maintain Documentation | Preventive | |
Disseminate and communicate the risk assessment policy to interested personnel and affected parties. CC ID 14115 | Communicate | Preventive | |
Establish, implement, and maintain risk assessment procedures. CC ID 06446 [The governing body should oversee the organization's management of risk (see 6.4), ensuring that: the process for assessing risk is consistent throughout the organization, enabling effective comparison and prioritization of risk; § 6.9.3.4 ¶ 1 e) The governing body should ensure that the value generation objectives are delivered by the organization as a whole, by applying all other principles in this document. This includes ensuring that: unintended outcomes are adequately identified, understood, monitored and appropriate action taken; § 6.2.3.4 ¶ 1 a)] | Establish/Maintain Documentation | Preventive | |
Analyze the organization's information security environment. CC ID 13122 | Technical Security | Preventive | |
Employ risk assessment procedures that follow legal requirements and contractual obligations when risk profiling. CC ID 06472 | Establish/Maintain Documentation | Preventive | |
Employ risk assessment procedures that follow standards and best practices, as necessary. CC ID 06473 | Establish/Maintain Documentation | Preventive | |
Document cybersecurity risks. CC ID 12281 | Establish/Maintain Documentation | Preventive | |
Employ risk assessment procedures that take into account both electronic records and printed records. CC ID 06476 | Establish/Maintain Documentation | Preventive | |
Employ risk assessment procedures that take into account information classification. CC ID 06477 | Establish/Maintain Documentation | Preventive | |
Engage appropriate parties to assist with risk assessments, as necessary. CC ID 12153 | Human Resources Management | Preventive | |
Employ risk assessment procedures that align with strategic objectives. CC ID 06474 | Establish/Maintain Documentation | Preventive | |
Employ risk assessment procedures that take into account prior risk assessment findings of the same scope. CC ID 06478 | Establish/Maintain Documentation | Preventive | |
Employ risk assessment procedures that take into account the target environment. CC ID 06479 [The governing body should consider and manage risk associated with its own activities in accordance with the organizational risk framework. For example, the governing body should: § 6.9.3.3 ¶ 1] | Establish/Maintain Documentation | Preventive | |
Employ risk assessment procedures that take into account incidents associated with the target environment. CC ID 06480 | Establish/Maintain Documentation | Preventive | |
Employ risk assessment procedures that take into account risk factors. CC ID 16560 | Audits and Risk Management | Preventive | |
Include compliance with disposition requirements in the risk assessment procedures. CC ID 12342 | Establish/Maintain Documentation | Preventive | |
Include compliance with retention requirements in the risk assessment procedures. CC ID 12341 | Establish/Maintain Documentation | Preventive | |
Employ risk assessment procedures that include appropriate risk treatment options for each identified risk. CC ID 06484 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain a threat and risk classification scheme. CC ID 07183 | Establish/Maintain Documentation | Preventive | |
Document organizational risk criteria. CC ID 12277 [The governing body should ensure that the organizational risk framework, in respect to the management of risk: establishes the risk appetite, which involves setting risk criteria and associated limits; § 6.9.3.2 ¶ 2 g)] | Establish/Maintain Documentation | Preventive | |
Include security threats and vulnerabilities in the threat and risk classification scheme. CC ID 00699 | Technical Security | Preventive | |
Include an analysis of system interdependencies in the threat and risk classification scheme. CC ID 13056 | Investigate | Detective | |
Categorize the systems, information, and data by risk profile in the threat and risk classification scheme. CC ID 01443 | Audits and Risk Management | Preventive | |
Review the risk profiles, as necessary. CC ID 16561 | Audits and Risk Management | Detective | |
Include risks to critical personnel and assets in the threat and risk classification scheme. CC ID 00698 | Audits and Risk Management | Preventive | |
Include the traceability of malicious code in the threat and risk classification scheme. CC ID 06600 | Establish/Maintain Documentation | Preventive | |
Assign a probability of occurrence to all types of threats in the threat and risk classification scheme. CC ID 01173 | Audits and Risk Management | Preventive | |
Approve the threat and risk classification scheme. CC ID 15693 | Business Processes | Preventive | |
Establish, implement, and maintain risk profiling procedures for internal risk assessments. CC ID 01157 | Audits and Risk Management | Preventive | |
Include language that is easy to understand in the risk assessment report. CC ID 06461 | Establish/Maintain Documentation | Preventive | |
Include the environments that call for risk assessments in the risk assessment program. CC ID 06448 | Establish/Maintain Documentation | Preventive | |
Include the process for defining the scope of each risk assessment in the risk assessment program. CC ID 06462 | Establish/Maintain Documentation | Preventive | |
Include the circumstances that call for risk assessments in the risk assessment program. CC ID 06449 | Establish/Maintain Documentation | Preventive | |
Include the roles and responsibilities involved in risk assessments in the risk assessment program. CC ID 06450 | Establish/Maintain Documentation | Preventive | |
Include the methods of managing and responding to the risk assessment report in the risk assessment program. CC ID 06451 | Establish/Maintain Documentation | Preventive | |
Automate as much of the risk assessment program, as necessary. CC ID 06459 | Audits and Risk Management | Preventive | |
Disseminate and communicate the risk assessment procedures to interested personnel and affected parties. CC ID 14136 | Communicate | Preventive | |
Approve the risk assessment program and associated risk assessment procedures at the senior management level. CC ID 06458 | Establish/Maintain Documentation | Preventive | |
Perform risk assessments for all target environments, as necessary. CC ID 06452 [To ensure that the organization fulfils the organizational purpose and achieves the intended strategic outcomes, the governing body should: ensure that when the governing body makes decisions, it assesses, treats, monitors, and communicates the nature and extent of the risks faced; § 6.9.3.1 ¶ 2 b) The governing body should oversee the organization's management of risk (see 6.4), ensuring that: the organization assesses, treats, monitors and reviews risk in accordance with the established organizational risk framework; § 6.9.3.4 ¶ 1 d) {environmental system}{social system} The governing body should ensure that the organization protects and restores those systems on which it depends. In this regard, the governing body should consider and manage risk associated with those decisions it makes that can impact the natural environmental, social and economic systems (see 6.9). While doing so, the governing body should ensure that relevant stakeholders are consulted and engaged (see 6.6). This should provide clarity regarding the impact the governing body's decisions have, over time, on those aspects on which the organization is: § 6.11.3.4 ¶ 1] | Testing | Preventive | |
Include the probability and potential impact of pandemics in the scope of the risk assessment. CC ID 13241 | Establish/Maintain Documentation | Preventive | |
Include physical assets in the scope of the risk assessment. CC ID 13075 | Establish/Maintain Documentation | Preventive | |
Include the results of the risk assessment in the risk assessment report. CC ID 06481 | Establish/Maintain Documentation | Preventive | |
Approve the results of the risk assessment as documented in the risk assessment report. CC ID 07109 | Audits and Risk Management | Preventive | |
Update the risk assessment upon discovery of a new threat. CC ID 00708 | Establish/Maintain Documentation | Detective | |
Review risks to the organization's audit function when changes in the supply chain occur. CC ID 01154 | Audits and Risk Management | Preventive | |
Update the risk assessment upon changes to the risk profile. CC ID 11627 | Establish/Maintain Documentation | Detective | |
Review the risk to the audit function when the audit personnel status changes. CC ID 01153 | Audits and Risk Management | Preventive | |
Document any reasons for modifying or refraining from modifying the organization's risk assessment when the risk assessment has been reviewed. CC ID 13312 | Establish/Maintain Documentation | Preventive | |
Create a risk assessment report based on the risk assessment results. CC ID 15695 | Establish/Maintain Documentation | Preventive | |
Disseminate and communicate the approved risk assessment report to interested personnel and affected parties. CC ID 10633 [Assurance processes that inform the governing body independently and accurately include: direct reports by, and private sessions with, risk management and compliance management as independent control functions; § 6.4.3.3 ¶ 2 Bullet 2] | Communicate | Preventive | |
Conduct external audits of risk assessments, as necessary. CC ID 13308 | Audits and Risk Management | Detective | |
Notify the organization upon completion of the external audits of the organization's risk assessment. CC ID 13313 | Communicate | Preventive | |
Establish, implement, and maintain a risk assessment awareness and training program. CC ID 06453 | Business Processes | Preventive | |
Disseminate and communicate information about risks to all interested personnel and affected parties. CC ID 06718 [To demonstrate accountability, the governing body should ensure that the organization's reports and disclosures: explain and justify the organization's actions, inactions, omissions, risk and dependencies, including those of the governing body; § 6.5.3.2 ¶ 1 g) To ensure that the organization fulfils the organizational purpose and achieves the intended strategic outcomes, the governing body should: ensure that when the governing body makes decisions, it assesses, treats, monitors, and communicates the nature and extent of the risks faced; § 6.9.3.1 ¶ 2 b) The governing body should oversee the organization's management of risk (see 6.4), ensuring that: effective risk reporting and communication of risk are practised and promoted throughout the organization; § 6.9.3.4 ¶ 1 h) Assurance processes that inform the governing body independently and accurately include: direct reports by, and private sessions with, internal audit as an independent provider of assurance, including insight and advice, on the effectiveness and performance of governance processes and the internal control system, in particular risk management and compliance management; § 6.4.3.3 ¶ 2 Bullet 3 {environmental system}{social system}The governing body should ensure that when the organization reports and discloses its value generation model (see 6.2 and 6.5) these include: the risks posed to the organization, and the organization's value generation model, by the natural environmental, social and economic systems within which it operates and by the governing body's decisions; § 6.11.3.4 ¶ 2 b) {environmental system}{social system}The governing body should ensure that when the organization reports and discloses its value generation model (see 6.2 and 6.5) these include: the risks posed to the natural environmental, social and economic systems by the organization, by the organization's value generation model and by the governing body's decisions. § 6.11.3.4 ¶ 2 c)] | Behavior | Preventive | |
Evaluate the effectiveness of threat and vulnerability management procedures. CC ID 13491 | Investigate | Detective | |
Correlate the business impact of identified risks in the risk assessment report. CC ID 00686 | Audits and Risk Management | Preventive | |
Conduct a Business Impact Analysis, as necessary. CC ID 01147 | Audits and Risk Management | Detective | |
Include recovery of the critical path in the Business Impact Analysis. CC ID 13224 | Establish/Maintain Documentation | Preventive | |
Include acceptable levels of data loss in the Business Impact Analysis. CC ID 13264 | Establish/Maintain Documentation | Preventive | |
Include Recovery Point Objectives in the Business Impact Analysis. CC ID 13223 | Establish/Maintain Documentation | Preventive | |
Include the Recovery Time Objectives in the Business Impact Analysis. CC ID 13222 | Establish/Maintain Documentation | Preventive | |
Include pandemic risks in the Business Impact Analysis. CC ID 13219 | Establish/Maintain Documentation | Preventive | |
Include tolerance to downtime in the Business Impact Analysis report. CC ID 01172 | Establish/Maintain Documentation | Preventive | |
Disseminate and communicate the Business Impact Analysis to interested personnel and affected parties. CC ID 15300 [{social context}To demonstrate accountability, the governing body should ensure that the organization's reports and disclosures: provide information about the organization, including: the impact the organization has had, and anticipates having, on the resources it uses and the natural environment, social and economic context within which it operates; § 6.5.3.2 ¶ 1 c) 3) The value generation model requires an integrated approach to understanding and using resources (e.g. human, social and relational, intellectual, the natural environment, financial and manufactured). This approach includes: reporting on the extent of the organization's impact on these resources and the impact of these resources on one another. § 6.2.3.1 ¶ 4 c) The governing body should demonstrate accountability by retaining and distributing value in a transparent manner and reporting on the associated processes, decisions and results, including on the extent of the organization's impacts over time. This includes disclosing to relevant stakeholders where the organization has destroyed or compromised value, providing a justification for such where appropriate, and describing how it will redress or reinstate that value. § 6.2.3.5 ¶ 2] | Communicate | Preventive | |
Establish, implement, and maintain a risk register. CC ID 14828 | Establish/Maintain Documentation | Preventive | |
Document organizational risk tolerance in a risk register. CC ID 09961 | Establish/Maintain Documentation | Preventive | |
Align organizational risk tolerance to that of industry peers in the risk register. CC ID 09962 | Business Processes | Preventive | |
Review the Business Impact Analysis, as necessary. CC ID 12774 | Business Processes | Preventive | |
Analyze and quantify the risks to in scope systems and information. CC ID 00701 | Audits and Risk Management | Preventive | |
Establish and maintain a Risk Scoping and Measurement Definitions Document. CC ID 00703 | Audits and Risk Management | Preventive | |
Identify the material risks in the risk assessment report. CC ID 06482 | Audits and Risk Management | Preventive | |
Assess the potential level of business impact risk associated with each business process. CC ID 06463 [{be dependent}{environmental system}{social system}The governing body should ensure that the organization protects and restores those systems on which it depends. In this regard, the governing body should consider and manage risk associated with those decisions it makes that can impact the natural environmental, social and economic systems (see 6.9). While doing so, the governing body should ensure that relevant stakeholders are consulted and engaged (see 6.6). This should provide clarity regarding the impact the governing body's decisions have, over time, on those aspects on which the organization is: directly dependent; § 6.11.3.4 ¶ 1 Bullet 1 {be independent}{environmental system}{social system}The governing body should ensure that the organization protects and restores those systems on which it depends. In this regard, the governing body should consider and manage risk associated with those decisions it makes that can impact the natural environmental, social and economic systems (see 6.9). While doing so, the governing body should ensure that relevant stakeholders are consulted and engaged (see 6.6). This should provide clarity regarding the impact the governing body's decisions have, over time, on those aspects on which the organization is: not directly dependent but whose ability to be sustained will be affected by the governing body's decisions. § 6.11.3.4 ¶ 1 Bullet 2] | Audits and Risk Management | Detective | |
Assess the potential level of business impact risk associated with the business environment. CC ID 06464 [The governing body should ensure that the value generation objectives are delivered by the organization as a whole, by applying all other principles in this document. This includes ensuring that: the impacts of the organization's changing context are identified, understood, monitored and appropriate action is taken; § 6.2.3.4 ¶ 1 b) {be responsible}{be accurate}The governing body should ensure that the organizational risk framework, in respect to the management of risk: mandates that relevant stakeholders are engaged responsibly and accurately, and considers the organization's positive and negative risk impacts on them (see 6.6). § 6.9.3.2 ¶ 2 h) {positive impact}The governing body should ensure that the organization's value generation model identifies and assesses (see 6.2): the organization's positive and negative impacts on these systems. § 6.11.3.3 ¶ 1 c) {external context}The governing body should ensure that the organizational risk framework, in respect to the management of risk: considers the impact of, changes to and dependencies on the external and internal context of the organization, including: § 6.9.3.2 ¶ 2 d) {social context}{internal context}When setting the strategic outcomes and guiding the organizational strategy, the governing body should consider the organization's internal and external context, including: the interdependence between the natural environment, social and economic context – the organization's material impact on the context and its material impact on the organization; § 6.3.3.1.1 ¶ 2 e) {internal context}When setting the strategic outcomes and guiding the organizational strategy, the governing body should consider the organization's internal and external context, including: the organization's impact on stakeholders; § 6.3.3.1.1 ¶ 2 h) Defining the organizational purpose involves identifying the issues and stakeholders for which the organization exists to serve and the negative impacts that are to be avoided. When identifying these, the governing body should ensure that the following are considered: § 6.1.3.2 ¶ 1] | Audits and Risk Management | Detective | |
Assess the potential level of business impact risk associated with business information of in scope systems. CC ID 06465 | Audits and Risk Management | Detective | |
Identify changes to in scope systems that could threaten communication between business units. CC ID 13173 | Investigate | Detective | |
Assess the potential business impact risk of in scope systems caused by deliberate threats to their confidentiality, integrity, and availability. CC ID 06466 | Audits and Risk Management | Detective | |
Assess the potential level of business impact risk caused by accidental threats to the confidentiality, integrity and availability of critical systems. CC ID 06467 | Audits and Risk Management | Detective | |
Assess the potential level of business impact risk associated with reputational damage. CC ID 15335 | Audits and Risk Management | Detective | |
Assess the potential level of business impact risk associated with insider threats. CC ID 06468 | Audits and Risk Management | Detective | |
Assess the potential level of business impact risk associated with external entities. CC ID 06469 | Audits and Risk Management | Detective | |
Assess the potential level of business impact risk associated with natural disasters. CC ID 06470 | Actionable Reports or Measurements | Detective | |
Assess the potential level of business impact risk associated with control weaknesses. CC ID 06471 | Audits and Risk Management | Detective | |
Establish a risk acceptance level that is appropriate to the organization's risk appetite. CC ID 00706 [{positive impact}Responsible stewardship — The organization: effectively balances positive and negative impacts; § 5 ¶ 2 b) 2) The governing body should ensure that the organizational risk framework, in respect to the management of risk: establishes the risk appetite, which involves setting risk criteria and associated limits; § 6.9.3.2 ¶ 2 g) The governing body should ensure that it sets parameters, within which the value generation objectives are to be achieved. These parameters should ensure that the organization: balances the achievement of the value generation objectives against potential impacts; § 6.2.3.3 ¶ 1 a)] | Establish/Maintain Documentation | Preventive | |
Investigate alternative risk control strategies appropriate to the organization's risk appetite. CC ID 12887 | Investigate | Preventive | |
Select the appropriate risk treatment option for each identified risk in the risk register. CC ID 06483 [The governing body should oversee the organization's management of risk (see 6.4), ensuring that: the choice of risk treatments is consistent with governance policies; § 6.9.3.4 ¶ 1 c)] | Establish/Maintain Documentation | Preventive | |
Disseminate and communicate the risk acceptance level in the risk treatment plan to all interested personnel and affected parties. CC ID 06849 | Behavior | Preventive | |
Perform a gap analysis to review in scope controls for identified risks and implement new controls, as necessary. CC ID 00704 | Establish/Maintain Documentation | Detective | |
Document the results of the gap analysis. CC ID 16271 | Establish/Maintain Documentation | Preventive | |
Prioritize and select controls based on the risk assessment findings. CC ID 00707 | Audits and Risk Management | Preventive | |
Analyze the effect of threats on organizational strategies and objectives. CC ID 12850 | Process or Activity | Detective | |
Analyze the effect of opportunities on organizational strategies and objectives. CC ID 12849 | Process or Activity | Detective | |
Prioritize and categorize the effects of opportunities, threats and requirements on control activities. CC ID 12822 | Audits and Risk Management | Preventive | |
Determine the effectiveness of risk control measures. CC ID 06601 | Testing | Detective | |
Develop key indicators to inform management on the effectiveness of risk control measures. CC ID 12946 | Audits and Risk Management | Preventive | |
Establish, implement, and maintain a risk treatment plan. CC ID 11983 [To ensure that the organization fulfils the organizational purpose and achieves the intended strategic outcomes, the governing body should: ensure that when the governing body makes decisions, it assesses, treats, monitors, and communicates the nature and extent of the risks faced; § 6.9.3.1 ¶ 2 b) The governing body should oversee the organization's management of risk (see 6.4), ensuring that: the organization assesses, treats, monitors and reviews risk in accordance with the established organizational risk framework; § 6.9.3.4 ¶ 1 d) The governing body should oversee organizational performance by assessing and taking corrective action based on: risk information (e.g. information received directly from the risk function) regarding the organization's assessment and treatment of its key threats and opportunities in consideration of the organizational risk framework (see 6.9); § 6.4.3.2 ¶ 1 c)] | Establish/Maintain Documentation | Preventive | |
Include the date of the risk assessment in the risk treatment plan. CC ID 16321 | Establish/Maintain Documentation | Preventive | |
Include the release status of the risk assessment in the risk treatment plan. CC ID 16320 | Audits and Risk Management | Preventive | |
Identify the planned actions and controls that address high risk in the risk treatment plan. CC ID 12835 | Audits and Risk Management | Preventive | |
Identify the current actions and controls that address high risk in the risk treatment plan. CC ID 12834 | Audits and Risk Management | Preventive | |
Include the risk treatment strategy in the risk treatment plan. CC ID 12159 | Establish/Maintain Documentation | Preventive | |
Revise the risk treatment strategies in the risk treatment plan, as necessary. CC ID 12552 | Establish/Maintain Documentation | Corrective | |
Include an overview of the migration project plan in the risk treatment plan. CC ID 11982 | Establish/Maintain Documentation | Preventive | |
Include change control processes in the risk treatment plan. CC ID 11981 | Establish/Maintain Documentation | Preventive | |
Include a description of the processes to check for new vulnerabilities in the risk treatment plan. CC ID 11980 | Establish/Maintain Documentation | Preventive | |
Include the implemented risk management controls in the risk treatment plan. CC ID 11979 | Establish/Maintain Documentation | Preventive | |
Include requirements for monitoring and reporting in the risk treatment plan, as necessary. CC ID 13620 | Establish/Maintain Documentation | Preventive | |
Include risk assessment results in the risk treatment plan. CC ID 11978 | Establish/Maintain Documentation | Preventive | |
Include a description of usage in the risk treatment plan. CC ID 11977 | Establish/Maintain Documentation | Preventive | |
Document all constraints applied to the risk treatment plan, as necessary. CC ID 13619 | Establish/Maintain Documentation | Preventive | |
Disseminate and communicate the risk treatment plan to interested personnel and affected parties. CC ID 15694 | Communicate | Preventive | |
Approve the risk treatment plan. CC ID 13495 | Audits and Risk Management | Preventive | |
Integrate the corrective action plan based on the risk assessment findings with other risk management activities. CC ID 06457 | Establish/Maintain Documentation | Preventive | |
Document and communicate a corrective action plan based on the risk assessment findings. CC ID 00705 [The governing body should ensure that the value generation objectives are delivered by the organization as a whole, by applying all other principles in this document. This includes ensuring that: the impacts of the organization's changing context are identified, understood, monitored and appropriate action is taken; § 6.2.3.4 ¶ 1 b) The governing body should assume accountability for the organization's continual sensing of, and responding to, risk and communicating the chosen approach with relevant stakeholders as necessary (see 6.5.3). § 6.9.3.1 ¶ 1 The governing body should ensure that the value generation objectives are delivered by the organization as a whole, by applying all other principles in this document. This includes ensuring that: unintended outcomes are adequately identified, understood, monitored and appropriate action taken; § 6.2.3.4 ¶ 1 a) The governing body should oversee organizational performance by assessing and taking corrective action based on: risk information (e.g. information received directly from the risk function) regarding the organization's assessment and treatment of its key threats and opportunities in consideration of the organizational risk framework (see 6.9); § 6.4.3.2 ¶ 1 c)] | Establish/Maintain Documentation | Corrective | |
Review and approve the risk assessment findings. CC ID 06485 [The governing body should oversee organizational performance by assessing and taking corrective action based on: risk information (e.g. information received directly from the risk function) regarding the organization's assessment and treatment of its key threats and opportunities in consideration of the organizational risk framework (see 6.9); § 6.4.3.2 ¶ 1 c)] | Establish/Maintain Documentation | Preventive | |
Include risk responses in the risk management program. CC ID 13195 | Establish/Maintain Documentation | Preventive | |
Document residual risk in a residual risk report. CC ID 13664 | Establish/Maintain Documentation | Corrective | |
Review and approve material risks documented in the residual risk report, as necessary. CC ID 13672 | Business Processes | Preventive | |
Establish, implement, and maintain an artificial intelligence risk management program. CC ID 16220 | Establish/Maintain Documentation | Preventive | |
Include diversity and equal opportunity in the artificial intelligence risk management program. CC ID 16255 | Establish/Maintain Documentation | Preventive | |
Analyze the impact of artificial intelligence systems on business operations. CC ID 16356 | Business Processes | Preventive | |
Analyze the impact of artificial intelligence systems on society. CC ID 16317 | Audits and Risk Management | Detective | |
Analyze the impact of artificial intelligence systems on individuals. CC ID 16316 | Audits and Risk Management | Detective | |
Establish, implement, and maintain a cybersecurity risk management program. CC ID 16827 | Audits and Risk Management | Preventive | |
Include a commitment to continuous improvement in the cybersecurity risk management program. CC ID 16839 | Establish/Maintain Documentation | Preventive | |
Monitor the effectiveness of the cybersecurity risk management program. CC ID 16831 | Monitor and Evaluate Occurrences | Preventive | |
Establish, implement, and maintain a cybersecurity risk management policy. CC ID 16834 | Establish/Maintain Documentation | Preventive | |
Disseminate and communicate the cybersecurity risk management policy to interested personnel and affected parties. CC ID 16832 | Communicate | Preventive | |
Disseminate and communicate the cybersecurity risk management program to interested personnel and affected parties. CC ID 16829 | Communicate | Preventive | |
Establish, implement, and maintain a cybersecurity risk management strategy. CC ID 11991 | Establish/Maintain Documentation | Preventive | |
Include a risk prioritization approach in the Cybersecurity Risk Management Strategy. CC ID 12276 | Establish/Maintain Documentation | Preventive | |
Include defense in depth strategies in the cybersecurity risk management strategy. CC ID 15582 | Establish/Maintain Documentation | Preventive | |
Disseminate and communicate the cybersecurity risk management strategy to interested personnel and affected parties. CC ID 16825 | Communicate | Preventive | |
Evaluate the cyber insurance market. CC ID 12695 | Business Processes | Preventive | |
Evaluate the usefulness of cyber insurance to the organization. CC ID 12694 | Business Processes | Preventive | |
Acquire cyber insurance, as necessary. CC ID 12693 | Business Processes | Preventive | |
Establish, implement, and maintain a cybersecurity supply chain risk management program. CC ID 16826 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain cybersecurity supply chain risk management procedures. CC ID 16830 | Establish/Maintain Documentation | Preventive | |
Monitor the effectiveness of the cybersecurity supply chain risk management program. CC ID 16828 | Monitor and Evaluate Occurrences | Preventive | |
Establish, implement, and maintain a supply chain risk management policy. CC ID 14663 | Establish/Maintain Documentation | Preventive | |
Include compliance requirements in the supply chain risk management policy. CC ID 14711 | Establish/Maintain Documentation | Preventive | |
Include coordination amongst entities in the supply chain risk management policy. CC ID 14710 | Establish/Maintain Documentation | Preventive | |
Include management commitment in the supply chain risk management policy. CC ID 14709 | Establish/Maintain Documentation | Preventive | |
Include roles and responsibilities in the supply chain risk management policy. CC ID 14708 | Establish/Maintain Documentation | Preventive | |
Include the scope in the supply chain risk management policy. CC ID 14707 | Establish/Maintain Documentation | Preventive | |
Include the purpose in the supply chain risk management policy. CC ID 14706 | Establish/Maintain Documentation | Preventive | |
Disseminate and communicate the supply chain risk management policy to all interested personnel and affected parties. CC ID 14662 | Communicate | Preventive | |
Establish, implement, and maintain a supply chain risk management plan. CC ID 14713 | Establish/Maintain Documentation | Preventive | |
Include processes for monitoring and reporting in the supply chain risk management plan. CC ID 15619 | Establish/Maintain Documentation | Preventive | |
Include dates in the supply chain risk management plan. CC ID 15617 | Establish/Maintain Documentation | Preventive | |
Include implementation milestones in the supply chain risk management plan. CC ID 15615 | Establish/Maintain Documentation | Preventive | |
Include roles and responsibilities in the supply chain risk management plan. CC ID 15613 | Establish/Maintain Documentation | Preventive | |
Include supply chain risk management procedures in the risk management program. CC ID 13190 | Establish/Maintain Documentation | Preventive | |
Disseminate and communicate the supply chain risk management procedures to all interested personnel and affected parties. CC ID 14712 | Communicate | Preventive | |
Assign key stakeholders to review and approve supply chain risk management procedures. CC ID 13199 | Human Resources Management | Preventive | |
Analyze supply chain risk management procedures, as necessary. CC ID 13198 | Process or Activity | Detective | |
Disseminate and communicate the risk management policy to interested personnel and affected parties. CC ID 13792 | Communicate | Preventive | |
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term

Mandated - bold Implied - italic Implementation - regular | TYPE | CLASS | |
---|---|---|---|
Human Resources management CC ID 00763 | IT Impact Zone | IT Impact Zone | |
Establish, implement, and maintain high level operational roles and responsibilities. CC ID 00806 [{be effective} Depending on the size of the organization, governing bodies can create committees to help them fulfil their obligations. These committees can be statutory or voluntary. In either case, they should provide the governing body with additional capacity, skills, independence, diversity and/or stakeholder representation. If a governing body makes use of supporting committees, the governing body should ensure that it effectively delegates the necessary responsibilities and authority to such committees. § 4.3.1 ¶ 2] | Establish Roles | Preventive | |
Define and assign the head of Information Security's roles and responsibilities. CC ID 06091 | Establish Roles | Preventive | |
Establish, implement, and maintain a security operations center. CC ID 14762 | Human Resources Management | Preventive | |
Define the scope for the security operations center. CC ID 15713 | Establish/Maintain Documentation | Preventive | |
Designate an alternate for each organizational leader. CC ID 12053 | Human Resources Management | Preventive | |
Limit the activities performed as a proxy to an organizational leader. CC ID 12054 | Behavior | Preventive | |
Assign the roles and responsibilities of management in establishing, implementing, and maintaining the information security program. CC ID 13112 | Human Resources Management | Preventive | |
Define and assign the Board of Directors roles and responsibilities and senior management roles and responsibilities, including signing off on key policies and procedures. CC ID 00807 [The governing body can delegate but still remains accountable for what it has delegated and always remains responsible for the organization as a whole. § 4.2.2 ¶ 1 The governing body should establish governance policies and ensure that these: clarify the manner in which the governing body itself is to operate and govern the organization; § 6.3.3.1.2 ¶ 1 f) {individual}{hold accountable} The governing body should demonstrate its willingness to answer for the fulfilment of its responsibilities, even where these have been delegated. The governing body should also report on the manner in which it holds to account those to whom it has delegated. § 6.5.3.1 ¶ 1 Governance is exercised throughout the organization by governing groups, including: the governing body; § 4.2.1 ¶ 1 Bullet 2 At all times, the governing body should act collectively, performing many interrelated activities in order to exercise its authority and fulfil its accountability. Members of the governing body should act with probity and in the best interests of the organization while applying the principles in this document. § 4.3.1 ¶ 3 {individual}{hold accountable} The governing body should demonstrate its accountability to the organization as a whole and hold to account those to whom it has delegated. Table 1 Column 4 Row 6 The governing body should engage with strategic planning by: establishing clarity about its role in the strategic planning process; § 6.3.3.2.1 ¶ 1 a) The governing body is accountable for ensuring that the organization fulfils the defined organizational purpose and should ensure that the organization does so in a manner which demonstrates the defined organizational values. § 6.1.3.4 ¶ 1 {individual}{hold accountable} The governing body should demonstrate its accountability to the organization as a whole and hold to account those to whom it has delegated. § 6.5.1 ¶ 1 Within the governing body: The governing body should set expectations for itself and the organization, including parameters within which these expectations are to be fulfilled. The governing body should fulfil these expectations (internal alignment). § 6.7.3.2 ¶ 1 a)] | Establish Roles | Preventive | |
Establish and maintain board committees, as necessary. CC ID 14789 [The governing body should steer the organizational strategy by means of: the composition and functioning of the governing body itself, and its committees, ensuring they are continually able to understand and meet the changing needs of the organization (see 4.3.2), including recommending ways for closing anticipated gaps; § 6.3.3.2.2 ¶ 2 c)] | Human Resources Management | Preventive | |
Define and assign the roles and responsibilities of the chairman of the board. CC ID 14786 | Establish/Maintain Documentation | Preventive | |
Assign oversight of C-level executives to the Board of Directors. CC ID 14784 | Human Resources Management | Preventive | |
Establish, implement, and maintain candidate selection procedures to the board of directors. CC ID 14782 [The composition and structure of the governing body will vary between organizations. However, the governing body, as a collective, should remain suitably equipped to fulfil its role. Appointments to the governing body should be transparent to stakeholders and consider: capacity; § 4.3.1 ¶ 1 Bullet 4 The composition and structure of the governing body will vary between organizations. However, the governing body, as a collective, should remain suitably equipped to fulfil its role. Appointments to the governing body should be transparent to stakeholders and consider: probity; § 4.3.1 ¶ 1 Bullet 5 The composition and structure of the governing body will vary between organizations. However, the governing body, as a collective, should remain suitably equipped to fulfil its role. Appointments to the governing body should be transparent to stakeholders and consider: commitment. § 4.3.1 ¶ 1 Bullet 6 The composition and structure of the governing body will vary between organizations. However, the governing body, as a collective, should remain suitably equipped to fulfil its role. Appointments to the governing body should be transparent to stakeholders and consider: § 4.3.1 ¶ 1] | Establish/Maintain Documentation | Preventive | |
Include the criteria of mixed experiences and skills in the candidate selection procedures. CC ID 14791 [The composition and structure of the governing body will vary between organizations. However, the governing body, as a collective, should remain suitably equipped to fulfil its role. Appointments to the governing body should be transparent to stakeholders and consider: diversity and inclusion; § 4.3.1 ¶ 1 Bullet 2] | Establish/Maintain Documentation | Preventive | |
Assign oversight of the financial management program to the board of directors. CC ID 14781 | Human Resources Management | Preventive | |
Assign senior management to the role of supporting Quality Management. CC ID 13692 | Human Resources Management | Preventive | |
Assign senior management to the role of authorizing official. CC ID 14238 | Establish Roles | Preventive | |
Assign members who are independent from management to the Board of Directors. CC ID 12395 [The composition and structure of the governing body will vary between organizations. However, the governing body, as a collective, should remain suitably equipped to fulfil its role. Appointments to the governing body should be transparent to stakeholders and consider: independence of thought and action; § 4.3.1 ¶ 1 Bullet 3] | Human Resources Management | Preventive | |
Assign ownership of risks to the Board of Directors or senior management. CC ID 13662 [The governing body should assume accountability for the organization's continual sensing of, and responding to, risk and communicating the chosen approach with relevant stakeholders as necessary (see 6.5.3). § 6.9.3.1 ¶ 1 To ensure that the organization fulfils the organizational purpose and achieves the intended strategic outcomes, the governing body should: oversee the organization's risk management activities. § 6.9.3.1 ¶ 2 c) The governing body should oversee the organization's management of risk (see 6.4), ensuring that: § 6.9.3.4 ¶ 1] | Human Resources Management | Preventive | |
Assign the organization's board and senior management to oversee the continuity planning process. CC ID 12991 | Human Resources Management | Preventive | |
Rotate members of the board of directors, as necessary. CC ID 14803 | Human Resources Management | Corrective | |
Define and assign board committees, as necessary. CC ID 14787 | Human Resources Management | Preventive | |
Define and assign risk committees, as necessary. CC ID 14795 | Human Resources Management | Preventive | |
Establish, implement, and maintain a board committee charter, as necessary. CC ID 14802 | Establish/Maintain Documentation | Preventive | |
Define and assign audit committees, as necessary. CC ID 14788 | Human Resources Management | Preventive | |
Include members with experience in audit practices, financial reporting, and accounting in the audit committee. CC ID 14796 | Human Resources Management | Preventive | |
Define and assign compensation committees, as necessary. CC ID 14793 | Human Resources Management | Preventive | |
Define and assign the Chief Information Officer's roles and responsibilities. CC ID 00808 | Establish Roles | Preventive | |
Define and assign the network administrator's roles and responsibilities. CC ID 16363 | Human Resources Management | Preventive | |
Define and assign the Information Technology staff's roles and responsibilities. CC ID 00809 | Establish Roles | Preventive | |
Define and assign the Data Protection Officer's roles and responsibilities. CC ID 16525 | Human Resources Management | Preventive | |
Define and assign the business unit manager's roles and responsibilities. CC ID 00810 | Establish Roles | Preventive | |
Define and assign the Facility Security Officer's roles and responsibilities. CC ID 01887 | Establish Roles | Preventive | |
Define and assign the Chief Risk Officer's roles and responsibilities. CC ID 14333 | Human Resources Management | Preventive | |
Define and assign roles and responsibilities for network management. CC ID 13128 | Human Resources Management | Preventive | |
Define and assign the technology security leader's roles and responsibilities. CC ID 01897 | Establish Roles | Preventive | |
Define and assign the security staff roles and responsibilities. CC ID 11750 | Establish/Maintain Documentation | Preventive | |
Define and assign the authorized representatives roles and responsibilities. CC ID 15033 | Human Resources Management | Preventive | |
Define and assign the property management leader's roles and responsibilities. CC ID 00669 | Establish Roles | Preventive | |
Define and assign the Archives and Records Management oversight's roles and responsibilities. CC ID 00697 | Establish Roles | Preventive | |
Define and assign the Privacy Officer's roles and responsibilities. CC ID 00714 | Establish Roles | Preventive | |
Define and assign critical facility management personnel's roles and responsibilities. CC ID 06381 | Establish Roles | Preventive | |
Define the objectives and extent of outsourcing operational roles and responsibilities. CC ID 06383 | Establish/Maintain Documentation | Preventive | |
Define and assign the Chief Security Officer's roles and responsibilities. CC ID 06431 | Establish Roles | Preventive | |
Establish and maintain an Information Technology steering committee. CC ID 12706 | Human Resources Management | Preventive | |
Assign the Information Technology steering committee to report to senior management. CC ID 12731 | Human Resources Management | Preventive | |
Convene the Information Technology steering committee, as necessary. CC ID 12730 | Human Resources Management | Preventive | |
Assign reviewing investments to the Information Technology steering committee, as necessary. CC ID 13625 | Human Resources Management | Preventive | |
Assign a contact person to all business units. CC ID 07144 | Establish Roles | Preventive | |
Define and assign the assessment team's roles and responsibilities. CC ID 08890 | Business Processes | Preventive | |
Assign the role of Risk Assessment Manager to applicable controls. CC ID 12143 | Human Resources Management | Preventive | |
Assign the Risk Assessment manager the duty of reporting risk assessment results to organizational management. CC ID 12152 | Human Resources Management | Preventive | |
Refrain from allocating temporary staff to perform sensitive jobs absent the presence and control of authorized permanent staff. CC ID 12299 | Human Resources Management | Preventive | |
Define and assign workforce roles and responsibilities. CC ID 13267 ["Governance" and "management" are distinct, necessary and complementary activities that interact and influence one another. Governance involves setting and being accountable for the organization's fulfilment of its purpose within the parameters set for the organization, whereas management is about fulfilling the associated objectives by making choices within those parameters. The governing body should ensure the clarity of roles and responsibilities of all involved and hold accountable those to whom they delegate. § 4.2.3 ¶ 1] | Human Resources Management | Preventive | |
Establish, implement, and maintain cybersecurity roles and responsibilities. CC ID 13201 | Human Resources Management | Preventive | |
Assign roles and responsibilities for physical security, as necessary. CC ID 13113 | Establish Roles | Preventive | |
Document the use of external experts. CC ID 16263 | Human Resources Management | Preventive | |
Define and assign roles and responsibilities for those involved in risk management. CC ID 13660 [The governing body should ensure that the organizational risk framework, in respect to the management of risk: establishes the desired risk culture across the organization that encourages the reporting and communication of new and emerging risks, and ensures that every person in the organization understands their risk management responsibility; § 6.9.3.2 ¶ 2 a)] | Human Resources Management | Preventive | |
Include the management structure in the duties and responsibilities for risk management. CC ID 13665 | Human Resources Management | Preventive | |
Assign the roles and responsibilities for the change control program. CC ID 13118 | Human Resources Management | Preventive | |
Identify and define all critical roles. CC ID 00777 | Establish Roles | Preventive | |
Assign cybersecurity reporting responsibilities to qualified personnel. CC ID 12739 | Establish Roles | Preventive | |
Assign responsibility for cyber threat intelligence. CC ID 12746 | Human Resources Management | Preventive | |
Assign the role of security management to applicable controls. CC ID 06444 | Establish Roles | Preventive | |
Assign the role of security leader to keep up to date on the latest threats. CC ID 12112 | Human Resources Management | Preventive | |
Define and assign the data processor's roles and responsibilities. CC ID 12607 | Human Resources Management | Preventive | |
Assign the data processor to assist the data controller in implementing security controls. CC ID 12677 | Human Resources Management | Preventive | |
Assign the data processor to notify the data controller when personal data processing could infringe on regulations. CC ID 12617 | Communicate | Preventive | |
Define and assign the data controller's roles and responsibilities. CC ID 00471 | Establish Roles | Preventive | |
Assign the role of data controller to be the Point of Contact for the supervisory authority. CC ID 12616 | Human Resources Management | Preventive | |
Assign the role of the Data Controller to cooperate with the supervisory authority. CC ID 12615 | Human Resources Management | Preventive | |
Assign the data controller to facilitate the exercise of the data subject's rights. CC ID 12666 | Human Resources Management | Preventive | |
Assign the role of data controller to applicable controls. CC ID 00354 | Establish Roles | Preventive | |
Assign the role of data controller to provide advice, when requested. CC ID 12611 | Human Resources Management | Preventive | |
Assign the role of data controller to additional personnel, as necessary. CC ID 00473 | Establish Roles | Preventive | |
Assign the role of Information Technology operations to applicable controls. CC ID 00682 | Establish Roles | Preventive | |
Assign the role of logical access control to applicable controls. CC ID 00772 | Establish Roles | Preventive | |
Assign the role of asset physical security to applicable controls. CC ID 00770 | Establish Roles | Preventive | |
Assign the role of data custodian to applicable controls. CC ID 04789 | Establish Roles | Preventive | |
Assign the role of the Quality Management committee to applicable controls. CC ID 00769 | Establish Roles | Preventive | |
Assign interested personnel to the Quality Management committee. CC ID 07193 | Establish Roles | Preventive | |
Assign the roles and responsibilities for the asset management system. CC ID 14368 | Establish/Maintain Documentation | Preventive | |
Assign personnel to a crime prevention unit and announce the members of the unit. CC ID 06348 | Establish Roles | Preventive | |
Assign the role of fire protection management to applicable controls. CC ID 04891 | Establish Roles | Preventive | |
Assign the role of Information Technology Service Continuity Management to applicable controls. CC ID 04894 | Establish Roles | Preventive | |
Assign the role of the Computer Emergency Response Team to applicable controls. CC ID 04895 | Establish Roles | Preventive | |
Assign the role of CRYPTO custodian to applicable controls. CC ID 06723 | Establish Roles | Preventive | |
Define and assign the roles and responsibilities of security guards. CC ID 12543 | Human Resources Management | Preventive | |
Define and assign roles and responsibilities for dispute resolution. CC ID 13626 | Human Resources Management | Preventive | |
Define and assign the roles for Legal Support Workers. CC ID 13711 | Human Resources Management | Preventive | |
Establish, implement, and maintain a personnel management program. CC ID 14018 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain a succession plan for organizational leaders and support personnel. CC ID 11822 [The governing body should steer the organizational strategy by means of: succession planning for the critical roles in the organization, including emergency succession arrangements; § 6.3.3.2.2 ¶ 2 f)] | Human Resources Management | Preventive | |
Establish, implement, and maintain a personnel security program. CC ID 10628 | Establish/Maintain Documentation | Preventive | |
Employ individuals who have the appropriate staff qualifications, staff clearances, and staff competencies. CC ID 00782 [The composition and structure of the governing body will vary between organizations. However, the governing body, as a collective, should remain suitably equipped to fulfil its role. Appointments to the governing body should be transparent to stakeholders and consider: competence (relevant knowledge and understanding, skills and experience); § 4.3.1 ¶ 1 Bullet 1 The governing body should: ensure it has the right combination of knowledge, skills and experience to understand the operations of the organization and the markets in which it operates; § 4.3.2 ¶ 2 a) The composition and structure of the governing body will vary between organizations. However, the governing body, as a collective, should remain suitably equipped to fulfil its role. Appointments to the governing body should be transparent to stakeholders and consider: § 4.3.1 ¶ 1 {be adequate} The governing body is accountable for establishing and maintaining an integrated organizational governance framework across the organization that coordinates these governance activities such that the organization realizes effective performance, responsible stewardship and ethical behaviour. This organizational governance framework should ensure that decision-makers have appropriate authority, competence and resources for the responsibilities given to them. Effective delegation and transparent decision-making empower personnel to act appropriately, resulting in a more resilient and agile organization. Controls and subsequent improvement actions should be planned and implemented to ensure that the governance system remains adequate for the organization's purpose. § 4.2.1 ¶ 2] | Testing | Detective | |
Perform security skills assessments for all critical employees. CC ID 12102 | Human Resources Management | Detective | |
Assign security clearance procedures to qualified personnel. CC ID 06812 | Establish Roles | Preventive | |
Assign personnel screening procedures to qualified personnel. CC ID 11699 | Establish Roles | Preventive | |
Establish, implement, and maintain personnel screening procedures. CC ID 11700 | Establish/Maintain Documentation | Preventive | |
Perform a background check during personnel screening. CC ID 11758 | Human Resources Management | Detective | |
Perform a personal identification check during personnel screening. CC ID 06721 | Human Resources Management | Preventive | |
Perform a criminal records check during personnel screening. CC ID 06643 | Establish/Maintain Documentation | Preventive | |
Include all residences in the criminal records check. CC ID 13306 | Process or Activity | Preventive | |
Document any reasons a full criminal records check could not be performed. CC ID 13305 | Establish/Maintain Documentation | Preventive | |
Perform a personal references check during personnel screening. CC ID 06645 | Human Resources Management | Preventive | |
Perform a credit check during personnel screening. CC ID 06646 | Human Resources Management | Preventive | |
Perform an academic records check during personnel screening. CC ID 06647 | Establish/Maintain Documentation | Preventive | |
Perform a drug test during personnel screening. CC ID 06648 | Testing | Preventive | |
Perform a resume check during personnel screening. CC ID 06659 | Human Resources Management | Preventive | |
Perform a curriculum vitae check during personnel screening. CC ID 06660 | Human Resources Management | Preventive | |
Allow personnel being screened to appeal findings and appeal decisions. CC ID 06720 | Human Resources Management | Preventive | |
Disseminate and communicate screening results to interested personnel and affected parties. CC ID 16445 | Communicate | Preventive | |
Perform personnel screening procedures, as necessary. CC ID 11763 | Human Resources Management | Preventive | |
Document the personnel risk assessment results. CC ID 11764 | Establish/Maintain Documentation | Detective | |
Establish, implement, and maintain security clearance procedures. CC ID 00783 | Establish/Maintain Documentation | Preventive | |
Perform periodic background checks on designated roles, as necessary. CC ID 11759 | Human Resources Management | Detective | |
Perform security clearance procedures, as necessary. CC ID 06644 | Human Resources Management | Preventive | |
Establish and maintain security clearances. CC ID 01634 | Human Resources Management | Preventive | |
Document the security clearance procedure results. CC ID 01635 | Establish/Maintain Documentation | Detective | |
Establish and maintain the staff structure in line with the strategic plan. CC ID 00764 [When delegating, the governing body should delegate in a manner which increases trust and transparency. For delegation and accountability (see 6.5) to be effective, the governing body should ensure that the following conditions are fulfilled: authority matches the level of responsibility, which includes the autonomy to make and fulfil plans to achieve the agreed outcomes within the established parameters; § 4.2.2 ¶ 2 c) Decision-making throughout the organization should be supported by appropriate delegation (see 4.2.2). This delegation should be formalized together with appropriate assurance processes. Additionally, the governing body should ensure that: the authority matches the level of responsibility associated with the decisions being made; § 6.8.3.2.2 ¶ 1 a) Delegation should be formalized together with the appropriate assurance processes. Limits of decision-making authority should be applied in response to assessed risk. § 4.2.2 ¶ 5 Decision-making throughout the organization should be supported by appropriate delegation (see 4.2.2). This delegation should be formalized together with appropriate assurance processes. Additionally, the governing body should ensure that: § 6.8.3.2.2 ¶ 1 {hold accountable}{individual} The governing body should hold to account those to whom it has delegated (see 4.2.2). The governing body should ask questions, exercise its judgement, implement consequences, affect improvements and ensure that is equipped to do so. When doing so, the governing body should practise integrity, fairness and transparency. § 6.5.3.3 ¶ 1] | Establish Roles | Preventive | |
Document and communicate role descriptions to all applicable personnel. CC ID 00776 | Establish Roles | Detective | |
Assign and staff all roles appropriately. CC ID 00784 | Testing | Detective | |
Delegate authority for specific processes, as necessary. CC ID 06780 [When delegating, the governing body should delegate in a manner which increases trust and transparency. For delegation and accountability (see 6.5) to be effective, the governing body should ensure that the following conditions are fulfilled: § 4.2.2 ¶ 2 {be effective} Depending on the size of the organization, governing bodies can create committees to help them fulfil their obligations. These committees can be statutory or voluntary. In either case, they should provide the governing body with additional capacity, skills, independence, diversity and/or stakeholder representation. If a governing body makes use of supporting committees, the governing body should ensure that it effectively delegates the necessary responsibilities and authority to such committees. § 4.3.1 ¶ 2 The governing body should engage with strategic planning by: delegating as necessary; § 6.3.3.2.1 ¶ 1 b) The governing body should ensure that effective delegation is practised (see 4.2.2), as this is necessary for accountability. § 6.5.3.1 ¶ 2] | Behavior | Preventive | |
Implement a staff rotation plan. CC ID 12772 | Human Resources Management | Preventive | |
Rotate duties amongst the critical roles and positions. CC ID 06554 | Establish Roles | Preventive | |
Place Information Technology operations in a position to support the business model. CC ID 00766 | Business Processes | Preventive | |
Review organizational personnel successes. CC ID 00767 | Business Processes | Preventive | |
Implement personnel supervisory practices. CC ID 00773 | Behavior | Preventive | |
Implement segregation of duties in roles and responsibilities. CC ID 00774 | Testing | Detective | |
Establish, implement, and maintain segregation of duties compensating controls if segregation of duties is not practical. CC ID 06960 [{be different} The degree of separation of duties between the governing body and managers varies according to organizational needs and circumstances. In certain circumstances, such as an executive member of the governing body, an individual can be required to fulfil both governance and management responsibilities. In such cases, it is important for that person to be able to distinguish when they are fulfilling the different responsibilities and act and behave accordingly. § 4.2.3 ¶ 2] | Technical Security | Preventive | |
Evaluate the staffing requirements regularly. CC ID 00775 | Business Processes | Detective | |
Establish and maintain relationships with critical stakeholders, business functions, and leadership outside the in scope staff. CC ID 00779 [The governing body should ensure that the organization's stakeholders are identified, prioritized, appropriately engaged, consulted and their expectations understood. The governing body should do this to ensure that stakeholder relationships are effective and appropriate decisions about expectations are made to achieve the intended value generation objectives. § 6.6.3 ¶ 1 The governing body should consider the expectations of relevant stakeholder groups whether the organization is obliged to do so (e.g. member stakeholders, regulators) or whether it chooses to do so (e.g. reference stakeholders). The governing body should ensure that: collaborative relationships with relevant stakeholders are maintained; § 6.6.3 ¶ 3 c) Ethical and effective leadership should be demonstrated in three areas: the manner in which the organization interacts with, and impacts, its stakeholders and the context within which it operates. § 6.7.3.1 ¶ 4 c) Within the organization's external context: The governing body should ensure that the organization treats stakeholders in a manner consistent with its organizational values. § 6.7.3.3 ¶ 1 c) In order to lead ethically and effectively, the governing body should lead by example to create a positive culture, set the tone for others, and engender trust and cooperation among the organization's stakeholders. § 6.7.3.1 ¶ 2 {internal context} When setting the strategic outcomes and guiding the organizational strategy, the governing body should consider the organization's internal and external context, including: the quality and nature of stakeholder relationships and effectiveness of stakeholder engagement; § 6.3.3.1.1 ¶ 2 g) When the governing body groups stakeholders, it should clarify its criteria for grouping, and for determining the relevance of, stakeholders. The governing body should also ensure that a stakeholder engagement process is devised on this basis. § 6.6.3 ¶ 2] | Behavior | Preventive | |
Establish job categorization criteria, job recruitment criteria, and promotion criteria. CC ID 00781 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain a compensation, reward, and recognition program. CC ID 12806 [{be fair}{be responsible}{be transparent} The governing body should steer the organizational strategy by means of: the organization's approach to compensation, ensuring that compensation is, and remains, fair, responsible and transparent; § 6.3.3.2.2 ¶ 2 h)] | Human Resources Management | Preventive | |
Establish and maintain an annual report on compensation. CC ID 14801 | Establish/Maintain Documentation | Preventive | |
Include the design characteristics of the remuneration system in the annual report on compensation. CC ID 14804 | Establish/Maintain Documentation | Preventive | |
Disseminate and communicate the compensation, reward, and recognition program to interested personnel and affected parties. CC ID 14800 | Communicate | Preventive | |
Establish, implement, and maintain roles and responsibilities in the compensation, reward, and recognition program. CC ID 14798 | Establish/Maintain Documentation | Preventive | |
Align the compensation, reward, and recognition program with the risk management program. CC ID 14797 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain remuneration standards, as necessary. CC ID 14794 [The governing body should steer the organizational strategy by means of: targets, key performance indicators (KPIs) and associated incentives, including financial remuneration (see 6.4.3); § 6.3.3.2.2 ¶ 2 i)] | Establish/Maintain Documentation | Preventive | |
Recognize personnel who reinforce desirable conduct with incentives. CC ID 12815 [The governing body should steer the organizational strategy by means of: targets, key performance indicators (KPIs) and associated incentives, including financial remuneration (see 6.4.3); § 6.3.3.2.2 ¶ 2 i)] | Human Resources Management | Preventive | |
Establish, implement, and maintain an occupational health and safety management system. CC ID 16201 | Business Processes | Preventive | |
Establish, implement, and maintain an occupational health and safety policy. CC ID 00716 [The governing body should provide direction for, and have sufficient oversight of, the use of data and its supporting information technology to ensure the organization remains within its established risk appetite and organizational risk framework. This can include: ensuring that human behaviour is considered when applying information technology, including safety, fit for purpose and alignment with the organizational purpose; § 6.8.3.4 ¶ 2 e)] | Establish/Maintain Documentation | Preventive | |
Involve interested personnel and affected parties in occupational health and safety management system processes. CC ID 16274 | Business Processes | Preventive | |
Disseminate and communicate the occupational health and safety policy to interested personnel and affected parties. CC ID 16270 | Communicate | Preventive | |
Include a commitment to continuous improvement in the occupational health and safety policy. CC ID 16267 | Establish/Maintain Documentation | Preventive | |
Include risks and opportunities in the occupational health and safety policy. CC ID 16287 | Establish/Maintain Documentation | Preventive | |
Include management commitment in the occupational health and safety policy. CC ID 16264 | Behavior | Preventive | |
Include occupational health and safety objectives in the occupational health and safety policy. CC ID 16262 | Establish/Maintain Documentation | Preventive | |
Post evacuation plans and evacuation procedures throughout facilities. CC ID 06073 | Establish/Maintain Documentation | Preventive | |
Maintain a 1 to 2 day supply of water and nonperishable food at the facility in case public utilities are interrupted. CC ID 06074 | Physical and Environmental Protection | Preventive | |
Install duress alarms in susceptible public areas. CC ID 06075 | Physical and Environmental Protection | Preventive | |
Require regular vacations for personnel using restricted information or sensitive information. CC ID 06550 | Human Resources Management | Preventive | |
Establish, implement, and maintain health and safety personnel disinfecting procedures. CC ID 06802 | Establish/Maintain Documentation | Preventive | |
Provide protective face masks for critical personnel, as necessary. CC ID 06803 | Human Resources Management | Preventive | |
Establish, implement, and maintain food preparation procedures. CC ID 06804 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain food handling procedures. CC ID 11765 | Establish/Maintain Documentation | Preventive | |
Vaccinate critical employees, as necessary. CC ID 06805 | Human Resources Management | Preventive | |
Protect personnel from work-related intimidation. CC ID 07046 | Behavior | Preventive | |
Establish, implement, and maintain a travel program for all personnel. CC ID 10597 | Human Resources Management | Preventive | |
Establish, implement, and maintain a process to identify any potential health hazards, environmental hazards, or safety hazards, that could affect personnel while traveling internationally. CC ID 06076 | Human Resources Management | Preventive | |
Refrain from using gifted mobile devices. CC ID 16460 | Acquisition/Sale of Assets or Services | Preventive | |
Refrain from loaning mobile devices to unauthorized personnel. CC ID 15218 | Business Processes | Preventive | |
Issue devices with secure configurations to individuals traveling to locations deemed to be of risk. CC ID 10598 | Configuration | Preventive | |
Scan devices for malicious code when an individual returns from locations deemed to be of risk. CC ID 10599 | Process or Activity | Detective | |
Establish, implement, and maintain a conflict of interest policy. CC ID 14785 [The governing body should make decisions of requisite quality and ensure that its decision-making is appropriately informed. The governing body should: consider its level of independence and the effect this level has on its decision-making, including financial interests, position, associations, relationships, bias and alliances; § 6.8.3.2.1 ¶ 1 c) The governing body should make decisions of requisite quality and ensure that its decision-making is appropriately informed. The governing body should: carefully address conflicts of interest when making decisions; § 6.8.3.2.1 ¶ 1 d) Disclose actual, potential or perceived conflicts of interest at the earliest opportunity and manage such conflicts appropriately. Table 2 Column 2 Row 2 Bullet 2] | Establish/Maintain Documentation | Preventive | |
Include definitions of conflicts of interest in the conflict of interest policy. CC ID 14792 | Establish/Maintain Documentation | Preventive | |
Submit a conflict of interest declaration to interested personnel and affected parties. CC ID 16194 | Communicate | Preventive | |
Include roles and responsibilities in the conflict of interest policy. CC ID 14790 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain a Code of Conduct. CC ID 04897 [Ethical leadership results in an organizational context and culture that: contributes to the prevention of misconduct; § 6.7.3.3 ¶ 3 Bullet 3 Act in good faith and in the best interest of the organization. Table 2 Column 2 Row 2 Bullet 1 {be ethical} Act ethically and in a compliant manner. Table 2 Column 2 Row 2 Bullet 3 Ethical behaviour — The organization behaves in accordance with accepted principles of right or good conduct in the context of a particular situation and in a manner consistent with international norms of behaviour, including demonstrating: § 5 ¶ 2 c) Ethical leadership results in an organizational context and culture that: provides competitive differentiation for stakeholders by providing clarity against which evaluators can assess the organization's behaviour, decisions and activities; § 6.7.3.3 ¶ 3 Bullet 4 The governing body should steer the organizational strategy by means of: monitoring and responding to the behaviour, decisions and activities of the organization, e.g. values-driven behaviours pertaining to sustainability; § 6.3.3.2.2 ¶ 2 b)] | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain a code of conduct for financial recommendations. CC ID 16649 | Establish/Maintain Documentation | Preventive | |
Include anti-coercion requirements and anti-tying requirements in the Code of Conduct. CC ID 16720 | Establish/Maintain Documentation | Preventive | |
Include limitations on referrals for products and services in the Code of Conduct. CC ID 16719 | Behavior | Preventive | |
Include classifications of ethics violations in the Code of Conduct. CC ID 14769 | Establish/Maintain Documentation | Preventive | |
Include definitions of ethics violations in the Code of Conduct. CC ID 14768 | Establish/Maintain Documentation | Preventive | |
Include exercising due professional care in the Code of Conduct. CC ID 14210 [Act with due care, skill, diligence and loyalty, and take reasonable steps to become informed about particular matters for decision-making. Table 2 Column 2 Row 3 Bullet 2 {hold accountable}{individual} The governing body should hold to account those to whom it has delegated (see 4.2.2). The governing body should ask questions, exercise its judgement, implement consequences, affect improvements and ensure that is equipped to do so. When doing so, the governing body should practise integrity, fairness and transparency. § 6.5.3.3 ¶ 1] | Establish/Maintain Documentation | Preventive | |
Include health and safety provisions in the Code of Conduct. CC ID 16206 | Establish/Maintain Documentation | Preventive | |
Include organizational values in the Code of Conduct. CC ID 12919 [Within the organization: The governing body should ensure that the organization conducts itself in a manner consistent with its organizational values. § 6.7.3.3 ¶ 1 b) Laws and rules provide the minimum set of organizational values against which behaviour is assessed. Other organizational values (see 6.1) are provided in collectively agreed documents such as a code of conduct, code of ethics or standards of behaviour. The following are examples of the leadership values to which governing bodies, and the individuals comprising them, are held: § 6.7.3.3 ¶ 2 Having defined the organizational values, the governing body should ensure that these organizational values are being demonstrated and are an active part of decision-making. The governing body should use these organizational values to determine the manner in which the organizational purpose is to be pursued and the value generation objectives are to be achieved (see 6.2). The governing body remains responsible for ensuring that the organizational values are monitored and reviewed, and should assess whether the organizational values remain aligned to, and support, the organizational purpose. The effectiveness of the organizational values will be evident in the culture of the organization. § 6.1.3.3 ¶ 2 Furthermore, the governing body, and its members, should demonstrate commitment to the organizational purpose and values by leading the organization to fulfil its organizational purpose and behaving in accordance with the organizational values. § 6.1.3.4 ¶ 3] | Process or Activity | Preventive | |
Include key policies in the Code of Conduct. CC ID 12890 | Establish/Maintain Documentation | Preventive | |
Include responsibilities to the public trust in the Code of Conduct. CC ID 14209 | Establish/Maintain Documentation | Preventive | |
Include the vision statement in the Code of Conduct. CC ID 12889 | Establish/Maintain Documentation | Preventive | |
Include the organization's mission in the Code of Conduct. CC ID 12875 | Establish/Maintain Documentation | Preventive | |
Include classifications of desired conduct in the Code of Conduct. CC ID 12851 | Establish/Maintain Documentation | Preventive | |
Include the information security responsibilities of the organization and the individual in the Terms and Conditions of employment. CC ID 12029 | Human Resources Management | Preventive | |
Include environmental responsibility criteria in the Code of Conduct. CC ID 16209 | Establish/Maintain Documentation | Preventive | |
Include social responsibility criteria in the Code of Conduct. CC ID 16210 | Establish/Maintain Documentation | Preventive | |
Include that Information Security responsibilities extend outside normal business hours and organizational facilities in the Terms and Conditions of employment. CC ID 04580 | Establish/Maintain Documentation | Preventive | |
Include labor rights criteria in the Code of Conduct. CC ID 16208 | Establish/Maintain Documentation | Preventive | |
Include the employee's legal responsibilities and rights in the Terms and Conditions of employment. CC ID 15701 | Establish/Maintain Documentation | Preventive | |
Implement a sanctions process for personnel who fail to comply with the organizational compliance program. CC ID 01442 [{be ethical}{be effective} Where dilemmas turn into conflicts or disputes, alternative dispute resolution mechanisms should be considered over formal litigation where possible. Disputes should be resolved ethically and effectively. § 6.7.3.4 ¶ 3] | Behavior | Corrective | |
Notify designated personnel when a formal personnel sanctions process is initiated. CC ID 10632 | Communicate | Preventive | |
Include the legal intellectual property responsibilities in the Code of Conduct. CC ID 04898 | Establish/Maintain Documentation | Detective | |
Include definitions of desirable conduct in the Code of Conduct. CC ID 12846 | Establish/Maintain Documentation | Preventive | |
Include notification procedures for allegations of undesirable conduct in the Code of Conduct. CC ID 12855 | Establish/Maintain Documentation | Preventive | |
Include procedures to identify positive outcomes in the Code of Conduct. CC ID 12854 | Establish/Maintain Documentation | Preventive | |
Take disciplinary actions against individuals who violate the Code of Conduct. CC ID 06435 | Behavior | Preventive | |
Require personnel to sign the Code of Conduct as a part of the Terms and Conditions of employment. CC ID 06664 | Establish/Maintain Documentation | Preventive | |
Require all personnel to re-sign the Code of Conduct, as necessary. CC ID 06666 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain performance reviews. CC ID 14777 [The governing body should oversee organizational performance by assessing and taking corrective action based on: managerial reporting and performance, ensuring that it appraises results against applicable measurement criteria and its intentions and expectations (see 6.3.3); § 6.4.3.2 ¶ 1 b) The governing body should oversee organizational performance by assessing and taking corrective action based on: resource allocations, capacity and capabilities (including people and their development) ensuring that the organization is enabled to meet its organizational purpose, value generation objectives and strategic outcomes; § 6.4.3.2 ¶ 1 g)] | Business Processes | Detective | |
Include the information security responsibilities of employees in their performance objectives. CC ID 15700 | Human Resources Management | Preventive | |
Include information security responsibilities in performance reviews. CC ID 15697 | Establish/Maintain Documentation | Preventive | |
Conduct performance reviews for the board of directors and board committees, as necessary. CC ID 14783 | Human Resources Management | Detective | |
Take appropriate actions after performance reviews of board members, as necessary. CC ID 14799 | Human Resources Management | Preventive | |
Conduct staff performance reviews, as necessary. CC ID 07205 [{individual}The governing body should steer the organizational strategy by means of: monitoring, evaluating and developing the capacities and competencies of those to whom the governing body has delegated; § 6.3.3.2.2 ¶ 2 g)] | Business Processes | Detective | |
Analyze the documentation produced by staff during the performance review. CC ID 07207 | Establish/Maintain Documentation | Detective | |
Establish, implement, and maintain an ethics program. CC ID 11496 [When defining the organizational values, the governing body should ensure that: it is clear what ethical behaviour is expected as a result of the organizational values; § 6.1.3.3 ¶ 1 b) Defining the organizational purpose involves identifying the issues and stakeholders for which the organization exists to serve and the negative impacts that are to be avoided. When identifying these, the governing body should ensure that the following are considered: the historic, current and aspirational core identity of the organization, including the organizational values and expected ethical behaviour; § 6.1.3.2 ¶ 1 b) The governing body should ensure ethical leadership across all areas. § 6.7.3.3 ¶ 1] | Human Resources Management | Preventive | |
Include communication protocols for interested personnel and affected parties in the ethics program. CC ID 12858 [Disclose actual, potential or perceived conflicts of interest at the earliest opportunity and manage such conflicts appropriately. Table 2 Column 2 Row 2 Bullet 2] | Communicate | Preventive | |
Establish, implement, and maintain ethical decision-making guidelines. CC ID 12908 [Ethical behaviour — The organization behaves in accordance with accepted principles of right or good conduct in the context of a particular situation and in a manner consistent with international norms of behaviour, including demonstrating: competence and probity in the manner in which it makes decisions. § 5 ¶ 2 c) 5)] | Behavior | Preventive | |
Establish, implement, and maintain investigation procedures addressing ethics complaints. CC ID 12900 | Investigate | Preventive | |
Establish, implement, and maintain an ethical culture. CC ID 12781 [Ethical behaviour — The organization behaves in accordance with accepted principles of right or good conduct in the context of a particular situation and in a manner consistent with international norms of behaviour, including demonstrating: an ethical culture; § 5 ¶ 2 c) 1) Ethical behaviour — The organization behaves in accordance with accepted principles of right or good conduct in the context of a particular situation and in a manner consistent with international norms of behaviour, including demonstrating: fairness in the treatment of, and engagement with, stakeholders; § 5 ¶ 2 c) 3)] | Behavior | Preventive | |
Analyze the organizational climate regarding support for the expectation of responsible behavior and integrity. CC ID 12873 | Monitor and Evaluate Occurrences | Preventive | |
Analyze the organizational climate regarding the expectation of responsible behavior and integrity. CC ID 12872 [Ethical behaviour — The organization behaves in accordance with accepted principles of right or good conduct in the context of a particular situation and in a manner consistent with international norms of behaviour, including demonstrating: integrity and transparency in fulfilling its obligations, and commitments; § 5 ¶ 2 c) 4) When defining the organizational values, the governing body should ensure that: the expected ethical behaviour can be assessed; § 6.1.3.3 ¶ 1 c)] | Monitor and Evaluate Occurrences | Preventive | |
Refrain from practicing false advertising. CC ID 14253 | Business Processes | Preventive | |
Establish mechanisms for whistleblowers to report compliance violations. CC ID 06806 [To ensure that the organization is acting in a socially responsible way, the governing body should: steer the organization such that its decision-making and activities are consistent with the organizational purpose, organizational values and governance policies, including considering how stakeholders can report a breach in behaviour (e.g. via whistleblowing); § 6.10.3 ¶ 1 f) Assurance processes that inform the governing body independently and accurately include: whistleblowing processes and personnel and customer feedback mechanisms, both formal and informal (see NOTE 3). § 6.4.3.3 ¶ 2 Bullet 5] | Business Processes | Preventive | |
Establish mechanisms to maintain the anonymity of whistleblowers. CC ID 12859 | Communicate | Preventive | |
Establish, implement, and maintain a training program to report compliance violations. CC ID 11835 | Establish/Maintain Documentation | Preventive | |
Refrain from discriminating against employees who refuse or intend to refuse to do something that contravenes requirements. CC ID 13608 | Behavior | Preventive | |
Refrain from discriminating against employees who are whistleblowers. CC ID 13609 | Behavior | Preventive | |
Respond to ethics complaints of ethics violations. CC ID 11497 | Business Processes | Corrective | |
Refrain from discriminating against employees who disclose that their employer or another person has or intends to contravene requirements. CC ID 13607 | Behavior | Preventive | |
Apply legal remedies to any person knowingly partaking in illegal actions. CC ID 11515 | Human Resources Management | Preventive | |
Include prohibiting counterfeiting in the ethics program. CC ID 11517 | Human Resources Management | Preventive | |
Refrain from assigning roles and responsibilities that breach segregation of duties. CC ID 12055 | Human Resources Management | Preventive | |
Refrain from assigning security compliance assessment responsibility for the day-to-day production activities an individual performs. CC ID 12061 | Establish Roles | Preventive | |
Refrain from approving previously performed activities when acting on behalf of the Chief Information Security Officer. CC ID 12060 | Behavior | Preventive | |
Refrain from performing activities with approval responsibility when acting on behalf of the Chief Information Security Officer. CC ID 12059 | Behavior | Preventive | |
Prohibit roles from performing activities that they are assigned the responsibility for approving. CC ID 12052 | Behavior | Preventive | |
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
Mandated - bold Implied - italic Implementation - regular | TYPE | CLASS | |
---|---|---|---|
Leadership and high level objectives CC ID 00597 | IT Impact Zone | IT Impact Zone | |
Establish, implement, and maintain a reporting methodology program. CC ID 02072 [The governing body should: set an expectation of the appropriate quality and quantity of measurement and timeliness of delivery when establishing objectives; § 4.3.2 ¶ 2 c) The governing body should: determine the most appropriate reporting methodologies for the organization, given the expectations of its relevant stakeholders; § 6.5.3.2 ¶ 2 Bullet 1 The governing body should consider the expectations of relevant stakeholder groups whether the organization is obliged to do so (e.g. member stakeholders, regulators) or whether it chooses to do so (e.g. reference stakeholders). The governing body should ensure that: reporting is coherent so that stakeholders can effectively assess the organization's governance arrangements (see 6.5.3). § 6.6.3 ¶ 3 f) To demonstrate accountability, the governing body should ensure that the organization's reports and disclosures: report on historic actions and outcomes, as well as future intentions. § 6.5.3.2 ¶ 1 h) {be complete}{be understandable}{be responsive}{be accurate}{be timely}The governing body should: ensure that reported information and disclosed information are material, complete, understandable, responsive, accurate, balanced and timely; § 6.5.3.2 ¶ 2 Bullet 2] | Business Processes | Preventive | |
Establish, implement, and maintain communication protocols. CC ID 12245 [The governing body should consider the expectations of relevant stakeholder groups whether the organization is obliged to do so (e.g. member stakeholders, regulators) or whether it chooses to do so (e.g. reference stakeholders). The governing body should ensure that: an open and transparent communication culture within the organization is created and maintained to help bridge the gap between diverse stakeholder groups and varying perspectives based on, for example, gender, age, belief systems or cognitive abilities; § 6.6.3 ¶ 3 e) The governing body should ensure that the organization's value generation model (see 6.2): identifies the key resources (e.g. capitals such as human, social and relational, intellectual, the natural environmental, financial and manufactured), structures, processes, relationships, information, decision-making, reporting and other aspects of the organization that allow it to create sustained value for relevant stakeholders; § 6.11.3.2 ¶ 1 a) Assurance processes that inform the governing body independently and accurately include: whistleblowing processes and personnel and customer feedback mechanisms, both formal and informal (see NOTE 3). § 6.4.3.3 ¶ 2 Bullet 5] | Establish/Maintain Documentation | Preventive | |
Use secure communication protocols for telecommunications. CC ID 16458 | Business Processes | Preventive | |
Align the information being disseminated and communicated with the communication requirements according to the organization's communication protocol. CC ID 12419 [{be within}To demonstrate accountability, the governing body should ensure that the organization's reports and disclosures: are transparent but also within the limits of confidentiality; § 6.5.3.2 ¶ 1 f) The governing body should make decisions of requisite quality and ensure that its decision-making is appropriately informed. The governing body should: exercise its right and responsibility to determine and receive the information it requires, including determining the appropriate data collection methods, preparation and timely delivery of information; § 6.8.3.2.1 ¶ 1 f)] | Establish/Maintain Documentation | Preventive | |
Assess the effectiveness of the communication methods used in the communication protocol. CC ID 12691 | Process or Activity | Detective | |
Include external requirements in the organization's communication protocol. CC ID 12418 | Establish/Maintain Documentation | Preventive | |
Include disseminating and communicating events surrounding instances of desirable conduct and undesirable conduct in the communication protocols. CC ID 12824 | Communicate | Preventive | |
Include input from interested personnel and affected parties as a part of the organization's communication protocol. CC ID 12417 [When defining the organizational values, the governing body should ensure that: all relevant stakeholders are engaged; § 6.1.3.3 ¶ 1 a) For accountability to be effective, it relies on effective stakeholder engagement (see 6.6) as this is the basis for effective dialogue, value generation and improvement. The governing body should be available to answer to relevant stakeholders about decisions made and have responses evaluated. Improvements should be applied as the result of feedback from reporting, disclosure and dialogue activities. § 6.5.3.2 ¶ 3 The governing body should ensure that the organization's stakeholders are appropriately engaged and their expectations considered. § 6.6.1 ¶ 1 The governing body should ensure that the organization's stakeholders are identified, prioritized, appropriately engaged, consulted and their expectations understood. The governing body should do this to ensure that stakeholder relationships are effective and appropriate decisions about expectations are made to achieve the intended value generation objectives. § 6.6.3 ¶ 1 {stakeholder engagement process}To ensure that the organization is acting in a socially responsible way, the governing body should: ensure that the expectations of stakeholders are clearly understood; this includes continually engaging relevant stakeholders through an engagement process and a highly developed approach to accountability (see 6.5); § 6.10.3 ¶ 1 a) To ensure that the organization is acting in a socially responsible way, the governing body should: engage with all relevant stakeholders when establishing and reviewing governance policies; § 6.10.3 ¶ 1 e) The governing body should ensure that the organization's stakeholders are appropriately engaged and their expectations considered. Table 1 Column 4 Row 7 {be responsible}{be accurate}The governing body should ensure that the organizational risk framework, in respect to the management of risk: mandates that relevant stakeholders are engaged responsibly and accurately, and considers the organization's positive and negative risk impacts on them (see 6.6). § 6.9.3.2 ¶ 2 h) The governing body should consider the expectations of relevant stakeholder groups whether the organization is obliged to do so (e.g. member stakeholders, regulators) or whether it chooses to do so (e.g. reference stakeholders). The governing body should ensure that: relevant stakeholders are engaged in achieving the organizational purpose via its organizational strategy; § 6.6.3 ¶ 3 a) To ensure that the organization is acting in a socially responsible way, the governing body should: engage with all relevant stakeholders when determining and reviewing the organizational values and promote the organizational values to stakeholders; § 6.10.3 ¶ 1 d) {environmental system}{social system} The governing body should ensure that the organization protects and restores those systems on which it depends. In this regard, the governing body should consider and manage risk associated with those decisions it makes that can impact the natural environmental, social and economic systems (see 6.9). While doing so, the governing body should ensure that relevant stakeholders are consulted and engaged (see 6.6). This should provide clarity regarding the impact the governing body's decisions have, over time, on those aspects on which the organization is: § 6.11.3.4 ¶ 1] | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain a corrective action plan to address barriers to stakeholder engagement. CC ID 15677 | Process or Activity | Preventive | |
Identify barriers to stakeholder engagement. CC ID 15676 | Process or Activity | Preventive | |
Identify alternative measures for collecting stakeholder input, as necessary. CC ID 15672 | Communicate | Preventive | |
Include disseminating and communicating conditions surrounding instances of desirable conduct and undesirable conduct in the communication protocols. CC ID 12804 | Communicate | Preventive | |
Include methods to obtain information from interested personnel and affected parties about performance variances in the communication protocol. CC ID 12856 | Process or Activity | Preventive | |
Include disseminating and communicating desirable conduct in the communication protocols. CC ID 12803 | Communicate | Preventive | |
Include disseminating and communicating undesirable conduct in communication protocols. CC ID 12802 | Communicate | Preventive | |
Route notifications, as necessary. CC ID 12832 | Process or Activity | Preventive | |
Substantiate notifications, as necessary. CC ID 12831 | Process or Activity | Preventive | |
Analyze the flow of information to ensure it is being received by the correct processes. CC ID 12860 [The governing body should make decisions of requisite quality and ensure that its decision-making is appropriately informed. The governing body should: exercise its right and responsibility to determine and receive the information it requires, including determining the appropriate data collection methods, preparation and timely delivery of information; § 6.8.3.2.1 ¶ 1 f)] | Business Processes | Preventive | |
Prioritize notifications, as necessary. CC ID 12830 | Process or Activity | Preventive | |
Report to management and stakeholders on the findings and information gathered from all types of inquiries. CC ID 12797 [{be appropriate}When delegating, the governing body should delegate in a manner which increases trust and transparency. For delegation and accountability (see 6.5) to be effective, the governing body should ensure that the following conditions are fulfilled: outputs, outcomes and the processes to achieve the responsibilities are periodically reported and presented with evidence that actions taken are reasonable and appropriate; § 4.2.2 ¶ 2 d) The governing body should: report on the process and outcomes of assessments to relevant stakeholders (see 6.5.3). § 4.3.2 ¶ 2 e) Ethical behaviour — The organization behaves in accordance with accepted principles of right or good conduct in the context of a particular situation and in a manner consistent with international norms of behaviour, including demonstrating: accountability through accurate and timely reporting on its performance and stewardship of resources; § 5 ¶ 2 c) 2) To demonstrate accountability, the governing body should ensure that the organization's reports and disclosures: provide information about the organization, including: § 6.5.3.2 ¶ 1 c) The governing body should demonstrate accountability by retaining and distributing value in a transparent manner and reporting on the associated processes, decisions and results, including on the extent of the organization's impacts over time. This includes disclosing to relevant stakeholders where the organization has destroyed or compromised value, providing a justification for such where appropriate, and describing how it will redress or reinstate that value. § 6.2.3.5 ¶ 2] | Actionable Reports or Measurements | Preventive | |
Disseminate and communicate internal controls with supply chain members. CC ID 12416 | Communicate | Preventive | |
Establish and maintain the organization's survey method. CC ID 12869 | Process or Activity | Preventive | |
Document the findings from surveys. CC ID 16309 | Establish/Maintain Documentation | Preventive | |
Provide a consolidated view of information in the organization's survey method. CC ID 12894 | Process or Activity | Preventive | |
Establish, implement, and maintain warning procedures that follow the organization's communication protocol. CC ID 12407 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain alert procedures that follow the organization's communication protocol. CC ID 12406 | Establish/Maintain Documentation | Preventive | |
Include the capturing and alerting of compliance violations in the notification system. CC ID 12962 | Monitor and Evaluate Occurrences | Preventive | |
Include the capturing and alerting of unethical conduct in the notification system. CC ID 12932 | Monitor and Evaluate Occurrences | Preventive | |
Include the capturing and alerting of performance variances in the notification system. CC ID 12929 | Monitor and Evaluate Occurrences | Preventive | |
Include the capturing and alerting of weaknesses in the notification system. CC ID 12928 | Monitor and Evaluate Occurrences | Preventive | |
Include the capturing and alerting of account activity in the notification system. CC ID 15314 | Monitor and Evaluate Occurrences | Preventive | |
Establish, implement, and maintain an internal reporting program. CC ID 12409 [{individual}To exercise effective oversight, the governing body should: require those to whom they have delegated to provide timely and accurate reports on all material aspects of the management of the organization; § 6.4.3.1 ¶ 1 a) The governing body should oversee organizational performance by assessing and taking corrective action based on: managerial reporting and performance, ensuring that it appraises results against applicable measurement criteria and its intentions and expectations (see 6.3.3); § 6.4.3.2 ¶ 1 b) The governing body should make decisions of requisite quality and ensure that its decision-making is appropriately informed. The governing body should: exercise its right and responsibility to determine and receive the information it requires, including determining the appropriate data collection methods, preparation and timely delivery of information; § 6.8.3.2.1 ¶ 1 f)] | Business Processes | Preventive | |
Include transactions and events as a part of internal reporting. CC ID 12413 | Business Processes | Preventive | |
Disseminate and communicate management's choices for managing the organization as a part of internal reporting. CC ID 12412 [To demonstrate accountability, the governing body should ensure that the organization's reports and disclosures: provide information about the governing body itself, including: the fulfilment of its responsibilities, including the consequences of not fulfilling its obligations; § 6.5.3.2 ¶ 1 b) 2) To demonstrate accountability, the governing body should ensure that the organization's reports and disclosures: provide information about the organization, including: the way in which the organization's performance was achieved and whether this performance was reasonable given the organization's changing context governance policies, including organizational values; § 6.5.3.2 ¶ 1 c) 2) To demonstrate accountability, the governing body should ensure that the organization's reports and disclosures: explain and justify the organization's actions, inactions, omissions, risk and dependencies, including those of the governing body; § 6.5.3.2 ¶ 1 g) To demonstrate accountability, the governing body should ensure that the organization's reports and disclosures: provide information about the governing body itself, including: decisions, actions, performance and improvements; § 6.5.3.2 ¶ 1 b) 1)] | Communicate | Preventive | |
Enforce a precision level for non-financial reporting based on user need and appropriate supply chain criteria. CC ID 12399 | Establish/Maintain Documentation | Preventive | |
Define the thresholds for escalation in the internal reporting program. CC ID 14332 | Establish/Maintain Documentation | Preventive | |
Define the thresholds for reporting in the internal reporting program. CC ID 14331 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain an external reporting program. CC ID 12876 | Communicate | Preventive | |
Provide identifying information about the organization to the responsible party. CC ID 16715 | Communicate | Preventive | |
Identify the material topics required to be reported on. CC ID 15654 | Business Processes | Preventive | |
Check the list of material topics for completeness. CC ID 15692 | Investigate | Preventive | |
Prioritize material topics used in reporting. CC ID 15678 | Communicate | Preventive | |
Review and approve the material topics, as necessary. CC ID 15670 | Process or Activity | Preventive | |
Define the thresholds for reporting in the external reporting program. CC ID 15679 | Establish/Maintain Documentation | Preventive | |
Include time requirements in the external reporting program. CC ID 16566 | Communicate | Preventive | |
Include information about the organizational culture in the external reporting program. CC ID 15610 [To demonstrate accountability, the governing body should ensure that the organization's reports and disclosures: provide information about the organization, including: the organizational culture, including the organizational behaviour and perceptions of the organization's behaviour provided by relevant stakeholders; § 6.5.3.2 ¶ 1 c) 5)] | Establish/Maintain Documentation | Preventive | |
Include reporting to governing bodies in the external reporting plan. CC ID 12923 | Communicate | Preventive | |
Submit confidential treatment applications to interested personnel and affected parties. CC ID 16592 | Communicate | Preventive | |
Include the reasons for objections to public disclosure in confidential treatment applications. CC ID 16594 | Establish/Maintain Documentation | Preventive | |
Include contact information for the interested personnel and affected parties the report was filed with in the confidential treatment application. CC ID 16595 | Establish/Maintain Documentation | Preventive | |
Include the information that was omitted in the confidential treatment application. CC ID 16593 | Establish/Maintain Documentation | Preventive | |
Analyze organizational objectives, functions, and activities. CC ID 00598 [When applying the governance principles and deciding how to appropriately implement the practices, the governing body should take into consideration the unique and dynamic nature of the organization and its context, including the following: characteristics of the organization such as organizational type, structure, size, interdependencies, complexity, culture and its expected future progression; § 5 ¶ 5 Bullet 4 Defining the organizational purpose involves identifying the issues and stakeholders for which the organization exists to serve and the negative impacts that are to be avoided. When identifying these, the governing body should ensure that the following are considered: the historic, current and aspirational core identity of the organization, including the organizational values and expected ethical behaviour; § 6.1.3.2 ¶ 1 b)] | Monitor and Evaluate Occurrences | Preventive | |
Develop instructions for setting organizational objectives and strategies. CC ID 12931 | Establish/Maintain Documentation | Preventive | |
Analyze the business environment in which the organization operates. CC ID 12798 [When applying the governance principles and deciding how to appropriately implement the practices, the governing body should take into consideration the unique and dynamic nature of the organization and its context, including the following: § 5 ¶ 5 Defining the organizational purpose involves identifying the issues and stakeholders for which the organization exists to serve and the negative impacts that are to be avoided. When identifying these, the governing body should ensure that the following are considered: existing documentation relating to the organizational purpose and the scope of the organization's activities, such as constituting documents or other artefacts; § 6.1.3.2 ¶ 1 a) Take steps to become appropriately informed of all aspects of the organization and the context within which it operates (such as legal, natural environment, social, economic, technical and personnel). Table 2 Column 2 Row 3 Bullet 1] | Business Processes | Preventive | |
Identify the internal factors that may affect organizational objectives. CC ID 12957 | Process or Activity | Preventive | |
Include key processes in the analysis of the internal business environment. CC ID 12947 | Process or Activity | Preventive | |
Include existing information in the analysis of the internal business environment. CC ID 12943 | Process or Activity | Preventive | |
Include resources in the analysis of the internal business environment. CC ID 12942 [{internal context}When setting the strategic outcomes and guiding the organizational strategy, the governing body should consider the organization's internal and external context, including: the organization's need for, and access to, resources, including financial resources; § 6.3.3.1.1 ¶ 2 f)] | Process or Activity | Preventive | |
Include the operating plan in the analysis of the internal business environment. CC ID 12941 | Process or Activity | Preventive | |
Include incentives in the analysis of the internal business environment. CC ID 12940 | Process or Activity | Preventive | |
Include organizational structures in the analysis of the internal business environment. CC ID 12939 | Process or Activity | Preventive | |
Include the strategic plan in the analysis of the internal business environment. CC ID 12937 [When applying the governance principles and deciding how to appropriately implement the practices, the governing body should take into consideration the unique and dynamic nature of the organization and its context, including the following: value generation model and organizational strategy; § 5 ¶ 5 Bullet 5] | Process or Activity | Preventive | |
Include strengths and weaknesses in the analysis of the internal business environment. CC ID 12936 [Defining the organizational purpose involves identifying the issues and stakeholders for which the organization exists to serve and the negative impacts that are to be avoided. When identifying these, the governing body should ensure that the following are considered: organizational capabilities and opportunities. § 6.1.3.2 ¶ 1 e) {internal context}When setting the strategic outcomes and guiding the organizational strategy, the governing body should consider the organization's internal and external context, including: the organization's strengths, weaknesses, competitive positioning and operational resilience; § 6.3.3.1.1 ¶ 2 i)] | Process or Activity | Preventive | |
Align assets with business functions and the business environment. CC ID 13681 | Business Processes | Preventive | |
Disseminate and communicate the organization's business environment and place in its industry sector. CC ID 13200 | Communicate | Preventive | |
Monitor for changes which affect organizational strategies in the internal business environment. CC ID 12863 | Monitor and Evaluate Occurrences | Preventive | |
Monitor for changes which affect organizational objectives in the internal business environment. CC ID 12862 [{external context}The governing body should ensure that the organizational risk framework, in respect to the management of risk: considers the impact of, changes to and dependencies on the external and internal context of the organization, including: § 6.9.3.2 ¶ 2 d)] | Monitor and Evaluate Occurrences | Preventive | |
Analyze the external environment in which the organization operates. CC ID 12799 [Responsible stewardship — The organization: considers the global context; § 5 ¶ 2 b) 3) {social context}{internal context}When setting the strategic outcomes and guiding the organizational strategy, the governing body should consider the organization's internal and external context, including: the interdependence between the natural environment, social and economic context – the organization's material impact on the context and its material impact on the organization; § 6.3.3.1.1 ¶ 2 e)] | Business Processes | Preventive | |
Identify the external forces that may affect organizational objectives. CC ID 12960 [The governing body should ensure that the organization's value generation model identifies and assesses (see 6.2): the relevant external systems on which the organization depends; § 6.11.3.3 ¶ 1 a)] | Process or Activity | Preventive | |
Monitor for changes which affect organizational strategies in the external environment. CC ID 12880 | Monitor and Evaluate Occurrences | Preventive | |
Include environmental requirements in the analysis of the external environment. CC ID 12965 [While not defined as stakeholders, the natural environment and society as a whole should also be considered by the governing body in its decision-making because they affect or will be affected by the organization's activities. § 4.2.5 ¶ 2 {legal and regulatory context}{social context}When applying the governance principles and deciding how to appropriately implement the practices, the governing body should take into consideration the unique and dynamic nature of the organization and its context, including the following: legal, regulatory, natural environment, social and economic context; § 5 ¶ 5 Bullet 2 {social issue} In determining the value generation model, the governing body should understand the context in which the organization operates over time, including stakeholder expectations, regulatory frameworks, technological change, and the present and potential future natural environment, social and economic issues. The governing body should also ensure that the organization's value generation model continues to be viable and responds to changing conditions. § 6.2.3.1 ¶ 3] | Business Processes | Preventive | |
Monitor for changes which affect organizational objectives in the external environment. CC ID 12879 [{external context}The governing body should ensure that the organizational risk framework, in respect to the management of risk: considers the impact of, changes to and dependencies on the external and internal context of the organization, including: § 6.9.3.2 ¶ 2 d)] | Monitor and Evaluate Occurrences | Preventive | |
Include regulatory requirements in the analysis of the external environment. CC ID 12964 [{legal and regulatory context}{social context}When applying the governance principles and deciding how to appropriately implement the practices, the governing body should take into consideration the unique and dynamic nature of the organization and its context, including the following: legal, regulatory, natural environment, social and economic context; § 5 ¶ 5 Bullet 2 {social issue} In determining the value generation model, the governing body should understand the context in which the organization operates over time, including stakeholder expectations, regulatory frameworks, technological change, and the present and potential future natural environment, social and economic issues. The governing body should also ensure that the organization's value generation model continues to be viable and responds to changing conditions. § 6.2.3.1 ¶ 3] | Business Processes | Preventive | |
Include society in the analysis of the external environment. CC ID 12963 [While not defined as stakeholders, the natural environment and society as a whole should also be considered by the governing body in its decision-making because they affect or will be affected by the organization's activities. § 4.2.5 ¶ 2 {legal and regulatory context}{social context}When applying the governance principles and deciding how to appropriately implement the practices, the governing body should take into consideration the unique and dynamic nature of the organization and its context, including the following: legal, regulatory, natural environment, social and economic context; § 5 ¶ 5 Bullet 2 {social issue} In determining the value generation model, the governing body should understand the context in which the organization operates over time, including stakeholder expectations, regulatory frameworks, technological change, and the present and potential future natural environment, social and economic issues. The governing body should also ensure that the organization's value generation model continues to be viable and responds to changing conditions. § 6.2.3.1 ¶ 3] | Business Processes | Preventive | |
Include opportunities in the analysis of the external environment. CC ID 12954 | Business Processes | Preventive | |
Include third party relationships in the analysis of the external environment. CC ID 12952 | Business Processes | Preventive | |
Include industry forces in the analysis of the external environment. CC ID 12904 [{internal context}When setting the strategic outcomes and guiding the organizational strategy, the governing body should consider the organization's internal and external context, including: the organization's strengths, weaknesses, competitive positioning and operational resilience; § 6.3.3.1.1 ¶ 2 i)] | Business Processes | Preventive | |
Include threats in the analysis of the external environment. CC ID 12898 [Defining the organizational purpose involves identifying the issues and stakeholders for which the organization exists to serve and the negative impacts that are to be avoided. When identifying these, the governing body should ensure that the following are considered: important issues including global threats that evolve over time (e.g. climate change); § 6.1.3.2 ¶ 1 c)] | Business Processes | Preventive | |
Include geopolitics in the analysis of the external environment. CC ID 12897 | Business Processes | Preventive | |
Include legal requirements in the analysis of the external environment. CC ID 12896 | Business Processes | Preventive | |
Include technology in the analysis of the external environment. CC ID 12837 [{social issue} In determining the value generation model, the governing body should understand the context in which the organization operates over time, including stakeholder expectations, regulatory frameworks, technological change, and the present and potential future natural environment, social and economic issues. The governing body should also ensure that the organization's value generation model continues to be viable and responds to changing conditions. § 6.2.3.1 ¶ 3] | Business Processes | Preventive | |
Include analyzing the market in the analysis of the external environment. CC ID 12836 [{legal and regulatory context}{social context}When applying the governance principles and deciding how to appropriately implement the practices, the governing body should take into consideration the unique and dynamic nature of the organization and its context, including the following: legal, regulatory, natural environment, social and economic context; § 5 ¶ 5 Bullet 2 {social issue} In determining the value generation model, the governing body should understand the context in which the organization operates over time, including stakeholder expectations, regulatory frameworks, technological change, and the present and potential future natural environment, social and economic issues. The governing body should also ensure that the organization's value generation model continues to be viable and responds to changing conditions. § 6.2.3.1 ¶ 3] | Business Processes | Preventive | |
Conduct a context analysis to define objectives and strategies. CC ID 12864 [Leadership styles can differ, but they all involve the setting of expectations which others follow. Since the governing body is accountable for the whole organization, including its behaviour, decisions and activities, the governing body should set those expectations it requires the organization to follow, including the parameters within which the organization is to do so. These expectations should be set mindfully and intentionally, considering the context within which the organization operates. § 6.7.3.1 ¶ 1 {internal context} When setting the strategic outcomes and guiding the organizational strategy, the governing body should consider the organization's internal and external context, including: § 6.3.3.1.1 ¶ 2 {social issue} In determining the value generation model, the governing body should understand the context in which the organization operates over time, including stakeholder expectations, regulatory frameworks, technological change, and the present and potential future natural environment, social and economic issues. The governing body should also ensure that the organization's value generation model continues to be viable and responds to changing conditions. § 6.2.3.1 ¶ 3] | Business Processes | Preventive | |
Establish, implement, and maintain organizational objectives. CC ID 09959 [Leadership styles can differ, but they all involve the setting of expectations which others follow. Since the governing body is accountable for the whole organization, including its behaviour, decisions and activities, the governing body should set those expectations it requires the organization to follow, including the parameters within which the organization is to do so. These expectations should be set mindfully and intentionally, considering the context within which the organization operates. § 6.7.3.1 ¶ 1 Within the organization: The organization should fulfil the expectations set by the governing body. § 6.7.3.2 ¶ 1 b) {social context} The governing body should define the organization's value generation objectives such that they fulfil the organizational purpose in accordance with the organizational values and the natural environment, social and economic context within which it operates. This should include iterations of identifying relevant stakeholder groups and determining, prioritizing and formulating objectives which meet the expectations of these groups. § 6.2.3.2 ¶ 1 The governing body should provide the organization with an understanding of its intentions by setting clear strategic outcomes and guidance on the organizational strategy to achieve these outcomes, which it has determined will fulfil the organizational purpose and value generation objectives. § 6.3.3.1.1 ¶ 1 Within the governing body: The governing body should set expectations for itself and the organization, including parameters within which these expectations are to be fulfilled. The governing body should fulfil these expectations (internal alignment). § 6.7.3.2 ¶ 1 a)] | Establish/Maintain Documentation | Preventive | |
Evaluate organizational objectives to determine impact on other organizational objectives. CC ID 12814 | Process or Activity | Preventive | |
Identify events that may affect organizational objectives. CC ID 12961 | Process or Activity | Preventive | |
Identify conditions that may affect organizational objectives. CC ID 12958 [{external context}The governing body should ensure that the organizational risk framework, in respect to the management of risk: considers the impact of, changes to and dependencies on the external and internal context of the organization, including: intended strategic outcomes; § 6.9.3.2 ¶ 2 d) 6)] | Process or Activity | Preventive | |
Identify requirements that could affect achieving organizational objectives. CC ID 12828 [When applying the governance principles and deciding how to appropriately implement the practices, the governing body should take into consideration the unique and dynamic nature of the organization and its context, including the following: commitments and obligations associated with organizational activities and value generation processes; § 5 ¶ 5 Bullet 6] | Business Processes | Preventive | |
Identify opportunities that could affect achieving organizational objectives. CC ID 12826 [New technology brings an increase in the volume and value of data, and a responsibility for governing bodies to ensure that: valuable opportunities are leveraged; § 6.8.3.4 ¶ 1 Bullet 2 To ensure that the organization is acting in a socially responsible way, the governing body should: ensure that issues and opportunities affecting stakeholder expectations are identified and articulated (see 6.9); § 6.10.3 ¶ 1 b) Defining the organizational purpose involves identifying the issues and stakeholders for which the organization exists to serve and the negative impacts that are to be avoided. When identifying these, the governing body should ensure that the following are considered: organizational capabilities and opportunities. § 6.1.3.2 ¶ 1 e) {internal context}When setting the strategic outcomes and guiding the organizational strategy, the governing body should consider the organization's internal and external context, including: potential opportunities for innovation. § 6.3.3.1.1 ¶ 2 k) Defining the organizational purpose involves identifying the issues and stakeholders for which the organization exists to serve and the negative impacts that are to be avoided. When identifying these, the governing body should ensure that the following are considered: § 6.1.3.2 ¶ 1 Defining the organizational purpose involves identifying the issues and stakeholders for which the organization exists to serve and the negative impacts that are to be avoided. When identifying these, the governing body should ensure that the following are considered: important issues including global threats that evolve over time (e.g. climate change); § 6.1.3.2 ¶ 1 c)] | Business Processes | Preventive | |
Prioritize organizational objectives. CC ID 09960 [{social context} The governing body should define the organization's value generation objectives such that they fulfil the organizational purpose in accordance with the organizational values and the natural environment, social and economic context within which it operates. This should include iterations of identifying relevant stakeholder groups and determining, prioritizing and formulating objectives which meet the expectations of these groups. § 6.2.3.2 ¶ 1] | Business Processes | Preventive | |
Select financial reporting objectives consistent with accounting principles available to the organization. CC ID 12400 | Business Processes | Preventive | |
Establish, implement, and maintain a value generation model. CC ID 15591 [When applying the governance principles and deciding how to appropriately implement the practices, the governing body should take into consideration the unique and dynamic nature of the organization and its context, including the following: value generation model and organizational strategy; § 5 ¶ 5 Bullet 5 {external context}The governing body should ensure that the organizational risk framework, in respect to the management of risk: considers the impact of, changes to and dependencies on the external and internal context of the organization, including: the value generation model; § 6.9.3.2 ¶ 2 d) 5) The governing body should ensure that an overarching value generation model is determined for the organization and is appropriately communicated. § 6.2.3.1 ¶ 1 {internal context}When setting the strategic outcomes and guiding the organizational strategy, the governing body should consider the organization's internal and external context, including: the organizational purpose, the application of the organizational values and the organization's value generation model; § 6.3.3.1.1 ¶ 2 a) Therefore, the governing body should: ensure that interactions and dependencies within the organization's value generation model are articulated in an integrated manner; § 6.11.3.1 ¶ 2 a) {social issue} In determining the value generation model, the governing body should understand the context in which the organization operates over time, including stakeholder expectations, regulatory frameworks, technological change, and the present and potential future natural environment, social and economic issues. The governing body should also ensure that the organization's value generation model continues to be viable and responds to changing conditions. § 6.2.3.1 ¶ 3 The governing body should ensure that the organization's value generation model (see 6.2): describes how the organization's key structures, processes, relationships, information, decision-making, reporting and other aspects inter-relate and are used to generate value over time. § 6.11.3.2 ¶ 1 b)] | Establish/Maintain Documentation | Preventive | |
Disseminate and communicate the value generation model to all interested personnel and affected parties. CC ID 15607 [The governing body should ensure that an overarching value generation model is determined for the organization and is appropriately communicated. § 6.2.3.1 ¶ 1 To demonstrate accountability, the governing body should ensure that the organization's reports and disclosures: describe the organizational purpose, organizational values, value generation model, organizational strategy and associated governance policies; § 6.5.3.2 ¶ 1 a)] | Communicate | Preventive | |
Include value distribution in the value generation model. CC ID 15603 [{procedure}This value generation model should clarify: how the value generated is to be retained and distributed (sustain). § 6.2.3.1 ¶ 2 Bullet 4 {be viable} The governing body should ensure that value is retained and distributed in a manner that ensures that the organization is agile, viable over time and achieves its value generation objectives. § 6.2.3.5 ¶ 1 The governing body should demonstrate accountability by retaining and distributing value in a transparent manner and reporting on the associated processes, decisions and results, including on the extent of the organization's impacts over time. This includes disclosing to relevant stakeholders where the organization has destroyed or compromised value, providing a justification for such where appropriate, and describing how it will redress or reinstate that value. § 6.2.3.5 ¶ 2] | Establish/Maintain Documentation | Preventive | |
Include value retention in the value generation model. CC ID 15600 [{procedure}This value generation model should clarify: how the value generated is to be retained and distributed (sustain). § 6.2.3.1 ¶ 2 Bullet 4 {be viable} The governing body should ensure that value is retained and distributed in a manner that ensures that the organization is agile, viable over time and achieves its value generation objectives. § 6.2.3.5 ¶ 1 The governing body should demonstrate accountability by retaining and distributing value in a transparent manner and reporting on the associated processes, decisions and results, including on the extent of the organization's impacts over time. This includes disclosing to relevant stakeholders where the organization has destroyed or compromised value, providing a justification for such where appropriate, and describing how it will redress or reinstate that value. § 6.2.3.5 ¶ 2] | Establish/Maintain Documentation | Preventive | |
Include value generation procedures in the value generation model. CC ID 15599 [{procedure}This value generation model should clarify: how the organization should generate that value (create); § 6.2.3.1 ¶ 2 Bullet 2 The governing body should ensure that the organization's value generation model (see 6.2): identifies the key resources (e.g. capitals such as human, social and relational, intellectual, the natural environmental, financial and manufactured), structures, processes, relationships, information, decision-making, reporting and other aspects of the organization that allow it to create sustained value for relevant stakeholders; § 6.11.3.2 ¶ 1 a) {procedure}This value generation model should clarify: how the generation of value will be assured (deliver); § 6.2.3.1 ¶ 2 Bullet 3] | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain value generation objectives. CC ID 15583 [Effective performance — The organization: generates value for stakeholders; § 5 ¶ 2 a) 3) {member stakeholder}{reference stakeholder}{be fair} The governing body should treat, and ensure that the organization treats, all stakeholders fairly and should consider the expectations of relevant stakeholders. The governing body should ensure that the organizational purpose (see 6.1) and the intended value to be generated (see 6.2) are defined through engagement with member, reference and other relevant stakeholders § 4.2.5 ¶ 1 Governance of organizations is a human-based system by which an organization is directed, overseen and held accountable for achieving its defined organizational purpose. At its core this includes: determining the organization's approach to value generation; § 4.1 ¶ 3 b) {social context}{economic context} The governing body should define the organization's value generation objectives such that they fulfil the organizational purpose in accordance with the organizational values and the natural environment, social, and economic context within which it operates. Table 1 Column 4 Row 3 {social context}{economic context} The governing body should define the organization's value generation objectives such that they fulfil the organizational purpose in accordance with the organizational values and the natural environment, social and economic context within which it operates. § 6.2.1 ¶ 1 This value generation model should clarify: what value the organization is intending to generate (define); § 6.2.3.1 ¶ 2 Bullet 1 {social context} The governing body should define the organization's value generation objectives such that they fulfil the organizational purpose in accordance with the organizational values and the natural environment, social and economic context within which it operates. This should include iterations of identifying relevant stakeholder groups and determining, prioritizing and formulating objectives which meet the expectations of these groups. § 6.2.3.2 ¶ 1 The governing body should ensure that the value generation objectives are delivered by the organization as a whole, by applying all other principles in this document. This includes ensuring that: § 6.2.3.4 ¶ 1 {internal context}When setting the strategic outcomes and guiding the organizational strategy, the governing body should consider the organization's internal and external context, including: the defined value generation objectives; § 6.3.3.1.1 ¶ 2 d) The governing body should actively and dynamically steer the implementation of the organizational strategy, within the defined governance policies, including organizational values, and changing risk context, to fulfil the organizational purpose. The governing body should also steer the strategy so that the generation of value in the present context is balanced with the innovation required to generate value in the future. § 6.3.3.2.2 ¶ 1 The governing body should ensure that the value generation objectives are delivered by the organization as a whole, by applying all other principles in this document. This includes ensuring that: assurance is obtained on the realization of the value generation objectives. § 6.2.3.4 ¶ 1 c)] | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain social responsibility objectives. CC ID 15611 [The governing body should ensure that the organization considers undertaking specific measures to contribute to the wellbeing of society. Philanthropy can have a positive impact on society. However, it should not be used by an organization as a substitute for integrating social responsibility into the organization (see ISO 26000:2010, 3.3.4). § 6.10.3 ¶ 3] | Establish/Maintain Documentation | Preventive | |
Establish and maintain a Mission, Vision, and Values Statement. CC ID 12783 [{be dynamic}{be sensitive}The governing body should ensure that: the organizational purpose remains dynamic and sensitive to the changing context within which the organization operates. § 6.1.3.2 ¶ 2 Bullet 4 When applying the governance principles and deciding how to appropriately implement the practices, the governing body should take into consideration the unique and dynamic nature of the organization and its context, including the following: organizational purpose and organizational values; § 5 ¶ 5 Bullet 1 {external context}The governing body should ensure that the organizational risk framework, in respect to the management of risk: considers the impact of, changes to and dependencies on the external and internal context of the organization, including: the organizational purpose; § 6.9.3.2 ¶ 2 d) 3) {external context}The governing body should ensure that the organizational risk framework, in respect to the management of risk: considers the impact of, changes to and dependencies on the external and internal context of the organization, including: the organizational values; § 6.9.3.2 ¶ 2 d) 4) Governance of organizations is a human-based system by which an organization is directed, overseen and held accountable for achieving its defined organizational purpose. At its core this includes: setting and committing to the organizational purpose and organizational values; § 4.1 ¶ 3 a) Having defined the organizational values, the governing body should ensure that these organizational values are being demonstrated and are an active part of decision-making. The governing body should use these organizational values to determine the manner in which the organizational purpose is to be pursued and the value generation objectives are to be achieved (see 6.2). The governing body remains responsible for ensuring that the organizational values are monitored and reviewed, and should assess whether the organizational values remain aligned to, and support, the organizational purpose. The effectiveness of the organizational values will be evident in the culture of the organization. § 6.1.3.3 ¶ 2 Effective performance — The organization: is true to its purpose; § 5 ¶ 2 a) 1)] | Establish/Maintain Documentation | Preventive | |
Include the vision statement in the Mission, Vision, and Values Statement. CC ID 12839 | Establish/Maintain Documentation | Preventive | |
Include the mission statement in the Mission, Vision, and Values Statement. CC ID 12838 [{member stakeholder}{reference stakeholder}{be fair} The governing body should treat, and ensure that the organization treats, all stakeholders fairly and should consider the expectations of relevant stakeholders. The governing body should ensure that the organizational purpose (see 6.1) and the intended value to be generated (see 6.2) are defined through engagement with member, reference and other relevant stakeholders § 4.2.5 ¶ 1 To ensure that the organization is acting in a socially responsible way, the governing body should: ensure that the organizational purpose expresses the organization's approach to stakeholders; § 6.10.3 ¶ 1 c) The governing body should ensure that: the essence of the organizational purpose is documented in a summary statement to promote effective communication and to assess and determine organization-wide actions and success; § 6.1.3.2 ¶ 2 Bullet 1 The governing body should ensure that the organization's reason for existence is clearly defined as an organizational purpose. This organizational purpose should define the organization's intentions towards the natural environment, society and the organization's stakeholders. The governing body should also ensure that an associated set of organizational values is clearly defined. § 6.1.1 ¶ 1 The governing body should ensure that the organizational purpose and organizational values are defined, communicated and embedded. § 6.1.3.1 ¶ 1 Defining the organizational purpose involves identifying the issues and stakeholders for which the organization exists to serve and the negative impacts that are to be avoided. When identifying these, the governing body should ensure that the following are considered: existing documentation relating to the organizational purpose and the scope of the organization's activities, such as constituting documents or other artefacts; § 6.1.3.2 ¶ 1 a) {internal context}When setting the strategic outcomes and guiding the organizational strategy, the governing body should consider the organization's internal and external context, including: the organizational purpose, the application of the organizational values and the organization's value generation model; § 6.3.3.1.1 ¶ 2 a) The governing body should ensure that the organization's reason for existence is clearly defined as an organizational purpose. This organizational purpose should define the organization's intentions towards the natural environment, society and the organization's stakeholders. The governing body should also ensure that an associated set of organizational values is clearly defined. Table 1 Column 4 Row 2] | Establish/Maintain Documentation | Preventive | |
Include management commitment in the Mission, Vision, and Values Statement. CC ID 12808 | Establish/Maintain Documentation | Preventive | |
Include the value statement in the Mission, Vision, and Values Statement. CC ID 12807 [Defining the organizational purpose involves identifying the issues and stakeholders for which the organization exists to serve and the negative impacts that are to be avoided. When identifying these, the governing body should ensure that the following are considered: the historic, current and aspirational core identity of the organization, including the organizational values and expected ethical behaviour; § 6.1.3.2 ¶ 1 b) The governing body should ensure that the organization's reason for existence is clearly defined as an organizational purpose. This organizational purpose should define the organization's intentions towards the natural environment, society and the organization's stakeholders. The governing body should also ensure that an associated set of organizational values is clearly defined. § 6.1.1 ¶ 1 The governing body should ensure that the organizational purpose and organizational values are defined, communicated and embedded. § 6.1.3.1 ¶ 1 The governing body should ensure that the organization's reason for existence is clearly defined as an organizational purpose. This organizational purpose should define the organization's intentions towards the natural environment, society and the organization's stakeholders. The governing body should also ensure that an associated set of organizational values is clearly defined. Table 1 Column 4 Row 2] | Establish/Maintain Documentation | Preventive | |
Include environmental factors in the Mission, Vision, and Values Statement. CC ID 15590 [The governing body should ensure that the organization's reason for existence is clearly defined as an organizational purpose. This organizational purpose should define the organization's intentions towards the natural environment, society and the organization's stakeholders. The governing body should also ensure that an associated set of organizational values is clearly defined. § 6.1.1 ¶ 1 The governing body should ensure that the organization's reason for existence is clearly defined as an organizational purpose. This organizational purpose should define the organization's intentions towards the natural environment, society and the organization's stakeholders. The governing body should also ensure that an associated set of organizational values is clearly defined. Table 1 Column 4 Row 2] | Establish/Maintain Documentation | Preventive | |
Include societal factors in the Mission, Vision, and Values Statement. CC ID 15605 [The governing body should ensure that the organization's reason for existence is clearly defined as an organizational purpose. This organizational purpose should define the organization's intentions towards the natural environment, society and the organization's stakeholders. The governing body should also ensure that an associated set of organizational values is clearly defined. § 6.1.1 ¶ 1 The governing body should ensure that the organization's reason for existence is clearly defined as an organizational purpose. This organizational purpose should define the organization's intentions towards the natural environment, society and the organization's stakeholders. The governing body should also ensure that an associated set of organizational values is clearly defined. Table 1 Column 4 Row 2] | Establish/Maintain Documentation | Preventive | |
Include stakeholder requirements in the Mission, Vision, and Values Statement. CC ID 15586 [The governing body should ensure that the organization's reason for existence is clearly defined as an organizational purpose. This organizational purpose should define the organization's intentions towards the natural environment, society and the organization's stakeholders. The governing body should also ensure that an associated set of organizational values is clearly defined. § 6.1.1 ¶ 1 The governing body should ensure that the organization's reason for existence is clearly defined as an organizational purpose. This organizational purpose should define the organization's intentions towards the natural environment, society and the organization's stakeholders. The governing body should also ensure that an associated set of organizational values is clearly defined. Table 1 Column 4 Row 2] | Establish/Maintain Documentation | Preventive | |
Disseminate and communicate the Mission, Vision, and Values Statement to all interested personnel and affected parties. CC ID 15585 [The governing body should ensure that the organizational purpose and organizational values and their centrality are effectively communicated throughout the organization and are available to the organization's stakeholders. § 6.1.3.4 ¶ 2 The governing body should ensure that: the organizational purpose is available to all stakeholders and reflected in the constituting documents where possible; § 6.1.3.2 ¶ 2 Bullet 2 The governing body should ensure that the organizational purpose and organizational values are defined, communicated and embedded. § 6.1.3.1 ¶ 1 To demonstrate accountability, the governing body should ensure that the organization's reports and disclosures: describe the organizational purpose, organizational values, value generation model, organizational strategy and associated governance policies; § 6.5.3.2 ¶ 1 a) To ensure that the organization is acting in a socially responsible way, the governing body should: engage with all relevant stakeholders when determining and reviewing the organizational values and promote the organizational values to stakeholders; § 6.10.3 ¶ 1 d)] | Communicate | Preventive | |
Disseminate and communicate organizational objectives, functions, and activities to all interested personnel and affected parties. CC ID 13191 [To ensure that the organization is acting in a socially responsible way, the governing body should: report the organization's social responsibility objectives clearly and transparently so that stakeholders can understand these objectives, how they are being met and what performance is being achieved against them, as well as provide the necessary evidence to support such claims; § 6.10.3 ¶ 1 h)] | Communicate | Preventive | |
Document and communicate the linkage between organizational objectives, functions, activities, and general controls. CC ID 12398 [To demonstrate accountability, the governing body should ensure that the organization's reports and disclosures: provide information about the organization, including: the organization's performance in fulfilling the organizational purpose; § 6.5.3.2 ¶ 1 c) 1) To ensure that the organization is acting in a socially responsible way, the governing body should: report the organization's social responsibility objectives clearly and transparently so that stakeholders can understand these objectives, how they are being met and what performance is being achieved against them, as well as provide the necessary evidence to support such claims; § 6.10.3 ¶ 1 h) The governing body should ensure that the organization's value generation model (see 6.2): identifies the key resources (e.g. capitals such as human, social and relational, intellectual, the natural environmental, financial and manufactured), structures, processes, relationships, information, decision-making, reporting and other aspects of the organization that allow it to create sustained value for relevant stakeholders; § 6.11.3.2 ¶ 1 a) The governing body should ensure that when the organization reports and discloses its value generation model (see 6.2 and 6.5) these include: the integrated view of the relationships between the organization's value generation model and the systems on which this depends (and which the organization also affects through its value generation); § 6.11.3.4 ¶ 2 a) The governing body is accountable for ensuring that the organization fulfils the defined organizational purpose and should ensure that the organization does so in a manner which demonstrates the defined organizational values. § 6.1.3.4 ¶ 1 The governing body should ensure that the organization's value generation model (see 6.2): describes how the organization's key structures, processes, relationships, information, decision-making, reporting and other aspects inter-relate and are used to generate value over time. § 6.11.3.2 ¶ 1 b) Be open about decisions and activities that affect the natural environment, society and the economy, and be willing to communicate these in a clear, accurate, timely, honest and complete manner. Table 2 Column 2 Row 4 Bullet 1] | Establish/Maintain Documentation | Preventive | |
Identify threats that could affect achieving organizational objectives. CC ID 12827 | Business Processes | Preventive | |
Identify how opportunities, threats, and external requirements are trending. CC ID 12829 | Process or Activity | Preventive | |
Identify relationships between opportunities, threats, and external requirements. CC ID 12805 [{social context}{internal context}When setting the strategic outcomes and guiding the organizational strategy, the governing body should consider the organization's internal and external context, including: the interdependence between the natural environment, social and economic context – the organization's material impact on the context and its material impact on the organization; § 6.3.3.1.1 ¶ 2 e) Therefore, the governing body should: ensure that the natural environmental, social and economic system relationships that underpin the organization's value generation model are identified and assessed; § 6.11.3.1 ¶ 2 b)] | Process or Activity | Preventive | |
Review the organization's approach to managing information security, as necessary. CC ID 12005 | Business Processes | Preventive | |
Identify all interested personnel and affected parties. CC ID 12845 [The governing body should ensure that the organization's stakeholders are identified, prioritized, appropriately engaged, consulted and their expectations understood. The governing body should do this to ensure that stakeholder relationships are effective and appropriate decisions about expectations are made to achieve the intended value generation objectives. § 6.6.3 ¶ 1 {social context} The governing body should define the organization's value generation objectives such that they fulfil the organizational purpose in accordance with the organizational values and the natural environment, social and economic context within which it operates. This should include iterations of identifying relevant stakeholder groups and determining, prioritizing and formulating objectives which meet the expectations of these groups. § 6.2.3.2 ¶ 1 Defining the organizational purpose involves identifying the issues and stakeholders for which the organization exists to serve and the negative impacts that are to be avoided. When identifying these, the governing body should ensure that the following are considered: § 6.1.3.2 ¶ 1] | Process or Activity | Detective | |
Establish, implement, and maintain criteria for grouping stakeholders. CC ID 15584 [When the governing body groups stakeholders, it should clarify its criteria for grouping, and for determining the relevance of, stakeholders. The governing body should also ensure that a stakeholder engagement process is devised on this basis. § 6.6.3 ¶ 2] | Process or Activity | Preventive | |
Analyze and prioritize the requirements of interested personnel and affected parties. CC ID 12796 [{member stakeholder}When applying the governance principles and deciding how to appropriately implement the practices, the governing body should take into consideration the unique and dynamic nature of the organization and its context, including the following: expectations of relevant stakeholders, particularly member and reference stakeholders; § 5 ¶ 5 Bullet 3 {member stakeholder}{reference stakeholder}{be fair} The governing body should treat, and ensure that the organization treats, all stakeholders fairly and should consider the expectations of relevant stakeholders. The governing body should ensure that the organizational purpose (see 6.1) and the intended value to be generated (see 6.2) are defined through engagement with member, reference and other relevant stakeholders § 4.2.5 ¶ 1 The governing body should oversee organizational performance by assessing and taking corrective action based on: the organization's identification of, and engagement with, relevant stakeholders (see 6.6); § 6.4.3.2 ¶ 1 e) The governing body should ensure that the organization's stakeholders are appropriately engaged and their expectations considered. § 6.6.1 ¶ 1 The governing body should ensure that the organization's stakeholders are identified, prioritized, appropriately engaged, consulted and their expectations understood. The governing body should do this to ensure that stakeholder relationships are effective and appropriate decisions about expectations are made to achieve the intended value generation objectives. § 6.6.3 ¶ 1 The governing body should consider the expectations of relevant stakeholder groups whether the organization is obliged to do so (e.g. member stakeholders, regulators) or whether it chooses to do so (e.g. reference stakeholders). The governing body should ensure that: § 6.6.3 ¶ 3 The governing body should provide direction for, and have sufficient oversight of, the use of data and its supporting information technology to ensure the organization remains within its established risk appetite and organizational risk framework. This can include: ensuring that the wider organizational stakeholders are considered in the organization's use of information technology, particularly as it relates to human capital. § 6.8.3.4 ¶ 2 f) {external context}The governing body should ensure that the organizational risk framework, in respect to the management of risk: considers the impact of, changes to and dependencies on the external and internal context of the organization, including: stakeholders; § 6.9.3.2 ¶ 2 d) 1) {stakeholder engagement process}To ensure that the organization is acting in a socially responsible way, the governing body should: ensure that the expectations of stakeholders are clearly understood; this includes continually engaging relevant stakeholders through an engagement process and a highly developed approach to accountability (see 6.5); § 6.10.3 ¶ 1 a) The governing body should ensure that the organization's stakeholders are appropriately engaged and their expectations considered. Table 1 Column 4 Row 7 {member stakeholder}{reference stakeholder}Defining the organizational purpose involves identifying the issues and stakeholders for which the organization exists to serve and the negative impacts that are to be avoided. When identifying these, the governing body should ensure that the following are considered: member, reference and other relevant stakeholder expectations; § 6.1.3.2 ¶ 1 d) The organization's viability and performance over time depends on the resilience of natural environmental, social and economic systems in which the organization operates. The resilience of these systems benefits from governing body decisions when such decisions consider: relevant stakeholder expectations (see 6.6 and 6.10); § 6.11.3.1 ¶ 1 Bullet 1 {internal context}When setting the strategic outcomes and guiding the organizational strategy, the governing body should consider the organization's internal and external context, including: relevant stakeholder expectations; § 6.3.3.1.1 ¶ 2 j) Effective performance — The organization: remains in alignment with its policies and relevant stakeholder expectations. § 5 ¶ 2 a) 4) Responsible stewardship — The organization: engenders the trust and confidence of the communities within which it operates, and beyond. § 5 ¶ 2 b) 5) A process of reconciliation between seemingly opposed dimensions leads to more informed and robust decisions. Reconciling dilemmas requires a deliberate approach that includes: understanding and articulating the opposing perspectives; § 6.7.3.4 ¶ 2 b) {social issue} In determining the value generation model, the governing body should understand the context in which the organization operates over time, including stakeholder expectations, regulatory frameworks, technological change, and the present and potential future natural environment, social and economic issues. The governing body should also ensure that the organization's value generation model continues to be viable and responds to changing conditions. § 6.2.3.1 ¶ 3] | Business Processes | Preventive | |
Establish, implement, and maintain data governance and management practices. CC ID 14998 [The governing body should recognize data as a valuable resource for decision-making by the governing body, the organization and others. § 6.8.1 ¶ 1 The governing body should ensure that the organization identifies, manages, monitors and communicates the nature and extent of its use of data (see 6.5.3). § 6.8.3.1 ¶ 1 The recognition that data can be a strategic asset (or liability) means that the governing body should: acknowledge the complexities and growing importance of data and establish governance policies and direction that aligns with the organization's needs and the degree of change required; § 6.8.3.3 ¶ 1 c) The recognition that data can be a strategic asset (or liability) means that the governing body should: understand the use, and potential use, of data by the organization and others (e.g. suppliers, customers, regulators and other relevant stakeholders as well as competitors and those who can misuse the data); § 6.8.3.3 ¶ 1 b) The governing body should provide direction for, and have sufficient oversight of, the use of data and its supporting information technology to ensure the organization remains within its established risk appetite and organizational risk framework. This can include: § 6.8.3.4 ¶ 2 The governing body should recognize data as a valuable resource for decision-making by the governing body, the organization and others. Table 1 Column 4 Row 9 {be responsible}{be ethical} The governing body should, in particular, ensure that the organization recognizes data as a strategic resource and ensure that the organization uses data responsibly and ethically. § 6.8.3.1 ¶ 2 The governing body should oversee organizational performance by assessing and taking corrective action based on: the organization's controlling and processing of data, ensuring that data are recognized as a valuable and strategic organizational resource (see 6.8); § 6.4.3.2 ¶ 1 h) The recognition that data can be a strategic asset (or liability) means that the governing body should: ensure that the organization establishes a formal approach to its management of data and, where necessary, assurance is provided (see 6.4.3); § 6.8.3.3 ¶ 1 a)] | Establish/Maintain Documentation | Preventive | |
Address shortcomings of the data sets in the data governance and management practices. CC ID 15087 | Establish/Maintain Documentation | Preventive | |
Include any shortcomings of the data sets in the data governance and management practices. CC ID 15086 | Establish/Maintain Documentation | Preventive | |
Include bias for data sets in the data governance and management practices. CC ID 15085 | Establish/Maintain Documentation | Preventive | |
Include a data strategy in the data governance and management practices. CC ID 15304 | Establish/Maintain Documentation | Preventive | |
Include data monitoring in the data governance and management practices. CC ID 15303 [The governing body should ensure that the organization identifies, manages, monitors and communicates the nature and extent of its use of data (see 6.5.3). § 6.8.3.1 ¶ 1 The governing body should provide direction for, and have sufficient oversight of, the use of data and its supporting information technology to ensure the organization remains within its established risk appetite and organizational risk framework. This can include: the adoption of a system to ensure the rights, obligations and constraints of data sets are understood and tracked, e.g. privacy and intellectual property right obligations; § 6.8.3.4 ¶ 2 a)] | Establish/Maintain Documentation | Preventive | |
Include an assessment of the data sets in the data governance and management practices. CC ID 15084 [The governing body should provide direction for, and have sufficient oversight of, the use of data and its supporting information technology to ensure the organization remains within its established risk appetite and organizational risk framework. This can include: the adoption of a system to ensure the rights, obligations and constraints of data sets are understood and tracked, e.g. privacy and intellectual property right obligations; § 6.8.3.4 ¶ 2 a)] | Establish/Maintain Documentation | Preventive | |
Include assumptions for the formulation of data sets in the data governance and management practices. CC ID 15083 | Establish/Maintain Documentation | Preventive | |
Include data collection for data sets in the data governance and management practices. CC ID 15082 | Establish/Maintain Documentation | Preventive | |
Include data preparations for data sets in the data governance and management practices. CC ID 15081 [The governing body should make decisions of requisite quality and ensure that its decision-making is appropriately informed. The governing body should: exercise its right and responsibility to determine and receive the information it requires, including determining the appropriate data collection methods, preparation and timely delivery of information; § 6.8.3.2.1 ¶ 1 f)] | Establish/Maintain Documentation | Preventive | |
Include design choices for data sets in the data governance and management practices. CC ID 15080 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain an information classification standard. CC ID 00601 | Establish/Maintain Documentation | Preventive | |
Take into account the accessibility to and location of the data or information when establishing information impact levels. CC ID 04787 | Data and Information Management | Preventive | |
Take into account the organization's obligation to protect data or information when establishing information impact levels. CC ID 04786 | Data and Information Management | Preventive | |
Take into account the context of use for data or information when establishing information impact levels. CC ID 04785 | Data and Information Management | Preventive | |
Take into account the potential aggregation of restricted data fields when establishing information impact levels. CC ID 04784 | Data and Information Management | Preventive | |
Classify the sensitivity to unauthorized disclosure or modification of information in the information classification standard. CC ID 11997 | Data and Information Management | Preventive | |
Take into account the distinguishability factor when establishing information impact levels. CC ID 04783 | Data and Information Management | Preventive | |
Classify the criticality to unauthorized disclosure or modification of information in the information classification standard. CC ID 11996 | Data and Information Management | Preventive | |
Classify the value of information in the information classification standard. CC ID 11995 | Data and Information Management | Preventive | |
Classify the legal requirements of information in the information classification standard. CC ID 11994 | Data and Information Management | Preventive | |
Establish, implement, and maintain a data classification scheme. CC ID 11628 | Establish/Maintain Documentation | Preventive | |
Take into account the characteristics of the geographical, behavioral and functional setting for all datasets. CC ID 15046 | Data and Information Management | Preventive | |
Approve the data classification scheme. CC ID 13858 | Establish/Maintain Documentation | Detective | |
Disseminate and communicate the data classification scheme to interested personnel and affected parties. CC ID 16804 | Communicate | Preventive | |
Establish and maintain an organizational data dictionary, including data syntax rules. CC ID 00600 | Establish/Maintain Documentation | Preventive | |
Refrain from including metadata in the data dictionary. CC ID 13529 | Establish/Maintain Documentation | Preventive | |
Refrain from allowing incompatible data elements in the data dictionary. CC ID 13624 | Establish/Maintain Documentation | Preventive | |
Include information needed to understand each data element and population in the data dictionary. CC ID 13528 | Establish/Maintain Documentation | Preventive | |
Ensure the data dictionary is complete and accurate. CC ID 13527 | Investigate | Detective | |
Include the factors to determine what is included or excluded from the data element in the data dictionary. CC ID 13525 | Establish/Maintain Documentation | Preventive | |
Include the date or time period the data was observed in the data dictionary. CC ID 13524 | Establish/Maintain Documentation | Preventive | |
Include the uncertainty in the population of each data element in the data dictionary. CC ID 13522 | Establish/Maintain Documentation | Preventive | |
Include the uncertainty of each data element in the data dictionary. CC ID 13521 | Establish/Maintain Documentation | Preventive | |
Include the measurement units for each data element in the data dictionary. CC ID 13534 | Establish/Maintain Documentation | Preventive | |
Include the precision of the measurement in the data dictionary. CC ID 13520 | Establish/Maintain Documentation | Preventive | |
Include the data source in the data dictionary. CC ID 13519 | Establish/Maintain Documentation | Preventive | |
Include the nature of each element in the data dictionary. CC ID 13518 | Establish/Maintain Documentation | Preventive | |
Include the population of events or instances in the data dictionary. CC ID 13517 | Establish/Maintain Documentation | Preventive | |
Disseminate and communicate the data dictionary to interested personnel and affected parties. CC ID 13516 | Communicate | Preventive | |
Establish, implement, and maintain an Information and Infrastructure Architecture model. CC ID 00599 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain sustainable infrastructure planning. CC ID 00603 [Responsible stewardship — The organization: ensures its contribution to sustainable development; § 5 ¶ 2 b) 4) {be viable} The governing body should ensure that the organization remains viable, and performs over time, without compromising the ability of current and future generations to meet their needs. Table 1 Column 4 Row 12 {be viable} The governing body should ensure that the organization remains viable, and performs over time, without compromising the ability of current and future generations to meet their needs. § 6.11.1 ¶ 1 The aim of governance, and the duty of the governing body, is to create the conditions for, and to enable, the organization to perform over time, such that it fulfils its organizational purpose and generates value as intended. An organization can be said to be contributing to sustainable development, and to be sustainable, when it generates value in a manner that meets the needs of the present without compromising the ability of future generations to meet their own needs. By aligning an organization's governance with sustainable development, e.g. via the UN SDGs, governing bodies help create the conditions for an organization's future success. As a result, governing bodies should ensure that sustainable development and sustainability are fundamental considerations when governing and applying the governance principles in this document. § 4.2.4 ¶ 1] | Establish/Maintain Documentation | Preventive | |
Take into account the need for protecting information confidentiality during infrastructure planning. CC ID 06486 | Behavior | Preventive | |
Establish, implement, and maintain an organizational structure. CC ID 16310 | Establish/Maintain Documentation | Preventive | |
Monitor regulatory trends to maintain compliance. CC ID 00604 [{external context}The governing body should ensure that the organizational risk framework, in respect to the management of risk: considers the impact of, changes to and dependencies on the external and internal context of the organization, including: short-, medium- and long-term trends including social responsibility and sustainability trends; § 6.9.3.2 ¶ 2 d) 2)] | Monitor and Evaluate Occurrences | Detective | |
Monitor for new Information Security solutions. CC ID 07078 | Monitor and Evaluate Occurrences | Detective | |
Subscribe to a threat intelligence service to receive notification of emerging threats. CC ID 12135 | Technical Security | Detective | |
Disseminate and communicate emerging threats to all interested personnel and affected parties. CC ID 12185 | Communicate | Preventive | |
Disseminate and communicate updated guidance documentation to interested personnel and affected parties upon discovery of a new threat. CC ID 12191 | Communicate | Corrective | |
Establish, implement, and maintain a Quality Management framework. CC ID 07196 | Establish/Maintain Documentation | Preventive | |
Include supply chain management standards in the Quality Management framework. CC ID 13701 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain a Quality Management policy. CC ID 13694 | Establish/Maintain Documentation | Preventive | |
Include a commitment to satisfy applicable requirements in the Quality Management policy. CC ID 13700 | Establish/Maintain Documentation | Preventive | |
Tailor the Quality Management policy to support the organization's strategic direction. CC ID 13699 | Establish/Maintain Documentation | Preventive | |
Include a commitment to continual improvement of the Quality Management system in the Quality Management policy. CC ID 13698 | Establish/Maintain Documentation | Preventive | |
Include critical Information Technology processes in the Quality Management framework. CC ID 13645 | Establish/Maintain Documentation | Preventive | |
Disseminate and communicate the Quality Management policy to all interested personnel and affected parties. CC ID 13695 | Communicate | Preventive | |
Disseminate and communicate the Quality Management framework to all stakeholders. CC ID 13680 | Communicate | Preventive | |
Align the quality objectives with the Quality Management policy. CC ID 13697 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain a Quality Management standard. CC ID 01006 | Establish/Maintain Documentation | Preventive | |
Document the measurements used by Quality Assurance and Quality Control testing. CC ID 07200 | Establish/Maintain Documentation | Preventive | |
Enforce a continuous Quality Control system. CC ID 01005 | Business Processes | Detective | |
Conduct Quality Control to ensure adherence to Information Technology policies, standards, and procedures. CC ID 01008 | Testing | Detective | |
Establish, implement, and maintain a Quality Management program. CC ID 07201 | Establish/Maintain Documentation | Preventive | |
Notify affected parties and interested personnel of quality management system approvals that have been refused, suspended, or withdrawn. CC ID 15045 | Communicate | Preventive | |
Notify affected parties and interested personnel of quality management system approvals that have been issued. CC ID 15036 | Communicate | Preventive | |
Correct errors and deficiencies in a timely manner. CC ID 13501 [Decision-making throughout the organization should be supported by appropriate delegation (see 4.2.2). This delegation should be formalized together with appropriate assurance processes. Additionally, the governing body should ensure that: information structures, including access to information, monitoring and potential mitigation of incorrect decisions are sufficient to ensure compliance with organizational requirements. § 6.8.3.2.2 ¶ 1 c)] | Business Processes | Corrective | |
Include quality objectives in the Quality Management program. CC ID 13693 | Establish/Maintain Documentation | Preventive | |
Include records management in the quality management system. CC ID 15055 | Establish/Maintain Documentation | Preventive | |
Include risk management in the quality management system. CC ID 15054 | Establish/Maintain Documentation | Preventive | |
Include data management procedures in the quality management system. CC ID 15052 | Establish/Maintain Documentation | Preventive | |
Include a post-market monitoring system in the quality management system. CC ID 15027 | Establish/Maintain Documentation | Preventive | |
Include operational roles and responsibilities in the quality management system. CC ID 15028 | Establish/Maintain Documentation | Preventive | |
Include quality gates and testing milestones in the Quality Management program. CC ID 06825 | Systems Design, Build, and Implementation | Preventive | |
Include resource management in the quality management system. CC ID 15026 [The value generation model requires an integrated approach to understanding and using resources (e.g. human, social and relational, intellectual, the natural environment, financial and manufactured). This approach includes: § 6.2.3.1 ¶ 4 The governing body should ensure that it sets parameters, within which the value generation objectives are to be achieved. These parameters should ensure that the organization: recognizes and optimizes the interaction between the required resources. § 6.2.3.3 ¶ 1 c) The governing body should oversee organizational performance by assessing and taking corrective action based on: resource allocations, capacity and capabilities (including people and their development) ensuring that the organization is enabled to meet its organizational purpose, value generation objectives and strategic outcomes; § 6.4.3.2 ¶ 1 g)] | Establish/Maintain Documentation | Preventive | |
Include communication protocols in the quality management system. CC ID 15025 | Establish/Maintain Documentation | Preventive | |
Include incident reporting procedures in the quality management system. CC ID 15023 | Establish/Maintain Documentation | Preventive | |
Include technical specifications in the quality management system. CC ID 15021 | Establish/Maintain Documentation | Preventive | |
Document the deficiencies in a deficiency report that were found during Quality Control and corrected during Quality Improvement. CC ID 07203 | Establish/Maintain Documentation | Preventive | |
Include program documentation standards in the Quality Management program. CC ID 01016 | Establish/Maintain Documentation | Preventive | |
Establish and maintain time frames for correcting deficiencies found during Quality Control. CC ID 07206 | Business Processes | Detective | |
Include program testing standards in the Quality Management program. CC ID 01017 | Establish/Maintain Documentation | Preventive | |
Review and analyze any quality improvement goals that were missed. CC ID 07204 | Business Processes | Detective | |
Include system testing standards in the Quality Management program. CC ID 01018 | Establish/Maintain Documentation | Preventive | |
Include an issue tracking system in the Quality Management program. CC ID 06824 | Systems Design, Build, and Implementation | Preventive | |
Establish and maintain the scope of the organizational compliance framework and Information Assurance controls. CC ID 01241 | Establish/Maintain Documentation | Preventive | |
Identify roles, tasks, information, systems, and assets that fall under the organization's mandated Authority Documents. CC ID 00688 [The governing body should ensure that the organization identifies, manages, monitors and communicates the nature and extent of its use of data (see 6.5.3). § 6.8.3.1 ¶ 1 The value generation model requires an integrated approach to understanding and using resources (e.g. human, social and relational, intellectual, the natural environment, financial and manufactured). This approach includes: identification of all resources involved in the model; § 6.2.3.1 ¶ 4 a) The governing body should ensure that the organization's value generation model (see 6.2): identifies the key resources (e.g. capitals such as human, social and relational, intellectual, the natural environmental, financial and manufactured), structures, processes, relationships, information, decision-making, reporting and other aspects of the organization that allow it to create sustained value for relevant stakeholders; § 6.11.3.2 ¶ 1 a) The governing body should ensure that the organization's value generation model (see 6.2): identifies the key resources (e.g. capitals such as human, social and relational, intellectual, the natural environmental, financial and manufactured), structures, processes, relationships, information, decision-making, reporting and other aspects of the organization that allow it to create sustained value for relevant stakeholders; § 6.11.3.2 ¶ 1 a) The governing body should ensure that the organization's value generation model identifies and assesses (see 6.2): the relevant external systems on which the organization depends; § 6.11.3.3 ¶ 1 a)] | Business Processes | Preventive | |
Establish and maintain an Information Systems Assurance Categories Definitions document. CC ID 01608 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain a policy and procedure management program. CC ID 06285 | Establish/Maintain Documentation | Preventive | |
Analyze organizational policies, as necessary. CC ID 14037 | Establish/Maintain Documentation | Detective | |
Assess the impact of changes to organizational policies, standards, and procedures, as necessary. CC ID 14824 [The governing body should oversee organizational performance by assessing and taking corrective action based on: the organization's management of plans, organizational changes and other substantial transformations as well as responses to unplanned events and incidents. § 6.4.3.2 ¶ 1 j)] | Business Processes | Preventive | |
Establish and maintain an Authority Document list. CC ID 07113 | Establish/Maintain Documentation | Preventive | |
Document organizational procedures that harmonize external requirements, including all legal requirements. CC ID 00623 [Ethical and effective leadership should be demonstrated in three areas: the manner in which the organization interacts with, and impacts, its stakeholders and the context within which it operates. § 6.7.3.1 ¶ 4 c) {human right}The governing body should consider the expectations of relevant stakeholder groups whether the organization is obliged to do so (e.g. member stakeholders, regulators) or whether it chooses to do so (e.g. reference stakeholders). The governing body should ensure that: human and labour rights in all countries of operation are respected; § 6.6.3 ¶ 3 d) Within the organization's external context: Where the organization has set contextual expectations, such as commitments to stakeholders and the natural environment, the organization should fulfil these expectations as set. § 6.7.3.2 ¶ 1 c) {external system}The governing body should ensure that the organization's value generation model identifies and assesses (see 6.2): the inter-relationships between the organization and these systems; § 6.11.3.3 ¶ 1 b)] | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain full documentation of all policies, standards, and procedures that support the organization's compliance framework. CC ID 01636 | Establish/Maintain Documentation | Preventive | |
Disseminate and communicate the organization’s policies, standards, and procedures to all interested personnel and affected parties. CC ID 12901 [Finally, the governing body should report honestly and transparently to relevant stakeholders on the organizational governance framework. This includes reporting: on the way it has implemented the key aspects of practices in this document and any other practices used to apply the principles; § 5 ¶ 7 Bullet 1] | Communicate | Preventive | |
Approve all compliance documents. CC ID 06286 [{individual}The governing body should engage with strategic planning by: reviewing, assessing and approving the plans developed by those to whom they have delegated; § 6.3.3.2.1 ¶ 1 c)] | Establish/Maintain Documentation | Preventive | |
Align the Authority Document list with external requirements. CC ID 06288 [The governing body should ensure that: the organizational purpose is available to all stakeholders and reflected in the constituting documents where possible; § 6.1.3.2 ¶ 2 Bullet 2] | Establish/Maintain Documentation | Preventive | |
Assign the appropriate roles to all applicable compliance documents. CC ID 06284 | Establish Roles | Preventive | |
Identify and document the Designated Approval Authority for compliance documents. CC ID 07114 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain a compliance exception standard. CC ID 01628 | Establish/Maintain Documentation | Preventive | |
Include the authority for granting exemptions in the compliance exception standard. CC ID 14329 | Establish/Maintain Documentation | Preventive | |
Include all compliance exceptions in the compliance exception standard. CC ID 01630 | Establish/Maintain Documentation | Detective | |
Include explanations, compensating controls, or risk acceptance in the compliance exceptions Exceptions document. CC ID 01631 | Establish/Maintain Documentation | Preventive | |
Review the compliance exceptions in the exceptions document, as necessary. CC ID 01632 | Business Processes | Preventive | |
Include when exemptions expire in the compliance exception standard. CC ID 14330 | Establish/Maintain Documentation | Preventive | |
Assign the approval of compliance exceptions to the appropriate roles inside the organization. CC ID 06443 | Establish Roles | Preventive | |
Include management of the exemption register in the compliance exception standard. CC ID 14328 | Establish/Maintain Documentation | Preventive | |
Define the Information Assurance strategic roles and responsibilities. CC ID 00608 | Establish Roles | Preventive | |
Establish and maintain a compliance oversight committee. CC ID 00765 [The governing body should direct and oversee the organization to ensure accountability is practised throughout (see 6.4). § 6.5.3.3 ¶ 2 {be effective} Depending on the size of the organization, governing bodies can create committees to help them fulfil their obligations. These committees can be statutory or voluntary. In either case, they should provide the governing body with additional capacity, skills, independence, diversity and/or stakeholder representation. If a governing body makes use of supporting committees, the governing body should ensure that it effectively delegates the necessary responsibilities and authority to such committees. § 4.3.1 ¶ 2] | Establish Roles | Detective | |
Review and document the meetings and actions of the Board of Directors or audit committee in the Board Report. CC ID 01151 | Establish/Maintain Documentation | Detective | |
Include recommendations for changes or updates to the information security program in the Board Report. CC ID 13180 | Establish/Maintain Documentation | Preventive | |
Provide critical project reports to the compliance oversight committee in a timely manner. CC ID 01183 | Establish/Maintain Documentation | Detective | |
Assign the review of project plans for critical projects to the compliance oversight committee. CC ID 01182 | Establish Roles | Preventive | |
Assign the corporate governance of Information Technology to the compliance oversight committee. CC ID 01178 | Establish Roles | Preventive | |
Assign the review of Information Technology policies and procedures to the compliance oversight committee. CC ID 01179 | Establish Roles | Preventive | |
Involve the Board of Directors or senior management in Information Governance. CC ID 00609 | Establish Roles | Preventive | |
Assign responsibility for enforcing the requirements of the Information Governance Plan to senior management. CC ID 12058 | Human Resources Management | Preventive | |
Address Information Security during the business planning processes. CC ID 06495 | Data and Information Management | Preventive | |
Document the requirements of stakeholders during the business planning process regarding Information Security. CC ID 06498 | Establish/Maintain Documentation | Preventive | |
Assign reviewing and approving Quality Management standards to the appropriate oversight committee. CC ID 07192 | Establish Roles | Preventive | |
Establish, implement, and maintain a strategic plan. CC ID 12784 [Governance of organizations is a human-based system by which an organization is directed, overseen and held accountable for achieving its defined organizational purpose. At its core this includes: directing and engaging with strategy to generate value; § 4.1 ¶ 3 c) The governing body should direct and engage with the organizational strategy, in accordance with the value generation model, to fulfil the organizational purpose. Table 1 Column 4 Row 4 Having defined the organizational values, the governing body should ensure that these organizational values are being demonstrated and are an active part of decision-making. The governing body should use these organizational values to determine the manner in which the organizational purpose is to be pursued and the value generation objectives are to be achieved (see 6.2). The governing body remains responsible for ensuring that the organizational values are monitored and reviewed, and should assess whether the organizational values remain aligned to, and support, the organizational purpose. The effectiveness of the organizational values will be evident in the culture of the organization. § 6.1.3.3 ¶ 2 Having defined the organizational values, the governing body should ensure that these organizational values are being demonstrated and are an active part of decision-making. The governing body should use these organizational values to determine the manner in which the organizational purpose is to be pursued and the value generation objectives are to be achieved (see 6.2). The governing body remains responsible for ensuring that the organizational values are monitored and reviewed, and should assess whether the organizational values remain aligned to, and support, the organizational purpose. The effectiveness of the organizational values will be evident in the culture of the organization. § 6.1.3.3 ¶ 2 The governing body should direct and engage with the organizational strategy, in accordance with the value generation model, to fulfil the organizational purpose. § 6.3.1 ¶ 1 {individual}The governing body should engage with strategic planning by: reviewing, assessing and approving the plans developed by those to whom they have delegated; § 6.3.3.2.1 ¶ 1 c) The governing body should engage with strategic planning by: overseeing (see 6.4) the implementation of these plans and ensuring that they meet the agreed strategic outcomes. § 6.3.3.2.1 ¶ 1 d) The governing body should actively and dynamically steer the implementation of the organizational strategy, within the defined governance policies, including organizational values, and changing risk context, to fulfil the organizational purpose. The governing body should also steer the strategy so that the generation of value in the present context is balanced with the innovation required to generate value in the future. § 6.3.3.2.2 ¶ 1 The governing body should steer the organizational strategy by means of: § 6.3.3.2.2 ¶ 2 Ethical leadership results in an organizational context and culture that: provides competitive differentiation for stakeholders by providing clarity against which evaluators can assess the organization's behaviour, decisions and activities; § 6.7.3.3 ¶ 3 Bullet 4 The governing body should steer the organizational strategy by means of: monitoring and responding to the behaviour, decisions and activities of the organization, e.g. values-driven behaviours pertaining to sustainability; § 6.3.3.2.2 ¶ 2 b)] | Establish/Maintain Documentation | Preventive | |
Determine progress toward the objectives of the strategic plan. CC ID 12944 [The governing body should: develop, and competently use, appropriate criteria for measurement that will indicate progress towards the fulfilment of the organizational purpose, within the set parameters, via the organizational strategy; § 4.3.2 ¶ 2 b) Ethical and effective leadership is demonstrated when the governing body: ensures that the organization is, and is seen to be, following the expectations as set. § 6.7.3.1 ¶ 3 Bullet 3 The outcomes, whether positive or negative, are determined by the expectations which have been set. Leadership determines whether these expectations are fulfilled. § 6.7.3.2 ¶ 2 The governing body should oversee organizational performance by assessing and taking corrective action based on: the organization's management of plans, organizational changes and other substantial transformations as well as responses to unplanned events and incidents. § 6.4.3.2 ¶ 1 j) {internal context}When setting the strategic outcomes and guiding the organizational strategy, the governing body should consider the organization's internal and external context, including: the envisaged time scales of the strategic outcomes and of the organizational strategy; § 6.3.3.1.1 ¶ 2 b)] | Process or Activity | Preventive | |
Include acting with integrity in the strategic plan. CC ID 12870 [At all times, the governing body should act collectively, performing many interrelated activities in order to exercise its authority and fulfil its accountability. Members of the governing body should act with probity and in the best interests of the organization while applying the principles in this document. § 4.3.1 ¶ 3] | Establish/Maintain Documentation | Preventive | |
Disseminate and communicate the strategic plan to all interested personnel and affected parties. CC ID 15592 [To demonstrate accountability, the governing body should ensure that the organization's reports and disclosures: describe the organizational purpose, organizational values, value generation model, organizational strategy and associated governance policies; § 6.5.3.2 ¶ 1 a)] | Communicate | Preventive | |
Include the outsource partners in the strategic plan, as necessary. CC ID 13960 | Establish/Maintain Documentation | Preventive | |
Align the cybersecurity program strategy with the organization's strategic plan. CC ID 14322 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain a planning policy. CC ID 14673 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain planning procedures. CC ID 14698 | Establish/Maintain Documentation | Preventive | |
Disseminate and communicate the planning procedures to interested personnel and affected parties. CC ID 14704 | Communicate | Preventive | |
Disseminate and communicate the planning policy to interested personnel and affected parties. CC ID 14691 | Communicate | Preventive | |
Include compliance requirements in the planning policy. CC ID 14688 | Establish/Maintain Documentation | Preventive | |
Include coordination amongst entities in the planning policy. CC ID 14687 | Establish/Maintain Documentation | Preventive | |
Include management commitment in the planning policy. CC ID 14686 | Establish/Maintain Documentation | Preventive | |
Include roles and responsibilities in the planning policy. CC ID 14685 | Establish/Maintain Documentation | Preventive | |
Include the scope in the planning policy. CC ID 14684 | Establish/Maintain Documentation | Preventive | |
Include the purpose in the planning policy. CC ID 14683 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain a security planning policy. CC ID 14027 | Establish/Maintain Documentation | Preventive | |
Include compliance requirements in the security planning policy. CC ID 14131 | Establish/Maintain Documentation | Preventive | |
Include coordination amongst entities in the security planning policy. CC ID 14130 | Establish/Maintain Documentation | Preventive | |
Include management commitment in the security planning policy. CC ID 14129 | Establish/Maintain Documentation | Preventive | |
Include roles and responsibilities in the security planning policy. CC ID 14128 | Establish/Maintain Documentation | Preventive | |
Include the scope in the security planning policy. CC ID 14127 | Establish/Maintain Documentation | Preventive | |
Include the purpose in the security planning policy. CC ID 14126 | Establish/Maintain Documentation | Preventive | |
Disseminate and communicate the security planning policy to interested personnel and affected parties. CC ID 14125 | Communicate | Preventive | |
Establish, implement, and maintain security planning procedures. CC ID 14060 | Establish/Maintain Documentation | Preventive | |
Disseminate and communicate the security planning procedures to interested personnel and affected parties. CC ID 14135 | Communicate | Preventive | |
Establish, implement, and maintain a decision management strategy. CC ID 06913 [The governing body should ensure that the organization's stakeholders are identified, prioritized, appropriately engaged, consulted and their expectations understood. The governing body should do this to ensure that stakeholder relationships are effective and appropriate decisions about expectations are made to achieve the intended value generation objectives. § 6.6.3 ¶ 1 The governing body should make decisions of requisite quality and ensure that its decision-making is appropriately informed. The governing body should: § 6.8.3.2.1 ¶ 1 The governing body should make decisions of requisite quality and ensure that its decision-making is appropriately informed. The governing body should: ensure that there is commitment to support the collective decision, to clearly record it and to act on it; § 6.8.3.2.1 ¶ 1 b) The governing body should ensure that decisions are transparent and aligned with broader societal expectations. Table 1 Column 4 Row 11 Ethical behaviour — The organization behaves in accordance with accepted principles of right or good conduct in the context of a particular situation and in a manner consistent with international norms of behaviour, including demonstrating: competence and probity in the manner in which it makes decisions. § 5 ¶ 2 c) 5) The governing body should make decisions of requisite quality and ensure that its decision-making is appropriately informed. The governing body should: maintain an appropriate balance between guiding discussions to a decision and ensuring that every member has the opportunity to express their independent assessment; § 6.8.3.2.1 ¶ 1 a) Act with due care, skill, diligence and loyalty, and take reasonable steps to become informed about particular matters for decision-making. Table 2 Column 2 Row 3 Bullet 2 The governing body should ensure that decisions are transparent and aligned with broader societal expectations. § 6.10.1 ¶ 1 The governing body should ensure that the organization's value generation model (see 6.2): identifies the key resources (e.g. capitals such as human, social and relational, intellectual, the natural environmental, financial and manufactured), structures, processes, relationships, information, decision-making, reporting and other aspects of the organization that allow it to create sustained value for relevant stakeholders; § 6.11.3.2 ¶ 1 a) The governing body should steer the organizational strategy by means of: reserving some decisions for the governing body (those which materially or fundamentally impact the organization as a whole) and delegating others; § 6.3.3.2.2 ¶ 2 e) The governing body should steer the organizational strategy by means of: decision-making, specifically, the strategic deployment of resources. § 6.3.3.2.2 ¶ 2 j) A process of reconciliation between seemingly opposed dimensions leads to more informed and robust decisions. Reconciling dilemmas requires a deliberate approach that includes: reconciling the perspectives, considering how each position can support the other; § 6.7.3.4 ¶ 2 d) {hold accountable}{individual} The governing body should hold to account those to whom it has delegated (see 4.2.2). The governing body should ask questions, exercise its judgement, implement consequences, affect improvements and ensure that is equipped to do so. When doing so, the governing body should practise integrity, fairness and transparency. § 6.5.3.3 ¶ 1 Ethical leadership results in an organizational context and culture that: provides competitive differentiation for stakeholders by providing clarity against which evaluators can assess the organization's behaviour, decisions and activities; § 6.7.3.3 ¶ 3 Bullet 4 The governing body should steer the organizational strategy by means of: monitoring and responding to the behaviour, decisions and activities of the organization, e.g. values-driven behaviours pertaining to sustainability; § 6.3.3.2.2 ¶ 2 b)] | Establish/Maintain Documentation | Preventive | |
Align the reporting methodology with the decision management strategy. CC ID 15659 | Business Processes | Preventive | |
Include an economic impact analysis in the decision management strategy. CC ID 14015 | Establish/Maintain Documentation | Preventive | |
Include cost benefit analysis in the decision management strategy. CC ID 14014 | Establish/Maintain Documentation | Preventive | |
Include criteria for compliance in the decision-making criteria. CC ID 12951 | Establish/Maintain Documentation | Preventive | |
Include criteria for risk tolerance in the decision-making criteria. CC ID 12950 | Establish/Maintain Documentation | Preventive | |
Include criteria for selecting objectives and strategies in the decision-making criteria. CC ID 12949 [The governing body should make decisions of requisite quality and ensure that its decision-making is appropriately informed. The governing body should: ensure that diverse inputs are provided to a rigorous, open and transparent decision-making process and that the results that can be achieved, options for achieving them and their implications are understood. § 6.8.3.2.1 ¶ 1 h)] | Establish/Maintain Documentation | Preventive | |
Include criteria for setting priorities in the decision-making criteria. CC ID 12938 [A process of reconciliation between seemingly opposed dimensions leads to more informed and robust decisions. Reconciling dilemmas requires a deliberate approach that includes: identifying the advantages and disadvantages of each; § 6.7.3.4 ¶ 2 c)] | Establish/Maintain Documentation | Preventive | |
Align organizational objectives with compliance objectives in the decision-making criteria. CC ID 12847 [To ensure that the organization is acting in a socially responsible way, the governing body should: steer the organization such that its decision-making and activities are consistent with the organizational purpose, organizational values and governance policies, including considering how stakeholders can report a breach in behaviour (e.g. via whistleblowing); § 6.10.3 ¶ 1 f) When applying the governance principles and deciding how to appropriately implement the practices, the governing body should take into consideration the unique and dynamic nature of the organization and its context, including the following: functional requirements of the organizational governance framework. § 5 ¶ 5 Bullet 7 The governing body should ensure that: the organizational purpose is core to its governance practices, deliberations and decision-making; § 6.1.3.2 ¶ 2 Bullet 3 Having defined the organizational values, the governing body should ensure that these organizational values are being demonstrated and are an active part of decision-making. The governing body should use these organizational values to determine the manner in which the organizational purpose is to be pursued and the value generation objectives are to be achieved (see 6.2). The governing body remains responsible for ensuring that the organizational values are monitored and reviewed, and should assess whether the organizational values remain aligned to, and support, the organizational purpose. The effectiveness of the organizational values will be evident in the culture of the organization. § 6.1.3.3 ¶ 2 Ensure that diversity and inclusion are understood and incorporated into all organizational decision-making by including factors such as gender, age, ethnicity, sexual orientation, education, perspectives, nationality, disability and beliefs. Table 2 Column 2 Row 5 Bullet 1 The governing body should oversee the organization's management of risk (see 6.4), ensuring that: decision-making behaviours are informed by risk assessment outcomes and are consistent with governance policies; § 6.9.3.4 ¶ 1 g)] | Process or Activity | Preventive | |
Align organizational objectives with performance targets in the decision-making criteria. CC ID 12843 [Ethical and effective leadership is demonstrated when the governing body: sets expectations for the organization using robust decision-making processes (see 6.8.3); § 6.7.3.1 ¶ 3 Bullet 1 Furthermore, the governing body, and its members, should demonstrate commitment to the organizational purpose and values by leading the organization to fulfil its organizational purpose and behaving in accordance with the organizational values. § 6.1.3.4 ¶ 3] | Process or Activity | Preventive | |
Align organizational objectives with the acceptable residual risk in the decision-making criteria. CC ID 12841 | Process or Activity | Preventive | |
Identify and document the events that initiate the decision management strategy. CC ID 06914 [A process of reconciliation between seemingly opposed dimensions leads to more informed and robust decisions. Reconciling dilemmas requires a deliberate approach that includes: recognizing and identifying the dilemma; § 6.7.3.4 ¶ 2 a)] | Establish/Maintain Documentation | Detective | |
Create additional decision-making criteria to achieve organizational objectives, as necessary. CC ID 12948 | Process or Activity | Preventive | |
Involve knowledgeable and experienced individuals in the decision-making process. CC ID 06915 [The governing body should make decisions of requisite quality and ensure that its decision-making is appropriately informed. The governing body should: § 6.8.3.2.1 ¶ 1 The governing body should make decisions of requisite quality and ensure that its decision-making is appropriately informed. The governing body should: ensure that diverse inputs are provided to a rigorous, open and transparent decision-making process and that the results that can be achieved, options for achieving them and their implications are understood. § 6.8.3.2.1 ¶ 1 h) The governing body should steer the organizational strategy by means of: reserving some decisions for the governing body (those which materially or fundamentally impact the organization as a whole) and delegating others; § 6.3.3.2.2 ¶ 2 e)] | Behavior | Preventive | |
Take actions in accordance with the decision-making criteria. CC ID 12909 [The governing body should make decisions of requisite quality and ensure that its decision-making is appropriately informed. The governing body should: ensure that there is commitment to support the collective decision, to clearly record it and to act on it; § 6.8.3.2.1 ¶ 1 b) The governing body should make decisions of requisite quality and ensure that its decision-making is appropriately informed. The governing body should: ensure that diverse inputs are provided to a rigorous, open and transparent decision-making process and that the results that can be achieved, options for achieving them and their implications are understood. § 6.8.3.2.1 ¶ 1 h) A process of reconciliation between seemingly opposed dimensions leads to more informed and robust decisions. Reconciling dilemmas requires a deliberate approach that includes: mapping an associated action plan. § 6.7.3.4 ¶ 2 e)] | Process or Activity | Preventive | |
Document and evaluate the decision outcomes from the decision-making process. CC ID 06918 [The governing body should make decisions of requisite quality and ensure that its decision-making is appropriately informed. The governing body should: ensure that there is commitment to support the collective decision, to clearly record it and to act on it; § 6.8.3.2.1 ¶ 1 b) When delegating, the governing body should delegate in a manner which increases trust and transparency. For delegation and accountability (see 6.5) to be effective, the governing body should ensure that the following conditions are fulfilled: expected outcomes are negotiated, specified and agreed; § 4.2.2 ¶ 2 a)] | Establish/Maintain Documentation | Preventive | |
Disseminate and communicate the decision management strategy to all interested personnel and affected parties. CC ID 13991 [Be open about decisions and activities that affect the natural environment, society and the economy, and be willing to communicate these in a clear, accurate, timely, honest and complete manner. Table 2 Column 2 Row 4 Bullet 1] | Communicate | Preventive | |
Establish, implement, and maintain an information technology process framework. CC ID 13648 | Establish/Maintain Documentation | Preventive | |
Include maturity models in the Information Technology process framework. CC ID 13652 | Establish/Maintain Documentation | Preventive | |
Include relationships between Information Technology process structures in the Information Technology process framework. CC ID 13651 | Establish/Maintain Documentation | Preventive | |
Include Information Technology process structures in the Information Technology process framework. CC ID 13650 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain a tactical plan. CC ID 12785 [The governing body should provide the organization with an understanding of its intentions by setting clear strategic outcomes and guidance on the organizational strategy to achieve these outcomes, which it has determined will fulfil the organizational purpose and value generation objectives. § 6.3.3.1.1 ¶ 1] | Establish/Maintain Documentation | Preventive | |
Include acting with integrity in the tactical plan. CC ID 12871 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain a Strategic Information Technology Plan. CC ID 00628 [The governing body should provide direction for, and have sufficient oversight of, the use of data and its supporting information technology to ensure the organization remains within its established risk appetite and organizational risk framework. This can include: § 6.8.3.4 ¶ 2 The governing body should provide direction for, and have sufficient oversight of, the use of data and its supporting information technology to ensure the organization remains within its established risk appetite and organizational risk framework. This can include: ensuring that human behaviour is considered when applying information technology, including safety, fit for purpose and alignment with the organizational purpose; § 6.8.3.4 ¶ 2 e) The governing body should provide direction for, and have sufficient oversight of, the use of data and its supporting information technology to ensure the organization remains within its established risk appetite and organizational risk framework. This can include: innovation processes to ensure that changes in information technology can quickly be assessed and, if necessary and appropriate, governance policies can be updated to leverage new opportunities; § 6.8.3.4 ¶ 2 d)] | Establish/Maintain Documentation | Preventive | |
Include the Information Governance Plan in the Strategic Information Technology Plan. CC ID 10053 [The recognition that data can be a strategic asset (or liability) means that the governing body should: acknowledge the complexities and growing importance of data and establish governance policies and direction that aligns with the organization's needs and the degree of change required; § 6.8.3.3 ¶ 1 c) The recognition that data can be a strategic asset (or liability) means that the governing body should: ensure that the information requirements of the organization are sufficiently supported by its current and future technology capabilities; § 6.8.3.3 ¶ 1 d)] | Establish/Maintain Documentation | Preventive | |
Engage information governance subject matter experts in the development of the Information Governance Plan. CC ID 10055 | Human Resources Management | Preventive | |
Include the transparency goals in the Information Governance Plan. CC ID 10056 | Establish/Maintain Documentation | Preventive | |
Include the information integrity goals in the Information Governance Plan. CC ID 10057 [To demonstrate accountability, the governing body should ensure that the organization's reports and disclosures: give confidence in the integrity of the information used, e.g. describing assurance processes applied (see 6.4); § 6.5.3.2 ¶ 1 e)] | Establish/Maintain Documentation | Preventive | |
Include business continuity objectives in the Strategic Information Technology Plan. CC ID 06496 | Establish/Maintain Documentation | Preventive | |
Align business continuity objectives with the business continuity policy. CC ID 12408 | Establish/Maintain Documentation | Preventive | |
Use a risk-based approach to adapt the Strategic Information Technology Plan to the business's needs. CC ID 00631 | Business Processes | Corrective | |
Mirror the organization's business strategy during Information Technology planning in the Strategic Information Technology Plan. CC ID 00630 [The governing body should provide direction for, and have sufficient oversight of, the use of data and its supporting information technology to ensure the organization remains within its established risk appetite and organizational risk framework. This can include: ensuring that human behaviour is considered when applying information technology, including safety, fit for purpose and alignment with the organizational purpose; § 6.8.3.4 ¶ 2 e)] | Business Processes | Preventive | |
Incorporate protecting restricted information from unauthorized information flow or unauthorized disclosure into the Strategic Information Technology Plan. CC ID 06491 | Establish/Maintain Documentation | Preventive | |
Include the references to the organization's Information Technology systems in the Strategic Information Technology Plan, as necessary. CC ID 13959 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain tactical Information Technology plans in support of the Strategic Information Technology Plan. CC ID 00632 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain tactical Information Technology plans derived from the Strategic Information Technology Plan. CC ID 01609 | Establish/Maintain Documentation | Preventive | |
Document how each Information Technology project plan directly or indirectly supports the Strategic Information Technology Plan. CC ID 06497 | Establish/Maintain Documentation | Preventive | |
Document the business case and return on investment in each Information Technology project plan. CC ID 06846 | Establish/Maintain Documentation | Preventive | |
Escalate for management authorization any proposed projects where effective use of existing resources is overlooked. CC ID 06848 | Business Processes | Preventive | |
Document all desired outcomes for a proposed project in the Information Technology project plan. CC ID 06916 | Establish/Maintain Documentation | Preventive | |
Document the success criteria for the proposed project in the Information Technology project plan. CC ID 06917 | Establish/Maintain Documentation | Preventive | |
Assign senior management to approve business cases. CC ID 13068 | Human Resources Management | Preventive | |
Include milestones for each project phase in the Information Technology project plan. CC ID 12621 | Establish/Maintain Documentation | Preventive | |
Document lessons learned at the conclusion of each Information Technology project. CC ID 13654 | Establish/Maintain Documentation | Corrective | |
Establish, implement, and maintain a counterterror protective security plan. CC ID 06862 | Establish/Maintain Documentation | Preventive | |
Include communications and awareness activities in the counterterror protective security plan. CC ID 06863 | Establish/Maintain Documentation | Preventive | |
Include the protective security measures to implement after a change in the government response level in the counterterror protective security plan. CC ID 06864 | Establish/Maintain Documentation | Preventive | |
Include a search plan in the counterterror protective security plan. CC ID 06865 | Establish/Maintain Documentation | Preventive | |
Include an evacuation plan in the counterterror protective security plan. CC ID 06940 | Establish/Maintain Documentation | Preventive | |
Include a continuity plan in the counterterror protective security plan. CC ID 07031 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain Information Technology projects in support of the Strategic Information Technology Plan. CC ID 13673 | Establish/Maintain Documentation | Preventive | |
Disseminate and communicate the Information Technology Plans to all interested personnel and affected parties. CC ID 00633 | Establish/Maintain Documentation | Preventive | |
Monitor and evaluate the implementation and effectiveness of Information Technology Plans. CC ID 00634 | Monitor and Evaluate Occurrences | Detective | |
Establish and maintain an Information Technology plan status report that covers both Strategic Information Technology Plans and tactical Information Technology plans. CC ID 06839 | Actionable Reports or Measurements | Preventive | |
Include key personnel status changes in the Information Technology Plan status reports. CC ID 06840 | Actionable Reports or Measurements | Preventive | |
Include significant security risks in the Information Technology Plan status reports. CC ID 06939 | Actionable Reports or Measurements | Preventive | |
Include significant risk mitigations in the Information Technology Plan status reports. CC ID 06841 | Actionable Reports or Measurements | Preventive | |
Review and approve the Strategic Information Technology Plan at the level of senior management or the Board of Directors. CC ID 13094 | Human Resources Management | Preventive | |
Establish, implement, and maintain a Governance, Risk, and Compliance awareness and training program. CC ID 06492 [Governing body members should continuously improve their competency regarding the organization's activities, legal requirements and, more broadly, the organization's context. This improving capability, together with regular reviews of governance practices, should ensure a continually improving governance environment. § 4.3.2 ¶ 1 {individual}The governing body should steer the organizational strategy by means of: monitoring, evaluating and developing the capacities and competencies of those to whom the governing body has delegated; § 6.3.3.2.2 ¶ 2 g)] | Business Processes | Preventive | |
Establish and maintain a rapport with business and technical communities throughout the organization to promote the value and importance of Information Security. CC ID 06493 | Behavior | Preventive | |
Establish, implement, and maintain a financial management program. CC ID 13228 [To exercise effective oversight, the governing body should: ensure that an internal control system is implemented, including a risk management system, a compliance management system and a system of financial controls; § 6.4.3.1 ¶ 1 b) {be financially sound}The governing body should oversee organizational performance by assessing and taking corrective action based on: the organization's financial results and financial resources, ensuring that the organization remains financially sound; § 6.4.3.2 ¶ 1 f)] | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain funds transfer procedures. CC ID 16754 | Establish/Maintain Documentation | Preventive | |
Provide required information that is missing from a funds transfer to the responsible party. CC ID 16761 | Communicate | Preventive | |
Return the funds from a funds transfer when required information is not received or discrepancies resolved. CC ID 16760 | Business Processes | Preventive | |
Delay the funds transfer until all required information has been received or discrepancies resolved. CC ID 16759 | Business Processes | Preventive | |
Refrain from making funds from a funds transfer available to the interested personnel until all required information is received. CC ID 16758 | Business Processes | Preventive | |
Investigate discrepancies between the information received and the information verified for each funds transfer. CC ID 16757 | Investigate | Detective | |
Attach the required information to each funds transfer. CC ID 16756 | Business Processes | Preventive | |
Verify all required information is attached to each funds transfer. CC ID 16755 | Business Processes | Detective | |
Establish, implement, and maintain protective measures for customers from a bank's insolvency or default. CC ID 16738 | Business Processes | Preventive | |
Test the protective measures for effectiveness to prevent financial impact to responsible parties. CC ID 16750 | Testing | Preventive | |
Include communication protocols in the financial management program. CC ID 16763 | Establish/Maintain Documentation | Preventive | |
Include ongoing monitoring in the financial management program. CC ID 16762 | Process or Activity | Preventive | |
Employ tools to manage settlement and funding flows. CC ID 16743 | Process or Activity | Preventive | |
Refrain from setting up anonymous financial accounts. CC ID 16721 | Business Processes | Preventive | |
Identify and maintain positions in financial accounts. CC ID 16751 | Business Processes | Preventive | |
Establish, implement, and maintain a financial products and services disclosure policy. CC ID 16717 | Establish/Maintain Documentation | Preventive | |
Require acknowledgment of receipt from the customer in the financial products and services disclosure policy. CC ID 16725 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain a subsidiary compliance program. CC ID 16694 | Process or Activity | Preventive | |
Establish, implement, and maintain financial resource management procedures. CC ID 16642 | Establish/Maintain Documentation | Preventive | |
Document the rationale for the amount of financial resources being held. CC ID 16688 | Establish/Maintain Documentation | Preventive | |
Supplement financial resources, as necessary. CC ID 16685 | Business Processes | Preventive | |
Establish, implement, and maintain collateral procedures. CC ID 16653 | Establish/Maintain Documentation | Preventive | |
Include the use of appropriate models in the collateral procedures. CC ID 16687 | Establish/Maintain Documentation | Preventive | |
Define the collateral requirements in the collateral procedures. CC ID 16686 | Establish/Maintain Documentation | Preventive | |
Test the collateral requirements for appropriateness. CC ID 16681 | Testing | Preventive | |
Limit the types of assets accepted as collateral. CC ID 16602 | Business Processes | Preventive | |
Avoid the use of concentrated holdings of assets. CC ID 16651 | Business Processes | Preventive | |
Establish, implement, and maintain stress test plans for financial resources. CC ID 16644 | Testing | Preventive | |
Include stress scenarios in the stress test plan. CC ID 16659 | Testing | Preventive | |
Analyze the effectiveness of the stress test plan. CC ID 16657 | Process or Activity | Detective | |
Perform stress testing in accordance with the stress test plan. CC ID 16652 | Testing | Preventive | |
Disseminate and communicate the results of stress testing to interested personnel and affected parties. CC ID 16630 | Communicate | Preventive | |
Identify and document the financial resources available for use. CC ID 16643 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain credit loss procedures. CC ID 16683 | Establish/Maintain Documentation | Preventive | |
Include the allocation of credit losses in the credit loss procedures. CC ID 16684 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain a securities trading program. CC ID 16626 | Business Processes | Preventive | |
Include fairness and equitability standards in the securities trading program. CC ID 16690 | Establish/Maintain Documentation | Preventive | |
Include roles and responsibilities in the securities trading program. CC ID 16689 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain a capital restoration plan. CC ID 16613 | Establish/Maintain Documentation | Preventive | |
Include performance guarantees in the capital restoration plan. CC ID 16616 | Establish/Maintain Documentation | Preventive | |
Include corrective actions taken in the capital restoration plan. CC ID 16612 | Establish/Maintain Documentation | Preventive | |
Include required information in the capital restoration plan. CC ID 16609 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain valuation procedures. CC ID 16634 | Establish/Maintain Documentation | Preventive | |
Include investment information in approval requests for investments. CC ID 16590 | Business Processes | Preventive | |
Establish, implement, and maintain capital withdrawal requirements. CC ID 16576 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain lending policies. CC ID 16608 | Establish/Maintain Documentation | Preventive | |
Align the lending policy with the organization's risk acceptance level. CC ID 16716 | Process or Activity | Preventive | |
Include the requirements for risk assessments in the lending policy. CC ID 16730 | Establish/Maintain Documentation | Preventive | |
Include the requirements for sensitivity analyses in the lending policy. CC ID 16728 | Establish/Maintain Documentation | Preventive | |
Include the requirements for feasibility studies in the lending policy. CC ID 16726 | Establish/Maintain Documentation | Preventive | |
Include pricing structures in the lending policy. CC ID 16724 | Establish/Maintain Documentation | Preventive | |
Include monitoring requirements in the lending policy. CC ID 16710 | Establish/Maintain Documentation | Preventive | |
Include loan origination procedures in the lending policy. CC ID 16709 | Establish/Maintain Documentation | Preventive | |
Include review procedures and approval procedures for exception loans in the lending policy. CC ID 16708 | Establish/Maintain Documentation | Preventive | |
Include loan requirements in the lending policy. CC ID 16706 | Establish/Maintain Documentation | Preventive | |
Include appraisals and evaluations in the lending policy. CC ID 16705 | Establish/Maintain Documentation | Preventive | |
Include terms and conditions in the lending policy. CC ID 16695 | Establish/Maintain Documentation | Preventive | |
Include the scope and distribution of loans in the lending policy. CC ID 16693 | Establish/Maintain Documentation | Preventive | |
Include geographic areas in the lending policy. CC ID 16691 | Establish/Maintain Documentation | Preventive | |
Include underwriting guidelines in the lending policy. CC ID 16619 | Establish/Maintain Documentation | Preventive | |
Include credit review in the underwriting guidelines. CC ID 16765 | Establish/Maintain Documentation | Preventive | |
Include loan-to-value ratio limits in the lending policy. CC ID 16618 | Establish/Maintain Documentation | Preventive | |
Include documentation requirements in the lending policy. CC ID 16617 | Establish/Maintain Documentation | Preventive | |
Include the purpose of the loan in the loan documentation. CC ID 16747 | Establish/Maintain Documentation | Preventive | |
Include the source of repayment in the loan documentation. CC ID 16746 | Establish/Maintain Documentation | Preventive | |
Include approval requirements in the lending policy. CC ID 16615 | Establish/Maintain Documentation | Preventive | |
Include reporting requirements in the lending policy. CC ID 16614 | Establish/Maintain Documentation | Preventive | |
Include loan portfolio diversification standards in the lending policy. CC ID 16611 | Establish/Maintain Documentation | Preventive | |
Include loan administration procedures in the lending policy. CC ID 16610 | Establish/Maintain Documentation | Preventive | |
Include loan participation agreements in the loan administration procedures. CC ID 16745 | Establish/Maintain Documentation | Preventive | |
Include termination procedures in the loan participation agreement. CC ID 16753 | Establish/Maintain Documentation | Preventive | |
Justify the safety and efficiency of the participation requirements in the loan participation agreement. CC ID 16752 | Establish/Maintain Documentation | Preventive | |
Include servicing agreements in the loan administration procedures. CC ID 16744 | Establish/Maintain Documentation | Preventive | |
Include claims processing in the loan administration procedures. CC ID 16742 | Establish/Maintain Documentation | Preventive | |
Include forbearance management in the loan administration procedures. CC ID 16741 | Establish/Maintain Documentation | Preventive | |
Include foreclosure management in the loan administration procedures. CC ID 16740 | Establish/Maintain Documentation | Preventive | |
Include delinquency management in the loan administration procedures. CC ID 16739 | Establish/Maintain Documentation | Preventive | |
Include customer due diligence in the loan administration procedures. CC ID 16736 | Process or Activity | Preventive | |
Include the requirements for financial statements in the loan administration procedures. CC ID 16735 | Establish/Maintain Documentation | Preventive | |
Include loan closing in the loan administration procedures. CC ID 16734 | Establish/Maintain Documentation | Preventive | |
Include payoff statements in the loan administration procedures. CC ID 16733 | Establish/Maintain Documentation | Preventive | |
Include payment processing in the loan administration procedures. CC ID 16732 | Establish/Maintain Documentation | Preventive | |
Include loan reviews in the loan administration procedures. CC ID 16703 | Establish/Maintain Documentation | Preventive | |
Include collections in the loan administration procedures. CC ID 16701 | Establish/Maintain Documentation | Preventive | |
Include collateral inspections in the loan administration procedures. CC ID 16699 | Establish/Maintain Documentation | Preventive | |
Include disbursements in the loan administration procedures. CC ID 16697 | Establish/Maintain Documentation | Preventive | |
Review and approve lending policies. CC ID 16607 | Business Processes | Preventive | |
Establish, implement, and maintain a dividend policy. CC ID 16569 | Establish/Maintain Documentation | Preventive | |
Include compliance requirements in the dividend policy. CC ID 16570 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain margin systems. CC ID 16601 | Business Processes | Preventive | |
Include valuation models in the margin system. CC ID 16663 | Data and Information Management | Preventive | |
Include procedures for collecting price data in the margin system. CC ID 16662 | Data and Information Management | Preventive | |
Include reliable sources for price data in the margin system. CC ID 16661 | Data and Information Management | Preventive | |
Validate the margin system on a regular basis. CC ID 16660 | Testing | Detective | |
Assess the properties of the margin model used in the margin system. CC ID 16658 | Process or Activity | Detective | |
Monitor the performance of the margin system. CC ID 16655 | Monitor and Evaluate Occurrences | Detective | |
Analyze the performance of the margin system. CC ID 16654 | Process or Activity | Detective | |
Establish, implement, and maintain capital adequacy measures. CC ID 16568 | Business Processes | Preventive | |
Establish, implement, and maintain escrow procedures for financial transactions. CC ID 16564 | Establish/Maintain Documentation | Preventive | |
Determine the amount of assets to be held in escrow. CC ID 16575 | Investigate | Detective | |
Disseminate and communicate the escrow procedures to interested personnel and affected parties. CC ID 16565 | Communicate | Preventive | |
Establish, implement, and maintain a Capital Planning and Investment Control policy. CC ID 06279 [The governing body should oversee organizational performance by assessing and taking corrective action based on: the organization's responsible (which includes ethical) use of, and adequate investment in, technology including, for example, artificial intelligence and cyber security; § 6.4.3.2 ¶ 1 i)] | Establish/Maintain Documentation | Preventive | |
Include risk management in the Capital Planning and Investment Control policy. CC ID 16764 | Establish/Maintain Documentation | Preventive | |
Include debt rating requirements in the Capital Planning and Investment Control policy. CC ID 16692 | Establish/Maintain Documentation | Preventive | |
Include divestiture requirements in the Capital Planning and Investment Control policy. CC ID 16591 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain a recordkeeping system for securities transactions. CC ID 16631 | Establish/Maintain Documentation | Preventive | |
Include order tickets in the recordkeeping system for securities transactions. CC ID 16640 | Data and Information Management | Preventive | |
Include receipts and deliveries of securities in the recordkeeping system for securities transactions. CC ID 16650 | Data and Information Management | Preventive | |
Include debits and credits in the recordkeeping system for securities transactions. CC ID 16639 | Data and Information Management | Preventive | |
Include a description of the transaction in the recordkeeping system for securities transactions. CC ID 16645 | Data and Information Management | Preventive | |
Include chronological records of transactions in the recordkeeping system for securities transactions. CC ID 16638 | Data and Information Management | Preventive | |
Include the name of the dealer in the recordkeeping system for securities transactions. CC ID 16637 | Data and Information Management | Preventive | |
Include the execution price in the recordkeeping system for securities transactions. CC ID 16636 | Data and Information Management | Preventive | |
Include the date and time of the transaction in the recordkeeping system for securities transactions. CC ID 16635 | Data and Information Management | Preventive | |
Include the type of transaction in the recordkeeping system for securities transactions. CC ID 16633 | Data and Information Management | Preventive | |
Include account information in the recordkeeping system for securities transactions. CC ID 16632 | Data and Information Management | Preventive | |
Establish, implement, and maintain securities transaction notifications. CC ID 16600 | Establish/Maintain Documentation | Preventive | |
Include the call date in the securities transaction notification. CC ID 16680 | Establish/Maintain Documentation | Preventive | |
Include service charges and commissions in the securities transaction notification. CC ID 16702 | Establish/Maintain Documentation | Preventive | |
Include the funds and securities in the possession of the organization in the securities transaction notification. CC ID 16679 | Establish/Maintain Documentation | Preventive | |
Include the call price in the securities transaction notification. CC ID 16678 | Establish/Maintain Documentation | Preventive | |
Include debits and credits in the securities transaction notification. CC ID 16677 | Establish/Maintain Documentation | Preventive | |
Include transactions in the securities transaction notification. CC ID 16676 | Establish/Maintain Documentation | Preventive | |
Include the credit rating of securities in the securities transaction notification. CC ID 16674 | Establish/Maintain Documentation | Preventive | |
Include yield information in the securities transaction notification. CC ID 16673 | Establish/Maintain Documentation | Preventive | |
Include redemption information in the securities transaction notification. CC ID 16672 | Establish/Maintain Documentation | Preventive | |
Include the price calculated from the yield in the securities transaction notification. CC ID 16669 | Establish/Maintain Documentation | Preventive | |
Include the type of call in the securities transaction notification. CC ID 16668 | Establish/Maintain Documentation | Preventive | |
Include an account statement in the securities transaction notification. CC ID 16666 | Establish/Maintain Documentation | Preventive | |
Include the yield to maturity in the securities transaction notification. CC ID 16665 | Establish/Maintain Documentation | Preventive | |
Include the execution price in the securities transaction notification. CC ID 16664 | Establish/Maintain Documentation | Preventive | |
Include the organization's role in the securities transaction notification. CC ID 16646 | Establish/Maintain Documentation | Preventive | |
Include the name of the broker in the securities transaction notification. CC ID 16647 | Establish/Maintain Documentation | Preventive | |
Include the name of the customer in the securities transaction notification. CC ID 16625 | Establish/Maintain Documentation | Preventive | |
Include the organization's name in the securities transaction notification. CC ID 16624 | Establish/Maintain Documentation | Preventive | |
Include confirmations in the securities transaction notification. CC ID 16623 | Establish/Maintain Documentation | Preventive | |
Include remunerations in the securities transaction notification. CC ID 16622 | Establish/Maintain Documentation | Preventive | |
Include requested information in the securities transaction notification. CC ID 16641 | Establish/Maintain Documentation | Preventive | |
Disseminate and communicate securities transaction notifications to interested personnel and affected parties. CC ID 16621 | Communicate | Preventive | |
Include the execution date in the securities transaction notification. CC ID 16620 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain financial reports. CC ID 14770 [The governing body should demonstrate accountability by retaining and distributing value in a transparent manner and reporting on the associated processes, decisions and results, including on the extent of the organization's impacts over time. This includes disclosing to relevant stakeholders where the organization has destroyed or compromised value, providing a justification for such where appropriate, and describing how it will redress or reinstate that value. § 6.2.3.5 ¶ 2] | Establish/Maintain Documentation | Preventive | |
Structure financial reports in accordance with external requirements, as necessary. CC ID 14776 | Establish/Maintain Documentation | Preventive | |
Include the report of independent Certified Public Accountants in the financial report. CC ID 14779 | Establish/Maintain Documentation | Preventive | |
Include the business need justification for lost value in the financial report. CC ID 15588 [The governing body should demonstrate accountability by retaining and distributing value in a transparent manner and reporting on the associated processes, decisions and results, including on the extent of the organization's impacts over time. This includes disclosing to relevant stakeholders where the organization has destroyed or compromised value, providing a justification for such where appropriate, and describing how it will redress or reinstate that value. § 6.2.3.5 ¶ 2] | Establish/Maintain Documentation | Preventive | |
Disseminate and communicate the financial report to interested personnel and affected parties. CC ID 16342 | Communicate | Preventive | |
Include financial statements in the financial report, as necessary. CC ID 14775 | Establish/Maintain Documentation | Preventive | |
Include capital deductions and adjustments in the financial statement. CC ID 16667 | Establish/Maintain Documentation | Preventive | |
Include earnings per share or loss per share in the financial statement. CC ID 16597 | Establish/Maintain Documentation | Preventive | |
Include material contingencies in the financial statement. CC ID 16596 | Establish/Maintain Documentation | Preventive | |
Include notes to financial statements in the financial report, as necessary. CC ID 14780 | Establish/Maintain Documentation | Preventive | |
Include information on loans to small businesses and small farms in the call report. CC ID 16731 | Establish/Maintain Documentation | Preventive | |
Include assets and liabilities in the call report. CC ID 16729 | Establish/Maintain Documentation | Preventive | |
Disseminate and communicate the call report to interested personnel and affected parties. CC ID 16727 | Communicate | Preventive | |
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term
Mandated - bold Implied - italic Implementation - regular | TYPE | CLASS | |
---|---|---|---|
Monitoring and measurement CC ID 00636 | IT Impact Zone | IT Impact Zone | |
Monitor the usage and capacity of critical assets. CC ID 14825 [The value generation model requires an integrated approach to understanding and using resources (e.g. human, social and relational, intellectual, the natural environment, financial and manufactured). This approach includes: measurement and tracking of the organization's use of, and impact on, these resources; § 6.2.3.1 ¶ 4 b)] | Monitor and Evaluate Occurrences | Detective | |
Monitor the usage and capacity of Information Technology assets. CC ID 00668 | Monitor and Evaluate Occurrences | Detective | |
Monitor all outbound traffic from all systems. CC ID 12970 | Monitor and Evaluate Occurrences | Preventive | |
Notify the interested personnel and affected parties before the storage unit reaches maximum capacity. CC ID 06773 | Behavior | Detective | |
Monitor systems for errors and faults. CC ID 04544 | Monitor and Evaluate Occurrences | Detective | |
Report errors and faults to the appropriate personnel, as necessary. CC ID 14296 | Communicate | Corrective | |
Compare system performance metrics to organizational standards and industry benchmarks. CC ID 00667 | Monitor and Evaluate Occurrences | Detective | |
Establish, implement, and maintain logging and monitoring operations. CC ID 00637 | Log Management | Detective | |
Establish, implement, and maintain intrusion management operations. CC ID 00580 | Monitor and Evaluate Occurrences | Preventive | |
Monitor systems for inappropriate usage and other security violations. CC ID 00585 [{be responsible}{be ethical}The governing body should provide direction for, and have sufficient oversight of, the use of data and its supporting information technology to ensure the organization remains within its established risk appetite and organizational risk framework. This can include: adequate auditing, and monitoring, of information technology to ensure its responsible, including ethical, use and that it meets the governing body's intentions and expectations as well as the organization's compliance obligations; § 6.8.3.4 ¶ 2 c)] | Monitor and Evaluate Occurrences | Detective | |
Monitor systems for blended attacks and multiple component incidents. CC ID 01225 | Monitor and Evaluate Occurrences | Detective | |
Monitor systems for Denial of Service attacks. CC ID 01222 | Monitor and Evaluate Occurrences | Detective | |
Monitor systems for unauthorized data transfers. CC ID 12971 | Monitor and Evaluate Occurrences | Preventive | |
Address operational anomalies within the incident management system. CC ID 11633 | Audits and Risk Management | Preventive | |
Monitor systems for access to restricted data or restricted information. CC ID 04721 | Monitor and Evaluate Occurrences | Detective | |
Assign roles and responsibilities for overseeing access to restricted data or restricted information. CC ID 11950 | Human Resources Management | Detective | |
Detect unauthorized access to systems. CC ID 06798 | Monitor and Evaluate Occurrences | Detective | |
Incorporate potential red flags into the organization's incident management system. CC ID 04652 | Monitor and Evaluate Occurrences | Detective | |
Incorporate an Identity Theft Prevention Program into the organization's incident management system. CC ID 11634 | Audits and Risk Management | Preventive | |
Alert interested personnel when suspicious activity is detected by an Intrusion Detection System or Intrusion Prevention System. CC ID 06430 | Monitor and Evaluate Occurrences | Detective | |
Alert interested personnel and affected parties when an incident causes an outage. CC ID 06808 | Monitor and Evaluate Occurrences | Detective | |
Monitor systems for unauthorized mobile code. CC ID 10034 | Monitor and Evaluate Occurrences | Preventive | |
Establish, implement, and maintain a risk monitoring program. CC ID 00658 [The governing body should ensure that the value generation objectives are delivered by the organization as a whole, by applying all other principles in this document. This includes ensuring that: the impacts of the organization's changing context are identified, understood, monitored and appropriate action is taken; § 6.2.3.4 ¶ 1 b) To ensure that the organization fulfils the organizational purpose and achieves the intended strategic outcomes, the governing body should: ensure that when the governing body makes decisions, it assesses, treats, monitors, and communicates the nature and extent of the risks faced; § 6.9.3.1 ¶ 2 b) The governing body should oversee the organization's management of risk (see 6.4), ensuring that: the organization assesses, treats, monitors and reviews risk in accordance with the established organizational risk framework; § 6.9.3.4 ¶ 1 d) The governing body should ensure that the value generation objectives are delivered by the organization as a whole, by applying all other principles in this document. This includes ensuring that: unintended outcomes are adequately identified, understood, monitored and appropriate action taken; § 6.2.3.4 ¶ 1 a)] | Establish/Maintain Documentation | Preventive | |
Monitor the organization's exposure to threats, as necessary. CC ID 06494 | Monitor and Evaluate Occurrences | Preventive | |
Monitor and evaluate environmental threats. CC ID 13481 | Monitor and Evaluate Occurrences | Detective | |
Implement a fraud detection system. CC ID 13081 | Business Processes | Preventive | |
Update or adjust fraud detection systems, as necessary. CC ID 13684 | Process or Activity | Corrective | |
Monitor for new vulnerabilities. CC ID 06843 | Monitor and Evaluate Occurrences | Preventive | |
Establish, implement, and maintain a compliance testing strategy. CC ID 00659 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain a self-assessment approach as part of the compliance testing strategy. CC ID 12833 | Testing | Preventive | |
Test compliance controls for proper functionality. CC ID 00660 | Testing | Detective | |
Establish, implement, and maintain a system security plan. CC ID 01922 [{environmental system}{social system} The governing body should ensure that the organization protects and restores those systems on which it depends. In this regard, the governing body should consider and manage risk associated with those decisions it makes that can impact the natural environmental, social and economic systems (see 6.9). While doing so, the governing body should ensure that relevant stakeholders are consulted and engaged (see 6.6). This should provide clarity regarding the impact the governing body's decisions have, over time, on those aspects on which the organization is: § 6.11.3.4 ¶ 1] | Testing | Preventive | |
Include a system description in the system security plan. CC ID 16467 | Establish/Maintain Documentation | Preventive | |
Include a description of the operational context in the system security plan. CC ID 14301 | Establish/Maintain Documentation | Preventive | |
Include the results of the security categorization in the system security plan. CC ID 14281 | Establish/Maintain Documentation | Preventive | |
Include the information types in the system security plan. CC ID 14696 | Establish/Maintain Documentation | Preventive | |
Include the security requirements in the system security plan. CC ID 14274 | Establish/Maintain Documentation | Preventive | |
Include threats in the system security plan. CC ID 14693 | Establish/Maintain Documentation | Preventive | |
Include network diagrams in the system security plan. CC ID 14273 | Establish/Maintain Documentation | Preventive | |
Include roles and responsibilities in the system security plan. CC ID 14682 | Establish/Maintain Documentation | Preventive | |
Include the results of the privacy risk assessment in the system security plan. CC ID 14676 | Establish/Maintain Documentation | Preventive | |
Include remote access methods in the system security plan. CC ID 16441 | Establish/Maintain Documentation | Preventive | |
Disseminate and communicate the system security plan to interested personnel and affected parties. CC ID 14275 | Communicate | Preventive | |
Include a description of the operational environment in the system security plan. CC ID 14272 | Establish/Maintain Documentation | Preventive | |
Include the security categorizations and rationale in the system security plan. CC ID 14270 | Establish/Maintain Documentation | Preventive | |
Include the authorization boundary in the system security plan. CC ID 14257 | Establish/Maintain Documentation | Preventive | |
Align the enterprise architecture with the system security plan. CC ID 14255 | Process or Activity | Preventive | |
Include security controls in the system security plan. CC ID 14239 | Establish/Maintain Documentation | Preventive | |
Create specific test plans to test each system component. CC ID 00661 | Establish/Maintain Documentation | Preventive | |
Include the roles and responsibilities in the test plan. CC ID 14299 | Establish/Maintain Documentation | Preventive | |
Include the assessment team in the test plan. CC ID 14297 | Establish/Maintain Documentation | Preventive | |
Include the scope in the test plans. CC ID 14293 | Establish/Maintain Documentation | Preventive | |
Include the assessment environment in the test plan. CC ID 14271 | Establish/Maintain Documentation | Preventive | |
Approve the system security plan. CC ID 14241 | Business Processes | Preventive | |
Adhere to the system security plan. CC ID 11640 | Testing | Detective | |
Review the test plans for each system component. CC ID 00662 | Establish/Maintain Documentation | Preventive | |
Validate all testing assumptions in the test plans. CC ID 00663 | Testing | Detective | |
Document validated testing processes in the testing procedures. CC ID 06200 | Establish/Maintain Documentation | Preventive | |
Require testing procedures to be complete. CC ID 00664 | Testing | Detective | |
Include error details, identifying the root causes, and mitigation actions in the testing procedures. CC ID 11827 | Establish/Maintain Documentation | Preventive | |
Determine the appropriate assessment method for each testing process in the test plan. CC ID 00665 | Testing | Preventive | |
Implement automated audit tools. CC ID 04882 | Acquisition/Sale of Assets or Services | Preventive | |
Assign senior management to approve test plans. CC ID 13071 | Human Resources Management | Preventive | |
Analyze system audit reports and determine the need to perform more tests. CC ID 00666 | Testing | Detective | |
Monitor devices continuously for conformance with production specifications. CC ID 06201 | Monitor and Evaluate Occurrences | Detective | |
Establish, implement, and maintain a compliance monitoring policy. CC ID 00671 [Governance of organizations is a human-based system by which an organization is directed, overseen and held accountable for achieving its defined organizational purpose. At its core this includes: overseeing that the organization performs and behaves according to the expectations set by the governing body; § 4.1 ¶ 3 d)] | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain a metrics policy. CC ID 01654 [The governing body should: set an expectation of the appropriate quality and quantity of measurement and timeliness of delivery when establishing objectives; § 4.3.2 ¶ 2 c)] | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain an approach for compliance monitoring. CC ID 01653 [Decision-making throughout the organization should be supported by appropriate delegation (see 4.2.2). This delegation should be formalized together with appropriate assurance processes. Additionally, the governing body should ensure that: information structures, including access to information, monitoring and potential mitigation of incorrect decisions are sufficient to ensure compliance with organizational requirements. § 6.8.3.2.2 ¶ 1 c)] | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain risk management metrics. CC ID 01656 | Establish/Maintain Documentation | Preventive | |
Report on the percentage of critical assets for which an assurance strategy is implemented. CC ID 01657 | Actionable Reports or Measurements | Detective | |
Report on the percentage of key organizational functions for which an assurance strategy is implemented. CC ID 01658 | Actionable Reports or Measurements | Detective | |
Report on the percentage of key compliance requirements for which an assurance strategy has been implemented. CC ID 01659 | Actionable Reports or Measurements | Detective | |
Report on the percentage of the Information System budget allocated to Information Security. CC ID 04571 | Actionable Reports or Measurements | Detective | |
Identify information being used to support the performance of the governance, risk, and compliance capability. CC ID 12866 | Business Processes | Preventive | |
Identify information being used to support performance reviews for risk optimization. CC ID 12865 | Audits and Risk Management | Preventive | |
Monitor personnel and third parties for compliance with the organizational compliance framework. CC ID 04726 | Monitor and Evaluate Occurrences | Detective | |
Identify and document instances of non-compliance with the compliance framework. CC ID 06499 [Recognize failures and mistakes and take appropriate action. Table 2 Column 2 Row 2 Bullet 5] | Establish/Maintain Documentation | Preventive | |
Align enforcement reviews for non-compliance with organizational risk tolerance. CC ID 13063 | Business Processes | Detective | |
Determine the causes of compliance violations. CC ID 12401 | Investigate | Corrective | |
Identify and document events surrounding non-compliance with the organizational compliance framework. CC ID 12935 | Establish/Maintain Documentation | Preventive | |
Determine if multiple compliance violations of the same type could occur. CC ID 12402 | Investigate | Detective | |
Correct compliance violations. CC ID 13515 | Process or Activity | Corrective | |
Review the effectiveness of disciplinary actions carried out for compliance violations. CC ID 12403 | Investigate | Detective | |
Carry out disciplinary actions when a compliance violation is detected. CC ID 06675 [When delegating, the governing body should delegate in a manner which increases trust and transparency. For delegation and accountability (see 6.5) to be effective, the governing body should ensure that the following conditions are fulfilled: consequences, such as sanctions, for the non-fulfilment of a responsibility or non-adherence to established parameters are enforceable. § 4.2.2 ¶ 2 e)] | Behavior | Corrective | |
Align disciplinary actions with the level of compliance violation. CC ID 12404 | Human Resources Management | Preventive | |
Establish, implement, and maintain disciplinary action notices. CC ID 16577 | Establish/Maintain Documentation | Preventive | |
Include a copy of the order in the disciplinary action notice. CC ID 16606 | Establish/Maintain Documentation | Preventive | |
Include the sanctions imposed in the disciplinary action notice. CC ID 16599 | Establish/Maintain Documentation | Preventive | |
Include the effective date of the sanctions in the disciplinary action notice. CC ID 16589 | Establish/Maintain Documentation | Preventive | |
Include the requirements that were violated in the disciplinary action notice. CC ID 16588 | Establish/Maintain Documentation | Preventive | |
Include responses to charges from interested personnel and affected parties in the disciplinary action notice. CC ID 16587 | Establish/Maintain Documentation | Preventive | |
Include the reasons for imposing sanctions in the disciplinary action notice. CC ID 16586 | Establish/Maintain Documentation | Preventive | |
Disseminate and communicate the disciplinary action notice to interested personnel and affected parties. CC ID 16585 | Communicate | Preventive | |
Include required information in the disciplinary action notice. CC ID 16584 | Establish/Maintain Documentation | Preventive | |
Include a justification for actions taken in the disciplinary action notice. CC ID 16583 | Establish/Maintain Documentation | Preventive | |
Include a statement on the conclusions of the investigation in the disciplinary action notice. CC ID 16582 | Establish/Maintain Documentation | Preventive | |
Include the investigation results in the disciplinary action notice. CC ID 16581 | Establish/Maintain Documentation | Preventive | |
Include a description of the causes of the actions taken in the disciplinary action notice. CC ID 16580 | Establish/Maintain Documentation | Preventive | |
Include the name of the person responsible for the charges in the disciplinary action notice. CC ID 16579 | Establish/Maintain Documentation | Preventive | |
Include contact information in the disciplinary action notice. CC ID 16578 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain compliance program metrics. CC ID 11625 | Monitor and Evaluate Occurrences | Preventive | |
Establish, implement, and maintain a security program metrics program. CC ID 01660 | Establish/Maintain Documentation | Preventive | |
Report on the policies and controls that have been implemented by management. CC ID 01670 | Actionable Reports or Measurements | Detective | |
Establish, implement, and maintain a key management roles metrics standard. CC ID 11631 [To demonstrate accountability, the governing body should ensure that the organization's reports and disclosures: provide information about the governing body itself, including: decisions, actions, performance and improvements; § 6.5.3.2 ¶ 1 b) 1)] | Establish/Maintain Documentation | Preventive | |
Report on the percentage of security management roles that have been assigned. CC ID 01671 | Actionable Reports or Measurements | Detective | |
Establish, implement, and maintain a key stakeholder metrics program. CC ID 01661 [{individual}To demonstrate accountability, the governing body should ensure that the organization's reports and disclosures: provide information about the organization, including: those who can influence the decisions of the governing body (such as member stakeholders, reference stakeholders and other stakeholders who can exert a controlling influence) and the nature and level of influence; § 6.5.3.2 ¶ 1 c) 4) The governing body should oversee organizational performance by assessing and taking corrective action based on: managerial reporting and performance, ensuring that it appraises results against applicable measurement criteria and its intentions and expectations (see 6.3.3); § 6.4.3.2 ¶ 1 b)] | Establish/Maintain Documentation | Preventive | |
Report on the percentage of board meetings or committee meetings at which Information Assurance was on the agenda. CC ID 01672 | Actionable Reports or Measurements | Detective | |
Establish, implement, and maintain a supply chain member metrics program. CC ID 01662 | Establish/Maintain Documentation | Preventive | |
Report on the percentage of supply chain members for which all Information Assurance requirements have been implemented. CC ID 01675 | Actionable Reports or Measurements | Detective | |
Report on the Service Level Agreement performance of supply chain members. CC ID 06838 | Actionable Reports or Measurements | Preventive | |
Establish, implement, and maintain a Business Continuity metrics program. CC ID 01663 | Establish/Maintain Documentation | Preventive | |
Report on the percentage of organizational units that have an established Business Continuity Plan. CC ID 01676 | Actionable Reports or Measurements | Detective | |
Report on the percentage of organizational units with a documented Business Continuity Plan for which specific responsibilities have been assigned. CC ID 02057 | Actionable Reports or Measurements | Detective | |
Report on the percentage of Business Continuity Plans that have been reviewed, tested, and updated. CC ID 02058 | Actionable Reports or Measurements | Detective | |
Establish, implement, and maintain an audit metrics program. CC ID 01664 | Establish/Maintain Documentation | Preventive | |
Report on the percentage of needed internal audits that have been completed and reviewed. CC ID 01677 | Actionable Reports or Measurements | Detective | |
Report on the percentage of Information Security requirements from applicable laws and regulations that are included in the audit program. CC ID 02069 | Actionable Reports or Measurements | Detective | |
Report on the percentage of needed external audits that have been completed and reviewed. CC ID 11632 | Actionable Reports or Measurements | Detective | |
Report on the percentage of Information Security audits conducted in compliance with the approved audit program. CC ID 02070 | Actionable Reports or Measurements | Detective | |
Report on the percentage of audit findings that have been resolved since the last audit. CC ID 01678 | Actionable Reports or Measurements | Detective | |
Report on the percentage of management actions in response to audit findings and audit recommendations that were implemented in a timely way. CC ID 02071 | Actionable Reports or Measurements | Detective | |
Establish, implement, and maintain an Information Security metrics program. CC ID 01665 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain a metrics standard and template. CC ID 02157 [The governing body should ensure that it sets parameters, within which the value generation objectives are to be achieved. These parameters should ensure that the organization: § 6.2.3.3 ¶ 1 The governing body should steer the organizational strategy by means of: targets, key performance indicators (KPIs) and associated incentives, including financial remuneration (see 6.4.3); § 6.3.3.2.2 ¶ 2 i) Within the governing body: The governing body should set expectations for itself and the organization, including parameters within which these expectations are to be fulfilled. The governing body should fulfil these expectations (internal alignment). § 6.7.3.2 ¶ 1 a)] | Establish/Maintain Documentation | Preventive | |
Convert data into standard units before reporting metrics. CC ID 15507 | Process or Activity | Corrective | |
Monitor compliance with the Quality Control system. CC ID 01023 | Actionable Reports or Measurements | Preventive | |
Report on the percentage of complaints received about products or delivered services. CC ID 07199 | Actionable Reports or Measurements | Preventive | |
Report on the percentage of Quality Assurance attained by Quality Improvement practices. CC ID 07202 | Actionable Reports or Measurements | Preventive | |
Establish, implement, and maintain an occupational health and safety management metrics program. CC ID 15915 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain a policies and controls metrics program. CC ID 01666 | Establish/Maintain Documentation | Preventive | |
Report on the percentage of total controls for which policies, standards, and procedures exist and for which approval has been granted. CC ID 01679 | Actionable Reports or Measurements | Detective | |
Report on the percentage of personnel who are assigned and acknowledged responsibilities for approved policies, standards, and procedures. CC ID 01680 | Actionable Reports or Measurements | Detective | |
Report on the percentage of policy compliance reviews for which no compliance violations were noted. CC ID 01681 | Actionable Reports or Measurements | Detective | |
Report on the percentage of senior management or business unit heads who have implemented operational compliance procedures. CC ID 01682 | Actionable Reports or Measurements | Detective | |
Establish, implement, and maintain a security roles and responsibilities metrics program. CC ID 01667 | Establish/Maintain Documentation | Preventive | |
Report on the percentage of role descriptions that define the Information Awareness roles for Security Managers and administrators. CC ID 01685 | Actionable Reports or Measurements | Detective | |
Report on the percentage of role descriptions that define the information awareness roles for interested personnel. CC ID 01686 | Actionable Reports or Measurements | Detective | |
Report on the percentage of role descriptions that define the information awareness roles for end users. CC ID 01687 | Actionable Reports or Measurements | Detective | |
Report on the percentage of performance reviews that include the evaluation of Information Assurance responsibilities and policy compliance. CC ID 01688 | Actionable Reports or Measurements | Detective | |
Report on the percentage of individuals who have access to security software, are trained, and authorized Security Administrators. CC ID 01691 | Actionable Reports or Measurements | Detective | |
Report on the percentage of individuals who are able to assign security privileges, are trained, and authorized Security Administrators. CC ID 01692 | Actionable Reports or Measurements | Detective | |
Establish, implement, and maintain a role-based information access metrics program. CC ID 01668 | Establish/Maintain Documentation | Preventive | |
Report on the percentage of new hires who completed training ahead of being granted network access or system access. CC ID 01683 | Actionable Reports or Measurements | Detective | |
Report on the percentage of personnel who have completed periodic Information Assurance refresher training. CC ID 01684 | Actionable Reports or Measurements | Detective | |
Report on the percentage of user roles, systems, and applications that comply with the segregation of duties principle. CC ID 01689 | Actionable Reports or Measurements | Detective | |
Report on the percentage of individuals whose access rights have been reviewed. CC ID 01690 | Actionable Reports or Measurements | Detective | |
Report on the percentage of users who have access to restricted data or restricted information and have undergone a background check. CC ID 01693 | Actionable Reports or Measurements | Detective | |
Establish, implement, and maintain an information risk threshold metrics program. CC ID 01694 | Establish/Maintain Documentation | Preventive | |
Report on the percentage of critical information assets and information-dependent functions. CC ID 02040 | Actionable Reports or Measurements | Detective | |
Report on the percentage of critical assets and functions for which the cost of compromise has been quantified. CC ID 02041 | Actionable Reports or Measurements | Detective | |
Report on the percentage of identified risks that have a defined risk mitigation plan. CC ID 02042 | Actionable Reports or Measurements | Detective | |
Report on the percentage of systems with approved System Security Plans. CC ID 02145 | Actionable Reports or Measurements | Detective | |
Monitor the supply chain for Information Assurance effectiveness. CC ID 02043 | Establish/Maintain Documentation | Preventive | |
Report on the percentage of known Information Security risks that are related to supply chain relationships. CC ID 02044 | Actionable Reports or Measurements | Detective | |
Report on the percentage of critical information assets or critical functions for which access by supply chain personnel is disallowed. CC ID 02045 | Actionable Reports or Measurements | Detective | |
Report on the percentage of supply chain personnel who have current information asset user privileges. CC ID 02046 | Actionable Reports or Measurements | Detective | |
Report on the percentage of systems with critical information assets or functions for which electronic connection by supply chain assets is disallowed. CC ID 02047 | Actionable Reports or Measurements | Detective | |
Report on the percentage of security incidents that involved supply chain personnel. CC ID 02048 | Actionable Reports or Measurements | Detective | |
Report on the percentage of third party contracts that include a requirement to externally verify policies and procedures. CC ID 02049 | Actionable Reports or Measurements | Detective | |
Report on the percentage of supply chain relationships that have been reviewed for compliance with information security requirements. CC ID 02050 | Actionable Reports or Measurements | Detective | |
Establish, implement, and maintain an identification and classification of information assets metrics program. CC ID 02052 | Business Processes | Preventive | |
Report on the percentage of information assets that have been reviewed and classified. CC ID 02053 | Actionable Reports or Measurements | Detective | |
Report on the percentage of information assets with defined user privileges that have been assigned based on role and according to policy. CC ID 02054 | Actionable Reports or Measurements | Detective | |
Report on the percentage of scheduled Information Technology inventory processes that occurred on time. CC ID 02055 | Actionable Reports or Measurements | Detective | |
Establish, implement, and maintain an Information Systems architecture metrics program. CC ID 02059 | Business Processes | Preventive | |
Report on the percentage of recently identified information security risks related to systems architecture that have been adequately mitigated. CC ID 02060 | Actionable Reports or Measurements | Detective | |
Report on the percentage of system architecture changes that were approved through appropriate change requests. CC ID 02061 | Actionable Reports or Measurements | Detective | |
Report on the percentage of critical information assets or functions residing on systems that are currently in compliance with the approved systems architecture. CC ID 02062 | Actionable Reports or Measurements | Detective | |
Report on the percentage of systems that have been recertified if security controls were updated after the system was developed. CC ID 02142 | Actionable Reports or Measurements | Detective | |
Report on the percentage of systems that have completed Certification and Accreditation. CC ID 02143 | Actionable Reports or Measurements | Detective | |
Establish, implement, and maintain a physical environment metrics program. CC ID 02063 | Business Processes | Preventive | |
Report on the percentage of critical organizational information assets and functions that have been reviewed from the risk to physical security perspective. CC ID 02064 | Actionable Reports or Measurements | Detective | |
Report on the percentage of critical organizational information assets and functions exposed to physical risks for which risk mitigation actions have been implemented. CC ID 02065 | Actionable Reports or Measurements | Detective | |
Report on the percentage of critical assets that have been reviewed from the environmental risk perspective. CC ID 02066 | Actionable Reports or Measurements | Detective | |
Report on the percentage of servers located in controlled access areas. CC ID 02067 | Actionable Reports or Measurements | Detective | |
Establish, implement, and maintain a privacy metrics program. CC ID 15494 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain environmental management system performance metrics. CC ID 15191 | Actionable Reports or Measurements | Preventive | |
Establish, implement, and maintain waste management metrics. CC ID 16152 | Actionable Reports or Measurements | Preventive | |
Establish, implement, and maintain emissions management metrics. CC ID 16145 | Actionable Reports or Measurements | Preventive | |
Establish, implement, and maintain financial management metrics. CC ID 16749 | Actionable Reports or Measurements | Preventive | |
Establish, implement, and maintain a technical measurement metrics policy. CC ID 01655 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain a user identification and authentication metrics program. CC ID 02073 | Business Processes | Preventive | |
Report on the percentage of unique active user identifiers. CC ID 02074 | Actionable Reports or Measurements | Detective | |
Report on the percentage of systems and applications that perform authenticator policy verification. CC ID 02086 | Actionable Reports or Measurements | Detective | |
Report on the percentage of active user passwords that are set to expire. CC ID 02087 | Actionable Reports or Measurements | Detective | |
Report on the percentage of systems with critical information assets that use stronger authentication than user identifiers and passwords. CC ID 02088 | Actionable Reports or Measurements | Detective | |
Establish, implement, and maintain a user account management metrics program. CC ID 02075 | Business Processes | Preventive | |
Report on the percentage of systems for which default accounts and default passwords have been disabled or reset. CC ID 02089 | Actionable Reports or Measurements | Detective | |
Report on the percentage of inactive user accounts that are assigned to personnel who have left or no longer need access. CC ID 02090 | Actionable Reports or Measurements | Detective | |
Report on the percentage of systems with account lockout thresholds set. CC ID 02091 | Actionable Reports or Measurements | Detective | |
Report on the percentage of inactive user accounts that have been disabled. CC ID 02092 | Actionable Reports or Measurements | Detective | |
Report on the percentage of workstations with session timeout or automatic logoff controls set. CC ID 02093 | Actionable Reports or Measurements | Detective | |
Report on the percentage of users with access to shared accounts. CC ID 04573 | Actionable Reports or Measurements | Detective | |
Establish, implement, and maintain a user and administrator privilege management metrics program. CC ID 02076 | Actionable Reports or Measurements | Preventive | |
Report on the percentage of active computer accounts that have had the current user privileges reviewed. CC ID 02094 | Actionable Reports or Measurements | Detective | |
Report on the percentage of systems where permission to install nonstandard software is limited. CC ID 02095 | Actionable Reports or Measurements | Detective | |
Report on the percentage of systems and applications that have user privileges and administrator privileges assigned in compliance with Role-Based Access Controls. CC ID 02096 | Actionable Reports or Measurements | Detective | |
Establish, implement, and maintain a Configuration Management metrics program. CC ID 02077 | Business Processes | Preventive | |
Report on the percentage of systems for which approved configuration settings have been implemented. CC ID 02097 | Actionable Reports or Measurements | Detective | |
Report on the percentage of systems with configurations that do not deviate from approved standards. CC ID 02098 | Actionable Reports or Measurements | Detective | |
Report on the percentage of systems that are continuously monitored for compliance with the configuration standard with out-of-compliance alarms or out-of-compliance reports. CC ID 02099 | Actionable Reports or Measurements | Detective | |
Report on the percentage of systems whose configuration is compared with a previously established trusted configuration baseline. CC ID 02100 | Actionable Reports or Measurements | Detective | |
Report on the percentage of systems where the authority to make configuration changes is limited. CC ID 02101 | Actionable Reports or Measurements | Detective | |
Report on the percentage of system components that undergo maintenance as scheduled. CC ID 04562 | Actionable Reports or Measurements | Detective | |
Establish, implement, and maintain a Security Information and Event Management metrics program. CC ID 02078 | Log Management | Preventive | |
Report on the percentage of systems for which event logging has been implemented. CC ID 02102 | Log Management | Detective | |
Report on the percentage of systems for which event logs are monitored and reviewed. CC ID 02103 | Log Management | Detective | |
Report on the percentage of systems for which log capacity and log retention schedules have been implemented. CC ID 02104 | Log Management | Detective | |
Report on the percentage of systems that generate warnings about anomalous activity or potentially unauthorized activity. CC ID 02105 | Actionable Reports or Measurements | Detective | |
Establish, implement, and maintain a communications, e-mail, and remote access security management metrics program. CC ID 02079 | Business Processes | Preventive | |
Report on the percentage of laptops and mobile devices that must be in compliance with the approved configuration standard before being granted network access. CC ID 02106 | Actionable Reports or Measurements | Detective | |
Report on the percentage of organizationally controlled communications channels that have been secured. CC ID 02107 | Actionable Reports or Measurements | Detective | |
Report on the percentage of host servers that are protected from becoming relay hosts. CC ID 02108 | Actionable Reports or Measurements | Detective | |
Report on the percentage of mobile users who access organizational facilities using secure communications methods. CC ID 02109 | Actionable Reports or Measurements | Detective | |
Establish, implement, and maintain a malicious code protection management metrics program. CC ID 02080 | Business Processes | Preventive | |
Report on the percentage of workstations and laptops that employ automated system security tools. CC ID 02110 | Actionable Reports or Measurements | Detective | |
Report on the percentage of servers that employ automated system security tools. CC ID 02111 | Actionable Reports or Measurements | Detective | |
Report on the percentage of mobile devices that employ automated system security tools. CC ID 02112 | Actionable Reports or Measurements | Detective | |
Establish, implement, and maintain a software change management metrics program. CC ID 02081 | Business Processes | Preventive | |
Report on the percentage of software changes that have been documented and approved through change request forms. CC ID 02152 | Actionable Reports or Measurements | Detective | |
Report on the percentage of systems with all approved patches installed. CC ID 02113 | Actionable Reports or Measurements | Detective | |
Report on the mean time from patch availability to patch installation. CC ID 02114 | Actionable Reports or Measurements | Detective | |
Report on the percentage of software changes that were reviewed for security impacts before the software configuration is updated. CC ID 02115 | Actionable Reports or Measurements | Detective | |
Establish, implement, and maintain a network management and firewall management metrics program. CC ID 02082 | Business Processes | Preventive | |
Establish, implement, and maintain a network activity baseline. CC ID 13188 | Technical Security | Detective | |
Report on the percentage of systems configured according to the configuration standard. CC ID 02116 | Actionable Reports or Measurements | Detective | |
Report on the percentage of network access controls used to gain unauthorized access. CC ID 04572 | Actionable Reports or Measurements | Detective | |
Establish, implement, and maintain a data encryption management metrics program. CC ID 02083 | Business Processes | Preventive | |
Report on the percentage of critical information assets stored on network accessible devices that are encrypted with widely tested and published cryptographic algorithms. CC ID 02117 | Actionable Reports or Measurements | Detective | |
Report on the percentage of mobile devices that use encryption for critical information assets. CC ID 02118 | Actionable Reports or Measurements | Detective | |
Report on the percentage of passwords and Personal Identification Numbers that are encrypted. CC ID 02119 | Actionable Reports or Measurements | Detective | |
Report on the percentage of media that passes sanitization procedure testing. CC ID 04574 | Actionable Reports or Measurements | Detective | |
Establish, implement, and maintain a backup management and recovery management metrics program. CC ID 02084 | Business Processes | Preventive | |
Report on the percentage of systems with critical information assets or critical business functions that have been backed up in accordance with the backup policy and the system's continuity plan. CC ID 02120 | Actionable Reports or Measurements | Detective | |
Report on the percentage of systems with critical information assets or critical functions where restoration from a backup has been successfully demonstrated. CC ID 02121 | Actionable Reports or Measurements | Detective | |
Report on the percentage of backup media stored off site in secure storage. CC ID 02122 | Actionable Reports or Measurements | Detective | |
Report on the percentage of used backup media or archive media sanitized prior to reuse or disposal. CC ID 02123 | Actionable Reports or Measurements | Detective | |
Establish, implement, and maintain an incident management and vulnerability management metrics program. CC ID 02085 | Business Processes | Preventive | |
Report on the estimated damage or loss resulting from all security incidents. CC ID 01674 | Actionable Reports or Measurements | Detective | |
Report on the percentage of security incidents that did not cause confidentiality, integrity, or availability losses beyond the Service Level Agreement thresholds. CC ID 01673 | Actionable Reports or Measurements | Detective | |
Report on the percentage of operational time that critical services were unavailable due to security incidents. CC ID 02124 | Actionable Reports or Measurements | Detective | |
Report on the percentage of security incidents that exploited existing security vulnerabilities with known solutions, patches, or workarounds. CC ID 02125 | Actionable Reports or Measurements | Detective | |
Report on the percentage of systems affected by security incidents that exploited existing security vulnerabilities with known solutions, patches, or workarounds. CC ID 02126 | Actionable Reports or Measurements | Detective | |
Report on the percentage of security incidents that were managed according to established policies, procedures, and processes. CC ID 02127 | Actionable Reports or Measurements | Detective | |
Report on the number of security incidents reported to FedCIRC, NIPC, the Payment Card Industry, or local law enforcement. CC ID 02154 | Actionable Reports or Measurements | Detective | |
Report on the percentage of systems with critical information assets or critical functions that have been assessed for security vulnerabilities. CC ID 02128 | Actionable Reports or Measurements | Detective | |
Report on the percentage of vulnerability assessment findings that have been addressed since the last reporting period. CC ID 02129 | Actionable Reports or Measurements | Detective | |
Report on the average elapsed time between the discovery of a new vulnerability and implementing corrective action. CC ID 02140 | Actionable Reports or Measurements | Detective | |
Report on the percentage of physical security incidents that involved entry into a facility containing Information Systems. CC ID 04564 | Actionable Reports or Measurements | Detective | |
Delay the reporting of incident management metrics, as necessary. CC ID 15501 | Communicate | Preventive | |
Establish, implement, and maintain an Electronic Health Records measurement metrics program. CC ID 06221 | Establish/Maintain Documentation | Preventive | |
Report on the percentage of unique patients who had at least one medication entered using the Computerized Provider Order Entry system. CC ID 06222 | Actionable Reports or Measurements | Preventive | |
Report on the percentage of unique patients who have diagnoses recorded as structured data into the current and active diagnoses problem list. CC ID 06223 | Actionable Reports or Measurements | Preventive | |
Report on the percentage of permissible prescriptions that are transmitted electronically. CC ID 06224 | Actionable Reports or Measurements | Preventive | |
Report on the percentage of unique patients who have at least one entry recorded as structured data into the active medication list. CC ID 06225 | Actionable Reports or Measurements | Preventive | |
Report on the percentage of unique patients who have at least one entry recorded as structured data into the active medication allergy list. CC ID 06226 | Actionable Reports or Measurements | Preventive | |
Report on the percentage of unique patients who have demographics recorded as structured data. CC ID 06227 | Actionable Reports or Measurements | Preventive | |
Report on the percentage of unique patients over the age of 2 who have their height, weight, and blood pressure recorded as structured data. CC ID 06228 | Actionable Reports or Measurements | Preventive | |
Report on the percentage of unique patients over the age of 13 who have their smoking status recorded as structured data. CC ID 06229 | Actionable Reports or Measurements | Preventive | |
Report on the percentage of patients who are given an electronic copy of their Individually Identifiable Health Information not later than three business days after Individually Identifiable Health Information is requested. CC ID 06230 | Actionable Reports or Measurements | Preventive | |
Report on the percentage of patients who are given clinical summaries not later than three business days after a physician office visit. CC ID 06231 | Actionable Reports or Measurements | Preventive | |
Report on the percentage of lab test results that are incorporated into the Electronic Health Records as structured data. CC ID 06232 | Actionable Reports or Measurements | Preventive | |
Report on the percentage of patients sixty-five years of age or older or five years of age or younger who were sent a reminder. CC ID 06233 | Actionable Reports or Measurements | Preventive | |
Report on the percentage of unique patients who are given electronic access to their Individually Identifiable Health Information not later than four business days after their Individually Identifiable Health Information is updated. CC ID 06234 | Actionable Reports or Measurements | Preventive | |
Report on the percentage of unique patients who are given patient-specific education resources. CC ID 06235 | Actionable Reports or Measurements | Preventive | |
Report on the percentage of medication reconciliations that are performed if a patient is received from another setting or healthcare provider. CC ID 06236 | Actionable Reports or Measurements | Preventive | |
Report on the percentage of summary of care records that are provided for transitions of care or referrals for patients who are transitioned or referred to another setting or healthcare provider. CC ID 06237 | Actionable Reports or Measurements | Preventive | |
Report on the percentage of patients who receive their discharge instructions if discharge instructions are requested. CC ID 06238 | Actionable Reports or Measurements | Preventive | |
Report on the percentage of patients 65 years of age or older who have an indication of advance directive status recorded as structured data. CC ID 06239 | Actionable Reports or Measurements | Preventive | |
Establish, implement, and maintain a log management program. CC ID 00673 | Establish/Maintain Documentation | Preventive | |
Deploy log normalization tools, as necessary. CC ID 12141 | Technical Security | Preventive | |
Restrict access to logs to authorized individuals. CC ID 01342 | Log Management | Preventive | |
Restrict access to audit trails to a need to know basis. CC ID 11641 | Technical Security | Preventive | |
Refrain from recording unnecessary restricted data in logs. CC ID 06318 | Log Management | Preventive | |
Back up audit trails according to backup procedures. CC ID 11642 | Systems Continuity | Preventive | |
Back up logs according to backup procedures. CC ID 01344 | Log Management | Preventive | |
Copy logs from all predefined hosts onto a log management infrastructure. CC ID 01346 | Log Management | Preventive | |
Identify hosts with logs that are not being stored. CC ID 06314 | Log Management | Preventive | |
Identify hosts with logs that are being stored at the system level only. CC ID 06315 | Log Management | Preventive | |
Identify hosts with logs that should be stored at both the system level and the infrastructure level. CC ID 06316 | Log Management | Preventive | |
Identify hosts with logs that are being stored at the infrastructure level only. CC ID 06317 | Log Management | Preventive | |
Protect logs from unauthorized activity. CC ID 01345 | Log Management | Preventive | |
Perform testing and validating activities on all logs. CC ID 06322 | Log Management | Preventive | |
Archive the audit trail in accordance with compliance requirements. CC ID 00674 | Log Management | Preventive | |
Enforce dual authorization as a part of information flow control for logs. CC ID 10098 | Configuration | Preventive | |
Preserve the identity of individuals in audit trails. CC ID 10594 | Log Management | Preventive | |
Establish, implement, and maintain a cross-organizational audit sharing agreement. CC ID 10595 | Establish/Maintain Documentation | Preventive | |
Provide cross-organizational audit information based on the cross-organizational audit sharing agreement. CC ID 10596 | Audits and Risk Management | Preventive | |
Monitor the performance of the governance, risk, and compliance capability. CC ID 12857 [To exercise effective oversight, the governing body should: assure itself of the accuracy of reports and evidence it receives, and the effectiveness of the internal control system. § 6.4.3.1 ¶ 1 d) The governing body should oversee organizational performance by assessing and taking corrective action based on: whether the organizational values and governance policies are effectively guiding the organization, its culture and its ethical behaviour; § 6.4.3.2 ¶ 1 a) The governing body should oversee organizational performance by assessing and taking corrective action based on: compliance (e.g. information received directly from the compliance function) regarding the organization's compliance culture and the meeting of its compliance obligations; § 6.4.3.2 ¶ 1 d) Assurance processes that inform the governing body independently and accurately include: direct reports by, and private sessions with, internal audit as an independent provider of assurance, including insight and advice, on the effectiveness and performance of governance processes and the internal control system, in particular risk management and compliance management; § 6.4.3.3 ¶ 2 Bullet 3 To ensure that the organization is acting in a socially responsible way, the governing body should: measure performance against objectives related to socially responsible behaviour; § 6.10.3 ¶ 1 g) The governing body should steer the organizational strategy by means of: monitoring and responding to the behaviour, decisions and activities of the organization, e.g. values-driven behaviours pertaining to sustainability; § 6.3.3.2.2 ¶ 2 b)] | Monitor and Evaluate Occurrences | Preventive | |
Monitor the organizational culture. CC ID 12782 [The governing body should consider the expectations of relevant stakeholder groups whether the organization is obliged to do so (e.g. member stakeholders, regulators) or whether it chooses to do so (e.g. reference stakeholders). The governing body should ensure that: the organizational culture is responsive to relevant stakeholders' views; § 6.6.3 ¶ 3 b) The governing body should steer the organizational strategy by means of: the organizational culture, including the cultural tone the governing body sets through its ethos; § 6.3.3.2.2 ¶ 2 a)] | Monitor and Evaluate Occurrences | Preventive | |
Monitor for changes to the organizational culture that have a cumulative effect on organizational objectives. CC ID 12886 | Monitor and Evaluate Occurrences | Preventive | |
Monitor for changes to the organizational culture that have a cumulative effect on strategies. CC ID 12885 | Monitor and Evaluate Occurrences | Preventive | |
Monitor for changes to the organizational culture that have an indirect effect on strategies. CC ID 12884 | Monitor and Evaluate Occurrences | Preventive | |
Monitor for changes to the organizational culture that have an indirect effect on organizational objectives. CC ID 12883 | Monitor and Evaluate Occurrences | Preventive | |
Monitor for changes to the organizational culture that have a direct effect on strategies. CC ID 12882 | Monitor and Evaluate Occurrences | Preventive | |
Monitor for changes to the organizational culture that have a direct effect on organizational objectives. CC ID 12881 | Monitor and Evaluate Occurrences | Detective | |
Establish, implement, and maintain a corrective action plan. CC ID 00675 [When defining the organizational values, the governing body should ensure that: corrective action can be taken. § 6.1.3.3 ¶ 1 e) To exercise effective oversight, the governing body should: take corrective action; § 6.4.3.1 ¶ 1 c) The governing body should oversee organizational performance by assessing and taking corrective action based on: § 6.4.3.2 ¶ 1 The governing body should oversee organizational performance by assessing and taking corrective action based on: the organization's identification of, and engagement with, relevant stakeholders (see 6.6); § 6.4.3.2 ¶ 1 e) The governing body should oversee organizational performance by assessing and taking corrective action based on: the organization's responsible (which includes ethical) use of, and adequate investment in, technology including, for example, artificial intelligence and cyber security; § 6.4.3.2 ¶ 1 i) For accountability to be effective, it relies on effective stakeholder engagement (see 6.6) as this is the basis for effective dialogue, value generation and improvement. The governing body should be available to answer to relevant stakeholders about decisions made and have responses evaluated. Improvements should be applied as the result of feedback from reporting, disclosure and dialogue activities. § 6.5.3.2 ¶ 3 {be adequate} The governing body is accountable for establishing and maintaining an integrated organizational governance framework across the organization that coordinates these governance activities such that the organization realizes effective performance, responsible stewardship and ethical behaviour. This organizational governance framework should ensure that decision-makers have appropriate authority, competence and resources for the responsibilities given to them. Effective delegation and transparent decision-making empower personnel to act appropriately, resulting in a more resilient and agile organization. Controls and subsequent improvement actions should be planned and implemented to ensure that the governance system remains adequate for the organization's purpose. § 4.2.1 ¶ 2 The governing body should demonstrate accountability by retaining and distributing value in a transparent manner and reporting on the associated processes, decisions and results, including on the extent of the organization's impacts over time. This includes disclosing to relevant stakeholders where the organization has destroyed or compromised value, providing a justification for such where appropriate, and describing how it will redress or reinstate that value. § 6.2.3.5 ¶ 2 The governing body should oversee organizational performance by assessing and taking corrective action based on: whether the organizational values and governance policies are effectively guiding the organization, its culture and its ethical behaviour; § 6.4.3.2 ¶ 1 a) Recognize failures and mistakes and take appropriate action. Table 2 Column 2 Row 2 Bullet 5 The governing body should oversee organizational performance by assessing and taking corrective action based on: compliance (e.g. information received directly from the compliance function) regarding the organization's compliance culture and the meeting of its compliance obligations; § 6.4.3.2 ¶ 1 d) The governing body should oversee organizational performance by assessing and taking corrective action based on: the organization's management of plans, organizational changes and other substantial transformations as well as responses to unplanned events and incidents. § 6.4.3.2 ¶ 1 j) The governing body should oversee organizational performance by assessing and taking corrective action based on: managerial reporting and performance, ensuring that it appraises results against applicable measurement criteria and its intentions and expectations (see 6.3.3); § 6.4.3.2 ¶ 1 b) The governing body should oversee organizational performance by assessing and taking corrective action based on: the organization's controlling and processing of data, ensuring that data are recognized as a valuable and strategic organizational resource (see 6.8); § 6.4.3.2 ¶ 1 h) The governing body should oversee organizational performance by assessing and taking corrective action based on: resource allocations, capacity and capabilities (including people and their development) ensuring that the organization is enabled to meet its organizational purpose, value generation objectives and strategic outcomes; § 6.4.3.2 ¶ 1 g) {be financially sound} The governing body should oversee organizational performance by assessing and taking corrective action based on: the organization's financial results and financial resources, ensuring that the organization remains financially sound; § 6.4.3.2 ¶ 1 f) {hold accountable}{individual} The governing body should hold to account those to whom it has delegated (see 4.2.2). The governing body should ask questions, exercise its judgement, implement consequences, affect improvements and ensure that it is equipped to do so. When doing so, the governing body should practise integrity, fairness and transparency. § 6.5.3.3 ¶ 1] | Monitor and Evaluate Occurrences | Detective | |
Align corrective actions with the level of environmental impact. CC ID 15193 | Business Processes | Preventive | |
Include risks and opportunities in the corrective action plan. CC ID 15178 | Establish/Maintain Documentation | Preventive | |
Include environmental aspects in the corrective action plan. CC ID 15177 | Establish/Maintain Documentation | Preventive | |
Include the completion date in the corrective action plan. CC ID 13272 | Establish/Maintain Documentation | Preventive | |
Include monitoring in the corrective action plan. CC ID 11645 | Monitor and Evaluate Occurrences | Detective | |
Report compliance monitoring statistics to the Board of Directors and other critical stakeholders, as necessary. CC ID 00676 [Finally, the governing body should report honestly and transparently to relevant stakeholders on the organizational governance framework. This includes reporting: its assessment of the governance outcomes achieved. § 5 ¶ 7 Bullet 2 Assurance processes that inform the governing body independently and accurately include: direct reports by, and private sessions with, internal audit as an independent provider of assurance, including insight and advice, on the effectiveness and performance of governance processes and the internal control system, in particular risk management and compliance management; § 6.4.3.3 ¶ 2 Bullet 3 Assurance processes that inform the governing body independently and accurately include: direct reports by, and private sessions with, risk management and compliance management as independent control functions; § 6.4.3.3 ¶ 2 Bullet 2] | Actionable Reports or Measurements | Corrective |
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
Mandated - bold Implied - italic Implementation - regular | TYPE | CLASS | |
---|---|---|---|
Operational and Systems Continuity CC ID 00731 | IT Impact Zone | IT Impact Zone | |
Establish, implement, and maintain a business continuity program. CC ID 13210 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain a continuity framework. CC ID 00732 | Establish/Maintain Documentation | Preventive | |
Evaluate all possible continuity risks and impacts as a part of the continuity framework. CC ID 06374 [{internal context} When setting the strategic outcomes and guiding the organizational strategy, the governing body should consider the organization's internal and external context, including: the organization's strengths, weaknesses, competitive positioning and operational resilience; § 6.3.3.1.1 ¶ 2 i)] | Systems Continuity | Detective | |
Assess risks related to fault tolerance and redundancy of critical assets. CC ID 13053 | Systems Continuity | Preventive | |
Establish, implement, and maintain a continuity plan. CC ID 00752 | Establish/Maintain Documentation | Preventive | |
Restore systems and environments to be operational. CC ID 13476 [{environmental system}{social system} The governing body should ensure that the organization protects and restores those systems on which it depends. In this regard, the governing body should consider and manage risk associated with those decisions it makes that can impact the natural environmental, social and economic systems (see 6.9). While doing so, the governing body should ensure that relevant stakeholders are consulted and engaged (see 6.6). This should provide clarity regarding the impact the governing body's decisions have, over time, on those aspects on which the organization is: § 6.11.3.4 ¶ 1] | Systems Continuity | Corrective | |
Include restoration procedures in the continuity plan. CC ID 01169 [The organization's viability and performance over time depends on the resilience of natural environmental, social and economic systems in which the organization operates. The resilience of these systems benefits from governing body decisions when such decisions consider: actively contribute to conserving and restoring these systems. § 6.11.3.1 ¶ 1 Bullet 2] | Establish Roles | Preventive | |
Include risk prioritized recovery procedures for each business unit in the recovery plan. CC ID 01166 | Establish/Maintain Documentation | Preventive | |
Include the recovery plan in the continuity plan. CC ID 01377 | Establish/Maintain Documentation | Preventive | |
Disseminate and communicate the recovery status of the contingency plan to interested personnel and affected parties. CC ID 12758 | Communicate | Preventive | |
Establish, implement, and maintain system continuity plan strategies. CC ID 00735 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain a critical third party list. CC ID 06815 | Establish/Maintain Documentation | Preventive | |
Disseminate and communicate critical third party dependencies to interested personnel and affected parties. CC ID 06816 [To demonstrate accountability, the governing body should ensure that the organization's reports and disclosures: explain and justify the organization's actions, inactions, omissions, risk and dependencies, including those of the governing body; § 6.5.3.2 ¶ 1 g)] | Behavior | Preventive | |
KEY: Primary Verb, Primary Noun, Secondary Verb, Secondary Noun, Limiting Term (Mandated - bold; Implied - italic; Implementation - regular) | TYPE | CLASS | |
---|---|---|---|
Operational management CC ID 00805 | IT Impact Zone | IT Impact Zone | |
Establish, implement, and maintain a Governance, Risk, and Compliance framework. CC ID 01406 [To exercise effective oversight, the governing body should: ensure that an internal control system is implemented, including a risk management system, a compliance management system and a system of financial controls; § 6.4.3.1 ¶ 1 b) {be adequate} The governing body is accountable for establishing and maintaining an integrated organizational governance framework across the organization that coordinates these governance activities such that the organization realizes effective performance, responsible stewardship and ethical behaviour. This organizational governance framework should ensure that decision-makers have appropriate authority, competence and resources for the responsibilities given to them. Effective delegation and transparent decision-making empower personnel to act appropriately, resulting in a more resilient and agile organization. Controls and subsequent improvement actions should be planned and implemented to ensure that the governance system remains adequate for the organization's purpose. § 4.2.1 ¶ 2 Therefore, the governing body should: govern for organizational viability over time. § 6.11.3.1 ¶ 2 c)] | Establish/Maintain Documentation | Preventive | |
Include enterprise architecture in the Governance, Risk, and Compliance framework. CC ID 13266 | Establish/Maintain Documentation | Preventive | |
Disseminate and communicate updates to the Governance, Risk, and Compliance framework to interested personnel and affected parties. CC ID 06955 [To demonstrate accountability, the governing body should ensure that the organization's reports and disclosures: provide information about the governing body itself, including: decisions, actions, performance and improvements; § 6.5.3.2 ¶ 1 b) 1)] | Behavior | Preventive | |
Establish, implement, and maintain security requirements based on applicable regulations. CC ID 16283 | Establish/Maintain Documentation | Preventive | |
Acquire resources necessary to support Governance, Risk, and Compliance. CC ID 12861 [The governing body should ensure that the organizational risk framework, in respect to the management of risk: establishes and maintains adequate resourcing; § 6.9.3.2 ¶ 2 f)] | Acquisition/Sale of Assets or Services | Preventive | |
Establish, implement, and maintain a prioritized plan for updating the Governance, Risk, and Compliance framework. CC ID 12853 [Governing body members should continuously improve their competency regarding the organization's activities, legal requirements and, more broadly, the organization's context. This improving capability, together with regular reviews of governance practices, should ensure a continually improving governance environment. § 4.3.2 ¶ 1 The governing body should ensure that the responsibilities for developing and approving all policies are clear and that governance policies are not open to change without the governing body's agreement. § 6.3.3.1.2 ¶ 4 {individual} The governing body should ensure that those to whom they delegate are empowered to create management policies, which are consistent with the governance policies, and are also empowered to provide proposals for changes to the governance policies. § 6.3.3.1.2 ¶ 3 The governing body should steer the organizational strategy by means of: the composition and functioning of the governing body itself, and its committees, ensuring they are continually able to understand and meet the changing needs of the organization (see 4.3.2), including recommending ways for closing anticipated gaps; § 6.3.3.2.2 ¶ 2 c)] | Establish/Maintain Documentation | Preventive | |
Integrate the use of technology in supporting the Governance, Risk, and Compliance capabilities. CC ID 12915 | Process or Activity | Preventive | |
Evaluate the use of technology in supporting Governance, Risk, and Compliance capabilities. CC ID 12895 [The governing body should oversee organizational performance by assessing and taking corrective action based on: the organization's responsible (which includes ethical) use of, and adequate investment in, technology including, for example, artificial intelligence and cyber security; § 6.4.3.2 ¶ 1 i)] | Process or Activity | Preventive | |
Analyze the effect of the Governance, Risk, and Compliance capability to achieve organizational objectives. CC ID 12809 | Audits and Risk Management | Preventive | |
Assign accountability for maintaining the Governance, Risk, and Compliance framework. CC ID 12523 ["Governance" and "management" are distinct, necessary and complementary activities that interact and influence one another. Governance involves setting and being accountable for the organization's fulfilment of its purpose within the parameters set for the organization, whereas management is about fulfilling the associated objectives by making choices within those parameters. The governing body should ensure the clarity of roles and responsibilities of all involved and hold accountable those to whom they delegate. § 4.2.3 ¶ 1 Governance is exercised throughout the organization by governing groups, including: § 4.2.1 ¶ 1 Governance is exercised throughout the organization by governing groups, including: member stakeholders; § 4.2.1 ¶ 1 Bullet 1 Governance is exercised throughout the organization by governing groups, including: managers; § 4.2.1 ¶ 1 Bullet 3 Governance is exercised throughout the organization by governing groups, including: other internal functions of the organization. § 4.2.1 ¶ 1 Bullet 4 {individual}{hold accountable} The governing body should demonstrate its accountability to the organization as a whole and hold to account those to whom it has delegated. Table 1 Column 4 Row 6 The governing body should ensure that the responsibilities for developing and approving all policies are clear and that governance policies are not open to change without the governing body's agreement. § 6.3.3.1.2 ¶ 4 {individual} The governing body should ensure that those to whom they delegate are empowered to create management policies, which are consistent with the governance policies, and are also empowered to provide proposals for changes to the governance policies. § 6.3.3.1.2 ¶ 3 Accountable people can delegate to others. However, it should be made clear that those who delegate remain accountable for their delegate's use of that authority. § 4.2.2 ¶ 4 {individual}{hold accountable} The governing body should demonstrate its accountability to the organization as a whole and hold to account those to whom it has delegated. § 6.5.1 ¶ 1 {hold accountable}{individual} The governing body should hold to account those to whom it has delegated (see 4.2.2). The governing body should ask questions, exercise its judgement, implement consequences, affect improvements and ensure that it is equipped to do so. When doing so, the governing body should practise integrity, fairness and transparency. § 6.5.3.3 ¶ 1] | Human Resources Management | Preventive | |
Assign defining the program for disseminating and communicating the Governance, Risk, and Compliance framework. CC ID 12524 | Human Resources Management | Preventive | |
Establish, implement, and maintain a compliance policy. CC ID 14807 | Establish/Maintain Documentation | Preventive | |
Include the standard of conduct and accountability in the compliance policy. CC ID 14813 [{refrain from holding accountable}{do not}{individual} No one should be held accountable for matters over which they have no authority or for which expectations have not been stated or agreed. § 4.2.2 ¶ 3 Governance of organizations is a human-based system by which an organization is directed, overseen and held accountable for achieving its defined organizational purpose. At its core this includes: demonstrating accountability for this performance and behaviour. § 4.1 ¶ 3 e)] | Establish/Maintain Documentation | Preventive | |
Include the scope in the compliance policy. CC ID 14812 | Establish/Maintain Documentation | Preventive | |
Include roles and responsibilities in the compliance policy. CC ID 14811 | Establish/Maintain Documentation | Preventive | |
Include a commitment to continual improvement in the compliance policy. CC ID 14810 | Establish/Maintain Documentation | Preventive | |
Disseminate and communicate the compliance policy to interested personnel and affected parties. CC ID 14809 | Communicate | Preventive | |
Include management commitment in the compliance policy. CC ID 14808 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain a governance policy. CC ID 15587 [The governing body should establish governance policies and ensure that these: § 6.3.3.1.2 ¶ 1 The governing body should ensure that the governance policies are effectively applied across the organization and that they achieve the governing body's intentions. § 6.3.3.1.2 ¶ 2 The governing body should ensure that the organizational risk framework, in respect to the management of risk: positions risk as a key consideration in the setting of governance policies (see 6.3); § 6.9.3.2 ¶ 2 c) The governing body should establish governance policies and ensure that these: are regularly reviewed, and updated as necessary, to ensure that they remain aligned with the organization's constituting documents, and the organization's changing context, and are based on relevant guidance and best practices such as standards and codes. § 6.3.3.1.2 ¶ 1 h) The governing body should establish governance policies and ensure that these: clarify the governing body's intentions and expectations with respect to the organizational purpose, organizational values and the organization's value generation objectives; § 6.3.3.1.2 ¶ 1 a) {internal context} The governing body should steer the organizational strategy by means of: governance policies, to ensure that they remain aligned with the organization's changing internal and external context and are current with common or best practice; § 6.3.3.2.2 ¶ 2 d) The governing body should provide direction for, and have sufficient oversight of, the use of data and its supporting information technology to ensure the organization remains within its established risk appetite and organizational risk framework. This can include: innovation processes to ensure that changes in information technology can quickly be assessed and, if necessary and appropriate, governance policies can be updated to leverage new opportunities; § 6.8.3.4 ¶ 2 d)] | Establish/Maintain Documentation | Preventive | |
Disseminate and communicate the governance policy to all interested personnel and affected parties. CC ID 15625 [To demonstrate accountability, the governing body should ensure that the organization's reports and disclosures: describe the organizational purpose, organizational values, value generation model, organizational strategy and associated governance policies; § 6.5.3.2 ¶ 1 a)] | Communicate | Preventive | |
Include a commitment to continuous improvement in the governance policy. CC ID 15595 [The governing body should establish governance policies and ensure that these: address the governing body's own commitment to continual improvement; § 6.3.3.1.2 ¶ 1 g)] | Establish/Maintain Documentation | Preventive | |
Include roles and responsibilities in the governance policy. CC ID 15594 [The governing body should establish governance policies and ensure that these: provide guidance on what, rather than detailing how, responsibilities are to be fulfilled; § 6.3.3.1.2 ¶ 1 d) The governing body should establish governance policies and ensure that these: define the structures (e.g. committees) and roles involved in the governance of the organization, including their authority, responsibilities, performance and reporting requirements; § 6.3.3.1.2 ¶ 1 c) The governing body should establish governance policies and ensure that these: clarify delegations within the organization, including in relation to the strategy process; § 6.3.3.1.2 ¶ 1 b)] | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain a positive information control environment. CC ID 00813 [The governing body should lead the organization ethically and effectively and ensure such leadership throughout the organization. § 6.7.1 ¶ 1 Ethical and effective leadership should be demonstrated in three areas: § 6.7.3.1 ¶ 4 The governing body should demonstrate effective leadership across all areas. § 6.7.3.2 ¶ 1 The governing body should lead the organization ethically and effectively and ensure such leadership throughout the organization. Table 1 Column 4 Row 8 In order to lead ethically and effectively, the governing body should lead by example to create a positive culture, set the tone for others, and engender trust and cooperation among the organization's stakeholders. § 6.7.3.1 ¶ 2 Ethical leadership results in an organizational context and culture that: provides increased certainty, which in turn, creates reputational value. § 6.7.3.3 ¶ 3 Bullet 5 {be responsible}{be ethical} The governing body should, in particular, ensure that the organization recognizes data as a strategic resource and ensure that the organization uses data responsibly and ethically. § 6.8.3.1 ¶ 2 {be ethical} New technology brings an increase in the volume and value of data, and a responsibility for governing bodies to ensure that: data are used ethically; § 6.8.3.4 ¶ 1 Bullet 1 The governing body should ensure that the organizational risk framework, in respect to the management of risk: establishes the desired risk culture across the organization that encourages the reporting and communication of new and emerging risks, and ensures that every person in the organization understands their risk management responsibility; § 6.9.3.2 ¶ 2 a) Ethical leadership results in an organizational context and culture that: assists in reconciling strategic dilemmas by creating organizational alignment through the integration of opposites; § 6.7.3.3 ¶ 3 Bullet 2 Ethical leadership results in an organizational context and culture that: provides the individuals of an organization with a collective sense of belonging; § 6.7.3.3 ¶ 3 Bullet 1] | Business Processes | Preventive | |
Make compliance and governance decisions in a timely manner. CC ID 06490 | Behavior | Preventive | |
Establish, implement, and maintain an internal control framework. CC ID 00820 [To exercise effective oversight, the governing body should: ensure that an internal control system is implemented, including a risk management system, a compliance management system and a system of financial controls; § 6.4.3.1 ¶ 1 b) {be adequate} The governing body is accountable for establishing and maintaining an integrated organizational governance framework across the organization that coordinates these governance activities such that the organization realizes effective performance, responsible stewardship and ethical behaviour. This organizational governance framework should ensure that decision-makers have appropriate authority, competence and resources for the responsibilities given to them. Effective delegation and transparent decision-making empower personnel to act appropriately, resulting in a more resilient and agile organization. Controls and subsequent improvement actions should be planned and implemented to ensure that the governance system remains adequate for the organization's purpose. § 4.2.1 ¶ 2] | Establish/Maintain Documentation | Preventive | |
Define the scope for the internal control framework. CC ID 16325 | Business Processes | Preventive | |
Measure policy compliance when reviewing the internal control framework. CC ID 06442 [The governing body should establish governance policies and ensure that these: set expectations for internal controls, compliance, risk management and risk taking; § 6.3.3.1.2 ¶ 1 e)] | Actionable Reports or Measurements | Corrective | |
Review the relevance of information supporting internal controls. CC ID 12420 | Business Processes | Detective | |
Assign ownership of the internal control framework to the appropriate organizational role. CC ID 06437 | Establish Roles | Preventive | |
Assign resources to implement the internal control framework. CC ID 00816 [When delegating, the governing body should delegate in a manner which increases trust and transparency. For delegation and accountability (see 6.5) to be effective, the governing body should ensure that the following conditions are fulfilled: required resources are available; § 4.2.2 ¶ 2 b) The governing body should steer the organizational strategy by means of: decision-making, specifically, the strategic deployment of resources. § 6.3.3.2.2 ¶ 2 j) {procedure} The governing body should ensure that it sets parameters, within which the value generation objectives are to be achieved. These parameters should ensure that the organization: defines what resources are required to deliver the value generation objectives and how they should be accessed and allocated; § 6.2.3.3 ¶ 1 b)] | Business Processes | Preventive | |
Define and assign the roles and responsibilities for interested personnel and affected parties when establishing, implementing, and maintaining the internal control framework. CC ID 07146 [Decision-making throughout the organization should be supported by appropriate delegation (see 4.2.2). This delegation should be formalized together with appropriate assurance processes. Additionally, the governing body should ensure that: § 6.8.3.2.2 ¶ 1] | Establish Roles | Preventive | |
Establish, implement, and maintain a baseline of internal controls. CC ID 12415 [The governing body should establish governance policies and ensure that these: set expectations for internal controls, compliance, risk management and risk taking; § 6.3.3.1.2 ¶ 1 e)] | Business Processes | Preventive | |
Include the business need justification for excluding controls in the baseline of internal controls. CC ID 16129 | Establish/Maintain Documentation | Preventive | |
Include the implementation status of controls in the baseline of internal controls. CC ID 16128 | Establish/Maintain Documentation | Preventive | |
Leverage actionable information to support internal controls. CC ID 12414 | Business Processes | Preventive | |
Include procedures for continuous quality improvement in the internal control framework. CC ID 00819 | Establish/Maintain Documentation | Preventive | |
Include continuous service account management procedures in the internal control framework. CC ID 13860 | Establish/Maintain Documentation | Preventive | |
Include threat assessment in the internal control framework. CC ID 01347 | Establish/Maintain Documentation | Preventive | |
Automate threat assessments, as necessary. CC ID 06877 | Configuration | Preventive | |
Include vulnerability management and risk assessment in the internal control framework. CC ID 13102 [The governing body should establish governance policies and ensure that these: set expectations for internal controls, compliance, risk management and risk taking; § 6.3.3.1.2 ¶ 1 e)] | Establish/Maintain Documentation | Preventive | |
Automate vulnerability management, as necessary. CC ID 11730 | Configuration | Preventive | |
Include personnel security procedures in the internal control framework. CC ID 01349 | Establish/Maintain Documentation | Preventive | |
Include continuous security warning monitoring procedures in the internal control framework. CC ID 01358 | Establish/Maintain Documentation | Preventive | |
Include incident alert thresholds in the continuous security warning monitoring procedures. CC ID 13205 | Establish/Maintain Documentation | Preventive | |
Include security information sharing procedures in the internal control framework. CC ID 06489 | Establish/Maintain Documentation | Preventive | |
Share security information with interested personnel and affected parties. CC ID 11732 | Communicate | Preventive | |
Evaluate information sharing partners, as necessary. CC ID 12749 | Process or Activity | Preventive | |
Include security incident response procedures in the internal control framework. CC ID 01359 | Establish/Maintain Documentation | Preventive | |
Include incident response escalation procedures in the internal control framework. CC ID 11745 | Establish/Maintain Documentation | Preventive | |
Include continuous user account management procedures in the internal control framework. CC ID 01360 | Establish/Maintain Documentation | Preventive | |
Include emergency response procedures in the internal control framework. CC ID 06779 | Establish/Maintain Documentation | Detective | |
Authorize and document all exceptions to the internal control framework. CC ID 06781 | Establish/Maintain Documentation | Preventive | |
Disseminate and communicate the internal control framework to all interested personnel and affected parties. CC ID 15229 | Communicate | Preventive | |
Disseminate and communicate the cybersecurity policy to interested personnel and affected parties. CC ID 16835 | Communicate | Preventive | |
Establish, implement, and maintain a cybersecurity policy. CC ID 16833 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain an information security program. CC ID 00812 [The governing body should provide direction for, and have sufficient oversight of, the use of data and its supporting information technology to ensure the organization remains within its established risk appetite and organizational risk framework. This can include: the implementation of a risk-based information security management system (ISMS); § 6.8.3.4 ¶ 2 b)] | Establish/Maintain Documentation | Preventive | |
Include physical safeguards in the information security program. CC ID 12375 | Establish/Maintain Documentation | Preventive | |
Include technical safeguards in the information security program. CC ID 12374 | Establish/Maintain Documentation | Preventive | |
Include administrative safeguards in the information security program. CC ID 12373 | Establish/Maintain Documentation | Preventive | |
Include system development in the information security program. CC ID 12389 | Establish/Maintain Documentation | Preventive | |
Include system maintenance in the information security program. CC ID 12388 | Establish/Maintain Documentation | Preventive | |
Include system acquisition in the information security program. CC ID 12387 | Establish/Maintain Documentation | Preventive | |
Include access control in the information security program. CC ID 12386 | Establish/Maintain Documentation | Preventive | |
Review and approve access controls, as necessary. CC ID 13074 | Process or Activity | Detective | |
Include operations management in the information security program. CC ID 12385 | Establish/Maintain Documentation | Preventive | |
Include communication management in the information security program. CC ID 12384 | Establish/Maintain Documentation | Preventive | |
Include environmental security in the information security program. CC ID 12383 | Establish/Maintain Documentation | Preventive | |
Include physical security in the information security program. CC ID 12382 | Establish/Maintain Documentation | Preventive | |
Include human resources security in the information security program. CC ID 12381 | Establish/Maintain Documentation | Preventive | |
Include asset management in the information security program. CC ID 12380 | Establish/Maintain Documentation | Preventive | |
Include a continuous monitoring program in the information security program. CC ID 14323 | Establish/Maintain Documentation | Preventive | |
Include change management procedures in the continuous monitoring plan. CC ID 16227 | Establish/Maintain Documentation | Preventive | |
Include recovery procedures in the continuous monitoring plan. CC ID 16226 | Establish/Maintain Documentation | Preventive | |
Include mechanisms for decommissioning a system in the continuous monitoring plan. CC ID 16225 | Establish/Maintain Documentation | Preventive | |
Include mechanisms for appeal and override in the continuous monitoring plan. CC ID 16223 | Establish/Maintain Documentation | Preventive | |
Include how the information security department is organized in the information security program. CC ID 12379 | Establish/Maintain Documentation | Preventive | |
Include risk management in the information security program. CC ID 12378 | Establish/Maintain Documentation | Preventive | |
Include mitigating supply chain risks in the information security program. CC ID 13352 | Establish/Maintain Documentation | Preventive | |
Provide management direction and support for the information security program. CC ID 11999 | Process or Activity | Preventive | |
Monitor and review the effectiveness of the information security program. CC ID 12744 | Monitor and Evaluate Occurrences | Preventive | |
Establish, implement, and maintain an information security policy. CC ID 11740 | Establish/Maintain Documentation | Preventive | |
Align the information security policy with the organization's risk acceptance level. CC ID 13042 | Business Processes | Preventive | |
Include business processes in the information security policy. CC ID 16326 | Establish/Maintain Documentation | Preventive | |
Include the information security strategy in the information security policy. CC ID 16125 | Establish/Maintain Documentation | Preventive | |
Include a commitment to continuous improvement in the information security policy. CC ID 16123 | Establish/Maintain Documentation | Preventive | |
Include roles and responsibilities in the information security policy. CC ID 16120 | Establish/Maintain Documentation | Preventive | |
Include a commitment to the information security requirements in the information security policy. CC ID 13496 | Establish/Maintain Documentation | Preventive | |
Include information security objectives in the information security policy. CC ID 13493 | Establish/Maintain Documentation | Preventive | |
Include the use of Cloud Services in the information security policy. CC ID 13146 | Establish/Maintain Documentation | Preventive | |
Include notification procedures in the information security policy. CC ID 16842 | Establish/Maintain Documentation | Preventive | |
Approve the information security policy at the organization's management level or higher. CC ID 11737 | Process or Activity | Preventive | |
Establish, implement, and maintain information security procedures. CC ID 12006 | Business Processes | Preventive | |
Describe the group activities that protect restricted data in the information security procedures. CC ID 12294 | Establish/Maintain Documentation | Preventive | |
Disseminate and communicate the information security procedures to all interested personnel and affected parties. CC ID 16303 | Communicate | Preventive | |
Document the roles and responsibilities for all activities that protect restricted data in the information security procedures. CC ID 12304 | Establish/Maintain Documentation | Preventive | |
Define thresholds for approving information security activities in the information security program. CC ID 15702 | Process or Activity | Preventive | |
Assign ownership of the information security program to the appropriate role. CC ID 00814 | Establish Roles | Preventive | |
Assign the responsibility for establishing, implementing, and maintaining the information security program to the appropriate role. CC ID 11884 | Human Resources Management | Preventive | |
Assign information security responsibilities to interested personnel and affected parties in the information security program. CC ID 11885 | Establish/Maintain Documentation | Preventive | |
Assign the responsibility for distributing the information security program to the appropriate role. CC ID 11883 | Human Resources Management | Preventive | |
Disseminate and communicate the information security policy to interested personnel and affected parties. CC ID 11739 | Communicate | Preventive | |
Establish, implement, and maintain a social media governance program. CC ID 06536 | Establish/Maintain Documentation | Preventive | |
Refrain from requiring supervision when users are accessing social media applications. CC ID 14011 | Business Processes | Preventive | |
Refrain from requiring users to disclose social media account usernames or authenticators. CC ID 14009 | Business Processes | Preventive | |
Refrain from accepting instant messages from unknown senders. CC ID 12537 | Behavior | Preventive | |
Include instant messaging, texting, and tweeting in the social media acceptable use policy. CC ID 04578 | Establish/Maintain Documentation | Preventive | |
Include explicit restrictions in the social media acceptable use policy. CC ID 06655 | Establish/Maintain Documentation | Preventive | |
Include contributive content sites in the social media acceptable use policy. CC ID 06656 | Establish/Maintain Documentation | Preventive | |
Perform social network analysis, as necessary. CC ID 14864 | Investigate | Detective | |
Establish, implement, and maintain operational control procedures. CC ID 00831 | Establish/Maintain Documentation | Preventive | |
Include assigning and approving operations in operational control procedures. CC ID 06382 | Establish/Maintain Documentation | Preventive | |
Include startup processes in operational control procedures. CC ID 00833 | Establish/Maintain Documentation | Preventive | |
Include change control processes in the operational control procedures. CC ID 16793 | Establish/Maintain Documentation | Preventive | |
Establish and maintain a data processing run manual. CC ID 00832 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain a Standard Operating Procedures Manual. CC ID 00826 | Establish/Maintain Documentation | Preventive | |
Use systems in accordance with the standard operating procedures manual. CC ID 15049 | Process or Activity | Preventive | |
Include metrics in the standard operating procedures manual. CC ID 14988 | Establish/Maintain Documentation | Preventive | |
Include maintenance measures in the standard operating procedures manual. CC ID 14986 | Establish/Maintain Documentation | Preventive | |
Include the expected lifetime of the system in the standard operating procedures manual. CC ID 14984 | Establish/Maintain Documentation | Preventive | |
Include technical measures used to interpret output in the standard operating procedures manual. CC ID 14982 | Establish/Maintain Documentation | Preventive | |
Include predetermined changes in the standard operating procedures manual. CC ID 14977 | Establish/Maintain Documentation | Preventive | |
Include specifications for input data in the standard operating procedures manual. CC ID 14975 | Establish/Maintain Documentation | Preventive | |
Include risks to health and safety or fundamental rights in the standard operating procedures manual. CC ID 14973 | Establish/Maintain Documentation | Preventive | |
Include circumstances that may impact the system in the standard operating procedures manual. CC ID 14972 | Establish/Maintain Documentation | Preventive | |
Include what the system was tested and validated for in the standard operating procedures manual. CC ID 14969 | Establish/Maintain Documentation | Preventive | |
Include the intended purpose in the standard operating procedures manual. CC ID 14967 | Establish/Maintain Documentation | Preventive | |
Include information on system performance in the standard operating procedures manual. CC ID 14965 | Establish/Maintain Documentation | Preventive | |
Include contact details in the standard operating procedures manual. CC ID 14962 | Establish/Maintain Documentation | Preventive | |
Include information sharing procedures in standard operating procedures. CC ID 12974 | Records Management | Preventive | |
Establish, implement, and maintain information sharing agreements. CC ID 15645 | Business Processes | Preventive | |
Provide support for information sharing activities. CC ID 15644 | Process or Activity | Preventive | |
Adhere to operating procedures as defined in the Standard Operating Procedures Manual. CC ID 06328 | Business Processes | Preventive | |
Update operating procedures that contribute to user errors. CC ID 06935 | Establish/Maintain Documentation | Corrective | |
Disseminate and communicate the Standard Operating Procedures Manual to all interested personnel and affected parties. CC ID 12026 | Communicate | Preventive | |
Establish, implement, and maintain a job scheduling methodology. CC ID 00834 | Establish/Maintain Documentation | Preventive | |
Establish and maintain a job schedule exceptions list. CC ID 00835 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain a data processing continuity plan. CC ID 00836 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain Voice over Internet Protocol operating procedures. CC ID 04583 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain the Acceptable Use Policy. CC ID 01350 | Establish/Maintain Documentation | Preventive | |
Include that explicit management authorization must be given for the use of all technologies and their documentation in the Acceptable Use Policy. CC ID 01351 | Establish/Maintain Documentation | Preventive | |
Include requiring users to protect restricted data in accordance with the Governance, Risk, and Compliance framework in the Acceptable Use Policy. CC ID 11894 [New technology brings an increase in the volume and value of data, and a responsibility for governing bodies to ensure that: sensitive data are protected and secured. § 6.8.3.4 ¶ 1 Bullet 3] | Establish/Maintain Documentation | Preventive | |
Include Bring Your Own Device agreements in the Acceptable Use Policy. CC ID 15703 | Establish/Maintain Documentation | Preventive | |
Include the obligations of users in the Bring Your Own Device agreement. CC ID 15708 | Establish/Maintain Documentation | Preventive | |
Include the rights of the organization in the Bring Your Own Device agreement. CC ID 15707 | Establish/Maintain Documentation | Preventive | |
Include the circumstances in which the organization may confiscate, audit, or inspect assets in the Bring Your Own Device agreement. CC ID 15706 | Establish/Maintain Documentation | Preventive | |
Include the circumstances in which the organization may manage assets in the Bring Your Own Device agreement. CC ID 15705 | Establish/Maintain Documentation | Preventive | |
Include Bring Your Own Device usage in the Acceptable Use Policy. CC ID 12293 | Establish/Maintain Documentation | Preventive | |
Include a web usage policy in the Acceptable Use Policy. CC ID 16496 | Establish/Maintain Documentation | Preventive | |
Include Bring Your Own Device security guidelines in the Acceptable Use Policy. CC ID 01352 | Establish/Maintain Documentation | Preventive | |
Include asset tags in the Acceptable Use Policy. CC ID 01354 | Establish/Maintain Documentation | Preventive | |
Specify the owner of applicable assets in the Acceptable Use Policy. CC ID 15699 | Establish/Maintain Documentation | Preventive | |
Include asset use policies in the Acceptable Use Policy. CC ID 01355 | Establish/Maintain Documentation | Preventive | |
Include authority for access authorization lists for assets in all relevant Acceptable Use Policies. CC ID 11872 | Establish/Maintain Documentation | Preventive | |
Include access control mechanisms in the Acceptable Use Policy. CC ID 01353 | Establish/Maintain Documentation | Preventive | |
Include temporary activation of remote access technologies for third parties in the Acceptable Use Policy. CC ID 11892 | Technical Security | Preventive | |
Include prohibiting the copying or moving of restricted data from its original source onto local hard drives or removable storage media in the Acceptable Use Policy. CC ID 11893 | Establish/Maintain Documentation | Preventive | |
Include a removable storage media use policy in the Acceptable Use Policy. CC ID 06772 | Data and Information Management | Preventive | |
Correlate the Acceptable Use Policy with the network security policy. CC ID 01356 | Establish/Maintain Documentation | Preventive | |
Include appropriate network locations for each technology in the Acceptable Use Policy. CC ID 11881 | Establish/Maintain Documentation | Preventive | |
Correlate the Acceptable Use Policy with the approved product list. CC ID 01357 | Establish/Maintain Documentation | Preventive | |
Include facility access and facility use in the Acceptable Use Policy. CC ID 06441 | Establish/Maintain Documentation | Preventive | |
Include disciplinary actions in the Acceptable Use Policy. CC ID 00296 | Establish/Maintain Documentation | Corrective | |
Include the usage restrictions of mobile code technologies in the Acceptable Use Policy. CC ID 15311 | Establish/Maintain Documentation | Preventive | |
Include a software installation policy in the Acceptable Use Policy. CC ID 06749 | Establish/Maintain Documentation | Preventive | |
Document idle session termination and logout for remote access technologies in the Acceptable Use Policy. CC ID 12472 | Establish/Maintain Documentation | Preventive | |
Disseminate and communicate the Acceptable Use Policy to all interested personnel and affected parties. CC ID 12431 | Communicate | Preventive | |
Require interested personnel and affected parties to sign Acceptable Use Policies. CC ID 06661 | Establish/Maintain Documentation | Preventive | |
Require interested personnel and affected parties to re-sign Acceptable Use Policies, as necessary. CC ID 06663 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain an Intellectual Property Right program. CC ID 00821 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain domain name registration and renewal procedures. CC ID 07075 | Business Processes | Preventive | |
Establish, implement, and maintain Intellectual Property Rights protection procedures. CC ID 11512 | Establish/Maintain Documentation | Preventive | |
Protect against circumvention of the organization's Intellectual Property Rights. CC ID 11513 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain an e-mail policy. CC ID 06439 | Establish/Maintain Documentation | Preventive | |
Include business use of personal e-mail in the e-mail policy. CC ID 14381 | Establish/Maintain Documentation | Preventive | |
Identify the sender in all electronic messages. CC ID 13996 | Data and Information Management | Preventive | |
Protect policies, standards, and procedures from unauthorized modification or disclosure. CC ID 10603 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain nondisclosure agreements. CC ID 04536 | Establish/Maintain Documentation | Preventive | |
Disseminate and communicate nondisclosure agreements to interested personnel and affected parties. CC ID 16191 | Communicate | Preventive | |
Require interested personnel and affected parties to sign nondisclosure agreements. CC ID 06667 | Establish/Maintain Documentation | Preventive | |
Require interested personnel and affected parties to re-sign nondisclosure agreements, as necessary. CC ID 06669 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain a use of information agreement. CC ID 06215 | Establish/Maintain Documentation | Preventive | |
Include use limitations in the use of information agreement. CC ID 06244 | Establish/Maintain Documentation | Preventive | |
Include disclosure requirements in the use of information agreement. CC ID 11735 | Establish/Maintain Documentation | Preventive | |
Include information recipients in the use of information agreement. CC ID 06245 | Establish/Maintain Documentation | Preventive | |
Include reporting out of scope use of information in the use of information agreement. CC ID 06246 | Establish/Maintain Documentation | Preventive | |
Include disclosure of information in the use of information agreement. CC ID 11830 | Establish/Maintain Documentation | Preventive | |
Include information security procedures assigned to the information recipient in the use of information agreement. CC ID 07130 | Establish/Maintain Documentation | Preventive | |
Include information security procedures assigned to the originator in the use of information agreement. CC ID 14418 | Establish/Maintain Documentation | Preventive | |
Include a do not contact rule for the individuals identified in a data set in the use of information agreement. CC ID 07131 | Establish/Maintain Documentation | Preventive | |
Include the information recipient's third parties accepting the agreement in the use of information agreement. CC ID 07132 | Establish/Maintain Documentation | Preventive | |
Implement and comply with the Governance, Risk, and Compliance framework. CC ID 00818 [Table 1 describes the structure of the governance principles and lists the principles associated with each category. All principles should be applied, and applied concurrently. § 5 ¶ 3 Governing bodies should ensure that they realize the described governance outcomes through intentionally implementing the practices. § 5 ¶ 6] | Business Processes | Preventive | |
Analyze how policies used to create management boundaries relate to the Governance, Risk, and Compliance approach. CC ID 12821 [Decision-making throughout the organization should be supported by appropriate delegation (see 4.2.2). This delegation should be formalized together with appropriate assurance processes. Additionally, the governing body should ensure that: limits of the decision-making authority are applied based on the associated level of risk, in particular where automated decision-making is used; § 6.8.3.2.2 ¶ 1 b) Delegation should be formalized together with the appropriate assurance processes. Limits of decision-making authority should be applied in response to assessed risk. § 4.2.2 ¶ 5] | Process or Activity | Preventive | |
Analyze how the organization sets limits in policies relating to the Governance, Risk, and Compliance approach. CC ID 12819 | Process or Activity | Preventive | |
Analyze how the Board of Directors' and senior management's tone influences the Governance, Risk, and Compliance approach. CC ID 12818 [To ensure that the organization fulfils the organizational purpose and achieves the intended strategic outcomes, the governing body should: set the tone for the organization with respect to how the management of risk is to be approached; § 6.9.3.1 ¶ 2 a) To ensure that the organization is acting in a socially responsible way, the governing body should: assess how actions of individual members of the governing body influence social responsibility. § 6.10.3 ¶ 1 i) In order to lead ethically and effectively, the governing body should lead by example to create a positive culture, set the tone for others, and engender trust and cooperation among the organization's stakeholders. § 6.7.3.1 ¶ 2 Set the tone for the organization by behaving in the manner in which the organization and its personnel are expected to behave. Table 2 Column 2 Row 2 Bullet 4 The governing body should steer the organizational strategy by means of: the organizational culture, including the cultural tone the governing body sets through its ethos; § 6.3.3.2.2 ¶ 2 a)] | Process or Activity | Preventive | |
Analyze the degree to which the governing body is engaged in the Governance, Risk, and Compliance approach. CC ID 12817 [Ethical and effective leadership should be demonstrated in three areas: the functioning of the governing body; § 6.7.3.1 ¶ 4 a) The governing body should make decisions of requisite quality and ensure that its decision-making is appropriately informed. The governing body should: pay attention to the dynamics of the governing body, including, for example, undue reliance on any one member for decision-making; § 6.8.3.2.1 ¶ 1 e) The governing body should steer the organizational strategy by means of: the composition and functioning of the governing body itself, and its committees, ensuring they are continually able to understand and meet the changing needs of the organization (see 4.3.2), including recommending ways for closing anticipated gaps; § 6.3.3.2.2 ¶ 2 c)] | Process or Activity | Preventive | |
Analyze the Governance, Risk, and Compliance approach. CC ID 12816 [The governing body should: assess its own competence, structures and processes, including drawing on the support of experienced, independent professionals, with respect to, for example, the adequacy of its effectiveness, efficiency, composition and its member succession plans; § 4.3.2 ¶ 2 d)] | Process or Activity | Preventive | |
Analyze the organizational culture. CC ID 12899 | Process or Activity | Preventive | |
Include individual commitment to the organization's Governance, Risk, and Compliance framework in the analysis of the organizational culture. CC ID 12922 | Process or Activity | Detective | |
Include the organizational climate in the analysis of the organizational culture. CC ID 12921 | Process or Activity | Detective | |
Include consistency of leadership actions to mission, vision, and values in the analysis of the organizational culture. CC ID 12920 [Ethical and effective leadership is demonstrated when the governing body: behaves in a manner consistent with the defined organizational values; § 6.7.3.1 ¶ 3 Bullet 2 {internal context} When setting the strategic outcomes and guiding the organizational strategy, the governing body should consider the organization's internal and external context, including: the organizational purpose, the application of the organizational values and the organization's value generation model; § 6.3.3.1.1 ¶ 2 a) Within the governing body: The members of the governing body should demonstrate that they are behaving in a manner consistent with the organizational values. § 6.7.3.3 ¶ 1 a) The governing body should oversee organizational performance by assessing and taking corrective action based on: whether the organizational values and governance policies are effectively guiding the organization, its culture and its ethical behaviour; § 6.4.3.2 ¶ 1 a)] | Process or Activity | Detective | |
Include employee engagement in the analysis of the organizational culture. CC ID 12914 | Behavior | Preventive | |
Include contractual relationships with workforce members in the analysis of the organizational culture. CC ID 15674 | Business Processes | Preventive | |
Include the number of workforce members who are not employees in the analysis of the organizational culture. CC ID 15673 | Business Processes | Preventive | |
Include the type of work performed by workforce members in the analysis of the organizational culture. CC ID 15675 | Business Processes | Preventive | |
Include skill development in the analysis of the organizational culture. CC ID 12913 | Behavior | Preventive | |
Include employee turnover rates in the analysis of the organizational culture. CC ID 12912 | Behavior | Preventive | |
Include demographic characteristics of employees in the analysis of the organizational culture. CC ID 15671 | Business Processes | Preventive | |
Include employee loyalty in the analysis of the organizational culture. CC ID 12911 | Behavior | Preventive | |
Include employee satisfaction in the analysis of the organizational culture. CC ID 12910 | Behavior | Preventive | |
Establish, implement, and maintain consequences for non-compliance with the organizational compliance framework. CC ID 11747 [To demonstrate accountability, the governing body should ensure that the organization's reports and disclosures: provide information about the governing body itself, including: the fulfilment of its responsibilities, including the consequences of not fulfilling its obligations; § 6.5.3.2 ¶ 1 b) 2) When defining the organizational values, the governing body should ensure that: the governing body itself understands the consequences of unethical behaviour including bribery, fraud and corruption; § 6.1.3.3 ¶ 1 d) {hold accountable}{individual} The governing body should hold to account those to whom it has delegated (see 4.2.2). The governing body should ask questions, exercise its judgement, implement consequences, affect improvements and ensure that it is equipped to do so. When doing so, the governing body should practise integrity, fairness and transparency. § 6.5.3.3 ¶ 1] | Process or Activity | Corrective | |
Comply with all implemented policies in the organization's compliance framework. CC ID 06384 [To demonstrate accountability, the governing body should ensure that the organization's reports and disclosures: meet compliance obligations; § 6.5.3.2 ¶ 1 d) Effective performance — The organization: remains in alignment with its policies and relevant stakeholder expectations. § 5 ¶ 2 a) 4)] | Establish/Maintain Documentation | Preventive | |
Provide assurance to interested personnel and affected parties that the Governance, Risk, and Compliance capability is reliable, effective, efficient, and responsive. CC ID 12788 [In doing so, the governing body provides indications of the organization's governance maturity, among other insights. § 5 ¶ 8 To provide effective oversight of the organization, in addition to the reports it receives from those to whom they have delegated, the governing body should assure itself that the governance system is appropriately designed and operating as intended. If the governing body cannot assure itself directly, then it should utilize additional means of independent assurance. The governing body should: § 6.4.3.3 ¶ 1 To provide effective oversight of the organization, in addition to the reports it receives from those to whom they have delegated, the governing body should assure itself that the governance system is appropriately designed and operating as intended. If the governing body cannot assure itself directly, then it should utilize additional means of independent assurance. The governing body should: demonstrate its commitment to assurance and communicate appropriately and clearly, throughout the organization, about its assurance system. § 6.4.3.3 ¶ 1 g)] | Communicate | Preventive | |
Review systems for compliance with organizational information security policies. CC ID 12004 | Business Processes | Preventive | |
Disseminate and communicate the Governance, Risk, and Compliance framework to all interested personnel and affected parties. CC ID 00815 [{individual}{hold accountable} The governing body should demonstrate its willingness to answer for the fulfilment of its responsibilities, even where these have been delegated. The governing body should also report on the manner in which it holds to account those to whom it has delegated. § 6.5.3.1 ¶ 1 To demonstrate accountability, the governing body should ensure that the organization's reports and disclosures: provide information about the governing body itself, including: § 6.5.3.2 ¶ 1 b) Finally, the governing body should report honestly and transparently to relevant stakeholders on the organizational governance framework. This includes reporting: § 5 ¶ 7] | Behavior | Preventive | |
Establish, implement, and maintain an Asset Management program. CC ID 06630 [Responsible stewardship — The organization: makes use of resources in a responsible manner; § 5 ¶ 2 b) 1) {procedure} The governing body should ensure that it sets parameters, within which the value generation objectives are to be achieved. These parameters should ensure that the organization: defines what resources are required to deliver the value generation objectives and how they should be accessed and allocated; § 6.2.3.3 ¶ 1 b)] | Business Processes | Preventive | |
Establish, implement, and maintain an asset management policy. CC ID 15219 | Establish/Maintain Documentation | Preventive | |
Include coordination amongst entities in the asset management policy. CC ID 16424 | Business Processes | Preventive | |
Establish, implement, and maintain asset management procedures. CC ID 16748 | Establish/Maintain Documentation | Preventive | |
Assign an information owner to organizational assets, as necessary. CC ID 12729 | Human Resources Management | Preventive | |
Define and prioritize the importance of each asset in the asset management program. CC ID 16837 | Business Processes | Preventive | |
Include life cycle requirements in the security management program. CC ID 16392 | Establish/Maintain Documentation | Preventive | |
Include program objectives in the asset management program. CC ID 14413 | Establish/Maintain Documentation | Preventive | |
Include a commitment to continual improvement in the asset management program. CC ID 14412 | Establish/Maintain Documentation | Preventive | |
Include compliance with applicable requirements in the asset management program. CC ID 14411 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain administrative controls over all assets. CC ID 16400 | Business Processes | Preventive | |
Establish, implement, and maintain classification schemes for all systems and assets. CC ID 01902 | Establish/Maintain Documentation | Preventive | |
Apply security controls to each level of the information classification standard. CC ID 01903 | Systems Design, Build, and Implementation | Preventive | |
Establish, implement, and maintain the systems' confidentiality level. CC ID 01904 | Establish/Maintain Documentation | Preventive | |
Define confidentiality controls. CC ID 01908 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain the systems' availability level. CC ID 01905 | Establish/Maintain Documentation | Preventive | |
Restrict unscheduled downtime in order to maintain high availability for critical systems. CC ID 12742 | Process or Activity | Preventive | |
Define integrity controls. CC ID 01909 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain the systems' integrity level. CC ID 01906 | Establish/Maintain Documentation | Preventive | |
Define availability controls. CC ID 01911 | Establish/Maintain Documentation | Preventive | |
Establish safety classifications for systems according to their potential harmful effects to operators or end users. CC ID 06603 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain an asset safety classification scheme. CC ID 06604 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain the Asset Classification Policy. CC ID 06642 | Establish/Maintain Documentation | Preventive | |
Disseminate and communicate the Asset Classification Policy to interested personnel and affected parties. CC ID 14851 | Communicate | Preventive | |
Classify assets according to the Asset Classification Policy. CC ID 07186 | Establish Roles | Preventive | |
Classify virtual systems by type and purpose. CC ID 16332 | Business Processes | Preventive | |
Document the decision for assigning an asset to a specific asset classification in the Asset Classification Policy. CC ID 07185 | Establish/Maintain Documentation | Preventive | |
Apply asset protection mechanisms for all assets according to their assigned Asset Classification Policy. CC ID 07184 | Establish Roles | Preventive | |
Disallow systems from processing information, disseminating and communicating information, or storing information that is above the system's assigned asset classification. CC ID 06606 | Configuration | Preventive | |
Assign decomposed system components the same asset classification as the originating system. CC ID 06605 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain an asset inventory. CC ID 06631 | Business Processes | Preventive | |
Establish, implement, and maintain an Information Technology inventory with asset discovery audit trails. CC ID 00689 | Establish/Maintain Documentation | Preventive | |
Include all account types in the Information Technology inventory. CC ID 13311 | Establish/Maintain Documentation | Preventive | |
Include each Information System's system boundaries in the Information Technology inventory. CC ID 00695 | Systems Design, Build, and Implementation | Preventive | |
Identify processes, Information Systems, and third parties that transmit, process, or store restricted data. CC ID 06289 | Data and Information Management | Preventive | |
Include each Information System's major applications in the Information Technology inventory. CC ID 01407 | Establish/Maintain Documentation | Preventive | |
Categorize all major applications according to the business information they process. CC ID 07182 | Establish/Maintain Documentation | Preventive | |
Document the resources, hazards, and Evaluation Assurance Levels for each major application. CC ID 01164 | Establish/Maintain Documentation | Preventive | |
Include the General Support Systems and security support structure in the Information Technology inventory. CC ID 01408 | Establish/Maintain Documentation | Preventive | |
Include each Information System's minor applications in the Information Technology inventory. CC ID 01409 | Establish/Maintain Documentation | Preventive | |
Conduct environmental surveys. CC ID 00690 | Physical and Environmental Protection | Preventive | |
Categorize facilities in the Information Technology inventory according to their environmental risks. CC ID 06729 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain a hardware asset inventory. CC ID 00691 | Establish/Maintain Documentation | Preventive | |
Include network equipment in the Information Technology inventory. CC ID 00693 | Establish/Maintain Documentation | Preventive | |
Include mobile devices that store restricted data or restricted information in the Information Technology inventory. CC ID 04719 | Establish/Maintain Documentation | Preventive | |
Include interconnected systems and Software as a Service in the Information Technology inventory. CC ID 04885 | Process or Activity | Preventive | |
Include software in the Information Technology inventory. CC ID 00692 | Establish/Maintain Documentation | Preventive | |
Establish and maintain a list of authorized software and versions required for each system. CC ID 12093 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain a storage media inventory. CC ID 00694 | Establish/Maintain Documentation | Preventive | |
Include all electronic storage media containing restricted data or restricted information in the storage media inventory. CC ID 00962 | Establish/Maintain Documentation | Detective | |
Establish, implement, and maintain a records inventory and database inventory. CC ID 01260 | Establish/Maintain Documentation | Preventive | |
Add inventoried assets to the asset register database, as necessary. CC ID 07051 | Establish/Maintain Documentation | Preventive | |
Identify discrepancies between the asset register database and the Information Technology inventory, as necessary. CC ID 07052 | Monitor and Evaluate Occurrences | Corrective | |
Investigate and resolve discrepancies between the asset register database and the Information Technology inventory. CC ID 07053 | Monitor and Evaluate Occurrences | Corrective | |
Organize the asset register database by grouping objects according to an organizational information classification standard. CC ID 07181 | Establish/Maintain Documentation | Preventive | |
Use automated tools to collect Information Technology inventory information, as necessary. CC ID 07054 | Technical Security | Preventive | |
Link the authentication system to the asset inventory. CC ID 13718 | Technical Security | Preventive | |
Record a unique name for each asset in the asset inventory. CC ID 16305 | Data and Information Management | Preventive | |
Record the decommission date for applicable assets in the asset inventory. CC ID 14920 | Establish/Maintain Documentation | Preventive | |
Record the status of information systems in the asset inventory. CC ID 16304 | Data and Information Management | Preventive | |
Record the communication interfaces for applicable assets in the asset inventory. CC ID 16301 | Data and Information Management | Preventive | |
Record the Uniform Resource Locator for applicable assets in the asset inventory. CC ID 14918 | Establish/Maintain Documentation | Preventive | |
Include source code in the asset inventory. CC ID 14858 | Records Management | Preventive | |
Assign ownership of maintaining the asset inventory, as necessary. CC ID 12344 | Human Resources Management | Preventive | |
Employ Dynamic Host Configuration Protocol server logging to detect systems not in the asset inventory. CC ID 12110 | Technical Security | Detective | |
Record the review date for applicable assets in the asset inventory. CC ID 14919 | Establish/Maintain Documentation | Preventive | |
Record software license information for each asset in the asset inventory. CC ID 11736 | Data and Information Management | Preventive | |
Record services for applicable assets in the asset inventory. CC ID 13733 | Establish/Maintain Documentation | Preventive | |
Record protocols for applicable assets in the asset inventory. CC ID 13734 | Establish/Maintain Documentation | Preventive | |
Record the software version in the asset inventory. CC ID 12196 | Establish/Maintain Documentation | Preventive | |
Record the publisher for applicable assets in the asset inventory. CC ID 13725 | Establish/Maintain Documentation | Preventive | |
Record the authentication system in the asset inventory. CC ID 13724 | Establish/Maintain Documentation | Preventive | |
Tag unsupported assets in the asset inventory. CC ID 13723 | Establish/Maintain Documentation | Preventive | |
Record the install date for applicable assets in the asset inventory. CC ID 13720 | Establish/Maintain Documentation | Preventive | |
Record the make and model of the device for applicable assets in the asset inventory. CC ID 12465 | Establish/Maintain Documentation | Preventive | |
Record the asset tag for physical assets in the asset inventory. CC ID 06632 | Establish/Maintain Documentation | Preventive | |
Record the host name of applicable assets in the asset inventory. CC ID 13722 | Establish/Maintain Documentation | Preventive | |
Record network ports for applicable assets in the asset inventory. CC ID 13730 | Establish/Maintain Documentation | Preventive | |
Record the MAC address for applicable assets in the asset inventory. CC ID 13721 | Establish/Maintain Documentation | Preventive | |
Record the operating system version for applicable assets in the asset inventory. CC ID 11748 | Data and Information Management | Preventive | |
Record the operating system type for applicable assets in the asset inventory. CC ID 06633 | Establish/Maintain Documentation | Preventive | |
Record rooms at external locations in the asset inventory. CC ID 16302 | Data and Information Management | Preventive | |
Record the department associated with the asset in the asset inventory. CC ID 12084 | Establish/Maintain Documentation | Preventive | |
Record the physical location for applicable assets in the asset inventory. CC ID 06634 | Establish/Maintain Documentation | Preventive | |
Record the manufacturer's serial number for applicable assets in the asset inventory. CC ID 06635 | Establish/Maintain Documentation | Preventive | |
Record the firmware version for applicable assets in the asset inventory. CC ID 12195 | Establish/Maintain Documentation | Preventive | |
Record the related business function for applicable assets in the asset inventory. CC ID 06636 | Establish/Maintain Documentation | Preventive | |
Record the deployment environment for applicable assets in the asset inventory. CC ID 06637 | Establish/Maintain Documentation | Preventive | |
Record the Internet Protocol address for applicable assets in the asset inventory. CC ID 06638 | Establish/Maintain Documentation | Preventive | |
Record trusted keys and certificates in the asset inventory. CC ID 15486 | Data and Information Management | Preventive | |
Record cipher suites and protocols in the asset inventory. CC ID 15489 | Data and Information Management | Preventive | |
Link the software asset inventory to the hardware asset inventory. CC ID 12085 | Establish/Maintain Documentation | Preventive | |
Record the owner for applicable assets in the asset inventory. CC ID 06640 | Establish/Maintain Documentation | Preventive | |
Record all compliance requirements for applicable assets in the asset inventory. CC ID 15696 | Establish/Maintain Documentation | Preventive | |
Record all changes to assets in the asset inventory. CC ID 12190 | Establish/Maintain Documentation | Preventive | |
Record cloud service derived data in the asset inventory. CC ID 13007 | Establish/Maintain Documentation | Preventive | |
Include cloud service customer data in the asset inventory. CC ID 13006 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain a software accountability policy. CC ID 00868 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain software asset management procedures. CC ID 00895 | Establish/Maintain Documentation | Preventive | |
Prevent users from disabling required software. CC ID 16417 | Technical Security | Preventive | |
Establish, implement, and maintain software archives procedures. CC ID 00866 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain software distribution procedures. CC ID 00894 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain software documentation management procedures. CC ID 06395 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain software license management procedures. CC ID 06639 | Establish/Maintain Documentation | Preventive | |
Automate software license monitoring, as necessary. CC ID 07057 | Monitor and Evaluate Occurrences | Preventive | |
Establish, implement, and maintain digital legacy procedures. CC ID 16524 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain a system redeployment program. CC ID 06276 | Establish/Maintain Documentation | Preventive | |
Test systems for malicious code prior to when the system will be redeployed. CC ID 06339 | Testing | Detective | |
Notify interested personnel and affected parties prior to when the system is redeployed or the system is disposed. CC ID 06400 | Behavior | Preventive | |
Wipe all data on systems prior to when the system is redeployed or the system is disposed. CC ID 06401 | Data and Information Management | Preventive | |
Transfer legal ownership of assets when the system is redeployed to a third party. CC ID 06698 | Acquisition/Sale of Assets or Services | Preventive | |
Document the staff's operating knowledge of the system prior to a personnel status change. CC ID 06937 | Establish/Maintain Documentation | Preventive | |
Redeploy systems to other organizational units, as necessary. CC ID 11452 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain a system disposal program. CC ID 14431 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain disposal procedures. CC ID 16513 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain asset sanitization procedures. CC ID 16511 | Establish/Maintain Documentation | Preventive | |
Destroy systems in accordance with the system disposal program. CC ID 16457 | Business Processes | Preventive | |
Approve the release of systems and waste material into the public domain. CC ID 16461 | Business Processes | Preventive | |
Establish, implement, and maintain system destruction procedures. CC ID 16474 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain printer and multifunction device disposition procedures. CC ID 15216 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain a system preventive maintenance program. CC ID 00885 [The organization's viability and performance over time depends on the resilience of natural environmental, social and economic systems in which the organization operates. The resilience of these systems benefits from governing body decisions when such decisions consider: actively contribute to conserving and restoring these systems. § 6.11.3.1 ¶ 1 Bullet 2] | Establish/Maintain Documentation | Preventive | |
Establish and maintain maintenance reports. CC ID 11749 | Establish/Maintain Documentation | Preventive | |
Establish and maintain system inspection reports. CC ID 06346 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain a system maintenance policy. CC ID 14032 | Establish/Maintain Documentation | Preventive | |
Include compliance requirements in the system maintenance policy. CC ID 14217 | Establish/Maintain Documentation | Preventive | |
Include management commitment in the system maintenance policy. CC ID 14216 | Establish/Maintain Documentation | Preventive | |
Include roles and responsibilities in the system maintenance policy. CC ID 14215 | Establish/Maintain Documentation | Preventive | |
Include the scope in the system maintenance policy. CC ID 14214 | Establish/Maintain Documentation | Preventive | |
Disseminate and communicate the system maintenance policy to interested personnel and affected parties. CC ID 14213 | Communicate | Preventive | |
Include the purpose in the system maintenance policy. CC ID 14187 | Establish/Maintain Documentation | Preventive | |
Include coordination amongst entities in the system maintenance policy. CC ID 14181 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain system maintenance procedures. CC ID 14059 | Establish/Maintain Documentation | Preventive | |
Disseminate and communicate the system maintenance procedures to interested personnel and affected parties. CC ID 14194 | Communicate | Preventive | |
Establish, implement, and maintain a technology refresh plan. CC ID 13061 | Establish/Maintain Documentation | Preventive | |
Plan and conduct maintenance so that it does not interfere with scheduled operations. CC ID 06389 | Physical and Environmental Protection | Preventive | |
Maintain contact with the device manufacturer or component manufacturer for maintenance requests. CC ID 06388 | Behavior | Preventive | |
Use system components only when third party support is available. CC ID 10644 | Maintenance | Preventive | |
Obtain justification for the continued use of system components when third party support is no longer available. CC ID 10645 | Maintenance | Preventive | |
Control and monitor all maintenance tools. CC ID 01432 | Physical and Environmental Protection | Detective | |
Obtain approval before removing maintenance tools from the facility. CC ID 14298 | Business Processes | Preventive | |
Control remote maintenance according to the system's asset classification. CC ID 01433 | Technical Security | Preventive | |
Separate remote maintenance sessions from other network sessions with a logically separate communications path based upon encryption. CC ID 10614 | Configuration | Preventive | |
Approve all remote maintenance sessions. CC ID 10615 | Technical Security | Preventive | |
Log the performance of all remote maintenance. CC ID 13202 | Log Management | Preventive | |
Terminate remote maintenance sessions when the remote maintenance is complete. CC ID 12083 | Technical Security | Preventive | |
Conduct offsite maintenance in authorized facilities. CC ID 16473 | Maintenance | Preventive | |
Conduct maintenance with authorized personnel. CC ID 01434 | Testing | Detective | |
Disconnect non-volatile media from information systems prior to performing maintenance with uncleared personnel. CC ID 14295 | Maintenance | Preventive | |
Sanitize volatile media in information systems prior to performing maintenance with uncleared personnel. CC ID 14291 | Maintenance | Preventive | |
Respond to maintenance requests inside the organizationally established time frame. CC ID 04878 | Behavior | Preventive | |
Establish and maintain an archive of maintenance reports in a maintenance log. CC ID 06202 | Establish/Maintain Documentation | Preventive | |
Acquire spare parts prior to when maintenance requests are scheduled. CC ID 11833 | Acquisition/Sale of Assets or Services | Preventive | |
Perform periodic maintenance according to organizational standards. CC ID 01435 | Behavior | Preventive | |
Restart systems on a periodic basis. CC ID 16498 | Maintenance | Preventive | |
Remove components being serviced from the information system prior to performing maintenance. CC ID 14251 | Maintenance | Preventive | |
Employ dedicated systems during system maintenance. CC ID 12108 | Technical Security | Preventive | |
Isolate dedicated systems used for system maintenance from Internet access. CC ID 12114 | Technical Security | Preventive | |
Control granting access to appropriate parties performing maintenance on organizational assets. CC ID 11873 | Human Resources Management | Preventive | |
Identify and authenticate appropriate parties prior to granting access to maintain assets. CC ID 11874 | Physical and Environmental Protection | Preventive | |
Calibrate assets according to the calibration procedures for the asset. CC ID 06203 | Testing | Detective | |
Post calibration limits or calibration tolerances on or near assets requiring calibration. CC ID 06204 | Establish/Maintain Documentation | Preventive | |
Implement automated mechanisms to transfer predictive maintenance data to a maintenance management system. CC ID 10616 | Process or Activity | Preventive | |
Refrain from protecting physical assets when no longer required. CC ID 13484 | Physical and Environmental Protection | Corrective | |
Disassemble and shut down unnecessary systems or unused systems. CC ID 06280 | Business Processes | Preventive | |
Establish, implement, and maintain an end-of-life management process. CC ID 16540 | Establish/Maintain Documentation | Preventive | |
Dispose of hardware and software at their life cycle end. CC ID 06278 | Business Processes | Preventive | |
Refrain from placing assets being disposed into organizational dumpsters. CC ID 12200 | Business Processes | Preventive | |
Establish, implement, and maintain disposal contracts. CC ID 12199 | Establish/Maintain Documentation | Preventive | |
Include disposal procedures in disposal contracts. CC ID 13905 | Establish/Maintain Documentation | Preventive | |
Remove asset tags prior to disposal of an asset. CC ID 12198 | Business Processes | Preventive | |
Document the storage information for all systems that are stored instead of being disposed or redeployed. CC ID 06936 | Establish/Maintain Documentation | Preventive | |
Test for detrimental environmental factors after a system is disposed. CC ID 06938 | Testing | Detective | |
Review each system's operational readiness. CC ID 06275 | Systems Design, Build, and Implementation | Preventive | |
Establish, implement, and maintain a data stewardship policy. CC ID 06657 | Establish/Maintain Documentation | Preventive | |
Establish and maintain an unauthorized software list. CC ID 10601 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain a customer service program. CC ID 00846 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain an Incident Management program. CC ID 00853 | Business Processes | Preventive | |
Include detection procedures in the Incident Management program. CC ID 00588 | Establish/Maintain Documentation | Preventive | |
Analyze the incident response process following an incident response. CC ID 13179 [The governing body should oversee organizational performance by assessing and taking corrective action based on: the organization's management of plans, organizational changes and other substantial transformations as well as responses to unplanned events and incidents. § 6.4.3.2 ¶ 1 j)] | Investigate | Detective | |
Analyze security violations in Suspicious Activity Reports. CC ID 00591 | Establish/Maintain Documentation | Preventive | |
Update the incident response procedures using the lessons learned. CC ID 01233 [The governing body should oversee organizational performance by assessing and taking corrective action based on: the organization's management of plans, organizational changes and other substantial transformations as well as responses to unplanned events and incidents. § 6.4.3.2 ¶ 1 j)] | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain a performance management standard. CC ID 01615 [The governing body should oversee the organization's performance to ensure that it meets the governing body's intentions for, and expectations of, the organization, its ethical behaviour and its compliance obligations. § 6.4.1 ¶ 1 Ethical and effective leadership should be demonstrated in three areas: the performance of the organization as a whole; § 6.7.3.1 ¶ 4 b) The governing body should oversee the organization's performance to ensure that it meets the governing body's intentions for, and expectations of, the organization, its ethical behaviour and its compliance obligations. Table 1 Column 4 Row 5 Effective performance — The organization: performs as required; § 5 ¶ 2 a) 2)] | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain future system performance forecasting methods. CC ID 11775 | Business Processes | Preventive | |
Use proactive performance management. CC ID 00937 | Business Processes | Detective | |
Utilize resource availability management controls. CC ID 00940 | Business Processes | Detective | |
Establish, implement, and maintain a remediation plan for deviations in the resource management process. CC ID 13679 | Establish/Maintain Documentation | Preventive | |
Follow the maintenance schedule. CC ID 11791 | Maintenance | Preventive | |
Establish, implement, and maintain rate limiting filters. CC ID 06883 | Business Processes | Preventive | |
Establish, implement, and maintain system capacity monitoring procedures. CC ID 01619 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain system performance monitoring procedures. CC ID 11752 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain a cost management program. CC ID 13638 | Establish/Maintain Documentation | Preventive | |
Identify and allocate departmental costs. CC ID 00871 | Business Processes | Detective | |
Justify the system's cost and benefit. CC ID 00874 [Issues of particular concern to a governing body are where the organization benefits but where the costs for that benefit are incurred by another party. These are sometimes referred to as "negative externalities" or "unpriced impacts" and can be both financial or non-financial in nature. In such cases, the governing body should account for these benefits. § 6.10.3 ¶ 2] | Business Processes | Detective | |
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
Mandated - bold Implied - italic Implementation - regular | TYPE | CLASS | |
---|---|---|---|
Privacy protection for information and data CC ID 00008 | IT Impact Zone | IT Impact Zone | |
Establish, implement, and maintain a privacy framework that protects restricted data. CC ID 11850 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain a personal data use limitation program. CC ID 13428 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain data access procedures. CC ID 00414 [The governing body should: ensure that all relevant stakeholders are able to access the reports and disclosures, as far as is reasonable, and are therefore suitably equipped with the information necessary to make informed assessments of the organization's past performance, current performance and performance over time. § 6.5.3.2 ¶ 2 Bullet 3] | Establish/Maintain Documentation | Preventive | |
Allow data subjects to submit data requests. CC ID 16545 | Process or Activity | Preventive | |
Provide individuals with information about where their personal data was processed. CC ID 00415 | Data and Information Management | Preventive | |
Provide individuals with information about the processing purpose of their personal data. CC ID 00416 | Data and Information Management | Preventive | |
Provide individuals with information about disclosure of their personal data. CC ID 00417 | Data and Information Management | Preventive | |
Allow guardians and legal representatives access to personal data about the individual for whom they are guardians or legal representatives. CC ID 00418 | Data and Information Management | Preventive | |
Provide assistance to requesters in preparing data access requests. CC ID 13588 | Data and Information Management | Preventive | |
Require data access requests to be in writing, unless the requester is unable. CC ID 00420 | Establish/Maintain Documentation | Preventive | |
Define what is to be included in a data access request. CC ID 08699 | Establish/Maintain Documentation | Preventive | |
Refrain from requiring data subjects to justify personal data access requests. CC ID 12394 | Business Processes | Preventive | |
Respond to data access requests in a timely manner. CC ID 00421 | Behavior | Preventive | |
Delay responding to data access requests, as necessary. CC ID 15504 | Data and Information Management | Preventive | |
Expedite the processing of data access requests, as necessary. CC ID 15496 | Data and Information Management | Preventive | |
Notify the individual of the reasons for delays in responding to data access requests. CC ID 00422 | Behavior | Detective | |
Notify the individual when a cost is imposed which must be paid in advance to gain access. CC ID 00423 | Behavior | Detective | |
Grant a waiver or reduction of fees for data access under defined conditions. CC ID 15502 | Business Processes | Preventive | |
Define what is included in a request for a waiver or reduction of fees. CC ID 15522 | Process or Activity | Preventive | |
Deliver the records described in the personal data access request, as necessary. CC ID 08701 | Establish/Maintain Documentation | Preventive | |
Provide individuals with an estimate of how much data was withheld from the data access request. CC ID 15503 | Data and Information Management | Preventive | |
Document the outcome of the personal data access request review procedure. CC ID 00455 | Data and Information Management | Preventive | |
Establish, implement, and maintain procedures for individuals to be able to modify their personal data, as necessary. CC ID 11811 | Establish/Maintain Documentation | Preventive | |
Submit personal data removal requests in writing. CC ID 11973 | Records Management | Preventive | |
Include a liability waiver for any harm caused by the exclusion of personal data in the personal data removal request. CC ID 11975 | Establish/Maintain Documentation | Preventive | |
Allow authorized individuals to authenticate record entries containing personal data. CC ID 11812 | Records Management | Corrective | |
Notify third parties of data access requests that relate to the third party. CC ID 08703 | Establish/Maintain Documentation | Preventive | |
Allow affected third parties to consent or object to a data access request. CC ID 08704 | Process or Activity | Preventive | |
Establish, implement, and maintain a personal data collection program. CC ID 06487 [The governing body should make decisions of requisite quality and ensure that its decision-making is appropriately informed. The governing body should: exercise its right and responsibility to determine and receive the information it requires, including determining the appropriate data collection methods, preparation and timely delivery of information; § 6.8.3.2.1 ¶ 1 f)] | Establish/Maintain Documentation | Preventive | |
Identify any adverse effects the collection of personal data will have on the data subject. CC ID 15279 | Data and Information Management | Preventive | |
Refrain from collecting personal data, as necessary. CC ID 15269 | Data and Information Management | Preventive | |
Determine the financial impact for the unauthorized disclosure of privacy-related data and privacy-related information. CC ID 06488 | Business Processes | Detective | |
Establish, implement, and maintain personal data collection limitation boundaries. CC ID 00507 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain a personal data use policy. CC ID 00076 | Establish/Maintain Documentation | Preventive | |
Use personal data for specified purposes. CC ID 11831 | Data and Information Management | Preventive | |
Post the collection purpose. CC ID 00101 | Establish/Maintain Documentation | Preventive | |
Obtain the data subject's consent and acknowledgment before collecting data. CC ID 00012 | Data and Information Management | Preventive | |
Document each individual's personal data collection consent preferences. CC ID 06945 | Establish/Maintain Documentation | Preventive | |
Provide explicit consent that is clear and unambiguous. CC ID 00181 | Data and Information Management | Preventive | |
Allow individuals to change their personal data collection consent preferences. CC ID 06946 | Data and Information Management | Preventive | |
Adhere to each individual's personal data collection consent preferences. CC ID 06947 | Data and Information Management | Preventive | |
Notify the data subject of the source of collected personal data. CC ID 00083 | Behavior | Preventive | |
Furnish disclosure of information and usage of information to data subjects when oral consent is given. CC ID 04717 | Data and Information Management | Preventive | |
Disclose the direct marketing purpose before obtaining consent for collecting information. CC ID 04718 | Data and Information Management | Preventive | |
Establish and maintain a personal data definition. CC ID 00028 | Establish/Maintain Documentation | Preventive | |
Include an individual's name in the personal data definition. CC ID 04710 | Data and Information Management | Preventive | |
Include an individual's name combined with other personal data in the personal data definition. CC ID 04709 | Data and Information Management | Preventive | |
Include the legal surname of the parent or legal representative prior to marriage in the personal data definition. CC ID 04686 | Data and Information Management | Preventive | |
Include an individual's signature in the personal data definition. CC ID 04711 | Data and Information Management | Preventive | |
Include an individual's date of birth in the personal data definition. CC ID 04770 | Data and Information Management | Preventive | |
Include the number of children in the personal data definition. CC ID 13759 | Establish/Maintain Documentation | Preventive | |
Include the individual's religion in the personal data definition. CC ID 13765 | Establish/Maintain Documentation | Preventive | |
Include an individual's physical characteristics or description in the personal data definition. CC ID 04712 | Data and Information Management | Preventive | |
Include an individual's biometric data in the personal data definition. CC ID 04698 | Data and Information Management | Preventive | |
Include an individual's photographic image in the personal data definition. CC ID 04779 | Data and Information Management | Preventive | |
Include an individual's fingerprints in the personal data definition. CC ID 04689 | Data and Information Management | Preventive | |
Include an individual's address in the personal data definition. CC ID 04687 | Data and Information Management | Preventive | |
Include an individual's telephone number in the personal data definition. CC ID 04688 | Data and Information Management | Preventive | |
Include an individual's fax number in the personal data definition. CC ID 07120 | Data and Information Management | Preventive | |
Include an individual's political party affiliation in the personal data definition. CC ID 13764 | Establish/Maintain Documentation | Preventive | |
Include an individual's license plate number in the personal data definition. CC ID 13763 | Establish/Maintain Documentation | Preventive | |
Include an individual's financial account number in the personal data definition. CC ID 04692 | Data and Information Management | Preventive | |
Include an individual's account balances in the personal data definition. CC ID 13770 | Establish/Maintain Documentation | Preventive | |
Include stock numbers, bond numbers, and other security certificate numbers in the personal data definition. CC ID 04768 | Data and Information Management | Preventive | |
Include an individual's electronic identification name or number in the personal data definition. CC ID 04694 | Data and Information Management | Preventive | |
Include an individual's logon credentials in the personal data definition. CC ID 13771 | Establish/Maintain Documentation | Preventive | |
Include an individual's Alien Registration Number in the personal data definition. CC ID 04743 | Data and Information Management | Preventive | |
Include an individual's passport number in the personal data definition. CC ID 04713 | Data and Information Management | Preventive | |
Include an individual's driver's license number or an individual's state identification card number in the personal data definition. CC ID 04691 | Data and Information Management | Preventive | |
Include an individual's Social Security Number or Personal Identification Number in the personal data definition. CC ID 04690 | Data and Information Management | Preventive | |
Include an individual's military identification number in the personal data definition. CC ID 13083 | Establish/Maintain Documentation | Preventive | |
Include an individual's e-mail address in the personal data definition. CC ID 04696 | Data and Information Management | Preventive | |
Include electronic signatures in the personal data definition. CC ID 04697 | Data and Information Management | Preventive | |
Include an individual's payment card information in the personal data definition. CC ID 04751 | Data and Information Management | Preventive | |
Include an individual's credit card number or an individual's debit card number in the personal data definition. CC ID 04693 | Data and Information Management | Preventive | |
Include an individual's payment card service code in the personal data definition. CC ID 04753 | Data and Information Management | Preventive | |
Include an individual's payment card expiration date in the personal data definition. CC ID 04755 | Data and Information Management | Preventive | |
Include the payment transaction data and transaction authentication data in the personal data definition. CC ID 04825 | Data and Information Management | Preventive | |
Include an individual's Individually Identifiable Health Information in the personal data definition. CC ID 04700 | Data and Information Management | Preventive | |
Include an individual's medical history in the personal data definition. CC ID 04701 | Data and Information Management | Preventive | |
Include an individual's medical treatment in the personal data definition. CC ID 04702 | Data and Information Management | Preventive | |
Include an individual's medical diagnosis in the personal data definition. CC ID 04703 | Data and Information Management | Preventive | |
Include an individual's mental condition or an individual's physical condition in the personal data definition. CC ID 04704 | Data and Information Management | Preventive | |
Include an individual's medical record numbers in the personal data definition. CC ID 07121 | Data and Information Management | Preventive | |
Include an individual's health insurance information in the personal data definition. CC ID 04705 | Data and Information Management | Preventive | |
Include an individual's health insurance policy number in the personal data definition. CC ID 04706 | Data and Information Management | Preventive | |
Include an individual's health insurance application and health insurance claims history (including appeals) in the personal data definition. CC ID 04707 | Data and Information Management | Preventive | |
Include an individual's education information in the personal data definition. CC ID 04714 | Data and Information Management | Preventive | |
Include an individual's professional certification numbers or an individual's professional license numbers in the personal data definition. CC ID 07122 | Data and Information Management | Preventive | |
Include an individual's employment information in the personal data definition. CC ID 04715 | Data and Information Management | Preventive | |
Include an employer's Taxpayer Identification Number in the personal data definition. CC ID 04767 | Data and Information Management | Preventive | |
Include an individual's Taxpayer Identification Number in the personal data definition. CC ID 04763 | Data and Information Management | Preventive | |
Include an individual's employment history in the personal data definition. CC ID 04716 | Data and Information Management | Preventive | |
Include an individual's place of employment in the personal data definition. CC ID 04765 | Data and Information Management | Preventive | |
Include an individual's Employee Identification Number in the personal data definition. CC ID 04766 | Data and Information Management | Preventive | |
Include an individual's property information in the personal data definition. CC ID 04780 | Data and Information Management | Preventive | |
Include an individual's property title in the personal data definition. CC ID 04781 | Data and Information Management | Preventive | |
Include an individual's vehicle registration in the personal data definition. CC ID 04782 | Data and Information Management | Preventive | |
Include hardware asset identification information in the personal data definition. CC ID 07123 | Data and Information Management | Preventive | |
Include MAC addresses in the personal data definition. CC ID 04778 | Data and Information Management | Preventive | |
Include Internet Protocol addresses in the personal data definition. CC ID 04777 | Data and Information Management | Preventive | |
Include asset serial numbers in the personal data definition. CC ID 07124 | Data and Information Management | Preventive | |
Include Uniform Resource Locators in the personal data definition. CC ID 07125 | Data and Information Management | Preventive | |
Refrain from including publicly available information in the personal data definition. CC ID 13084 | Establish/Maintain Documentation | Preventive | |
Define specially restricted data. CC ID 00037 | Data and Information Management | Preventive | |
Protect an individual's civil rights during personal data collection and personal data processing. CC ID 00079 | Data and Information Management | Preventive | |
Refrain from compiling data that is likely to give rise to unlawful discrimination or arbitrary discrimination. CC ID 00075 | Data and Information Management | Preventive | |
Refrain from subjecting an individual to a solely automated decision process that produces legal effects based on the evaluation of certain characteristics. CC ID 00080 | Data and Information Management | Preventive | |
Implement a nondiscrimination principle. CC ID 00081 | Data and Information Management | Preventive | |
Include the collection and use of personal data in the nondiscrimination principle. CC ID 11799 | Data and Information Management | Preventive | |
Preserve each individual's right to human dignity. CC ID 00082 | Data and Information Management | Preventive | |
Manage Personal Identification Numbers and PIN verification code numbers. CC ID 00058 | Data and Information Management | Preventive | |
Employ a random number generator to create authenticators. CC ID 13782 | Technical Security | Preventive | |
Collect Personal Identification Numbers with the individual's consent. CC ID 00059 | Data and Information Management | Preventive | |
Collect Personal Identification Numbers absent consent when the law mandates. CC ID 00061 | Data and Information Management | Preventive | |
Collect Personal Identification Numbers absent consent for research purposes. CC ID 00065 | Data and Information Management | Preventive | |
Collect Personal Identification Numbers absent consent to realize the rights or duties of the data subject or data controller. CC ID 04792 | Data and Information Management | Preventive | |
Refrain from requiring a Personal Identification Number to purchase goods or services. CC ID 00069 | Behavior | Preventive | |
Manage health data collection. CC ID 00050 | Data and Information Management | Preventive | |
Collect Individually Identifiable Health Information to provide health care services. CC ID 00052 | Data and Information Management | Preventive | |
Collect Individually Identifiable Health Information when the law dictates. CC ID 00053 | Data and Information Management | Preventive | |
Collect Individually Identifiable Health Information for research. CC ID 00054 | Data and Information Management | Preventive | |
Remove personal data before disclosing health data. CC ID 00055 | Data and Information Management | Preventive | |
Give special attention to collecting children's data. CC ID 00038 | Data and Information Management | Preventive | |
Use simple understandable language to collect information from children. CC ID 00039 | Behavior | Preventive | |
Notify parents or legal representatives of what information is collected from children. CC ID 00040 | Establish/Maintain Documentation | Preventive | |
Obtain consent from a parent or legal representative before collecting information from children. CC ID 00041 | Data and Information Management | Preventive | |
Waive verifiable consent from a parent or legal representative for collecting information from children in order to collect online contact information for a one-time only response to a specific request. CC ID 00043 | Data and Information Management | Preventive | |
Waive verifiable consent from a parent or legal representative for collecting information from children in order to request the parent or legal representative's information to obtain consent. CC ID 00044 | Data and Information Management | Preventive | |
Waive verifiable consent from a parent or legal representative for collecting information from children in order to respond to additional requests which do not go beyond the scope of the request. CC ID 00045 | Data and Information Management | Preventive | |
Waive verifiable consent from a parent or legal representative for collecting information from children in order to protect the child's safety. CC ID 00046 | Data and Information Management | Preventive | |
Waive verifiable consent from a parent or legal representative for collecting information from children in order to take liability precautions. CC ID 00047 | Data and Information Management | Preventive | |
Waive verifiable consent from a parent or legal representative for collecting information from children in order to respond to a judicial process. CC ID 00048 | Data and Information Management | Preventive | |
Waive verifiable consent from a parent or legal representative for collecting information from children in order to respond to a request for law enforcement purposes. CC ID 00049 | Data and Information Management | Preventive | |
Waive verifiable consent from a parent or legal representative for collecting information from children in order to protect the website's security or integrity or the online service's security or integrity. CC ID 06199 | Data and Information Management | Preventive | |
Establish, implement, and maintain a personal data collection policy. CC ID 00029 | Establish/Maintain Documentation | Preventive | |
Collect personal data directly from the data subject. CC ID 00011 | Data and Information Management | Preventive | |
Create and manage user account aliases to maintain pseudonymity. CC ID 04549 | Data and Information Management | Preventive | |
Provide unlinkability for users and resources. CC ID 04550 | Data and Information Management | Preventive | |
Provide unobservability of users and resources. CC ID 04551 | Technical Security | Preventive | |
Confirm the data quality of personal data collected from third parties. CC ID 13510 | Investigate | Detective | |
Collect restricted data in a fair and lawful manner. CC ID 00010 | Data and Information Management | Preventive | |
Collect restricted data absent consent for specific and well-documented circumstances. CC ID 00013 | Data and Information Management | Preventive | |
Collect restricted data absent consent when the data collection is in the individual's interests and consent can not be obtained in a timely manner. CC ID 00014 | Data and Information Management | Preventive | |
Collect restricted data absent consent when consent compromises data accuracy. CC ID 00015 | Data and Information Management | Preventive | |
Collect personal data absent consent in order to make a disclosure. CC ID 13550 | Data and Information Management | Preventive | |
Collect personal data absent consent for reasonable investigative purposes. CC ID 11801 | Data and Information Management | Preventive | |
Collect personal data absent consent if the collection is consistent with the intended purpose. CC ID 13548 | Data and Information Management | Preventive | |
Collect personal data absent consent when the personal data was produced by the data subject in the course of employment, business, or profession. CC ID 13544 | Data and Information Management | Preventive | |
Collect personal data absent consent for handling insurance claims. CC ID 13543 | Data and Information Management | Preventive | |
Collect personal data absent consent when the data subject has authorized the collection through another individual. CC ID 00016 | Data and Information Management | Preventive | |
Collect personal data absent consent if the disclosure is to the next of kin or authorized representative. CC ID 15295 | Data and Information Management | Preventive | |
Collect personal data absent consent in order to establish, manage, or terminate employment contracts. CC ID 13614 | Data and Information Management | Preventive | |
Collect personal data absent consent in order to protect the data subject's vital interests. CC ID 15277 | Data and Information Management | Preventive | |
Collect personal data for public interests absent consent in order to protect historical records or archival records. CC ID 15289 | Data and Information Management | Preventive | |
Collect personal data absent consent to administer a trust fund or benefit plan. CC ID 15292 | Data and Information Management | Preventive | |
Collect restricted data absent consent for journalistic purposes, artistic purposes, or literary purposes. CC ID 00017 | Data and Information Management | Preventive | |
Collect personal data absent consent in order to collect a debt owed by the data subject. CC ID 15293 | Data and Information Management | Preventive | |
Collect personal data absent consent for statistical purposes or research purposes and the data subject is not identified. CC ID 00018 | Data and Information Management | Preventive | |
Collect restricted data absent consent from publicly available information. CC ID 00019 | Data and Information Management | Preventive | |
Collect restricted data absent consent when needed by law. CC ID 00020 | Data and Information Management | Preventive | |
Collect personal data absent consent to create a credit report. CC ID 15287 | Data and Information Management | Preventive | |
Collect restricted data absent consent when no potential harm can come to the data subject. CC ID 00021 | Data and Information Management | Preventive | |
Collect personal data absent consent when collecting personal data from the data subject is impossible or the data collection involves a disproportionate effort. CC ID 00022 | Data and Information Management | Preventive | |
Collect the minimum amount of restricted data necessary. CC ID 00078 | Data and Information Management | Preventive | |
Collect restricted data in a proper information framework. CC ID 00009 | Data and Information Management | Preventive | |
Collect and record restricted data for specific, explicit, and legitimate purposes. CC ID 00027 | Data and Information Management | Preventive | |
Collect restricted data when required by law. CC ID 00031 | Data and Information Management | Preventive | |
Collect restricted data to prevent life-threatening emergencies. CC ID 00032 | Data and Information Management | Preventive | |
Collect restricted data relating solely to nonprofit organization members or individuals who are in regular contact during the nonprofit organization's activities. CC ID 00034 | Data and Information Management | Preventive | |
Collect restricted data for legal purposes. CC ID 00036 | Data and Information Management | Preventive | |
Review the methods for collecting personal data, as necessary. CC ID 13511 | Investigate | Detective | |
Provide the data subject with information about the data controller during the collection process. CC ID 00023 | Establish/Maintain Documentation | Preventive | |
Disseminate and communicate the data collector's name and contact information to all interested personnel. CC ID 13760 | Communicate | Preventive | |
Provide the data subject with the data collector's name and contact information. CC ID 00024 | Establish/Maintain Documentation | Preventive | |
Provide the data subject with the name of the data collector who will hold the collected restricted data. CC ID 00025 | Establish/Maintain Documentation | Preventive | |
Provide the data subject with the third party processor's contact information when the data controller is not processing the restricted data. CC ID 00026 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain a data handling program. CC ID 13427 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain data handling policies. CC ID 00353 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain data and information confidentiality policies. CC ID 00361 [{be within}To demonstrate accountability, the governing body should ensure that the organization's reports and disclosures: are transparent but also within the limits of confidentiality; § 6.5.3.2 ¶ 1 f)] | Establish/Maintain Documentation | Preventive | |
Prohibit personal data from being sent by e-mail or instant messaging. CC ID 00565 | Data and Information Management | Preventive | |
Protect electronic messaging information. CC ID 12022 | Technical Security | Preventive | |
Establish, implement, and maintain record structures to support information confidentiality. CC ID 00360 | Data and Information Management | Preventive | |
Include passwords, Personal Identification Numbers, and card security codes in the personal data definition. CC ID 04699 | Configuration | Preventive | |
Refrain from storing data elements containing payment card full magnetic stripe data. CC ID 04757 | Testing | Detective | |
Store payment card data in secure chips, if possible. CC ID 13065 | Configuration | Preventive | |
Refrain from storing data elements containing sensitive authentication data after authorization is approved. CC ID 04758 | Configuration | Preventive | |
Render unrecoverable sensitive authentication data after authorization is approved. CC ID 11952 | Technical Security | Preventive | |
Automate the disposition process for records that contain "do not store" data or "delete after transaction process" data. CC ID 06083 | Data and Information Management | Preventive | |
Log the disclosure of personal data. CC ID 06628 | Log Management | Preventive | |
Log the modification of personal data. CC ID 11844 | Log Management | Preventive | |
Encrypt, truncate, or tokenize data fields, as necessary. CC ID 06850 | Technical Security | Preventive | |
Implement security measures to protect personal data. CC ID 13606 | Technical Security | Preventive | |
Implement physical controls to protect personal data. CC ID 00355 | Testing | Preventive | |
Limit data leakage. CC ID 00356 | Data and Information Management | Preventive | |
Conduct personal data risk assessments. CC ID 00357 | Testing | Detective | |
Identify potential red flags to alert the organization before a data leakage has occurred. CC ID 04654 | Monitor and Evaluate Occurrences | Preventive | |
Establish, implement, and maintain Consumer Reporting Agency notification procedures. CC ID 04851 | Business Processes | Preventive | |
Establish, implement, and maintain suspicious document procedures. CC ID 04852 | Establish/Maintain Documentation | Detective | |
Establish, implement, and maintain suspicious personal data procedures. CC ID 04853 | Data and Information Management | Detective | |
Compare certain personal data such as name, date of birth, address, driver's license, or other identification against personal data on file for the applicant. CC ID 04855 | Data and Information Management | Detective | |
Establish, implement, and maintain suspicious user account activity procedures. CC ID 04854 | Monitor and Evaluate Occurrences | Detective | |
Perform an identity check prior to approving an account change request. CC ID 13670 | Investigate | Detective | |
Use the contact information on file to contact the individual identified in an account change request. CC ID 04857 | Behavior | Detective | |
Match consumer reports with current accounts on file to ensure account misuse or information misuse has not occurred. CC ID 04873 | Data and Information Management | Detective | |
Log account access dates and report when dormant accounts suddenly exhibit unusual activity. CC ID 04874 | Log Management | Detective | |
Report fraudulent account activity, unauthorized transactions, or discrepancies with current accounts. CC ID 04875 | Monitor and Evaluate Occurrences | Corrective | |
Log dates for account name changes or address changes. CC ID 04876 | Log Management | Detective | |
Review accounts that are changed for additional user requests. CC ID 11846 | Monitor and Evaluate Occurrences | Detective | |
Send change notices for change of address requests to the old address and the new address. CC ID 04877 | Data and Information Management | Detective | |
Acquire enough insurance to cover the liability for damages due to data leakage. CC ID 06408 | Acquisition/Sale of Assets or Services | Preventive | |
Search the Internet for evidence of data leakage. CC ID 10419 | Process or Activity | Detective | |
Alert appropriate personnel when data leakage is detected. CC ID 14715 | Process or Activity | Preventive | |
Review monitored websites for data leakage. CC ID 10593 | Monitor and Evaluate Occurrences | Detective | |
Take appropriate action when a data leakage is discovered. CC ID 14716 | Process or Activity | Corrective | |
Disseminate and communicate the data handling policy to all interested personnel and affected parties. CC ID 15465 [The recognition that data can be a strategic asset (or liability) means that the governing body should: communicate the nature and extent of the organization's use of data as a demonstration of accountability for this resource. § 6.8.3.3 ¶ 1 e)] | Communicate | Preventive | |
Establish, implement, and maintain data handling procedures. CC ID 11756 | Establish/Maintain Documentation | Preventive | |
Disseminate and communicate the data handling procedures to all interested personnel and affected parties. CC ID 15466 [The governing body should ensure that the organization identifies, manages, monitors and communicates the nature and extent of its use of data (see 6.5.3). § 6.8.3.1 ¶ 1] | Communicate | Preventive |
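The payment-card rows above (CC IDs 04699, 04757, 04758, 11952, 06850) together describe one workflow: card security codes and PINs are personal data, full magnetic stripe data is never stored, sensitive authentication data is rendered unrecoverable once the authorization decision is in, and whatever does persist is truncated or tokenized. The following is an added example written for this report; it is not code from ISO 37000 or the Unified Compliance Framework. The `AuthorizationRequest` shape, the in-process `TokenVault`, and the sample card number (the well-known 4111 1111 1111 1111 test PAN) are assumptions made for illustration; a production token vault would be a separate hardened service. Python's in-memory wipe is best-effort, since copies of an immutable string may survive; the control that matters is that the record returned by `settle` is the only thing written to storage.

```python
"""Card data handling after authorization (added example, not from ISO 37000 or the UCF).

Assumed: a merchant-side record store and an in-process token vault.
"""
import base64
import json
import re
import secrets
from dataclasses import dataclass
from typing import Optional


@dataclass
class AuthorizationRequest:
    """Fields present while an authorization is in flight. cvv and track2 are
    sensitive authentication data, held in mutable buffers so they can be
    overwritten in place once the authorization response arrives."""
    pan: str
    expiry: str                           # MMYY
    cvv: bytearray
    track2: Optional[bytearray] = None    # full magnetic stripe data, card-present only


def luhn_ok(digits: str) -> bool:
    """Luhn check digit validation, used to tell PANs from other digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def normalize_pan(pan: str) -> str:
    digits = re.sub(r"\D", "", pan)
    if not 13 <= len(digits) <= 19 or not luhn_ok(digits):
        raise ValueError("not a plausible PAN")
    return digits


def truncate_pan(pan: str) -> str:
    """Keep at most the first six (BIN) and last four digits; mask the rest."""
    digits = normalize_pan(pan)
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


class TokenVault:
    """Random tokens with no mathematical relation to the PAN. The PAN->token
    map exists only inside the vault (assumed in-process here)."""

    def __init__(self) -> None:
        self._by_token: dict[str, str] = {}
        self._by_pan: dict[str, str] = {}

    def tokenize(self, pan: str) -> str:
        pan = normalize_pan(pan)
        if pan not in self._by_pan:
            # 128 bits from the OS CSPRNG; base32 output never resembles a PAN.
            raw = base64.b32encode(secrets.token_bytes(16)).decode().rstrip("=")
            tok = "tok_" + raw
            self._by_token[tok] = pan
            self._by_pan[pan] = tok
        return self._by_pan[pan]

    def detokenize(self, token: str) -> str:
        return self._by_token[token]


def wipe(buf: Optional[bytearray]) -> None:
    """Overwrite sensitive authentication data in place (best-effort in Python)."""
    if buf is not None:
        for i in range(len(buf)):
            buf[i] = 0


def settle(req: AuthorizationRequest, approved: bool, vault: TokenVault) -> dict:
    """Return the only record allowed to persist once authorization is decided.
    CVV and track data are wiped and are never part of the record."""
    pan = normalize_pan(req.pan)
    record = {
        "pan_token": vault.tokenize(pan),
        "pan_display": truncate_pan(pan),
        "expiry": req.expiry,
        "approved": approved,
    }
    wipe(req.cvv)       # not stored after authorization (CC IDs 04758, 11952)
    wipe(req.track2)    # full magnetic stripe data is never stored (CC ID 04757)
    req.track2 = None
    return record


_PAN_RUN = re.compile(r"(?<!\d)\d{13,19}(?!\d)")


def contains_raw_pan(data) -> bool:
    """Detective check for stored records, logs or exports: any 13-19 digit run
    that passes Luhn is treated as a leaked PAN. Accepts a string or a JSON-able object."""
    text = data if isinstance(data, str) else json.dumps(data)
    return any(luhn_ok(m.group()) for m in _PAN_RUN.finditer(text))
```

`contains_raw_pan` is the check worth wiring into log shipping and database exports: it flags an unmasked card number while tolerating order numbers and timestamps that happen to be long digit runs.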
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
Mandated - bold Implied - italic Implementation - regular | TYPE | CLASS | |
---|---|---|---|
Records management CC ID 00902 | IT Impact Zone | IT Impact Zone | |
Establish, implement, and maintain a data profiling program. CC ID 13992 [The governing body should oversee the organization's management of risk (see 6.4), ensuring that: effective data analytics are employed to correctly assess risk and risk interactions; § 6.9.3.4 ¶ 1 f)] | Data and Information Management | Preventive | |
Establish, implement, and maintain an information management program. CC ID 14315 [Decision-making throughout the organization should be supported by appropriate delegation (see 4.2.2). This delegation should be formalized together with appropriate assurance processes. Additionally, the governing body should ensure that: information structures, including access to information, monitoring and potential mitigation of incorrect decisions are sufficient to ensure compliance with organizational requirements. § 6.8.3.2.2 ¶ 1 c)] | Establish/Maintain Documentation | Preventive | |
Ensure data sets have the appropriate characteristics. CC ID 15000 | Data and Information Management | Detective | |
Ensure data sets are complete, are accurate, and are relevant. CC ID 14999 | Data and Information Management | Detective | |
Establish, implement, and maintain records management procedures. CC ID 11619 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain data accuracy controls. CC ID 00921 [To exercise effective oversight, the governing body should: assure itself of the accuracy of reports and evidence it receives, and the effectiveness of the internal control system. § 6.4.3.1 ¶ 1 d) The governing body should make decisions of requisite quality and ensure that its decision-making is appropriately informed. The governing body should: ensure that assurance is provided over the integrity of the data and information received, and in particular its accuracy and completeness; § 6.8.3.2.1 ¶ 1 g)] | Monitor and Evaluate Occurrences | Detective | |
Establish, implement, and maintain data completeness controls. CC ID 11649 [The governing body should make decisions of requisite quality and ensure that its decision-making is appropriately informed. The governing body should: ensure that assurance is provided over the integrity of the data and information received, and in particular its accuracy and completeness; § 6.8.3.2.1 ¶ 1 g)] | Process or Activity | Preventive | |
Establish, implement, and maintain data processing integrity controls. CC ID 00923 [The governing body should make decisions of requisite quality and ensure that its decision-making is appropriately informed. The governing body should: ensure that assurance is provided over the integrity of the data and information received, and in particular its accuracy and completeness; § 6.8.3.2.1 ¶ 1 g)] | Establish Roles | Preventive | |
Compare each record's data input to its final form. CC ID 11813 | Records Management | Detective | |
Establish, implement, and maintain Automated Data Processing validation checks and editing checks. CC ID 00924 | Data and Information Management | Preventive | |
Establish, implement, and maintain Automated Data Processing error handling procedures. CC ID 00925 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain Automated Data Processing error handling reporting. CC ID 11659 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain electronic storage media management procedures. CC ID 00931 | Establish/Maintain Documentation | Preventive | |
Establish and maintain access controls for all records. CC ID 00371 [Decision-making throughout the organization should be supported by appropriate delegation (see 4.2.2). This delegation should be formalized together with appropriate assurance processes. Additionally, the governing body should ensure that: information structures, including access to information, monitoring and potential mitigation of incorrect decisions are sufficient to ensure compliance with organizational requirements. § 6.8.3.2.2 ¶ 1 c)] | Records Management | Preventive |
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
Mandated - bold Implied - italic Implementation - regular | TYPE | CLASS | |
---|---|---|---|
Technical security CC ID 00508 | IT Impact Zone | IT Impact Zone | |
Establish, implement, and maintain an access control program. CC ID 11702 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain an access rights management plan. CC ID 00513 | Establish/Maintain Documentation | Preventive | |
Control access rights to organizational assets. CC ID 00004 [{procedure}The governing body should ensure that it sets parameters, within which the value generation objectives are to be achieved. These parameters should ensure that the organization: defines what resources are required to deliver the value generation objectives and how they should be accessed and allocated; § 6.2.3.3 ¶ 1 b)] | Technical Security | Preventive | |
Configure access control lists in accordance with organizational standards. CC ID 16465 | Configuration | Preventive | |
Add all devices requiring access control to the Access Control List. CC ID 06264 | Establish/Maintain Documentation | Preventive | |
Generate but refrain from storing authenticators or Personal Identification Numbers for systems involved in high risk activities. CC ID 06835 | Technical Security | Preventive | |
Disallow application IDs from running as privileged users. CC ID 10050 | Configuration | Detective | |
Define roles for information systems. CC ID 12454 | Human Resources Management | Preventive | |
Define access needs for each role assigned to an information system. CC ID 12455 | Human Resources Management | Preventive | |
Define access needs for each system component of an information system. CC ID 12456 | Technical Security | Preventive | |
Define the level of privilege required for each system component of an information system. CC ID 12457 | Technical Security | Preventive | |
Establish access rights based on least privilege. CC ID 01411 | Technical Security | Preventive | |
Assign user permissions based on job responsibilities. CC ID 00538 | Technical Security | Preventive | |
Assign user privileges after they have management sign off. CC ID 00542 | Technical Security | Preventive | |
Separate processing domains to segregate user privileges and enhance information flow control. CC ID 06767 | Configuration | Preventive | |
Establish, implement, and maintain lockout procedures or lockout mechanisms to be triggered after a predetermined number of consecutive logon attempts. CC ID 01412 | Technical Security | Preventive | |
Configure the lockout procedure to disregard failed logon attempts after the user is authenticated. CC ID 13822 | Configuration | Preventive | |
Notify the user when an authentication is attempted using an expired authenticator. CC ID 13818 | Communicate | Corrective | |
Disallow unlocking user accounts absent system administrator approval. CC ID 01413 | Technical Security | Preventive | |
Establish, implement, and maintain session lock capabilities. CC ID 01417 | Configuration | Preventive | |
Limit concurrent sessions according to account type. CC ID 01416 | Configuration | Preventive | |
Establish session authenticity through Transport Layer Security. CC ID 01627 | Technical Security | Preventive | |
Configure the "tlsverify" argument to organizational standards. CC ID 14460 | Configuration | Preventive | |
Configure the "tlscacert" argument to organizational standards. CC ID 14521 | Configuration | Preventive | |
Configure the "tlscert" argument to organizational standards. CC ID 14520 | Configuration | Preventive | |
Configure the "tlskey" argument to organizational standards. CC ID 14519 | Configuration | Preventive | |
Enable access control for objects and users on each system. CC ID 04553 | Configuration | Preventive | |
Include all system components in the access control system. CC ID 11939 | Technical Security | Preventive | |
Set access control for objects and users to "deny all" unless explicitly authorized. CC ID 06301 | Process or Activity | Preventive | |
Enable access control for objects and users to match restrictions set by the system's security classification. CC ID 04850 | Technical Security | Preventive | |
Enable attribute-based access control for objects and users on information systems. CC ID 16351 | Technical Security | Preventive | |
Enable role-based access control for objects and users on information systems. CC ID 12458 | Technical Security | Preventive | |
Include the objects and users subject to access control in the security policy. CC ID 11836 | Establish/Maintain Documentation | Preventive | |
Assign Information System access authorizations if implementing segregation of duties. CC ID 06323 | Establish Roles | Preventive | |
Enforce access restrictions for change control. CC ID 01428 | Technical Security | Preventive | |
Enforce access restrictions for restricted data. CC ID 01921 | Data and Information Management | Preventive | |
Permit a limited set of user actions absent identification and authentication. CC ID 04849 | Technical Security | Preventive | |
Perform a risk assessment prior to activating third party access to the organization's critical systems. CC ID 06455 | Testing | Detective | |
Activate third party maintenance accounts and user identifiers, as necessary. CC ID 04262 | Technical Security | Preventive | |
Establish, implement, and maintain a system use agreement for each information system. CC ID 06500 | Establish/Maintain Documentation | Preventive | |
Accept and sign the system use agreement before data or system access is enabled. CC ID 06501 | Establish/Maintain Documentation | Preventive | |
Display a logon banner and appropriate logon message before granting access to the system. CC ID 06770 | Technical Security | Preventive | |
Display previous logon information in the logon banner. CC ID 01415 | Configuration | Preventive | |
Document actions that can be performed on an information system absent identification and authentication of the user. CC ID 06771 | Establish/Maintain Documentation | Preventive | |
Use automatic equipment identification as a method of connection authentication absent an individual's identification and authentication. CC ID 06964 | Technical Security | Preventive |
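The lockout rows above (CC IDs 01412, 13822, 13818, 01413), together with the authenticator rows (CC IDs 13782, 06835), describe a small state machine: count consecutive failed logons, lock at a predetermined threshold, stop counting earlier failures once the user authenticates, tell the user when an expired authenticator is presented, and allow unlocking only with administrator approval. The following is an added example written for this report, not code from ISO 37000 or the Unified Compliance Framework. The threshold of five attempts, the 90-day authenticator lifetime, the PBKDF2 parameters, and the in-memory account store are assumptions chosen for illustration. Only a salted, stretched digest of the password is kept, so the authenticator itself is never stored.

```python
"""Account lockout and authenticator lifecycle (added example, not from ISO 37000 or the UCF).

Assumed parameters: 5 consecutive failures lock the account; authenticators live 90 days.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from enum import Enum
import hashlib
import hmac
import os

LOCKOUT_THRESHOLD = 5                          # assumed "predetermined number"
AUTHENTICATOR_LIFETIME = timedelta(days=90)    # assumed organizational policy
PBKDF2_ROUNDS = 100_000                        # assumed


class Outcome(Enum):
    OK = "ok"
    BAD_CREDENTIAL = "bad_credential"   # also returned for unknown users
    LOCKED = "locked"
    EXPIRED = "expired"


@dataclass
class Account:
    salt: bytes
    digest: bytes
    expires_at: datetime
    consecutive_failures: int = 0
    locked: bool = False


def _derive(salt: bytes, password: str) -> bytes:
    # Only this derived value is stored; the password is never written anywhere.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


class AuthService:
    def __init__(self, threshold: int = LOCKOUT_THRESHOLD) -> None:
        self.threshold = threshold
        self._accounts: dict[str, Account] = {}
        self.notifications: list[tuple[str, str]] = []   # (user, message) sent to the user

    def register(self, user: str, password: str, now: datetime,
                 lifetime: timedelta = AUTHENTICATOR_LIFETIME) -> None:
        salt = os.urandom(16)   # OS CSPRNG for authenticator material (CC ID 13782)
        self._accounts[user] = Account(salt, _derive(salt, password), now + lifetime)

    def login(self, user: str, password: str, now: datetime) -> Outcome:
        acct = self._accounts.get(user)
        if acct is None:
            _derive(b"\x00" * 16, password)   # same work as a real check, to avoid a timing oracle
            return Outcome.BAD_CREDENTIAL
        if acct.locked:
            return Outcome.LOCKED             # no self-service unlock (CC ID 01413)
        if not hmac.compare_digest(_derive(acct.salt, password), acct.digest):
            acct.consecutive_failures += 1
            if acct.consecutive_failures >= self.threshold:
                acct.locked = True            # lock on consecutive failures (CC ID 01412)
                return Outcome.LOCKED
            return Outcome.BAD_CREDENTIAL
        if now >= acct.expires_at:
            # Correct but expired authenticator: notify the user, grant nothing (CC ID 13818).
            self.notifications.append((user, "authentication attempted with an expired authenticator"))
            return Outcome.EXPIRED
        acct.consecutive_failures = 0         # earlier failures no longer count (CC ID 13822)
        return Outcome.OK

    def unlock(self, user: str, approved_by: str, admins: frozenset) -> bool:
        """Unlock only with an administrator's explicit approval (CC ID 01413)."""
        if approved_by not in admins:
            return False
        acct = self._accounts[user]
        acct.locked = False
        acct.consecutive_failures = 0
        return True

    def failures(self, user: str) -> int:
        return self._accounts[user].consecutive_failures


if __name__ == "__main__":
    svc = AuthService()
    t0 = datetime.now(timezone.utc)
    svc.register("alice", "correct horse", t0)
    for _ in range(5):
        print(svc.login("alice", "wrong", t0))
    print(svc.unlock("alice", "root", frozenset({"root"})), svc.login("alice", "correct horse", t0))
```

Two details are easy to get wrong in real deployments: the counter must reset only on a successful authentication (an expired-but-correct password is not one), and the unknown-user path should cost the same as a real check so attackers cannot enumerate accounts by response time.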
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
Mandated - bold Implied - italic Implementation - regular | TYPE | CLASS | |
---|---|---|---|
Third Party and supply chain oversight CC ID 08807 | IT Impact Zone | IT Impact Zone | |
Establish, implement, and maintain a supply chain management program. CC ID 11742 | Establish/Maintain Documentation | Preventive | |
Document the organization's supply chain in the supply chain management program. CC ID 09958 | Establish/Maintain Documentation | Preventive | |
Document supply chain dependencies in the supply chain management program. CC ID 08900 [{external context}The governing body should ensure that the organizational risk framework, in respect to the management of risk: considers the impact of, changes to and dependencies on the external and internal context of the organization, including: § 6.9.3.2 ¶ 2 d)] | Establish/Maintain Documentation | Detective |
Each Common Control is assigned a meta-data type to help you determine the objective of the Control and associated Authority Document mandates aligned with it. These types include behavioral controls, process controls, records management, technical security, configuration management, etc. They are provided as another tool to dissect the Authority Document’s mandates and assign them effectively within your organization.
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
---|---|---|---|
Implement automated audit tools. CC ID 04882 | Monitoring and measurement | Preventive | |
Purchase insurance on behalf of interested personnel and affected parties. CC ID 16571 | Audits and risk management | Corrective | |
Refrain from using gifted mobile devices. CC ID 16460 | Human Resources management | Preventive | |
Acquire resources necessary to support Governance, Risk, and Compliance. CC ID 12861 [The governing body should ensure that the organizational risk framework, in respect to the management of risk: establishes and maintains adequate resourcing; § 6.9.3.2 ¶ 2 f)] | Operational management | Preventive | |
Transfer legal ownership of assets when the system is redeployed to a third party. CC ID 06698 | Operational management | Preventive | |
Acquire spare parts prior to when maintenance requests are scheduled. CC ID 11833 | Operational management | Preventive | |
Process product return requests. CC ID 11598 | Acquisition or sale of facilities, technology, and services | Corrective | |
Refrain from returning products absent a return request authorization. CC ID 11599 | Acquisition or sale of facilities, technology, and services | Corrective | |
Acquire enough insurance to cover the liability for damages due to data leakage. CC ID 06408 | Privacy protection for information and data | Preventive |
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
---|---|---|---|
Report to management and stakeholders on the findings and information gathered from all types of inquiries. CC ID 12797 [{be appropriate}When delegating, the governing body should delegate in a manner which increases trust and transparency. For delegation and accountability (see 6.5) to be effective, the governing body should ensure that the following conditions are fulfilled: outputs, outcomes and the processes to achieve the responsibilities are periodically reported and presented with evidence that actions taken are reasonable and appropriate; § 4.2.2 ¶ 2 d) The governing body should: report on the process and outcomes of assessments to relevant stakeholders (see 6.5.3). § 4.3.2 ¶ 2 e) Ethical behaviour — The organization behaves in accordance with accepted principles of right or good conduct in the context of a particular situation and in a manner consistent with international norms of behaviour, including demonstrating: accountability through accurate and timely reporting on its performance and stewardship of resources; § 5 ¶ 2 c) 2) To demonstrate accountability, the governing body should ensure that the organization's reports and disclosures: provide information about the organization, including: § 6.5.3.2 ¶ 1 c) The governing body should demonstrate accountability by retaining and distributing value in a transparent manner and reporting on the associated processes, decisions and results, including on the extent of the organization's impacts over time. This includes disclosing to relevant stakeholders where the organization has destroyed or compromised value, providing a justification for such where appropriate, and describing how it will redress or reinstate that value. § 6.2.3.5 ¶ 2] | Leadership and high level objectives | Preventive | |
Establish and maintain an Information Technology plan status report that covers both Strategic Information Technology Plans and tactical Information Technology plans. CC ID 06839 | Leadership and high level objectives | Preventive | |
Include key personnel status changes in the Information Technology Plan status reports. CC ID 06840 | Leadership and high level objectives | Preventive | |
Include significant security risks in the Information Technology Plan status reports. CC ID 06939 | Leadership and high level objectives | Preventive | |
Include significant risk mitigations in the Information Technology Plan status reports. CC ID 06841 | Leadership and high level objectives | Preventive | |
Report on the percentage of critical assets for which an assurance strategy is implemented. CC ID 01657 | Monitoring and measurement | Detective | |
Report on the percentage of key organizational functions for which an assurance strategy is implemented. CC ID 01658 | Monitoring and measurement | Detective | |
Report on the percentage of key compliance requirements for which an assurance strategy has been implemented. CC ID 01659 | Monitoring and measurement | Detective | |
Report on the percentage of the Information System budget allocated to Information Security. CC ID 04571 | Monitoring and measurement | Detective | |
Report on the policies and controls that have been implemented by management. CC ID 01670 | Monitoring and measurement | Detective | |
Report on the percentage of security management roles that have been assigned. CC ID 01671 | Monitoring and measurement | Detective | |
Report on the percentage of board meetings or committee meetings at which Information Assurance was on the agenda. CC ID 01672 | Monitoring and measurement | Detective | |
Report on the percentage of supply chain members for which all Information Assurance requirements have been implemented. CC ID 01675 | Monitoring and measurement | Detective | |
Report on the Service Level Agreement performance of supply chain members. CC ID 06838 | Monitoring and measurement | Preventive | |
Report on the percentage of organizational units that have an established Business Continuity Plan. CC ID 01676 | Monitoring and measurement | Detective | |
Report on the percentage of organizational units with a documented Business Continuity Plan for which specific responsibilities have been assigned. CC ID 02057 | Monitoring and measurement | Detective | |
Report on the percentage of Business Continuity Plans that have been reviewed, tested, and updated. CC ID 02058 | Monitoring and measurement | Detective | |
Report on the percentage of needed internal audits that have been completed and reviewed. CC ID 01677 | Monitoring and measurement | Detective | |
Report on the percentage of Information Security requirements from applicable laws and regulations that are included in the audit program. CC ID 02069 | Monitoring and measurement | Detective | |
Report on the percentage of needed external audits that have been completed and reviewed. CC ID 11632 | Monitoring and measurement | Detective | |
Report on the percentage of Information Security audits conducted in compliance with the approved audit program. CC ID 02070 | Monitoring and measurement | Detective | |
Report on the percentage of audit findings that have been resolved since the last audit. CC ID 01678 | Monitoring and measurement | Detective | |
Report on the percentage of management actions in response to audit findings and audit recommendations that were implemented in a timely way. CC ID 02071 | Monitoring and measurement | Detective | |
Monitor compliance with the Quality Control system. CC ID 01023 | Monitoring and measurement | Preventive | |
Report on the percentage of complaints received about products or delivered services. CC ID 07199 | Monitoring and measurement | Preventive | |
Report on the percentage of Quality Assurance attained by Quality Improvement practices. CC ID 07202 | Monitoring and measurement | Preventive | |
Report on the percentage of total controls for which policies, standards, and procedures exist and for which approval has been granted. CC ID 01679 | Monitoring and measurement | Detective | |
Report on the percentage of personnel who are assigned and acknowledged responsibilities for approved policies, standards, and procedures. CC ID 01680 | Monitoring and measurement | Detective | |
Report on the percentage of policy compliance reviews for which no compliance violations were noted. CC ID 01681 | Monitoring and measurement | Detective | |
Report on the percentage of senior management or business unit heads who have implemented operational compliance procedures. CC ID 01682 | Monitoring and measurement | Detective | |
Report on the percentage of role descriptions that define the Information Awareness roles for Security Managers and administrators. CC ID 01685 | Monitoring and measurement | Detective | |
Report on the percentage of role descriptions that define the information awareness roles for interested personnel. CC ID 01686 | Monitoring and measurement | Detective | |
Report on the percentage of role descriptions that define the information awareness roles for end users. CC ID 01687 | Monitoring and measurement | Detective | |
Report on the percentage of performance reviews that include the evaluation of Information Assurance responsibilities and policy compliance. CC ID 01688 | Monitoring and measurement | Detective | |
Report on the percentage of individuals who have access to security software and are trained, authorized Security Administrators. CC ID 01691 | Monitoring and measurement | Detective | |
Report on the percentage of individuals who are able to assign security privileges and are trained, authorized Security Administrators. CC ID 01692 | Monitoring and measurement | Detective | |
Report on the percentage of new hires who completed training ahead of being granted network access or system access. CC ID 01683 | Monitoring and measurement | Detective | |
Report on the percentage of personnel who have completed periodic Information Assurance refresher training. CC ID 01684 | Monitoring and measurement | Detective | |
Report on the percentage of user roles, systems, and applications that comply with the segregation of duties principle. CC ID 01689 | Monitoring and measurement | Detective | |
Report on the percentage of individuals whose access rights have been reviewed. CC ID 01690 | Monitoring and measurement | Detective | |
Report on the percentage of users who have access to restricted data or restricted information and have undergone a background check. CC ID 01693 | Monitoring and measurement | Detective | |
Report on the percentage of critical information assets and information-dependent functions. CC ID 02040 | Monitoring and measurement | Detective | |
Report on the percentage of critical assets and functions for which the cost of compromise has been quantified. CC ID 02041 | Monitoring and measurement | Detective | |
Report on the percentage of identified risks that have a defined risk mitigation plan. CC ID 02042 | Monitoring and measurement | Detective | |
Report on the percentage of systems with approved System Security Plans. CC ID 02145 | Monitoring and measurement | Detective | |
Report on the percentage of known Information Security risks that are related to supply chain relationships. CC ID 02044 | Monitoring and measurement | Detective | |
Report on the percentage of critical information assets or critical functions for which access by supply chain personnel is disallowed. CC ID 02045 | Monitoring and measurement | Detective | |
Report on the percentage of supply chain personnel who have current information asset user privileges. CC ID 02046 | Monitoring and measurement | Detective | |
Report on the percentage of systems with critical information assets or functions for which electronic connection by supply chain assets is disallowed. CC ID 02047 | Monitoring and measurement | Detective | |
Report on the percentage of security incidents that involved supply chain personnel. CC ID 02048 | Monitoring and measurement | Detective | |
Report on the percentage of third party contracts that include a requirement to externally verify policies and procedures. CC ID 02049 | Monitoring and measurement | Detective | |
Report on the percentage of supply chain relationships that have been reviewed for compliance with information security requirements. CC ID 02050 | Monitoring and measurement | Detective | |
Report on the percentage of information assets that have been reviewed and classified. CC ID 02053 | Monitoring and measurement | Detective | |
Report on the percentage of information assets with defined user privileges that have been assigned based on role and according to policy. CC ID 02054 | Monitoring and measurement | Detective | |
Report on the percentage of scheduled Information Technology inventory processes that occurred on time. CC ID 02055 | Monitoring and measurement | Detective | |
Report on the percentage of recently identified information security risks related to systems architecture that have been adequately mitigated. CC ID 02060 | Monitoring and measurement | Detective | |
Report on the percentage of system architecture changes that were approved through appropriate change requests. CC ID 02061 | Monitoring and measurement | Detective | |
Report on the percentage of critical information assets or functions residing on systems that are currently in compliance with the approved systems architecture. CC ID 02062 | Monitoring and measurement | Detective | |
Report on the percentage of systems that have been recertified if security controls were updated after the system was developed. CC ID 02142 | Monitoring and measurement | Detective | |
Report on the percentage of systems that have completed Certification and Accreditation. CC ID 02143 | Monitoring and measurement | Detective | |
Report on the percentage of critical organizational information assets and functions that have been reviewed from the risk to physical security perspective. CC ID 02064 | Monitoring and measurement | Detective | |
Report on the percentage of critical organizational information assets and functions exposed to physical risks for which risk mitigation actions have been implemented. CC ID 02065 | Monitoring and measurement | Detective | |
Report on the percentage of critical assets that have been reviewed from the environmental risk perspective. CC ID 02066 | Monitoring and measurement | Detective | |
Report on the percentage of servers located in controlled access areas. CC ID 02067 | Monitoring and measurement | Detective | |
Establish, implement, and maintain environmental management system performance metrics. CC ID 15191 | Monitoring and measurement | Preventive | |
Establish, implement, and maintain waste management metrics. CC ID 16152 | Monitoring and measurement | Preventive | |
Establish, implement, and maintain emissions management metrics. CC ID 16145 | Monitoring and measurement | Preventive | |
Establish, implement, and maintain financial management metrics. CC ID 16749 | Monitoring and measurement | Preventive | |
Report on the percentage of unique active user identifiers. CC ID 02074 | Monitoring and measurement | Detective | |
Report on the percentage of systems and applications that perform authenticator policy verification. CC ID 02086 | Monitoring and measurement | Detective | |
Report on the percentage of active user passwords that are set to expire. CC ID 02087 | Monitoring and measurement | Detective | |
Report on the percentage of systems with critical information assets that use stronger authentication than user identifiers and passwords. CC ID 02088 | Monitoring and measurement | Detective | |
Report on the percentage of systems for which default accounts and default passwords have been disabled or reset. CC ID 02089 | Monitoring and measurement | Detective | |
Report on the percentage of inactive user accounts that are assigned to personnel who have left or no longer need access. CC ID 02090 | Monitoring and measurement | Detective | |
Report on the percentage of systems with account lockout thresholds set. CC ID 02091 | Monitoring and measurement | Detective | |
Report on the percentage of inactive user accounts that have been disabled. CC ID 02092 | Monitoring and measurement | Detective | |
Report on the percentage of workstations with session timeout or automatic logoff controls set. CC ID 02093 | Monitoring and measurement | Detective | |
Report on the percentage of users with access to shared accounts. CC ID 04573 | Monitoring and measurement | Detective | |
Establish, implement, and maintain a user and administrator privilege management metrics program. CC ID 02076 | Monitoring and measurement | Preventive | |
Report on the percentage of active computer accounts that have had the current user privileges reviewed. CC ID 02094 | Monitoring and measurement | Detective | |
Report on the percentage of systems where permission to install nonstandard software is limited. CC ID 02095 | Monitoring and measurement | Detective | |
Report on the percentage of systems and applications that have user privileges and administrator privileges assigned in compliance with Role-Based Access Controls. CC ID 02096 | Monitoring and measurement | Detective | |
Report on the percentage of systems for which approved configuration settings have been implemented. CC ID 02097 | Monitoring and measurement | Detective | |
Report on the percentage of systems with configurations that do not deviate from approved standards. CC ID 02098 | Monitoring and measurement | Detective | |
Report on the percentage of systems that are continuously monitored for compliance with the configuration standard with out-of-compliance alarms or out-of-compliance reports. CC ID 02099 | Monitoring and measurement | Detective | |
Report on the percentage of systems whose configuration is compared with a previously established trusted configuration baseline. CC ID 02100 | Monitoring and measurement | Detective | |
Report on the percentage of systems where the authority to make configuration changes is limited. CC ID 02101 | Monitoring and measurement | Detective | |
Report on the percentage of system components that undergo maintenance as scheduled. CC ID 04562 | Monitoring and measurement | Detective | |
Report on the percentage of systems that generate warnings about anomalous activity or potentially unauthorized activity. CC ID 02105 | Monitoring and measurement | Detective | |
Report on the percentage of laptops and mobile devices that are required to be in compliance with the approved configuration standard before being granted network access. CC ID 02106 | Monitoring and measurement | Detective | |
Report on the percentage of organizationally controlled communications channels that have been secured. CC ID 02107 | Monitoring and measurement | Detective | |
Report on the percentage of host servers that are protected from becoming relay hosts. CC ID 02108 | Monitoring and measurement | Detective | |
Report on the percentage of mobile users who access organizational facilities using secure communications methods. CC ID 02109 | Monitoring and measurement | Detective | |
Report on the percentage of workstations and laptops that employ automated system security tools. CC ID 02110 | Monitoring and measurement | Detective | |
Report on the percentage of servers that employ automated system security tools. CC ID 02111 | Monitoring and measurement | Detective | |
Report on the percentage of mobile devices that employ automated system security tools. CC ID 02112 | Monitoring and measurement | Detective | |
Report on the percentage of software changes that have been documented and approved through change request forms. CC ID 02152 | Monitoring and measurement | Detective | |
Report on the percentage of systems with all approved patches installed. CC ID 02113 | Monitoring and measurement | Detective | |
Report on the mean time from patch availability to patch installation. CC ID 02114 | Monitoring and measurement | Detective | |
Report on the percentage of software changes that were reviewed for security impacts before the software configuration is updated. CC ID 02115 | Monitoring and measurement | Detective | |
Report on the percentage of systems configured according to the configuration standard. CC ID 02116 | Monitoring and measurement | Detective | |
Report on the percentage of network access controls used to gain unauthorized access. CC ID 04572 | Monitoring and measurement | Detective | |
Report on the percentage of critical information assets stored on network accessible devices that are encrypted with widely tested and published cryptographic algorithms. CC ID 02117 | Monitoring and measurement | Detective | |
Report on the percentage of mobile devices that use encryption for critical information assets. CC ID 02118 | Monitoring and measurement | Detective | |
Report on the percentage of passwords and Personal Identification Numbers that are encrypted. CC ID 02119 | Monitoring and measurement | Detective | |
Report on the percentage of media that passes sanitization procedure testing. CC ID 04574 | Monitoring and measurement | Detective | |
Report on the percentage of systems with critical information assets or critical business functions that have been backed up in accordance with the backup policy and the system's continuity plan. CC ID 02120 | Monitoring and measurement | Detective | |
Report on the percentage of systems with critical information assets or critical functions where restoration from a backup has been successfully demonstrated. CC ID 02121 | Monitoring and measurement | Detective | |
Report on the percentage of backup media stored off site in secure storage. CC ID 02122 | Monitoring and measurement | Detective | |
Report on the percentage of used backup media or archive media sanitized prior to reuse or disposal. CC ID 02123 | Monitoring and measurement | Detective | |
Report on the estimated damage or loss resulting from all security incidents. CC ID 01674 | Monitoring and measurement | Detective | |
Report on the percentage of security incidents that did not cause confidentiality, integrity, or availability losses beyond the Service Level Agreement thresholds. CC ID 01673 | Monitoring and measurement | Detective | |
Report on the percentage of operational time that critical services were unavailable due to security incidents. CC ID 02124 | Monitoring and measurement | Detective | |
Report on the percentage of security incidents that exploited existing security vulnerabilities with known solutions, patches, or workarounds. CC ID 02125 | Monitoring and measurement | Detective | |
Report on the percentage of systems affected by security incidents that exploited existing security vulnerabilities with known solutions, patches, or workarounds. CC ID 02126 | Monitoring and measurement | Detective | |
Report on the percentage of security incidents that were managed according to established policies, procedures, and processes. CC ID 02127 | Monitoring and measurement | Detective | |
Report on the number of security incidents reported to FedCIRC, NIPC, the Payment Card Industry, or local law enforcement. CC ID 02154 | Monitoring and measurement | Detective | |
Report on the percentage of systems with critical information assets or critical functions that have been assessed for security vulnerabilities. CC ID 02128 | Monitoring and measurement | Detective | |
Report on the percentage of vulnerability assessment findings that have been addressed since the last reporting period. CC ID 02129 | Monitoring and measurement | Detective | |
Report on the average elapsed time between the discovery of a new vulnerability and implementing corrective action. CC ID 02140 | Monitoring and measurement | Detective | |
Report on the percentage of physical security incidents that involved entry into a facility containing Information Systems. CC ID 04564 | Monitoring and measurement | Detective | |
Report on the percentage of unique patients who had at least one medication entered using the Computerized Provider Order Entry system. CC ID 06222 | Monitoring and measurement | Preventive | |
Report on the percentage of unique patients who have diagnoses recorded as structured data into the current and active diagnoses problem list. CC ID 06223 | Monitoring and measurement | Preventive | |
Report on the percentage of permissible prescriptions that are transmitted electronically. CC ID 06224 | Monitoring and measurement | Preventive | |
Report on the percentage of unique patients who have at least one entry recorded as structured data into the active medication list. CC ID 06225 | Monitoring and measurement | Preventive | |
Report on the percentage of unique patients who have at least one entry recorded as structured data into the active medication allergy list. CC ID 06226 | Monitoring and measurement | Preventive | |
Report on the percentage of unique patients who have demographics recorded as structured data. CC ID 06227 | Monitoring and measurement | Preventive | |
Report on the percentage of unique patients over the age of 2 who have their height, weight, and blood pressure recorded as structured data. CC ID 06228 | Monitoring and measurement | Preventive | |
Report on the percentage of unique patients over the age of 13 who have their smoking status recorded as structured data. CC ID 06229 | Monitoring and measurement | Preventive | |
Report on the percentage of patients who are given an electronic copy of their Individually Identifiable Health Information not later than three business days after Individually Identifiable Health Information is requested. CC ID 06230 | Monitoring and measurement | Preventive | |
Report on the percentage of patients who are given clinical summaries not later than three business days after a physician office visit. CC ID 06231 | Monitoring and measurement | Preventive | |
Report on the percentage of lab test results that are incorporated into the Electronic Health Records as structured data. CC ID 06232 | Monitoring and measurement | Preventive | |
Report on the percentage of patients sixty-five years of age or older or five years of age or younger who were sent a reminder. CC ID 06233 | Monitoring and measurement | Preventive | |
Report on the percentage of unique patients who are given electronic access to their Individually Identifiable Health Information not later than four business days after their Individually Identifiable Health Information is updated. CC ID 06234 | Monitoring and measurement | Preventive | |
Report on the percentage of unique patients who are given patient-specific education resources. CC ID 06235 | Monitoring and measurement | Preventive | |
Report on the percentage of medication reconciliations that are performed if a patient is received from another setting or healthcare provider. CC ID 06236 | Monitoring and measurement | Preventive | |
Report on the percentage of summary of care records that are provided for transitions of care or referrals for patients who are transitioned or referred to another setting or healthcare provider. CC ID 06237 | Monitoring and measurement | Preventive | |
Report on the percentage of patients who receive their discharge instructions if discharge instructions are requested. CC ID 06238 | Monitoring and measurement | Preventive | |
Report on the percentage of patients 65 years of age or older who have an indication of advance directive status recorded as structured data. CC ID 06239 | Monitoring and measurement | Preventive | |
Report compliance monitoring statistics to the Board of Directors and other critical stakeholders, as necessary. CC ID 00676 [Finally, the governing body should report honestly and transparently to relevant stakeholders on the organizational governance framework. This includes reporting: its assessment of the governance outcomes achieved. § 5 ¶ 7 Bullet 2 Assurance processes that inform the governing body independently and accurately include: direct reports by, and private sessions with, internal audit as an independent provider of assurance, including insight and advice, on the effectiveness and performance of governance processes and the internal control system, in particular risk management and compliance management; § 6.4.3.3 ¶ 2 Bullet 3 Assurance processes that inform the governing body independently and accurately include: direct reports by, and private sessions with, risk management and compliance management as independent control functions; § 6.4.3.3 ¶ 2 Bullet 2] | Monitoring and measurement | Corrective | |
Collect all work papers for the audit and audit report into an engagement file. CC ID 07001 | Audits and risk management | Preventive | |
Include the word independent in the title of audit reports. CC ID 07003 | Audits and risk management | Preventive | |
Include the date of the audit in the audit report. CC ID 07024 | Audits and risk management | Preventive | |
Include information about the organization being audited and the auditor performing the audit in the audit report. CC ID 07004 | Audits and risk management | Preventive | |
Include a statement that access to the report is restricted based on least privilege in the audit report. CC ID 07023 | Audits and risk management | Preventive | |
Include the organization's audit assertion of the in scope system in the audit report. CC ID 07005 | Audits and risk management | Preventive | |
Disclose any audit irregularities in the audit report. CC ID 06995 | Audits and risk management | Preventive | |
Monitor and report on the status of mitigation actions in the corrective action plan. CC ID 15250 | Audits and risk management | Corrective | |
Assess the potential level of business impact risk associated with natural disasters. CC ID 06470 | Audits and risk management | Detective | |
Measure policy compliance when reviewing the internal control framework. CC ID 06442 [The governing body should establish governance policies and ensure that these: set expectations for internal controls, compliance, risk management and risk taking; § 6.3.3.1.2 ¶ 1 e)] | Operational management | Corrective | |
Report the analysis of consumer complaints to the Quality Management committee. CC ID 07209 | Acquisition or sale of facilities, technology, and services | Preventive |

Common Control (Mandated - bold, Implied - italic, Implementation - regular) | IMPACT ZONE | CLASS | |
---|---|---|---|
Address operational anomalies within the incident management system. CC ID 11633 | Monitoring and measurement | Preventive | |
Incorporate an Identity Theft Prevention Program into the organization's incident management system. CC ID 11634 | Monitoring and measurement | Preventive | |
Identify information being used to support performance reviews for risk optimization. CC ID 12865 | Monitoring and measurement | Preventive | |
Provide cross-organizational audit information based on the cross-organizational audit sharing agreement. CC ID 10596 | Monitoring and measurement | Preventive | |
Manage supply chain audits. CC ID 01203 | Audits and risk management | Preventive | |
Review the external auditors' involvement in assessing Information Technology controls. CC ID 01204 | Audits and risk management | Preventive | |
Rotate auditors, as necessary. CC ID 15589 [Where external auditors are appointed, there should be a rotation of audit firms or auditors and careful consideration and transparency of the non-audit services they provide, to ensure continued independent assurance. § 6.4.3.3 ¶ 3] | Audits and risk management | Preventive | |
Engage auditors who have adequate knowledge of the subject matter. CC ID 07102 | Audits and risk management | Preventive | |
Review the external audit scope, as necessary. CC ID 01202 | Audits and risk management | Preventive | |
Include nondisclosure agreements in external auditor outsourcing contracts. CC ID 10014 | Audits and risk management | Detective | |
Review the external auditor's qualifications. CC ID 01197 | Audits and risk management | Preventive | |
Conduct a performance review of the external auditor's performance during the audit process. CC ID 01198 | Audits and risk management | Preventive | |
Define what constitutes a threat to independence. CC ID 16824 | Audits and risk management | Preventive | |
Determine if requested services create a threat to independence. CC ID 16823 | Audits and risk management | Detective | |
Include provisions for legislative plurality and legislative domain in the audit program. CC ID 06959 | Audits and risk management | Preventive | |
Include in scope procedures in the audit assertion's in scope system description. CC ID 16551 | Audits and risk management | Preventive | |
Include roles and responsibilities in the audit assertion's in scope system description. CC ID 16558 | Audits and risk management | Preventive | |
Include the audit criteria in the audit assertion's in scope system description. CC ID 16548 | Audits and risk management | Preventive | |
Include third party data in the audit assertion's in scope system description. CC ID 16554 | Audits and risk management | Preventive | |
Include third party personnel in the audit assertion's in scope system description. CC ID 16552 | Audits and risk management | Preventive | |
Include compliance requirements in the audit assertion's in scope system description. CC ID 16506 | Audits and risk management | Preventive | |
Include third party assets in the audit assertion's in scope system description. CC ID 16550 | Audits and risk management | Preventive | |
Include deviations and the corrective actions taken in the audit assertion's in scope system description. CC ID 16549 | Audits and risk management | Preventive | |
Determine the appropriateness of the audit assertion's in scope system description. CC ID 16449 | Audits and risk management | Detective | |
Hold an opening meeting with interested personnel and affected parties prior to an audit. CC ID 15256 | Audits and risk management | Preventive | |
Confirm audit requirements during the opening meeting. CC ID 15255 | Audits and risk management | Detective | |
Include discussions about how particular situations will be handled in the opening meeting. CC ID 15254 | Audits and risk management | Preventive | |
Include third party assets in the audit scope. CC ID 16504 | Audits and risk management | Preventive | |
Determine the appropriateness of the audit subject matter. CC ID 16505 | Audits and risk management | Preventive | |
Include the in scope material or in scope products in the audit program. CC ID 08961 | Audits and risk management | Preventive | |
Include the date of the audit in the representation letter. CC ID 16517 | Audits and risk management | Preventive | |
Include the criteria for determining the desired level of assurance in the audit program. CC ID 12795 | Audits and risk management | Preventive | |
Refrain from performing an attestation engagement under defined conditions. CC ID 13952 | Audits and risk management | Detective | |
Refrain from accepting an attestation engagement when all parties disagree on the procedures. CC ID 13951 | Audits and risk management | Preventive | |
Audit in scope audit items and compliance documents. CC ID 06730 | Audits and risk management | Preventive | |
Identify hypothetical assumptions in forecasts and projections during an audit. CC ID 13946 | Audits and risk management | Detective | |
Refrain from examining forecasts and projections which refrain from disclosing assumptions during an audit. CC ID 13932 | Audits and risk management | Detective | |
Audit policies, standards, and procedures. CC ID 12927 | Audits and risk management | Preventive | |
Investigate the nature and causes of misstatements in the audit assertion's in scope system description. CC ID 16557 | Audits and risk management | Detective | |
Review incident management audit logs to determine the effectiveness of in scope controls. CC ID 12157 | Audits and risk management | Detective | |
Review audit reports to determine the effectiveness of in scope controls. CC ID 12156 | Audits and risk management | Detective | |
Observe processes to determine the effectiveness of in scope controls. CC ID 12155 | Audits and risk management | Detective | |
Interview stakeholders to determine the effectiveness of in scope controls. CC ID 12154 | Audits and risk management | Detective | |
Review policies and procedures to determine the effectiveness of in scope controls. CC ID 12144 | Audits and risk management | Detective | |
Evaluate personnel status changes to determine the effectiveness of in scope controls. CC ID 16556 | Audits and risk management | Detective | |
Determine whether individuals performing a control have the appropriate staff qualifications, staff clearances, and staff competencies. CC ID 16555 | Audits and risk management | Detective | |
Implement procedures that collect sufficient audit evidence. CC ID 07153 | Audits and risk management | Preventive | |
Collect evidence about the in scope audit items of the audit assertion. CC ID 07154 | Audits and risk management | Preventive | |
Collect audit evidence sufficient to avoid misstatements. CC ID 07155 | Audits and risk management | Preventive | |
Collect audit evidence at the level of the organization's competence in the subject matter. CC ID 07156 | Audits and risk management | Preventive | |
Collect audit evidence sufficient to overcome inadequacies in the organization's attestation. CC ID 07157 | Audits and risk management | Preventive | |
Include audit evidence obtained from previous engagements in the work papers. CC ID 16518 | Audits and risk management | Preventive | |
Include if the audit evidence has identified in scope control deficiencies in the work papers. CC ID 07152 | Audits and risk management | Detective | |
Include any subsequent events related to the audit assertion or audit subject matter in the work papers. CC ID 07177 | Audits and risk management | Preventive | |
Review the subject matter expert's findings. CC ID 16559 | Audits and risk management | Detective | |
Provide auditors access to all in scope records, in scope assets, personnel and in scope procedures. CC ID 06966 | Audits and risk management | Preventive | |
Solve any access problems auditors encounter during the audit. CC ID 08959 | Audits and risk management | Corrective | |
Notify interested personnel and affected parties when an auditee refuses to provide access or participate in the audit. CC ID 08960 | Audits and risk management | Preventive | |
Include the justification for not following the applicable requirements in the audit report. CC ID 16822 | Audits and risk management | Preventive | |
Include a statement that the applicable requirements were not followed in the audit report. CC ID 16821 | Audits and risk management | Preventive | |
Refrain from referencing previous engagements in the audit report. CC ID 16516 | Audits and risk management | Preventive | |
Identify the participants from the organization being audited in the audit report. CC ID 15258 | Audits and risk management | Detective | |
Include the timing of controls in the description of tests of controls and results in the audit report. CC ID 16553 | Audits and risk management | Preventive | |
Include the organization's in scope system description in the audit report. CC ID 11626 | Audits and risk management | Preventive | |
Include the scope and work performed in the audit report. CC ID 11621 | Audits and risk management | Preventive | |
Review the adequacy of the internal auditor's work papers. CC ID 01146 | Audits and risk management | Detective | |
Review the adequacy of the internal auditor's audit reports. CC ID 11620 | Audits and risk management | Detective | |
Review management's response to issues raised in past audit reports. CC ID 01149 | Audits and risk management | Detective | |
Review the audit program scope as it relates to the organization's profile. CC ID 01159 | Audits and risk management | Detective | |
Assess the quality of the audit program in regards to its documentation. CC ID 11622 | Audits and risk management | Preventive | |
Take into account if the system will be accessed by or have an impact on children in the risk management program. CC ID 14992 | Audits and risk management | Preventive | |
Analyze the risk management strategy for addressing requirements. CC ID 12926 | Audits and risk management | Detective | |
Analyze the risk management strategy for addressing threats. CC ID 12925 | Audits and risk management | Detective | |
Analyze the risk management strategy for addressing opportunities. CC ID 12924 | Audits and risk management | Detective | |
Address past incidents in the risk assessment program. CC ID 12743 | Audits and risk management | Preventive | |
Establish and maintain the factors and context for risk to the organization. CC ID 12230 [The governing body should ensure that it considers the effect of uncertainty on the organizational purpose and associated strategic outcomes. § 6.9.1 ¶ 1 The governing body should ensure that it considers the effect of uncertainty on the organizational purpose and associated strategic outcomes. Table 1 Column 4 Row 10 The governing body should oversee the organization's management of risk (see 6.4), ensuring that: a holistic view is taken by the organization, including consideration of all relevant types of risk; § 6.9.3.4 ¶ 1 a) {internal context}When setting the strategic outcomes and guiding the organizational strategy, the governing body should consider the organization's internal and external context, including: the organization's risk landscape; § 6.3.3.1.1 ¶ 2 c)] | Audits and risk management | Preventive | |
Employ risk assessment procedures that take into account risk factors. CC ID 16560 | Audits and risk management | Preventive | |
Categorize the systems, information, and data by risk profile in the threat and risk classification scheme. CC ID 01443 | Audits and risk management | Preventive | |
Review the risk profiles, as necessary. CC ID 16561 | Audits and risk management | Detective | |
Include risks to critical personnel and assets in the threat and risk classification scheme. CC ID 00698 | Audits and risk management | Preventive | |
Assign a probability of occurrence to all types of threats in the threat and risk classification scheme. CC ID 01173 | Audits and risk management | Preventive | |
Establish, implement, and maintain risk profiling procedures for internal risk assessments. CC ID 01157 | Audits and risk management | Preventive | |
Automate as much of the risk assessment program, as necessary. CC ID 06459 | Audits and risk management | Preventive | |
Approve the results of the risk assessment as documented in the risk assessment report. CC ID 07109 | Audits and risk management | Preventive | |
Review risks to the organization's audit function when changes in the supply chain occur. CC ID 01154 | Audits and risk management | Preventive | |
Review the risk to the audit function when the audit personnel status changes. CC ID 01153 | Audits and risk management | Preventive | |
Conduct external audits of risk assessments, as necessary. CC ID 13308 | Audits and risk management | Detective | |
Correlate the business impact of identified risks in the risk assessment report. CC ID 00686 | Audits and risk management | Preventive | |
Conduct a Business Impact Analysis, as necessary. CC ID 01147 | Audits and risk management | Detective | |
Analyze and quantify the risks to in scope systems and information. CC ID 00701 | Audits and risk management | Preventive | |
Establish and maintain a Risk Scoping and Measurement Definitions Document. CC ID 00703 | Audits and risk management | Preventive | |
Identify the material risks in the risk assessment report. CC ID 06482 | Audits and risk management | Preventive | |
Assess the potential level of business impact risk associated with each business process. CC ID 06463 [{be dependent}{environmental system}{social system}The governing body should ensure that the organization protects and restores those systems on which it depends. In this regard, the governing body should consider and manage risk associated with those decisions it makes that can impact the natural environmental, social and economic systems (see 6.9). While doing so, the governing body should ensure that relevant stakeholders are consulted and engaged (see 6.6). This should provide clarity regarding the impact the governing body's decisions have, over time, on those aspects on which the organization is: directly dependent; § 6.11.3.4 ¶ 1 Bullet 1 {be independent}{environmental system}{social system}The governing body should ensure that the organization protects and restores those systems on which it depends. In this regard, the governing body should consider and manage risk associated with those decisions it makes that can impact the natural environmental, social and economic systems (see 6.9). While doing so, the governing body should ensure that relevant stakeholders are consulted and engaged (see 6.6). This should provide clarity regarding the impact the governing body's decisions have, over time, on those aspects on which the organization is: not directly dependent but whose ability to be sustained will be affected by the governing body's decisions. § 6.11.3.4 ¶ 1 Bullet 2] | Audits and risk management | Detective | |
Assess the potential level of business impact risk associated with the business environment. CC ID 06464 [The governing body should ensure that the value generation objectives are delivered by the organization as a whole, by applying all other principles in this document. This includes ensuring that: the impacts of the organization's changing context are identified, understood, monitored and appropriate action is taken; § 6.2.3.4 ¶ 1 b) {be responsible}{be accurate}The governing body should ensure that the organizational risk framework, in respect to the management of risk: mandates that relevant stakeholders are engaged responsibly and accurately, and considers the organization's positive and negative risk impacts on them (see 6.6). § 6.9.3.2 ¶ 2 h) {positive impact}The governing body should ensure that the organization's value generation model identifies and assesses (see 6.2): the organization's positive and negative impacts on these systems. § 6.11.3.3 ¶ 1 c) {external context}The governing body should ensure that the organizational risk framework, in respect to the management of risk: considers the impact of, changes to and dependencies on the external and internal context of the organization, including: § 6.9.3.2 ¶ 2 d) {social context}{internal context}When setting the strategic outcomes and guiding the organizational strategy, the governing body should consider the organization's internal and external context, including: the interdependence between the natural environment, social and economic context – the organization's material impact on the context and its material impact on the organization; § 6.3.3.1.1 ¶ 2 e) {internal context}When setting the strategic outcomes and guiding the organizational strategy, the governing body should consider the organization's internal and external context, including: the organization's impact on stakeholders; § 6.3.3.1.1 ¶ 2 h) Defining the organizational purpose involves identifying the issues and stakeholders for which the organization exists to serve and the negative impacts that are to be avoided. When identifying these, the governing body should ensure that the following are considered: § 6.1.3.2 ¶ 1] | Audits and risk management | Detective | |
Assess the potential level of business impact risk associated with business information of in scope systems. CC ID 06465 | Audits and risk management | Detective | |
Assess the potential business impact risk of in scope systems caused by deliberate threats to their confidentiality, integrity, and availability. CC ID 06466 | Audits and risk management | Detective | |
Assess the potential level of business impact risk caused by accidental threats to the confidentiality, integrity and availability of critical systems. CC ID 06467 | Audits and risk management | Detective | |
Assess the potential level of business impact risk associated with reputational damage. CC ID 15335 | Audits and risk management | Detective | |
Assess the potential level of business impact risk associated with insider threats. CC ID 06468 | Audits and risk management | Detective | |
Assess the potential level of business impact risk associated with external entities. CC ID 06469 | Audits and risk management | Detective | |
Assess the potential level of business impact risk associated with control weaknesses. CC ID 06471 | Audits and risk management | Detective | |
Prioritize and select controls based on the risk assessment findings. CC ID 00707 | Audits and risk management | Preventive | |
Prioritize and categorize the effects of opportunities, threats and requirements on control activities. CC ID 12822 | Audits and risk management | Preventive | |
Develop key indicators to inform management on the effectiveness of risk control measures. CC ID 12946 | Audits and risk management | Preventive | |
Include the release status of the risk assessment in the risk treatment plan. CC ID 16320 | Audits and risk management | Preventive | |
Identify the planned actions and controls that address high risk in the risk treatment plan. CC ID 12835 | Audits and risk management | Preventive | |
Identify the current actions and controls that address high risk in the risk treatment plan. CC ID 12834 | Audits and risk management | Preventive | |
Approve the risk treatment plan. CC ID 13495 | Audits and risk management | Preventive | |
Analyze the impact of artificial intelligence systems on society. CC ID 16317 | Audits and risk management | Detective | |
Analyze the impact of artificial intelligence systems on individuals. CC ID 16316 | Audits and risk management | Detective | |
Establish, implement, and maintain a cybersecurity risk management program. CC ID 16827 | Audits and risk management | Preventive | |
Analyze the effect of the Governance, Risk, and Compliance capability to achieve organizational objectives. CC ID 12809 | Operational management | Preventive |
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
---|---|---|---|
Take into account the need for protecting information confidentiality during infrastructure planning. CC ID 06486 | Leadership and high level objectives | Preventive | |
Involve knowledgeable and experienced individuals in the decision-making process. CC ID 06915 [The governing body should make decisions of requisite quality and ensure that its decision-making is appropriately informed. The governing body should: § 6.8.3.2.1 ¶ 1 The governing body should make decisions of requisite quality and ensure that its decision-making is appropriately informed. The governing body should: ensure that diverse inputs are provided to a rigorous, open and transparent decision-making process and that the results that can be achieved, options for achieving them and their implications are understood. § 6.8.3.2.1 ¶ 1 h) The governing body should steer the organizational strategy by means of: reserving some decisions for the governing body (those which materially or fundamentally impact the organization as a whole) and delegating others; § 6.3.3.2.2 ¶ 2 e)] | Leadership and high level objectives | Preventive | |
Establish and maintain a rapport with business and technical communities throughout the organization to promote the value and importance of Information Security. CC ID 06493 | Leadership and high level objectives | Preventive | |
Notify the interested personnel and affected parties before the storage unit will reach maximum capacity. CC ID 06773 | Monitoring and measurement | Detective | |
Carry out disciplinary actions when a compliance violation is detected. CC ID 06675 [When delegating, the governing body should delegate in a manner which increases trust and transparency. For delegation and accountability (see 6.5) to be effective, the governing body should ensure that the following conditions are fulfilled: consequences, such as sanctions, for the non-fulfilment of a responsibility or non-adherence to established parameters are enforceable. § 4.2.2 ¶ 2 e)] | Monitoring and measurement | Corrective | |
Question external auditors about how audits were conducted and what is in the audit reports. CC ID 04587 | Audits and risk management | Preventive | |
Disseminate and communicate with the organization about any missing audit documentation. CC ID 06992 | Audits and risk management | Preventive | |
Exercise due professional care during the planning and performance of the audit. CC ID 07119 | Audits and risk management | Preventive | |
Refrain from accepting an attestation engagement unless the prospective financial information includes a summary of significant assumptions. CC ID 13954 | Audits and risk management | Preventive | |
Verify statements made by interviewees are correct. CC ID 16299 | Audits and risk management | Detective | |
Explain the goals of the interview to the interviewee. CC ID 07189 | Audits and risk management | Detective | |
Resolve disputes before creating the audit summary. CC ID 08964 | Audits and risk management | Preventive | |
Disseminate and communicate to the organization that access and use of audit reports are based on least privilege. CC ID 07171 | Audits and risk management | Preventive | |
Use the risk taxonomy when managing risk. CC ID 12280 | Audits and risk management | Preventive | |
Disseminate and communicate information about risks to all interested personnel and affected parties. CC ID 06718 [To demonstrate accountability, the governing body should ensure that the organization's reports and disclosures: explain and justify the organization's actions, inactions, omissions, risk and dependencies, including those of the governing body; § 6.5.3.2 ¶ 1 g) To ensure that the organization fulfils the organizational purpose and achieves the intended strategic outcomes, the governing body should: ensure that when the governing body makes decisions, it assesses, treats, monitors, and communicates the nature and extent of the risks faced; § 6.9.3.1 ¶ 2 b) The governing body should oversee the organization's management of risk (see 6.4), ensuring that: effective risk reporting and communication of risk are practised and promoted throughout the organization; § 6.9.3.4 ¶ 1 h) Assurance processes that inform the governing body independently and accurately include: direct reports by, and private sessions with, internal audit as an independent provider of assurance, including insight and advice, on the effectiveness and performance of governance processes and the internal control system, in particular risk management and compliance management; § 6.4.3.3 ¶ 2 Bullet 3 {environmental system}{social system}The governing body should ensure that when the organization reports and discloses its value generation model (see 6.2 and 6.5) these include: the risks posed to the organization, and the organization's value generation model, by the natural environmental, social and economic systems within which it operates and by the governing body's decisions; § 6.11.3.4 ¶ 2 b) {environmental system}{social system}The governing body should ensure that when the organization reports and discloses its value generation model (see 6.2 and 6.5) these include: the risks posed to the natural environmental, social and economic systems by the organization, by the organization's value generation model and by the governing body's decisions. § 6.11.3.4 ¶ 2 c)] | Audits and risk management | Preventive | |
Disseminate and communicate the risk acceptance level in the risk treatment plan to all interested personnel and affected parties. CC ID 06849 | Audits and risk management | Preventive | |
Disseminate and communicate critical third party dependencies to interested personnel and affected parties. CC ID 06816 [To demonstrate accountability, the governing body should ensure that the organization's reports and disclosures: explain and justify the organization's actions, inactions, omissions, risk and dependencies, including those of the governing body; § 6.5.3.2 ¶ 1 g)] | Operational and Systems Continuity | Preventive | |
Limit the activities performed as a proxy to an organizational leader. CC ID 12054 | Human Resources management | Preventive | |
Delegate authority for specific processes, as necessary. CC ID 06780 [When delegating, the governing body should delegate in a manner which increases trust and transparency. For delegation and accountability (see 6.5) to be effective, the governing body should ensure that the following conditions are fulfilled: § 4.2.2 ¶ 2 {be effective} Depending on the size of the organization, governing bodies can create committees to help them fulfil their obligations. These committees can be statutory or voluntary. In either case, they should provide the governing body with additional capacity, skills, independence, diversity and/or stakeholder representation. If a governing body makes use of supporting committees, the governing body should ensure that it effectively delegates the necessary responsibilities and authority to such committees. § 4.3.1 ¶ 2 The governing body should engage with strategic planning by: delegating as necessary; § 6.3.3.2.1 ¶ 1 b) The governing body should ensure that effective delegation is practised (see 4.2.2), as this is necessary for accountability. § 6.5.3.1 ¶ 2] | Human Resources management | Preventive | |
Implement personnel supervisory practices. CC ID 00773 | Human Resources management | Preventive | |
Establish and maintain relationships with critical stakeholders, business functions, and leadership outside the in scope staff. CC ID 00779 [The governing body should ensure that the organization's stakeholders are identified, prioritized, appropriately engaged, consulted and their expectations understood. The governing body should do this to ensure that stakeholder relationships are effective and appropriate decisions about expectations are made to achieve the intended value generation objectives. § 6.6.3 ¶ 1 The governing body should consider the expectations of relevant stakeholder groups whether the organization is obliged to do so (e.g. member stakeholders, regulators) or whether it chooses to do so (e.g. reference stakeholders). The governing body should ensure that: collaborative relationships with relevant stakeholders are maintained; § 6.6.3 ¶ 3 c) Ethical and effective leadership should be demonstrated in three areas: the manner in which the organization interacts with, and impacts, its stakeholders and the context within which it operates. § 6.7.3.1 ¶ 4 c) Within the organization's external context: The governing body should ensure that the organization treats stakeholders in a manner consistent with its organizational values. § 6.7.3.3 ¶ 1 c) In order to lead ethically and effectively, the governing body should lead by example to create a positive culture, set the tone for others, and engender trust and cooperation among the organization's stakeholders. § 6.7.3.1 ¶ 2 {internal context}When setting the strategic outcomes and guiding the organizational strategy, the governing body should consider the organization's internal and external context, including: the quality and nature of stakeholder relationships and effectiveness of stakeholder engagement; § 6.3.3.1.1 ¶ 2 g) When the governing body groups stakeholders, it should clarify its criteria for grouping, and for determining the relevance of, stakeholders. The governing body should also ensure that a stakeholder engagement process is devised on this basis. § 6.6.3 ¶ 2] | Human Resources management | Preventive | |
Include management commitment in the occupational health and safety policy. CC ID 16264 | Human Resources management | Preventive | |
Protect personnel from work-related intimidation. CC ID 07046 | Human Resources management | Preventive | |
Include limitations on referrals for products and services in the Code of Conduct. CC ID 16719 | Human Resources management | Preventive | |
Implement a sanctions process for personnel who fail to comply with the organizational compliance program. CC ID 01442 [{be ethical}{be effective} Where dilemmas turn into conflicts or disputes, alternative dispute resolution mechanisms should be considered over formal litigation where possible. Disputes should be resolved ethically and effectively. § 6.7.3.4 ¶ 3] | Human Resources management | Corrective | |
Take disciplinary actions against individuals who violate the Code of Conduct. CC ID 06435 | Human Resources management | Preventive | |
Establish, implement, and maintain ethical decision-making guidelines. CC ID 12908 [Ethical behaviour — The organization behaves in accordance with accepted principles of right or good conduct in the context of a particular situation and in a manner consistent with international norms of behaviour, including demonstrating: competence and probity in the manner in which it makes decisions. § 5 ¶ 2 c) 5)] | Human Resources management | Preventive | |
Establish, implement, and maintain an ethical culture. CC ID 12781 [Ethical behaviour — The organization behaves in accordance with accepted principles of right or good conduct in the context of a particular situation and in a manner consistent with international norms of behaviour, including demonstrating: an ethical culture; § 5 ¶ 2 c) 1) Ethical behaviour — The organization behaves in accordance with accepted principles of right or good conduct in the context of a particular situation and in a manner consistent with international norms of behaviour, including demonstrating: fairness in the treatment of, and engagement with, stakeholders; § 5 ¶ 2 c) 3)] | Human Resources management | Preventive | |
Refrain from discriminating against employees who refuse or intend to refuse to do something that contravenes requirements. CC ID 13608 | Human Resources management | Preventive | |
Refrain from discriminating against employees who are whistleblowers. CC ID 13609 | Human Resources management | Preventive | |
Refrain from discriminating against employees who disclose that their employer or another person has or intends to contravene requirements. CC ID 13607 | Human Resources management | Preventive | |
Refrain from approving previously performed activities when acting on behalf of the Chief Information Security Officer. CC ID 12060 | Human Resources management | Preventive | |
Refrain from performing activities with approval responsibility when acting on behalf of the Chief Information Security Officer. CC ID 12059 | Human Resources management | Preventive | |
Prohibit roles from performing activities that they are assigned the responsibility for approving. CC ID 12052 | Human Resources management | Preventive | |
Disseminate and communicate updates to the Governance, Risk, and Compliance framework to interested personnel and affected parties. CC ID 06955 [To demonstrate accountability, the governing body should ensure that the organization's reports and disclosures: provide information about the governing body itself, including: decisions, actions, performance and improvements; § 6.5.3.2 ¶ 1 b) 1)] | Operational management | Preventive | |
Make compliance and governance decisions in a timely manner. CC ID 06490 | Operational management | Preventive | |
Refrain from accepting instant messages from unknown senders. CC ID 12537 | Operational management | Preventive | |
Include employee engagement in the analysis of the organizational culture. CC ID 12914 | Operational management | Preventive | |
Include skill development in the analysis of the organizational culture. CC ID 12913 | Operational management | Preventive | |
Include employee turnover rates in the analysis of the organizational culture. CC ID 12912 | Operational management | Preventive | |
Include employee loyalty in the analysis of the organizational culture. CC ID 12911 | Operational management | Preventive | |
Include employee satisfaction in the analysis of the organizational culture. CC ID 12910 | Operational management | Preventive | |
Disseminate and communicate the Governance, Risk, and Compliance framework to all interested personnel and affected parties. CC ID 00815 [{individual}{hold accountable} The governing body should demonstrate its willingness to answer for the fulfilment of its responsibilities, even where these have been delegated. The governing body should also report on the manner in which it holds to account those to whom it has delegated. § 6.5.3.1 ¶ 1 To demonstrate accountability, the governing body should ensure that the organization's reports and disclosures: provide information about the governing body itself, including: § 6.5.3.2 ¶ 1 b) Finally, the governing body should report honestly and transparently to relevant stakeholders on the organizational governance framework. This includes reporting: § 5 ¶ 7] | Operational management | Preventive | |
Notify interested personnel and affected parties prior to when the system is redeployed or the system is disposed. CC ID 06400 | Operational management | Preventive | |
Maintain contact with the device manufacturer or component manufacturer for maintenance requests. CC ID 06388 | Operational management | Preventive | |
Respond to maintenance requests inside the organizationally established time frame. CC ID 04878 | Operational management | Preventive | |
Perform periodic maintenance according to organizational standards. CC ID 01435 | Operational management | Preventive | |
Notify the complainant regarding any missing information in the take-down request. CC ID 09973 | Acquisition or sale of facilities, technology, and services | Preventive | |
Respond to data access requests in a timely manner. CC ID 00421 | Privacy protection for information and data | Preventive | |
Notify the individual of the reasons for delays in responding to data access requests. CC ID 00422 | Privacy protection for information and data | Detective | |
Notify the individual when a cost is imposed which must be paid in advance to gain access. CC ID 00423 | Privacy protection for information and data | Detective | |
Notify the data subject of the source of collected personal data. CC ID 00083 | Privacy protection for information and data | Preventive | |
Refrain from requiring a Personal Identification Number to purchase goods or services. CC ID 00069 | Privacy protection for information and data | Preventive | |
Use simple understandable language to collect information from children. CC ID 00039 | Privacy protection for information and data | Preventive | |
Use the contact information on file to contact the individual identified in an account change request. CC ID 04857 | Privacy protection for information and data | Detective |
Establish, implement, and maintain a reporting methodology program. CC ID 02072 [The governing body should: set an expectation of the appropriate quality and quantity of measurement and timeliness of delivery when establishing objectives; § 4.3.2 ¶ 2 c) The governing body should: determine the most appropriate reporting methodologies for the organization, given the expectations of its relevant stakeholders; § 6.5.3.2 ¶ 2 Bullet 1 The governing body should consider the expectations of relevant stakeholder groups whether the organization is obliged to do so (e.g. member stakeholders, regulators) or whether it chooses to do so (e.g. reference stakeholders). The governing body should ensure that: reporting is coherent so that stakeholders can effectively assess the organization's governance arrangements (see 6.5.3). § 6.6.3 ¶ 3 f) To demonstrate accountability, the governing body should ensure that the organization's reports and disclosures: report on historic actions and outcomes, as well as future intentions. § 6.5.3.2 ¶ 1 h) {be complete}{be understandable}{be responsive}{be accurate}{be timely}The governing body should: ensure that reported information and disclosed information are material, complete, understandable, responsive, accurate, balanced and timely; § 6.5.3.2 ¶ 2 Bullet 2] | Leadership and high level objectives | Preventive | |
Use secure communication protocols for telecommunications. CC ID 16458 | Leadership and high level objectives | Preventive | |
Analyze the flow of information to ensure it is being received by the correct processes. CC ID 12860 [The governing body should make decisions of requisite quality and ensure that its decision-making is appropriately informed. The governing body should: exercise its right and responsibility to determine and receive the information it requires, including determining the appropriate data collection methods, preparation and timely delivery of information; § 6.8.3.2.1 ¶ 1 f)] | Leadership and high level objectives | Preventive | |
Establish, implement, and maintain an internal reporting program. CC ID 12409 [{individual}To exercise effective oversight, the governing body should: require those to whom they have delegated to provide timely and accurate reports on all material aspects of the management of the organization; § 6.4.3.1 ¶ 1 a) The governing body should oversee organizational performance by assessing and taking corrective action based on: managerial reporting and performance, ensuring that it appraises results against applicable measurement criteria and its intentions and expectations (see 6.3.3); § 6.4.3.2 ¶ 1 b) The governing body should make decisions of requisite quality and ensure that its decision-making is appropriately informed. The governing body should: exercise its right and responsibility to determine and receive the information it requires, including determining the appropriate data collection methods, preparation and timely delivery of information; § 6.8.3.2.1 ¶ 1 f)] | Leadership and high level objectives | Preventive | |
Include transactions and events as a part of internal reporting. CC ID 12413 | Leadership and high level objectives | Preventive | |
Identify the material topics required to be reported on. CC ID 15654 | Leadership and high level objectives | Preventive | |
Analyze the business environment in which the organization operates. CC ID 12798 [When applying the governance principles and deciding how to appropriately implement the practices, the governing body should take into consideration the unique and dynamic nature of the organization and its context, including the following: § 5 ¶ 5 Defining the organizational purpose involves identifying the issues and stakeholders for which the organization exists to serve and the negative impacts that are to be avoided. When identifying these, the governing body should ensure that the following are considered: existing documentation relating to the organizational purpose and the scope of the organization's activities, such as constituting documents or other artefacts; § 6.1.3.2 ¶ 1 a) Take steps to become appropriately informed of all aspects of the organization and the context within which it operates (such as legal, natural environment, social, economic, technical and personnel). Table 2 Column 2 Row 3 Bullet 1] | Leadership and high level objectives | Preventive | |
Align assets with business functions and the business environment. CC ID 13681 | Leadership and high level objectives | Preventive | |
Analyze the external environment in which the organization operates. CC ID 12799 [Responsible stewardship — The organization: considers the global context; § 5 ¶ 2 b) 3) {social context}{internal context}When setting the strategic outcomes and guiding the organizational strategy, the governing body should consider the organization's internal and external context, including: the interdependence between the natural environment, social and economic context – the organization's material impact on the context and its material impact on the organization; § 6.3.3.1.1 ¶ 2 e)] | Leadership and high level objectives | Preventive | |
Include environmental requirements in the analysis of the external environment. CC ID 12965 [While not defined as stakeholders, the natural environment and society as a whole should also be considered by the governing body in its decision-making because they affect or will be affected by the organization's activities. § 4.2.5 ¶ 2 {legal and regulatory context}{social context}When applying the governance principles and deciding how to appropriately implement the practices, the governing body should take into consideration the unique and dynamic nature of the organization and its context, including the following: legal, regulatory, natural environment, social and economic context; § 5 ¶ 5 Bullet 2 {social issue} In determining the value generation model, the governing body should understand the context in which the organization operates over time, including stakeholder expectations, regulatory frameworks, technological change, and the present and potential future natural environment, social and economic issues. The governing body should also ensure that the organization's value generation model continues to be viable and responds to changing conditions. § 6.2.3.1 ¶ 3] | Leadership and high level objectives | Preventive | |
Include regulatory requirements in the analysis of the external environment. CC ID 12964 [{legal and regulatory context}{social context}When applying the governance principles and deciding how to appropriately implement the practices, the governing body should take into consideration the unique and dynamic nature of the organization and its context, including the following: legal, regulatory, natural environment, social and economic context; § 5 ¶ 5 Bullet 2 {social issue} In determining the value generation model, the governing body should understand the context in which the organization operates over time, including stakeholder expectations, regulatory frameworks, technological change, and the present and potential future natural environment, social and economic issues. The governing body should also ensure that the organization's value generation model continues to be viable and responds to changing conditions. § 6.2.3.1 ¶ 3] | Leadership and high level objectives | Preventive | |
Include society in the analysis of the external environment. CC ID 12963 [While not defined as stakeholders, the natural environment and society as a whole should also be considered by the governing body in its decision-making because they affect or will be affected by the organization's activities. § 4.2.5 ¶ 2 {legal and regulatory context}{social context}When applying the governance principles and deciding how to appropriately implement the practices, the governing body should take into consideration the unique and dynamic nature of the organization and its context, including the following: legal, regulatory, natural environment, social and economic context; § 5 ¶ 5 Bullet 2 {social issue} In determining the value generation model, the governing body should understand the context in which the organization operates over time, including stakeholder expectations, regulatory frameworks, technological change, and the present and potential future natural environment, social and economic issues. The governing body should also ensure that the organization's value generation model continues to be viable and responds to changing conditions. § 6.2.3.1 ¶ 3] | Leadership and high level objectives | Preventive | |
Include opportunities in the analysis of the external environment. CC ID 12954 | Leadership and high level objectives | Preventive | |
Include third party relationships in the analysis of the external environment. CC ID 12952 | Leadership and high level objectives | Preventive | |
Include industry forces in the analysis of the external environment. CC ID 12904 [{internal context}When setting the strategic outcomes and guiding the organizational strategy, the governing body should consider the organization's internal and external context, including: the organization's strengths, weaknesses, competitive positioning and operational resilience; § 6.3.3.1.1 ¶ 2 i)] | Leadership and high level objectives | Preventive | |
Include threats in the analysis of the external environment. CC ID 12898 [Defining the organizational purpose involves identifying the issues and stakeholders for which the organization exists to serve and the negative impacts that are to be avoided. When identifying these, the governing body should ensure that the following are considered: important issues including global threats that evolve over time (e.g. climate change); § 6.1.3.2 ¶ 1 c)] | Leadership and high level objectives | Preventive | |
Include geopolitics in the analysis of the external environment. CC ID 12897 | Leadership and high level objectives | Preventive | |
Include legal requirements in the analysis of the external environment. CC ID 12896 | Leadership and high level objectives | Preventive | |
Include technology in the analysis of the external environment. CC ID 12837 [{social issue} In determining the value generation model, the governing body should understand the context in which the organization operates over time, including stakeholder expectations, regulatory frameworks, technological change, and the present and potential future natural environment, social and economic issues. The governing body should also ensure that the organization's value generation model continues to be viable and responds to changing conditions. § 6.2.3.1 ¶ 3] | Leadership and high level objectives | Preventive | |
Include analyzing the market in the analysis of the external environment. CC ID 12836 [{legal and regulatory context}{social context}When applying the governance principles and deciding how to appropriately implement the practices, the governing body should take into consideration the unique and dynamic nature of the organization and its context, including the following: legal, regulatory, natural environment, social and economic context; § 5 ¶ 5 Bullet 2 {social issue} In determining the value generation model, the governing body should understand the context in which the organization operates over time, including stakeholder expectations, regulatory frameworks, technological change, and the present and potential future natural environment, social and economic issues. The governing body should also ensure that the organization's value generation model continues to be viable and responds to changing conditions. § 6.2.3.1 ¶ 3] | Leadership and high level objectives | Preventive | |
Conduct a context analysis to define objectives and strategies. CC ID 12864 [Leadership styles can differ, but they all involve the setting of expectations which others follow. Since the governing body is accountable for the whole organization, including its behaviour, decisions and activities, the governing body should set those expectations it requires the organization to follow, including the parameters within which the organization is to do so. These expectations should be set mindfully and intentionally, considering the context within which the organization operates. § 6.7.3.1 ¶ 1 {internal context} When setting the strategic outcomes and guiding the organizational strategy, the governing body should consider the organization's internal and external context, including: § 6.3.3.1.1 ¶ 2 {social issue} In determining the value generation model, the governing body should understand the context in which the organization operates over time, including stakeholder expectations, regulatory frameworks, technological change, and the present and potential future natural environment, social and economic issues. The governing body should also ensure that the organization's value generation model continues to be viable and responds to changing conditions. § 6.2.3.1 ¶ 3] | Leadership and high level objectives | Preventive | |
Identify requirements that could affect achieving organizational objectives. CC ID 12828 [When applying the governance principles and deciding how to appropriately implement the practices, the governing body should take into consideration the unique and dynamic nature of the organization and its context, including the following: commitments and obligations associated with organizational activities and value generation processes; § 5 ¶ 5 Bullet 6] | Leadership and high level objectives | Preventive | |
Identify opportunities that could affect achieving organizational objectives. CC ID 12826 [New technology brings an increase in the volume and value of data, and a responsibility for governing bodies to ensure that: valuable opportunities are leveraged; § 6.8.3.4 ¶ 1 Bullet 2 To ensure that the organization is acting in a socially responsible way, the governing body should: ensure that issues and opportunities affecting stakeholder expectations are identified and articulated (see 6.9); § 6.10.3 ¶ 1 b) Defining the organizational purpose involves identifying the issues and stakeholders for which the organization exists to serve and the negative impacts that are to be avoided. When identifying these, the governing body should ensure that the following are considered: organizational capabilities and opportunities. § 6.1.3.2 ¶ 1 e) {internal context}When setting the strategic outcomes and guiding the organizational strategy, the governing body should consider the organization's internal and external context, including: potential opportunities for innovation. § 6.3.3.1.1 ¶ 2 k) Defining the organizational purpose involves identifying the issues and stakeholders for which the organization exists to serve and the negative impacts that are to be avoided. When identifying these, the governing body should ensure that the following are considered: § 6.1.3.2 ¶ 1 Defining the organizational purpose involves identifying the issues and stakeholders for which the organization exists to serve and the negative impacts that are to be avoided. When identifying these, the governing body should ensure that the following are considered: important issues including global threats that evolve over time (e.g. climate change); § 6.1.3.2 ¶ 1 c)] | Leadership and high level objectives | Preventive | |
Prioritize organizational objectives. CC ID 09960 [{social context} The governing body should define the organization's value generation objectives such that they fulfil the organizational purpose in accordance with the organizational values and the natural environment, social and economic context within which it operates. This should include iterations of identifying relevant stakeholder groups and determining, prioritizing and formulating objectives which meet the expectations of these groups. § 6.2.3.2 ¶ 1] | Leadership and high level objectives | Preventive | |
Select financial reporting objectives consistent with accounting principles available to the organization. CC ID 12400 | Leadership and high level objectives | Preventive | |
Identify threats that could affect achieving organizational objectives. CC ID 12827 | Leadership and high level objectives | Preventive | |
Review the organization's approach to managing information security, as necessary. CC ID 12005 | Leadership and high level objectives | Preventive | |
Analyze and prioritize the requirements of interested personnel and affected parties. CC ID 12796 [{member stakeholder}When applying the governance principles and deciding how to appropriately implement the practices, the governing body should take into consideration the unique and dynamic nature of the organization and its context, including the following: expectations of relevant stakeholders, particularly member and reference stakeholders; § 5 ¶ 5 Bullet 3 {member stakeholder}{reference stakeholder}{be fair} The governing body should treat, and ensure that the organization treats, all stakeholders fairly and should consider the expectations of relevant stakeholders. The governing body should ensure that the organizational purpose (see 6.1) and the intended value to be generated (see 6.2) are defined through engagement with member, reference and other relevant stakeholders § 4.2.5 ¶ 1 The governing body should oversee organizational performance by assessing and taking corrective action based on: the organization's identification of, and engagement with, relevant stakeholders (see 6.6); § 6.4.3.2 ¶ 1 e) The governing body should ensure that the organization's stakeholders are appropriately engaged and their expectations considered. § 6.6.1 ¶ 1 The governing body should ensure that the organization's stakeholders are identified, prioritized, appropriately engaged, consulted and their expectations understood. The governing body should do this to ensure that stakeholder relationships are effective and appropriate decisions about expectations are made to achieve the intended value generation objectives. § 6.6.3 ¶ 1 The governing body should consider the expectations of relevant stakeholder groups whether the organization is obliged to do so (e.g. member stakeholders, regulators) or whether it chooses to do so (e.g. reference stakeholders). The governing body should ensure that: § 6.6.3 ¶ 3 The governing body should provide direction for, and have sufficient oversight of, the use of data and its supporting information technology to ensure the organization remains within its established risk appetite and organizational risk framework. This can include: ensuring that the wider organizational stakeholders are considered in the organization's use of information technology, particularly as it relates to human capital. § 6.8.3.4 ¶ 2 f) {external context}The governing body should ensure that the organizational risk framework, in respect to the management of risk: considers the impact of, changes to and dependencies on the external and internal context of the organization, including: stakeholders; § 6.9.3.2 ¶ 2 d) 1) {stakeholder engagement process}To ensure that the organization is acting in a socially responsible way, the governing body should: ensure that the expectations of stakeholders are clearly understood; this includes continually engaging relevant stakeholders through an engagement process and a highly developed approach to accountability (see 6.5); § 6.10.3 ¶ 1 a) The governing body should ensure that the organization's stakeholders are appropriately engaged and their expectations considered. Table 1 Column 4 Row 7 {member stakeholder}{reference stakeholder}Defining the organizational purpose involves identifying the issues and stakeholders for which the organization exists to serve and the negative impacts that are to be avoided. When identifying these, the governing body should ensure that the following are considered: member, reference and other relevant stakeholder expectations; § 6.1.3.2 ¶ 1 d) The organization's viability and performance over time depends on the resilience of natural environmental, social and economic systems in which the organization operates. The resilience of these systems benefits from governing body decisions when such decisions consider: relevant stakeholder expectations (see 6.6 and 6.10); § 6.11.3.1 ¶ 1 Bullet 1 {internal context}When setting the strategic outcomes and guiding the organizational strategy, the governing body should consider the organization's internal and external context, including: relevant stakeholder expectations; § 6.3.3.1.1 ¶ 2 j) Effective performance — The organization: remains in alignment with its policies and relevant stakeholder expectations. § 5 ¶ 2 a) 4) Responsible stewardship — The organization: engenders the trust and confidence of the communities within which it operates, and beyond. § 5 ¶ 2 b) 5) A process of reconciliation between seemingly opposed dimensions leads to more informed and robust decisions. Reconciling dilemmas requires a deliberate approach that includes: understanding and articulating the opposing perspectives; § 6.7.3.4 ¶ 2 b) {social issue} In determining the value generation model, the governing body should understand the context in which the organization operates over time, including stakeholder expectations, regulatory frameworks, technological change, and the present and potential future natural environment, social and economic issues. The governing body should also ensure that the organization's value generation model continues to be viable and responds to changing conditions. § 6.2.3.1 ¶ 3] | Leadership and high level objectives | Preventive | |
Enforce a continuous Quality Control system. CC ID 01005 | Leadership and high level objectives | Detective | |
Correct errors and deficiencies in a timely manner. CC ID 13501 [Decision-making throughout the organization should be supported by appropriate delegation (see 4.2.2). This delegation should be formalized together with appropriate assurance processes. Additionally, the governing body should ensure that: information structures, including access to information, monitoring and potential mitigation of incorrect decisions are sufficient to ensure compliance with organizational requirements. § 6.8.3.2.2 ¶ 1 c)] | Leadership and high level objectives | Corrective | |
Establish and maintain time frames for correcting deficiencies found during Quality Control. CC ID 07206 | Leadership and high level objectives | Detective | |
Review and analyze any quality improvement goals that were missed. CC ID 07204 | Leadership and high level objectives | Detective | |
Identify roles, tasks, information, systems, and assets that fall under the organization's mandated Authority Documents. CC ID 00688 [The governing body should ensure that the organization identifies, manages, monitors and communicates the nature and extent of its use of data (see 6.5.3). § 6.8.3.1 ¶ 1 The value generation model requires an integrated approach to understanding and using resources (e.g. human, social and relational, intellectual, the natural environment, financial and manufactured). This approach includes: identification of all resources involved in the model; § 6.2.3.1 ¶ 4 a) The governing body should ensure that the organization's value generation model (see 6.2): identifies the key resources (e.g. capitals such as human, social and relational, intellectual, the natural environmental, financial and manufactured), structures, processes, relationships, information, decision-making, reporting and other aspects of the organization that allow it to create sustained value for relevant stakeholders; § 6.11.3.2 ¶ 1 a) The governing body should ensure that the organization's value generation model identifies and assesses (see 6.2): the relevant external systems on which the organization depends; § 6.11.3.3 ¶ 1 a)] | Leadership and high level objectives | Preventive | |
Assess the impact of changes to organizational policies, standards, and procedures, as necessary. CC ID 14824 [The governing body should oversee organizational performance by assessing and taking corrective action based on: the organization's management of plans, organizational changes and other substantial transformations as well as responses to unplanned events and incidents. § 6.4.3.2 ¶ 1 j)] | Leadership and high level objectives | Preventive | |
Review the compliance exceptions in the exceptions document, as necessary. CC ID 01632 | Leadership and high level objectives | Preventive | |
Align the reporting methodology with the decision management strategy. CC ID 15659 | Leadership and high level objectives | Preventive | |
Use a risk-based approach to adapt the Strategic Information Technology Plan to the business's needs. CC ID 00631 | Leadership and high level objectives | Corrective | |
Mirror the organization's business strategy during Information Technology planning in the Strategic Information Technology Plan. CC ID 00630 [The governing body should provide direction for, and have sufficient oversight of, the use of data and its supporting information technology to ensure the organization remains within its established risk appetite and organizational risk framework. This can include: ensuring that human behaviour is considered when applying information technology, including safety, fit for purpose and alignment with the organizational purpose; § 6.8.3.4 ¶ 2 e)] | Leadership and high level objectives | Preventive | |
Escalate for management authorization any proposed projects where effective use of existing resources is overlooked. CC ID 06848 | Leadership and high level objectives | Preventive | |
Establish, implement, and maintain a Governance, Risk, and Compliance awareness and training program. CC ID 06492 [Governing body members should continuously improve their competency regarding the organization's activities, legal requirements and, more broadly, the organization's context. This improving capability, together with regular reviews of governance practices, should ensure a continually improving governance environment. § 4.3.2 ¶ 1 {individual}The governing body should steer the organizational strategy by means of: monitoring, evaluating and developing the capacities and competencies of those to whom the governing body has delegated; § 6.3.3.2.2 ¶ 2 g)] | Leadership and high level objectives | Preventive | |
Return the funds from a funds transfer when required information is not received or discrepancies resolved. CC ID 16760 | Leadership and high level objectives | Preventive | |
Delay the funds transfer until all required information has been received or discrepancies resolved. CC ID 16759 | Leadership and high level objectives | Preventive | |
Refrain from making funds from a funds transfer available to the interested personnel until all required information is received. CC ID 16758 | Leadership and high level objectives | Preventive | |
Attach the required information to each funds transfer. CC ID 16756 | Leadership and high level objectives | Preventive | |
Verify all required information is attached to each funds transfer. CC ID 16755 | Leadership and high level objectives | Detective | |
Establish, implement, and maintain protective measures for customers from a bank's insolvency or default. CC ID 16738 | Leadership and high level objectives | Preventive | |
Refrain from setting up anonymous financial accounts. CC ID 16721 | Leadership and high level objectives | Preventive | |
Identify and maintain positions in financial accounts. CC ID 16751 | Leadership and high level objectives | Preventive | |
Supplement financial resources, as necessary. CC ID 16685 | Leadership and high level objectives | Preventive | |
Limit the types of assets accepted as collateral. CC ID 16602 | Leadership and high level objectives | Preventive | |
Avoid the use of concentrated holdings of assets. CC ID 16651 | Leadership and high level objectives | Preventive | |
Establish, implement, and maintain a securities trading program. CC ID 16626 | Leadership and high level objectives | Preventive | |
Include investment information in approval requests for investments. CC ID 16590 | Leadership and high level objectives | Preventive | |
Review and approve lending policies. CC ID 16607 | Leadership and high level objectives | Preventive | |
Establish, implement, and maintain margin systems. CC ID 16601 | Leadership and high level objectives | Preventive | |
Establish, implement, and maintain capital adequacy measures. CC ID 16568 | Leadership and high level objectives | Preventive | |
Implement a fraud detection system. CC ID 13081 | Monitoring and measurement | Preventive | |
Approve the system security plan. CC ID 14241 | Monitoring and measurement | Preventive | |
Identify information being used to support the performance of the governance, risk, and compliance capability. CC ID 12866 | Monitoring and measurement | Preventive | |
Align enforcement reviews for non-compliance with organizational risk tolerance. CC ID 13063 | Monitoring and measurement | Detective | |
Establish, implement, and maintain an identification and classification of information assets metrics program. CC ID 02052 | Monitoring and measurement | Preventive | |
Establish, implement, and maintain an Information Systems architecture metrics program. CC ID 02059 | Monitoring and measurement | Preventive | |
Establish, implement, and maintain a physical environment metrics program. CC ID 02063 | Monitoring and measurement | Preventive | |
Establish, implement, and maintain a user identification and authentication metrics program. CC ID 02073 | Monitoring and measurement | Preventive | |
Establish, implement, and maintain a user account management metrics program. CC ID 02075 | Monitoring and measurement | Preventive | |
Establish, implement, and maintain a Configuration Management metrics program. CC ID 02077 | Monitoring and measurement | Preventive | |
Establish, implement, and maintain a communications, e-mail, and remote access security management metrics program. CC ID 02079 | Monitoring and measurement | Preventive | |
Establish, implement, and maintain a malicious code protection management metrics program. CC ID 02080 | Monitoring and measurement | Preventive | |
Establish, implement, and maintain a software change management metrics program. CC ID 02081 | Monitoring and measurement | Preventive | |
Establish, implement, and maintain a network management and firewall management metrics program. CC ID 02082 | Monitoring and measurement | Preventive | |
Establish, implement, and maintain a data encryption management metrics program. CC ID 02083 | Monitoring and measurement | Preventive | |
Establish, implement, and maintain a backup management and recovery management metrics program. CC ID 02084 | Monitoring and measurement | Preventive | |
Establish, implement, and maintain an incident management and vulnerability management metrics program. CC ID 02085 | Monitoring and measurement | Preventive | |
Align corrective actions with the level of environmental impact. CC ID 15193 | Monitoring and measurement | Preventive | |
Identify personnel who should attend the closing meeting. CC ID 15261 | Audits and risk management | Preventive | |
Schedule attestation engagement meetings with interested personnel and affected parties, as necessary. CC ID 15263 | Audits and risk management | Preventive | |
Refrain from accepting an attestation engagement when the engaging party refuses to sign the engagement letter. CC ID 14912 | Audits and risk management | Preventive | |
Accept the attestation engagement when all preconditions are met. CC ID 13933 | Audits and risk management | Preventive | |
Respond to questions or clarification requests regarding the audit. CC ID 08902 | Audits and risk management | Preventive | |
Review the need for organizational efficiency as balanced against the needs of compliance and security. CC ID 07111 | Audits and risk management | Preventive | |
Provide auditors access to affected parties during the audit, as necessary. CC ID 07187 | Audits and risk management | Preventive | |
Disclaim the audit opinion in the audit report, as necessary. CC ID 13901 | Audits and risk management | Corrective | |
Notify interested personnel and affected parties after bribes are offered during the audit. CC ID 08872 | Audits and risk management | Preventive | |
Document and justify any exclusions from the scope of the risk management activities in the risk management program. CC ID 15336 | Audits and risk management | Detective | |
Integrate the risk management program with the organization's business activities. CC ID 13661 [The governing body should establish an organizational risk framework that ensures a formal, proactive and anticipative approach to the management of risk across the organization, including by the governing body. The governing body should ensure that this framework integrates risk management into all organizational activities. § 6.9.3.2 ¶ 1 In overseeing risk management, the governing body should specifically assure itself that risk management is integrated into all organizational activities by seeking evidence that, for example: § 6.9.3.4 ¶ 2] | Audits and risk management | Preventive | |
Integrate the risk management program into daily business decision-making. CC ID 13659 [The governing body should oversee the organization's management of risk (see 6.4), ensuring that: decision-making behaviours are informed by risk assessment outcomes and are consistent with governance policies; § 6.9.3.4 ¶ 1 g) The governing body should ensure that the organizational risk framework, in respect to the management of risk: guides decision-making behaviours and the impact of leadership actions, inactions or omissions on those behaviours; § 6.9.3.2 ¶ 2 b)] | Audits and risk management | Preventive | |
Include regular updating in the risk management system. CC ID 14990 | Audits and risk management | Preventive | |
Design a portfolio of insurance options in accordance with risk decision-making criteria. CC ID 12878 | Audits and risk management | Preventive | |
Design a portfolio of loans in accordance with risk decision-making criteria. CC ID 12877 | Audits and risk management | Preventive | |
Design a portfolio of risk limiting and mitigating approaches in organizational contracts in accordance with risk decision-making criteria. CC ID 12903 | Audits and risk management | Preventive | |
Approve the threat and risk classification scheme. CC ID 15693 | Audits and risk management | Preventive | |
Establish, implement, and maintain a risk assessment awareness and training program. CC ID 06453 | Audits and risk management | Preventive | |
Align organizational risk tolerance to that of industry peers in the risk register. CC ID 09962 | Audits and risk management | Preventive | |
Review the Business Impact Analysis, as necessary. CC ID 12774 | Audits and risk management | Preventive | |
Review and approve material risks documented in the residual risk report, as necessary. CC ID 13672 | Audits and risk management | Preventive | |
Analyze the impact of artificial intelligence systems on business operations. CC ID 16356 | Audits and risk management | Preventive | |
Evaluate the cyber insurance market. CC ID 12695 | Audits and risk management | Preventive | |
Evaluate the usefulness of cyber insurance to the organization. CC ID 12694 | Audits and risk management | Preventive | |
Acquire cyber insurance, as necessary. CC ID 12693 | Audits and risk management | Preventive | |
Define and assign the assessment team's roles and responsibilities. CC ID 08890 | Human Resources management | Preventive | |
Place Information Technology operations in a position to support the business model. CC ID 00766 | Human Resources management | Preventive | |
Review organizational personnel successes. CC ID 00767 | Human Resources management | Preventive | |
Evaluate the staffing requirements regularly. CC ID 00775 | Human Resources management | Detective | |
Establish, implement, and maintain an occupational health and safety management system. CC ID 16201 | Human Resources management | Preventive | |
Involve interested personnel and affected parties in occupational health and safety management system processes. CC ID 16274 | Human Resources management | Preventive | |
Refrain from loaning mobile devices to unauthorized personnel. CC ID 15218 | Human Resources management | Preventive | |
Establish, implement, and maintain performance reviews. CC ID 14777 [The governing body should oversee organizational performance by assessing and taking corrective action based on: managerial reporting and performance, ensuring that it appraises results against applicable measurement criteria and its intentions and expectations (see 6.3.3); § 6.4.3.2 ¶ 1 b) The governing body should oversee organizational performance by assessing and taking corrective action based on: resource allocations, capacity and capabilities (including people and their development) ensuring that the organization is enabled to meet its organizational purpose, value generation objectives and strategic outcomes; § 6.4.3.2 ¶ 1 g)] | Human Resources management | Detective | |
Conduct staff performance reviews, as necessary. CC ID 07205 [{individual}The governing body should steer the organizational strategy by means of: monitoring, evaluating and developing the capacities and competencies of those to whom the governing body has delegated; § 6.3.3.2.2 ¶ 2 g)] | Human Resources management | Detective | |
Refrain from practicing false advertising. CC ID 14253 | Human Resources management | Preventive | |
Establish mechanisms for whistleblowers to report compliance violations. CC ID 06806 [To ensure that the organization is acting in a socially responsible way, the governing body should: steer the organization such that its decision-making and activities are consistent with the organizational purpose, organizational values and governance policies, including considering how stakeholders can report a breach in behaviour (e.g. via whistleblowing); § 6.10.3 ¶ 1 f) Assurance processes that inform the governing body independently and accurately include: whistleblowing processes and personnel and customer feedback mechanisms, both formal and informal (see NOTE 3). § 6.4.3.3 ¶ 2 Bullet 5] | Human Resources management | Preventive | |
Respond to ethics complaints of ethics violations. CC ID 11497 | Human Resources management | Corrective | |
Establish, implement, and maintain a positive information control environment. CC ID 00813 [The governing body should lead the organization ethically and effectively and ensure such leadership throughout the organization. § 6.7.1 ¶ 1 Ethical and effective leadership should be demonstrated in three areas: § 6.7.3.1 ¶ 4 The governing body should demonstrate effective leadership across all areas. § 6.7.3.2 ¶ 1 The governing body should lead the organization ethically and effectively and ensure such leadership throughout the organization. Table 1 Column 4 Row 8 In order to lead ethically and effectively, the governing body should lead by example to create a positive culture, set the tone for others, and engender trust and cooperation among the organization's stakeholders. § 6.7.3.1 ¶ 2 Ethical leadership results in an organizational context and culture that: provides increased certainty, which in turn, creates reputational value. § 6.7.3.3 ¶ 3 Bullet 5 {be responsible}{be ethical} The governing body should, in particular, ensure that the organization recognizes data as a strategic resource and ensure that the organization uses data responsibly and ethically. § 6.8.3.1 ¶ 2 {be ethical}New technology brings an increase in the volume and value of data, and a responsibility for governing bodies to ensure that: data are used ethically; § 6.8.3.4 ¶ 1 Bullet 1 The governing body should ensure that the organizational risk framework, in respect to the management of risk: establishes the desired risk culture across the organization that encourages the reporting and communication of new and emerging risks, and ensures that every person in the organization understands their risk management responsibility; § 6.9.3.2 ¶ 2 a) Ethical leadership results in an organizational context and culture that: assists in reconciling strategic dilemmas by creating organizational alignment through the integration of opposites; § 6.7.3.3 ¶ 3 Bullet 2 Ethical leadership results in an organizational context and culture that: provides the individuals of an organization with a collective sense of belonging; § 6.7.3.3 ¶ 3 Bullet 1] | Operational management | Preventive | |
Define the scope for the internal control framework. CC ID 16325 | Operational management | Preventive | |
Review the relevance of information supporting internal controls. CC ID 12420 | Operational management | Detective | |
Assign resources to implement the internal control framework. CC ID 00816 [When delegating, the governing body should delegate in a manner which increases trust and transparency. For delegation and accountability (see 6.5) to be effective, the governing body should ensure that the following conditions are fulfilled: required resources are available; § 4.2.2 ¶ 2 b) The governing body should steer the organizational strategy by means of: decision-making, specifically, the strategic deployment of resources. § 6.3.3.2.2 ¶ 2 j) {procedure}The governing body should ensure that it sets parameters, within which the value generation objectives are to be achieved. These parameters should ensure that the organization: defines what resources are required to deliver the value generation objectives and how they should be accessed and allocated; § 6.2.3.3 ¶ 1 b)] | Operational management | Preventive | |
Establish, implement, and maintain a baseline of internal controls. CC ID 12415 [The governing body should establish governance policies and ensure that these: set expectations for internal controls, compliance, risk management and risk taking; § 6.3.3.1.2 ¶ 1 e)] | Operational management | Preventive | |
Leverage actionable information to support internal controls. CC ID 12414 | Operational management | Preventive | |
Align the information security policy with the organization's risk acceptance level. CC ID 13042 | Operational management | Preventive | |
Establish, implement, and maintain information security procedures. CC ID 12006 | Operational management | Preventive | |
Refrain from requiring supervision when users are accessing social media applications. CC ID 14011 | Operational management | Preventive | |
Refrain from requiring users to disclose social media account usernames or authenticators. CC ID 14009 | Operational management | Preventive | |
Establish, implement, and maintain information sharing agreements. CC ID 15645 | Operational management | Preventive | |
Adhere to operating procedures as defined in the Standard Operating Procedures Manual. CC ID 06328 | Operational management | Preventive | |
Establish, implement, and maintain domain name registration and renewal procedures. CC ID 07075 | Operational management | Preventive | |
Implement and comply with the Governance, Risk, and Compliance framework. CC ID 00818 [Table 1 describes the structure of the governance principles and lists the principles associated with each category. All principles should be applied, and applied concurrently. § 5 ¶ 3 Governing bodies should ensure that they realize the described governance outcomes through intentionally implementing the practices. § 5 ¶ 6] | Operational management | Preventive | |
Include contractual relationships with workforce members in the analysis of the organizational culture. CC ID 15674 | Operational management | Preventive | |
Include the number of workforce members who are not employees in the analysis of the organizational culture. CC ID 15673 | Operational management | Preventive | |
Include the type of work performed by workforce members in the analysis of the organizational culture. CC ID 15675 | Operational management | Preventive | |
Include demographic characteristics of employees in the analysis of the organizational culture. CC ID 15671 | Operational management | Preventive | |
Review systems for compliance with organizational information security policies. CC ID 12004 | Operational management | Preventive | |
Establish, implement, and maintain an Asset Management program. CC ID 06630 [Responsible stewardship — The organization: makes use of resources in a responsible manner; § 5 ¶ 2 b) 1) {procedure}The governing body should ensure that it sets parameters, within which the value generation objectives are to be achieved. These parameters should ensure that the organization: defines what resources are required to deliver the value generation objectives and how they should be accessed and allocated; § 6.2.3.3 ¶ 1 b)] | Operational management | Preventive | |
Include coordination amongst entities in the asset management policy. CC ID 16424 | Operational management | Preventive | |
Define and prioritize the importance of each asset in the asset management program. CC ID 16837 | Operational management | Preventive | |
Establish, implement, and maintain administrative controls over all assets. CC ID 16400 | Operational management | Preventive | |
Classify virtual systems by type and purpose. CC ID 16332 | Operational management | Preventive | |
Establish, implement, and maintain an asset inventory. CC ID 06631 | Operational management | Preventive | |
Destroy systems in accordance with the system disposal program. CC ID 16457 | Operational management | Preventive | |
Approve the release of systems and waste material into the public domain. CC ID 16461 | Operational management | Preventive | |
Obtain approval before removing maintenance tools from the facility. CC ID 14298 | Operational management | Preventive | |
Disassemble and shut down unnecessary systems or unused systems. CC ID 06280 | Operational management | Preventive | |
Dispose of hardware and software at their life cycle end. CC ID 06278 | Operational management | Preventive | |
Refrain from placing assets being disposed into organizational dumpsters. CC ID 12200 | Operational management | Preventive | |
Remove asset tags prior to disposal of an asset. CC ID 12198 | Operational management | Preventive | |
Establish, implement, and maintain an Incident Management program. CC ID 00853 | Operational management | Preventive | |
Establish, implement, and maintain future system performance forecasting methods. CC ID 11775 | Operational management | Preventive | |
Use proactive performance management. CC ID 00937 | Operational management | Detective | |
Utilize resource availability management controls. CC ID 00940 | Operational management | Detective | |
Establish, implement, and maintain rate limiting filters. CC ID 06883 | Operational management | Preventive | |
Identify and allocate departmental costs. CC ID 00871 | Operational management | Detective | |
Justify the system's cost and benefit. CC ID 00874 [Issues of particular concern to a governing body are where the organization benefits but where the costs for that benefit are incurred by another party. These are sometimes referred to as "negative externalities" or "unpriced impacts" and can be both financial or non-financial in nature. In such cases, the governing body should account for these benefits. § 6.10.3 ¶ 2] | Operational management | Detective | |
Establish, implement, and maintain a consumer complaint management program. CC ID 04570 [Assurance processes that inform the governing body independently and accurately include: whistleblowing processes and personnel and customer feedback mechanisms, both formal and informal (see NOTE 3). § 6.4.3.3 ¶ 2 Bullet 5] | Acquisition or sale of facilities, technology, and services | Preventive | |
Document consumer complaints. CC ID 13903 | Acquisition or sale of facilities, technology, and services | Preventive | |
Include complete information in the take-down request. CC ID 09965 | Acquisition or sale of facilities, technology, and services | Detective | |
Include the complainant's contact information in the take-down request. CC ID 09966 | Acquisition or sale of facilities, technology, and services | Detective | |
Include the identification of unlawful material or unlawful activities in the take-down request. CC ID 09967 | Acquisition or sale of facilities, technology, and services | Detective | |
Include the identification of the right that has allegedly been infringed in the take-down request. CC ID 09968 | Acquisition or sale of facilities, technology, and services | Detective | |
Include the remedial action required to be taken in respect of the complaint in the take-down request. CC ID 09969 | Acquisition or sale of facilities, technology, and services | Detective | |
Include a statement by the complainant that the information is true and correct in the take-down request. CC ID 09970 | Acquisition or sale of facilities, technology, and services | Preventive | |
Include a statement that the complainant is acting in good faith in the take-down request. CC ID 09971 | Acquisition or sale of facilities, technology, and services | Detective | |
Include the written signature or electronic signature of the complainant in the take-down request. CC ID 09972 | Acquisition or sale of facilities, technology, and services | Detective | |
Analyze the digital content hosted by the organization for any electronic material associated with the take-down request. CC ID 09974 | Acquisition or sale of facilities, technology, and services | Detective | |
Remove all unlawful material associated with the take-down request that has not yet been removed and is feasible to remove. CC ID 09978 | Acquisition or sale of facilities, technology, and services | Preventive | |
Notify the complainant when all unlawful material associated with the take-down notice that can be removed has been removed. CC ID 09979 | Acquisition or sale of facilities, technology, and services | Preventive | |
Refrain from requiring data subjects to justify personal data access requests. CC ID 12394 | Privacy protection for information and data | Preventive | |
Grant a waiver or reduction of fees for data access under defined conditions. CC ID 15502 | Privacy protection for information and data | Preventive | |
Determine the financial impact for the unauthorized disclosure of privacy-related data and privacy-related information. CC ID 06488 | Privacy protection for information and data | Detective | |
Establish, implement, and maintain Consumer Reporting Agency notification procedures. CC ID 04851 | Privacy protection for information and data | Preventive | |

KEY: Primary Verb, Primary Noun, Secondary Verb, Secondary Noun, Limiting Term (Mandated - bold; Implied - italic; Implementation - regular) | IMPACT ZONE | CLASS | |
---|---|---|---|
Include disseminating and communicating events surrounding instances of desirable conduct and undesirable conduct in the communication protocols. CC ID 12824 | Leadership and high level objectives | Preventive | |
Identify alternative measures for collecting stakeholder input, as necessary. CC ID 15672 | Leadership and high level objectives | Preventive | |
Include disseminating and communicating conditions surrounding instances of desirable conduct and undesirable conduct in the communication protocols. CC ID 12804 | Leadership and high level objectives | Preventive | |
Include disseminating and communicating desirable conduct in the communication protocols. CC ID 12803 | Leadership and high level objectives | Preventive | |
Include disseminating and communicating undesirable conduct in communication protocols. CC ID 12802 | Leadership and high level objectives | Preventive | |
Disseminate and communicate internal controls with supply chain members. CC ID 12416 | Leadership and high level objectives | Preventive | |
Disseminate and communicate management's choices for managing the organization as a part of internal reporting. CC ID 12412 [To demonstrate accountability, the governing body should ensure that the organization's reports and disclosures: provide information about the governing body itself, including: the fulfilment of its responsibilities, including the consequences of not fulfilling its obligations; § 6.5.3.2 ¶ 1 b) 2) To demonstrate accountability, the governing body should ensure that the organization's reports and disclosures: provide information about the organization, including: the way in which the organization's performance was achieved and whether this performance was reasonable given the organization's changing context governance policies, including organizational values; § 6.5.3.2 ¶ 1 c) 2) To demonstrate accountability, the governing body should ensure that the organization's reports and disclosures: explain and justify the organization's actions, inactions, omissions, risk and dependencies, including those of the governing body; § 6.5.3.2 ¶ 1 g) To demonstrate accountability, the governing body should ensure that the organization's reports and disclosures: provide information about the governing body itself, including: decisions, actions, performance and improvements; § 6.5.3.2 ¶ 1 b) 1)] | Leadership and high level objectives | Preventive | |
Establish, implement, and maintain an external reporting program. CC ID 12876 | Leadership and high level objectives | Preventive | |
Provide identifying information about the organization to the responsible party. CC ID 16715 | Leadership and high level objectives | Preventive | |
Prioritize material topics used in reporting. CC ID 15678 | Leadership and high level objectives | Preventive | |
Include time requirements in the external reporting program. CC ID 16566 | Leadership and high level objectives | Preventive | |
Include reporting to governing bodies in the external reporting plan. CC ID 12923 | Leadership and high level objectives | Preventive | |
Submit confidential treatment applications to interested personnel and affected parties. CC ID 16592 | Leadership and high level objectives | Preventive | |
Disseminate and communicate the organization's business environment and place in its industry sector. CC ID 13200 | Leadership and high level objectives | Preventive | |
Disseminate and communicate the value generation model to all interested personnel and affected parties. CC ID 15607 [The governing body should ensure that an overarching value generation model is determined for the organization and is appropriately communicated. § 6.2.3.1 ¶ 1 To demonstrate accountability, the governing body should ensure that the organization's reports and disclosures: describe the organizational purpose, organizational values, value generation model, organizational strategy and associated governance policies; § 6.5.3.2 ¶ 1 a)] | Leadership and high level objectives | Preventive | |
Disseminate and communicate the Mission, Vision, and Values Statement to all interested personnel and affected parties. CC ID 15585 [The governing body should ensure that the organizational purpose and organizational values and their centrality are effectively communicated throughout the organization and are available to the organization's stakeholders. § 6.1.3.4 ¶ 2 The governing body should ensure that: the organizational purpose is available to all stakeholders and reflected in the constituting documents where possible; § 6.1.3.2 ¶ 2 Bullet 2 The governing body should ensure that the organizational purpose and organizational values are defined, communicated and embedded. § 6.1.3.1 ¶ 1 To demonstrate accountability, the governing body should ensure that the organization's reports and disclosures: describe the organizational purpose, organizational values, value generation model, organizational strategy and associated governance policies; § 6.5.3.2 ¶ 1 a) To ensure that the organization is acting in a socially responsible way, the governing body should: engage with all relevant stakeholders when determining and reviewing the organizational values and promote the organizational values to stakeholders; § 6.10.3 ¶ 1 d)] | Leadership and high level objectives | Preventive | |
Disseminate and communicate organizational objectives, functions, and activities to all interested personnel and affected parties. CC ID 13191 [To ensure that the organization is acting in a socially responsible way, the governing body should: report the organization's social responsibility objectives clearly and transparently so that stakeholders can understand these objectives, how they are being met and what performance is being achieved against them, as well as provide the necessary evidence to support such claims; § 6.10.3 ¶ 1 h)] | Leadership and high level objectives | Preventive | |
Disseminate and communicate the data classification scheme to interested personnel and affected parties. CC ID 16804 | Leadership and high level objectives | Preventive | |
Disseminate and communicate the data dictionary to interested personnel and affected parties. CC ID 13516 | Leadership and high level objectives | Preventive | |
Disseminate and communicate emerging threats to all interested personnel and affected parties. CC ID 12185 | Leadership and high level objectives | Preventive | |
Disseminate and communicate updated guidance documentation to interested personnel and affected parties upon discovery of a new threat. CC ID 12191 | Leadership and high level objectives | Corrective | |
Disseminate and communicate the Quality Management policy to all interested personnel and affected parties. CC ID 13695 | Leadership and high level objectives | Preventive | |
Disseminate and communicate the Quality Management framework to all stakeholders. CC ID 13680 | Leadership and high level objectives | Preventive | |
Notify affected parties and interested personnel of quality management system approvals that have been refused, suspended, or withdrawn. CC ID 15045 | Leadership and high level objectives | Preventive | |
Notify affected parties and interested personnel of quality management system approvals that have been issued. CC ID 15036 | Leadership and high level objectives | Preventive | |
Disseminate and communicate the organization’s policies, standards, and procedures to all interested personnel and affected parties. CC ID 12901 [Finally, the governing body should report honestly and transparently to relevant stakeholders on the organizational governance framework. This includes reporting: on the way it has implemented the key aspects of practices in this document and any other practices used to apply the principles; § 5 ¶ 7 Bullet 1] | Leadership and high level objectives | Preventive | |
Disseminate and communicate the strategic plan to all interested personnel and affected parties. CC ID 15592 [To demonstrate accountability, the governing body should ensure that the organization's reports and disclosures: describe the organizational purpose, organizational values, value generation model, organizational strategy and associated governance policies; § 6.5.3.2 ¶ 1 a)] | Leadership and high level objectives | Preventive | |
Disseminate and communicate the planning procedures to interested personnel and affected parties. CC ID 14704 | Leadership and high level objectives | Preventive | |
Disseminate and communicate the planning policy to interested personnel and affected parties. CC ID 14691 | Leadership and high level objectives | Preventive | |
Disseminate and communicate the security planning policy to interested personnel and affected parties. CC ID 14125 | Leadership and high level objectives | Preventive | |
Disseminate and communicate the security planning procedures to interested personnel and affected parties. CC ID 14135 | Leadership and high level objectives | Preventive | |
Disseminate and communicate the decision management strategy to all interested personnel and affected parties. CC ID 13991 [Be open about decisions and activities that affect the natural environment, society and the economy, and be willing to communicate these in a clear, accurate, timely, honest and complete manner. Table 2 Column 2 Row 4 Bullet 1] | Leadership and high level objectives | Preventive | |
Provide required information that is missing from a funds transfer to the responsible party. CC ID 16761 | Leadership and high level objectives | Preventive | |
Disseminate and communicate the results of stress testing to interested personnel and affected parties. CC ID 16630 | Leadership and high level objectives | Preventive | |
Disseminate and communicate the escrow procedures to interested personnel and affected parties. CC ID 16565 | Leadership and high level objectives | Preventive | |
Disseminate and communicate securities transaction notifications to interested personnel and affected parties. CC ID 16621 | Leadership and high level objectives | Preventive | |
Disseminate and communicate the financial report to interested personnel and affected parties. CC ID 16342 | Leadership and high level objectives | Preventive | |
Disseminate and communicate the call report to interested personnel and affected parties. CC ID 16727 | Leadership and high level objectives | Preventive | |
Report errors and faults to the appropriate personnel, as necessary. CC ID 14296 | Monitoring and measurement | Corrective | |
Disseminate and communicate the system security plan to interested personnel and affected parties. CC ID 14275 | Monitoring and measurement | Preventive | |
Disseminate and communicate the disciplinary action notice to interested personnel and affected parties. CC ID 16585 | Monitoring and measurement | Preventive | |
Delay the reporting of incident management metrics, as necessary. CC ID 15501 | Monitoring and measurement | Preventive | |
Include the scope for the desired level of assurance in the audit program. CC ID 12793 | Audits and risk management | Preventive | |
Hold a closing meeting following an audit to present audit findings and conclusions. CC ID 15248 | Audits and risk management | Preventive | |
Disseminate and communicate the reasons the audit report was delayed to interested personnel and affected parties. CC ID 15257 | Audits and risk management | Preventive | |
Notify auditees if disclosure of audit documentation is required by law. CC ID 15249 | Audits and risk management | Preventive | |
Disseminate and communicate the audit plan to interested personnel and affected parties. CC ID 15238 | Audits and risk management | Preventive | |
Disseminate and communicate insurance options to interested personnel and affected parties. CC ID 16572 | Audits and risk management | Preventive | |
Disseminate and communicate insurance requirements to interested personnel and affected parties. CC ID 16567 | Audits and risk management | Preventive | |
Disseminate and communicate the Data Protection Impact Assessment to interested personnel and affected parties. CC ID 15313 | Audits and risk management | Preventive | |
Disseminate and communicate the risk assessment policy to interested personnel and affected parties. CC ID 14115 | Audits and risk management | Preventive | |
Disseminate and communicate the risk assessment procedures to interested personnel and affected parties. CC ID 14136 | Audits and risk management | Preventive | |
Disseminate and communicate the approved risk assessment report to interested personnel and affected parties. CC ID 10633 [Assurance processes that inform the governing body independently and accurately include: direct reports by, and private sessions with, risk management and compliance management as independent control functions; § 6.4.3.3 ¶ 2 Bullet 2] | Audits and risk management | Preventive | |
Notify the organization upon completion of the external audits of the organization's risk assessment. CC ID 13313 | Audits and risk management | Preventive | |
Disseminate and communicate the Business Impact Analysis to interested personnel and affected parties. CC ID 15300 [{social context}To demonstrate accountability, the governing body should ensure that the organization's reports and disclosures: provide information about the organization, including: the impact the organization has had, and anticipates having, on the resources it uses and the natural environment, social and economic context within which it operates; § 6.5.3.2 ¶ 1 c) 3) The value generation model requires an integrated approach to understanding and using resources (e.g. human, social and relational, intellectual, the natural environment, financial and manufactured). This approach includes: reporting on the extent of the organization's impact on these resources and the impact of these resources on one another. § 6.2.3.1 ¶ 4 c) The governing body should demonstrate accountability by retaining and distributing value in a transparent manner and reporting on the associated processes, decisions and results, including on the extent of the organization's impacts over time. This includes disclosing to relevant stakeholders where the organization has destroyed or compromised value, providing a justification for such where appropriate, and describing how it will redress or reinstate that value. § 6.2.3.5 ¶ 2] | Audits and risk management | Preventive | |
Disseminate and communicate the risk treatment plan to interested personnel and affected parties. CC ID 15694 | Audits and risk management | Preventive | |
Disseminate and communicate the cybersecurity risk management policy to interested personnel and affected parties. CC ID 16832 | Audits and risk management | Preventive | |
Disseminate and communicate the cybersecurity risk management program to interested personnel and affected parties. CC ID 16829 | Audits and risk management | Preventive | |
Disseminate and communicate the cybersecurity risk management strategy to interested personnel and affected parties. CC ID 16825 | Audits and risk management | Preventive | |
Disseminate and communicate the supply chain risk management policy to all interested personnel and affected parties. CC ID 14662 | Audits and risk management | Preventive | |
Disseminate and communicate the supply chain risk management procedures to all interested personnel and affected parties. CC ID 14712 | Audits and risk management | Preventive | |
Disseminate and communicate the risk management policy to interested personnel and affected parties. CC ID 13792 | Audits and risk management | Preventive | |
Notify the user when an authentication is attempted using an expired authenticator. CC ID 13818 | Technical security | Corrective | |
Disseminate and communicate the recovery status of the contingency plan to interested personnel and affected parties. CC ID 12758 | Operational and Systems Continuity | Preventive | |
Assign the data processor to notify the data controller when personal data processing could infringe on regulations. CC ID 12617 | Human Resources management | Preventive | |
Disseminate and communicate screening results to interested personnel and affected parties. CC ID 16445 | Human Resources management | Preventive | |
Disseminate and communicate the compensation, reward, and recognition program to interested personnel and affected parties. CC ID 14800 | Human Resources management | Preventive | |
Disseminate and communicate the occupational health and safety policy to interested personnel and affected parties. CC ID 16270 | Human Resources management | Preventive | |
Submit a conflict of interest declaration to interested personnel and affected parties. CC ID 16194 | Human Resources management | Preventive | |
Notify designated personnel when a formal personnel sanctions process is initiated. CC ID 10632 | Human Resources management | Preventive | |
Include communication protocols for interested personnel and affected parties in the ethics program. CC ID 12858 [Disclose actual, potential or perceived conflicts of interest at the earliest opportunity and manage such conflicts appropriately. Table 2 Column 2 Row 2 Bullet 2] | Human Resources management | Preventive | |
Establish mechanisms to maintain the anonymity of whistleblowers. CC ID 12859 | Human Resources management | Preventive | |
Disseminate and communicate the compliance policy to interested personnel and affected parties. CC ID 14809 | Operational management | Preventive | |
Disseminate and communicate the governance policy to all interested personnel and affected parties. CC ID 15625 [To demonstrate accountability, the governing body should ensure that the organization's reports and disclosures: describe the organizational purpose, organizational values, value generation model, organizational strategy and associated governance policies; § 6.5.3.2 ¶ 1 a)] | Operational management | Preventive | |
Share security information with interested personnel and affected parties. CC ID 11732 | Operational management | Preventive | |
Disseminate and communicate the internal control framework to all interested personnel and affected parties. CC ID 15229 | Operational management | Preventive | |
Disseminate and communicate the cybersecurity policy to interested personnel and affected parties. CC ID 16835 | Operational management | Preventive | |
Disseminate and communicate the information security procedures to all interested personnel and affected parties. CC ID 16303 | Operational management | Preventive | |
Disseminate and communicate the information security policy to interested personnel and affected parties. CC ID 11739 | Operational management | Preventive | |
Disseminate and communicate the Standard Operating Procedures Manual to all interested personnel and affected parties. CC ID 12026 | Operational management | Preventive | |
Disseminate and communicate the Acceptable Use Policy to all interested personnel and affected parties. CC ID 12431 | Operational management | Preventive | |
Disseminate and communicate nondisclosure agreements to interested personnel and affected parties. CC ID 16191 | Operational management | Preventive | |
Provide assurance to interested personnel and affected parties that the Governance, Risk, and Compliance capability is reliable, effective, efficient, and responsive. CC ID 12788 [In doing so, the governing body provides indications of the organization's governance maturity, among other insights. § 5 ¶ 8 To provide effective oversight of the organization, in addition to the reports it receives from those to whom they have delegated, the governing body should assure itself that the governance system is appropriately designed and operating as intended. If the governing body cannot assure itself directly, then it should utilize additional means of independent assurance. The governing body should: § 6.4.3.3 ¶ 1 To provide effective oversight of the organization, in addition to the reports it receives from those to whom they have delegated, the governing body should assure itself that the governance system is appropriately designed and operating as intended. If the governing body cannot assure itself directly, then it should utilize additional means of independent assurance. The governing body should: demonstrate its commitment to assurance and communicate appropriately and clearly, throughout the organization, about its assurance system. § 6.4.3.3 ¶ 1 g)] | Operational management | Preventive | |
Disseminate and communicate the Asset Classification Policy to interested personnel and affected parties. CC ID 14851 | Operational management | Preventive | |
Disseminate and communicate the system maintenance policy to interested personnel and affected parties. CC ID 14213 | Operational management | Preventive | |
Disseminate and communicate the system maintenance procedures to interested personnel and affected parties. CC ID 14194 | Operational management | Preventive | |
Notify the complainant about their rights after receiving a complaint. CC ID 16794 | Acquisition or sale of facilities, technology, and services | Preventive | |
Post contact information in an easily seen location at facilities. CC ID 13812 | Acquisition or sale of facilities, technology, and services | Preventive | |
Provide users a list of the available dispute resolution bodies. CC ID 13814 | Acquisition or sale of facilities, technology, and services | Preventive | |
Post the dispute resolution body's contact information on the organization's website. CC ID 13811 | Acquisition or sale of facilities, technology, and services | Preventive | |
Disseminate and communicate the consumer complaint management program to interested personnel and affected parties. CC ID 16795 | Acquisition or sale of facilities, technology, and services | Preventive | |
Disseminate and communicate the data collector's name and contact information to all interested personnel. CC ID 13760 | Privacy protection for information and data | Preventive | |
Disseminate and communicate the data handling policy to all interested personnel and affected parties. CC ID 15465 [The recognition that data can be a strategic asset (or liability) means that the governing body should: communicate the nature and extent of the organization's use of data as a demonstration of accountability for this resource. § 6.8.3.3 ¶ 1 e)] | Privacy protection for information and data | Preventive | |
Disseminate and communicate the data handling procedures to all interested personnel and affected parties. CC ID 15466 [The governing body should ensure that the organization identifies, manages, monitors and communicates the nature and extent of its use of data (see 6.5.3). § 6.8.3.1 ¶ 1] | Privacy protection for information and data | Preventive | |
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
---|---|---|---|
Enforce dual authorization as a part of information flow control for logs. CC ID 10098 | Monitoring and measurement | Preventive | |
Configure access control lists in accordance with organizational standards. CC ID 16465 | Technical security | Preventive | |
Disallow application IDs from running as privileged users. CC ID 10050 | Technical security | Detective | |
Separate processing domains to segregate user privileges and enhance information flow control. CC ID 06767 | Technical security | Preventive | |
Configure the lockout procedure to disregard failed logon attempts after the user is authenticated. CC ID 13822 | Technical security | Preventive | |
Establish, implement, and maintain session lock capabilities. CC ID 01417 | Technical security | Preventive | |
Limit concurrent sessions according to account type. CC ID 01416 | Technical security | Preventive | |
Configure the "tlsverify" argument to organizational standards. CC ID 14460 | Technical security | Preventive | |
Configure the "tlscacert" argument to organizational standards. CC ID 14521 | Technical security | Preventive | |
Configure the "tlscert" argument to organizational standards. CC ID 14520 | Technical security | Preventive | |
Configure the "tlskey" argument to organizational standards. CC ID 14519 | Technical security | Preventive | |
Enable access control for objects and users on each system. CC ID 04553 | Technical security | Preventive | |
Display previous logon information in the logon banner. CC ID 01415 | Technical security | Preventive | |
Issue devices with secure configurations to individuals traveling to locations deemed to be of risk. CC ID 10598 | Human Resources management | Preventive | |
Automate threat assessments, as necessary. CC ID 06877 | Operational management | Preventive | |
Automate vulnerability management, as necessary. CC ID 11730 | Operational management | Preventive | |
Disallow systems from processing information, disseminating and communicating information, or storing information that is above the system's assigned asset classification. CC ID 06606 | Operational management | Preventive | |
Separate remote maintenance sessions from other network sessions with a logically separate communications path based upon encryption. CC ID 10614 | Operational management | Preventive | |
Include passwords, Personal Identification Numbers, and card security codes in the personal data definition. CC ID 04699 | Privacy protection for information and data | Preventive | |
Store payment card data in secure chips, if possible. CC ID 13065 | Privacy protection for information and data | Preventive | |
Refrain from storing data elements containing sensitive authentication data after authorization is approved. CC ID 04758 | Privacy protection for information and data | Preventive | |
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
---|---|---|---|
Take into account the accessibility to and location of the data or information when establishing information impact levels. CC ID 04787 | Leadership and high level objectives | Preventive | |
Take into account the organization's obligation to protect data or information when establishing information impact levels. CC ID 04786 | Leadership and high level objectives | Preventive | |
Take into account the context of use for data or information when establishing information impact levels. CC ID 04785 | Leadership and high level objectives | Preventive | |
Take into account the potential aggregation of restricted data fields when establishing information impact levels. CC ID 04784 | Leadership and high level objectives | Preventive | |
Classify the sensitivity to unauthorized disclosure or modification of information in the information classification standard. CC ID 11997 | Leadership and high level objectives | Preventive | |
Take into account the distinguishability factor when establishing information impact levels. CC ID 04783 | Leadership and high level objectives | Preventive | |
Classify the criticality to unauthorized disclosure or modification of information in the information classification standard. CC ID 11996 | Leadership and high level objectives | Preventive | |
Classify the value of information in the information classification standard. CC ID 11995 | Leadership and high level objectives | Preventive | |
Classify the legal requirements of information in the information classification standard. CC ID 11994 | Leadership and high level objectives | Preventive | |
Take into account the characteristics of the geographical, behavioral and functional setting for all datasets. CC ID 15046 | Leadership and high level objectives | Preventive | |
Address Information Security during the business planning processes. CC ID 06495 | Leadership and high level objectives | Preventive | |
Include valuation models in the margin system. CC ID 16663 | Leadership and high level objectives | Preventive | |
Include procedures for collecting price data in the margin system. CC ID 16662 | Leadership and high level objectives | Preventive | |
Include reliable sources for price data in the margin system. CC ID 16661 | Leadership and high level objectives | Preventive | |
Include order tickets in the recordkeeping system for securities transactions. CC ID 16640 | Leadership and high level objectives | Preventive | |
Include receipts and deliveries of securities in the recordkeeping system for securities transactions. CC ID 16650 | Leadership and high level objectives | Preventive | |
Include debits and credits in the recordkeeping system for securities transactions. CC ID 16639 | Leadership and high level objectives | Preventive | |
Include a description of the transaction in the recordkeeping system for securities transactions. CC ID 16645 | Leadership and high level objectives | Preventive | |
Include chronological records of transactions in the recordkeeping system for securities transactions. CC ID 16638 | Leadership and high level objectives | Preventive | |
Include the name of the dealer in the recordkeeping system for securities transactions. CC ID 16637 | Leadership and high level objectives | Preventive | |
Include the execution price in the recordkeeping system for securities transactions. CC ID 16636 | Leadership and high level objectives | Preventive | |
Include the date and time of the transaction in the recordkeeping system for securities transactions. CC ID 16635 | Leadership and high level objectives | Preventive | |
Include the type of transaction in the recordkeeping system for securities transactions. CC ID 16633 | Leadership and high level objectives | Preventive | |
Include account information in the recordkeeping system for securities transactions. CC ID 16632 | Leadership and high level objectives | Preventive | |
Include data quality in the risk management strategies. CC ID 15308 | Audits and risk management | Preventive | |
Enforce access restrictions for restricted data. CC ID 01921 | Technical security | Preventive | |
Include a removable storage media use policy in the Acceptable Use Policy. CC ID 06772 | Operational management | Preventive | |
Identify the sender in all electronic messages. CC ID 13996 | Operational management | Preventive | |
Identify processes, Information Systems, and third parties that transmit, process, or store restricted data. CC ID 06289 | Operational management | Preventive | |
Record a unique name for each asset in the asset inventory. CC ID 16305 | Operational management | Preventive | |
Record the status of information systems in the asset inventory. CC ID 16304 | Operational management | Preventive | |
Record the communication interfaces for applicable assets in the asset inventory. CC ID 16301 | Operational management | Preventive | |
Record software license information for each asset in the asset inventory. CC ID 11736 | Operational management | Preventive | |
Record the operating system version for applicable assets in the asset inventory. CC ID 11748 | Operational management | Preventive | |
Record rooms at external locations in the asset inventory. CC ID 16302 | Operational management | Preventive | |
Record trusted keys and certificates in the asset inventory. CC ID 15486 | Operational management | Preventive | |
Record cipher suites and protocols in the asset inventory. CC ID 15489 | Operational management | Preventive | |
Wipe all data on systems prior to when the system is redeployed or the system is disposed. CC ID 06401 | Operational management | Preventive | |
Establish, implement, and maintain a data profiling program. CC ID 13992 [The governing body should oversee the organization's management of risk (see 6.4), ensuring that: effective data analytics are employed to correctly assess risk and risk interactions; § 6.9.3.4 ¶ 1 f)] | Records management | Preventive | |
Ensure data sets have the appropriate characteristics. CC ID 15000 | Records management | Detective | |
Ensure data sets are complete, are accurate, and are relevant. CC ID 14999 | Records management | Detective | |
Establish, implement, and maintain Automated Data Processing validation checks and editing checks. CC ID 00924 | Records management | Preventive | |
Provide individuals with information about where their personal data was processed. CC ID 00415 | Privacy protection for information and data | Preventive | |
Provide individuals with information about the processing purpose of their personal data. CC ID 00416 | Privacy protection for information and data | Preventive | |
Provide individuals with information about disclosure of their personal data. CC ID 00417 | Privacy protection for information and data | Preventive | |
Allow guardians and legal representatives access to personal data about the individual for whom they are guardians or legal representatives. CC ID 00418 | Privacy protection for information and data | Preventive | |
Provide assistance to requesters in preparing data access requests. CC ID 13588 | Privacy protection for information and data | Preventive | |
Delay responding to data access requests, as necessary. CC ID 15504 | Privacy protection for information and data | Preventive | |
Expedite the processing of data access requests, as necessary. CC ID 15496 | Privacy protection for information and data | Preventive | |
Provide individuals with an estimate of how much data was withheld from the data access request. CC ID 15503 | Privacy protection for information and data | Preventive | |
Document the outcome of the personal data access request review procedure. CC ID 00455 | Privacy protection for information and data | Preventive | |
Identify any adverse effects the collection of personal data will have on the data subject. CC ID 15279 | Privacy protection for information and data | Preventive | |
Refrain from collecting personal data, as necessary. CC ID 15269 | Privacy protection for information and data | Preventive | |
Use personal data for specified purposes. CC ID 11831 | Privacy protection for information and data | Preventive | |
Obtain the data subject's consent and acknowledgment before collecting data. CC ID 00012 | Privacy protection for information and data | Preventive | |
Provide explicit consent that is clear and unambiguous. CC ID 00181 | Privacy protection for information and data | Preventive | |
Allow individuals to change their personal data collection consent preferences. CC ID 06946 | Privacy protection for information and data | Preventive | |
Adhere to each individual's personal data collection consent preferences. CC ID 06947 | Privacy protection for information and data | Preventive | |
Furnish disclosure of information and usage of information to data subjects when oral consent is given. CC ID 04717 | Privacy protection for information and data | Preventive | |
Disclose the direct marketing purpose before obtaining consent for collecting information. CC ID 04718 | Privacy protection for information and data | Preventive | |
Include an individual's name in the personal data definition. CC ID 04710 | Privacy protection for information and data | Preventive | |
Include an individual's name combined with other personal data in the personal data definition. CC ID 04709 | Privacy protection for information and data | Preventive | |
Include the legal surname of the parent or legal representative prior to marriage in the personal data definition. CC ID 04686 | Privacy protection for information and data | Preventive | |
Include an individual's signature in the personal data definition. CC ID 04711 | Privacy protection for information and data | Preventive | |
Include an individual's date of birth in the personal data definition. CC ID 04770 | Privacy protection for information and data | Preventive | |
Include an individual's physical characteristics or description in the personal data definition. CC ID 04712 | Privacy protection for information and data | Preventive | |
Include an individual's biometric data in the personal data definition. CC ID 04698 | Privacy protection for information and data | Preventive | |
Include an individual's photographic image in the personal data definition. CC ID 04779 | Privacy protection for information and data | Preventive | |
Include an individual's fingerprints in the personal data definition. CC ID 04689 | Privacy protection for information and data | Preventive | |
Include an individual's address in the personal data definition. CC ID 04687 | Privacy protection for information and data | Preventive | |
Include an individual's telephone number in the personal data definition. CC ID 04688 | Privacy protection for information and data | Preventive | |
Include an individual's fax number in the personal data definition. CC ID 07120 | Privacy protection for information and data | Preventive | |
Include an individual's financial account number in the personal data definition. CC ID 04692 | Privacy protection for information and data | Preventive | |
Include stock numbers, bond numbers, and other security certificate numbers in the personal data definition. CC ID 04768 | Privacy protection for information and data | Preventive | |
Include an individual's electronic identification name or number in the personal data definition. CC ID 04694 | Privacy protection for information and data | Preventive | |
Include an individual's Alien Registration Number in the personal data definition. CC ID 04743 | Privacy protection for information and data | Preventive | |
Include an individual's passport number in the personal data definition. CC ID 04713 | Privacy protection for information and data | Preventive | |
Include an individual's driver's license number or an individual's state identification card number in the personal data definition. CC ID 04691 | Privacy protection for information and data | Preventive | |
Include an individual's Social Security Number or Personal Identification Number in the personal data definition. CC ID 04690 | Privacy protection for information and data | Preventive | |
Include an individual's e-mail address in the personal data definition. CC ID 04696 | Privacy protection for information and data | Preventive | |
Include electronic signatures in the personal data definition. CC ID 04697 | Privacy protection for information and data | Preventive | |
Include an individual's payment card information in the personal data definition. CC ID 04751 | Privacy protection for information and data | Preventive | |
Include an individual's credit card number or an individual's debit card number in the personal data definition. CC ID 04693 | Privacy protection for information and data | Preventive | |
Include an individual's payment card service code in the personal data definition. CC ID 04753 | Privacy protection for information and data | Preventive | |
Include an individual's payment card expiration date in the personal data definition. CC ID 04755 | Privacy protection for information and data | Preventive | |
Include the payment transaction data and transaction authentication data in the personal data definition. CC ID 04825 | Privacy protection for information and data | Preventive | |
Include an individual's Individually Identifiable Health Information in the personal data definition. CC ID 04700 | Privacy protection for information and data | Preventive | |
Include an individual's medical history in the personal data definition. CC ID 04701 | Privacy protection for information and data | Preventive | |
Include an individual's medical treatment in the personal data definition. CC ID 04702 | Privacy protection for information and data | Preventive | |
Include an individual's medical diagnosis in the personal data definition. CC ID 04703 | Privacy protection for information and data | Preventive | |
Include an individual's mental condition or an individual's physical condition in the personal data definition. CC ID 04704 | Privacy protection for information and data | Preventive | |
Include an individual's medical record numbers in the personal data definition. CC ID 07121 | Privacy protection for information and data | Preventive | |
Include an individual's health insurance information in the personal data definition. CC ID 04705 | Privacy protection for information and data | Preventive | |
Include an individual's health insurance policy number in the personal data definition. CC ID 04706 | Privacy protection for information and data | Preventive | |
Include an individual's health insurance application and health insurance claims history (including appeals) in the personal data definition. CC ID 04707 | Privacy protection for information and data | Preventive | |
Include an individual's education information in the personal data definition. CC ID 04714 | Privacy protection for information and data | Preventive | |
Include an individual's professional certification numbers or an individual's professional license numbers in the personal data definition. CC ID 07122 | Privacy protection for information and data | Preventive | |
Include an individual's employment information in the personal data definition. CC ID 04715 | Privacy protection for information and data | Preventive | |
Include an employer's Taxpayer Identification Number in the personal data definition. CC ID 04767 | Privacy protection for information and data | Preventive | |
Include an individual's Taxpayer Identification Number in the personal data definition. CC ID 04763 | Privacy protection for information and data | Preventive | |
Include an individual's employment history in the personal data definition. CC ID 04716 | Privacy protection for information and data | Preventive | |
Include an individual's place of employment in the personal data definition. CC ID 04765 | Privacy protection for information and data | Preventive | |
Include an individual's Employee Identification Number in the personal data definition. CC ID 04766 | Privacy protection for information and data | Preventive | |
Include an individual's property information in the personal data definition. CC ID 04780 | Privacy protection for information and data | Preventive | |
Include an individual's property title in the personal data definition. CC ID 04781 | Privacy protection for information and data | Preventive | |
Include an individual's vehicle registration in the personal data definition. CC ID 04782 | Privacy protection for information and data | Preventive | |
Include hardware asset identification information in the personal data definition. CC ID 07123 | Privacy protection for information and data | Preventive | |
Include MAC addresses in the personal data definition. CC ID 04778 | Privacy protection for information and data | Preventive | |
Include Internet Protocol addresses in the personal data definition. CC ID 04777 | Privacy protection for information and data | Preventive | |
Include asset serial numbers in the personal data definition. CC ID 07124 | Privacy protection for information and data | Preventive | |
Include Uniform Resource Locators in the personal data definition. CC ID 07125 | Privacy protection for information and data | Preventive | |
Define specially restricted data. CC ID 00037 | Privacy protection for information and data | Preventive | |
Protect an individual's civil rights during personal data collection and personal data processing. CC ID 00079 | Privacy protection for information and data | Preventive | |
Refrain from compiling data that is likely to give rise to unlawful discrimination or arbitrary discrimination. CC ID 00075 | Privacy protection for information and data | Preventive | |
Refrain from subjecting an individual to a solely automated decision process that produces legal effects based on the evaluation of certain characteristics. CC ID 00080 | Privacy protection for information and data | Preventive | |
Implement a nondiscrimination principle. CC ID 00081 | Privacy protection for information and data | Preventive | |
Include the collection and use of personal data in the nondiscrimination principle. CC ID 11799 | Privacy protection for information and data | Preventive | |
Preserve each individual's right to human dignity. CC ID 00082 | Privacy protection for information and data | Preventive | |
Manage Personal Identification Numbers and PIN verification code numbers. CC ID 00058 | Privacy protection for information and data | Preventive | |
Collect Personal Identification Numbers with the individual's consent. CC ID 00059 | Privacy protection for information and data | Preventive | |
Collect Personal Identification Numbers absent consent when the law mandates. CC ID 00061 | Privacy protection for information and data | Preventive | |
Collect Personal Identification Numbers absent consent for research purposes. CC ID 00065 | Privacy protection for information and data | Preventive | |
Collect Personal Identification Numbers absent consent to realize the rights or duties of the data subject or data controller. CC ID 04792 | Privacy protection for information and data | Preventive | |
Manage health data collection. CC ID 00050 | Privacy protection for information and data | Preventive | |
Collect Individually Identifiable Health Information to provide health care services. CC ID 00052 | Privacy protection for information and data | Preventive | |
Collect Individually Identifiable Health Information when the law dictates. CC ID 00053 | Privacy protection for information and data | Preventive | |
Collect Individually Identifiable Health Information for research. CC ID 00054 | Privacy protection for information and data | Preventive | |
Remove personal data before disclosing health data. CC ID 00055 | Privacy protection for information and data | Preventive | |
Give special attention to collecting children's data. CC ID 00038 | Privacy protection for information and data | Preventive | |
Obtain consent from a parent or legal representative before collecting information from children. CC ID 00041 | Privacy protection for information and data | Preventive | |
Waive verifiable consent from a parent or legal representative for collecting information from children in order to collect online contact information for a one-time only response to a specific request. CC ID 00043 | Privacy protection for information and data | Preventive | |
Waive verifiable consent from a parent or legal representative for collecting information from children in order to request the parent or legal representative's information to obtain consent. CC ID 00044 | Privacy protection for information and data | Preventive | |
Waive verifiable consent from a parent or legal representative for collecting information from children in order to respond to additional requests which do not go beyond the scope of the request. CC ID 00045 | Privacy protection for information and data | Preventive | |
Waive verifiable consent from a parent or legal representative for collecting information from children in order to protect the child's safety. CC ID 00046 | Privacy protection for information and data | Preventive | |
Waive verifiable consent from a parent or legal representative for collecting information from children in order to take liability precautions. CC ID 00047 | Privacy protection for information and data | Preventive | |
Waive verifiable consent from a parent or legal representative for collecting information from children in order to respond to a judicial process. CC ID 00048 | Privacy protection for information and data | Preventive | |
Waive verifiable consent from a parent or legal representative for collecting information from children in order to respond to a request for law enforcement purposes. CC ID 00049 | Privacy protection for information and data | Preventive | |
Waive verifiable consent from a parent or legal representative for collecting information from children in order to protect the website's security or integrity or the online service's security or integrity. CC ID 06199 | Privacy protection for information and data | Preventive | |
Collect personal data directly from the data subject. CC ID 00011 | Privacy protection for information and data | Preventive | |
Create and manage user account aliases to maintain pseudonymity. CC ID 04549 | Privacy protection for information and data | Preventive | |
Provide unlinkability for users and resources. CC ID 04550 | Privacy protection for information and data | Preventive | |
Collect restricted data in a fair and lawful manner. CC ID 00010 | Privacy protection for information and data | Preventive | |
Collect restricted data absent consent for specific and well-documented circumstances. CC ID 00013 | Privacy protection for information and data | Preventive | |
Collect restricted data absent consent when the data collection is in the individual's interests and consent can not be obtained in a timely manner. CC ID 00014 | Privacy protection for information and data | Preventive | |
Collect restricted data absent consent when consent compromises data accuracy. CC ID 00015 | Privacy protection for information and data | Preventive | |
Collect personal data absent consent in order to make a disclosure. CC ID 13550 | Privacy protection for information and data | Preventive | |
Collect personal data absent consent for reasonable investigative purposes. CC ID 11801 | Privacy protection for information and data | Preventive | |
Collect personal data absent consent if the collection is consistent with the intended purpose. CC ID 13548 | Privacy protection for information and data | Preventive | |
Collect personal data absent consent when the personal data was produced by the data subject in the course of employment, business, or profession. CC ID 13544 | Privacy protection for information and data | Preventive | |
Collect personal data absent consent for handling insurance claims. CC ID 13543 | Privacy protection for information and data | Preventive | |
Collect personal data absent consent when the data subject has authorized the collection through another individual. CC ID 00016 | Privacy protection for information and data | Preventive | |
Collect personal data absent consent if the disclosure is to the next of kin or authorized representative. CC ID 15295 | Privacy protection for information and data | Preventive | |
Collect personal data absent consent in order to establish, manage, or terminate employment contracts. CC ID 13614 | Privacy protection for information and data | Preventive | |
Collect personal data absent consent in order to protect the data subject's vital interests. CC ID 15277 | Privacy protection for information and data | Preventive | |
Collect personal data for public interests absent consent in order to protect historical records or archival records. CC ID 15289 | Privacy protection for information and data | Preventive | |
Collect personal data absent consent to administer a trust fund or benefit plan. CC ID 15292 | Privacy protection for information and data | Preventive | |
Collect restricted data absent consent for journalistic purposes, artistic purposes, or literary purposes. CC ID 00017 | Privacy protection for information and data | Preventive | |
Collect personal data absent consent in order to collect a debt owed by the data subject. CC ID 15293 | Privacy protection for information and data | Preventive | |
Collect personal data absent consent for statistical purposes or research purposes and the data subject is not identified. CC ID 00018 | Privacy protection for information and data | Preventive | |
Collect restricted data absent consent from publicly available information. CC ID 00019 | Privacy protection for information and data | Preventive | |
Collect restricted data absent consent when needed by law. CC ID 00020 | Privacy protection for information and data | Preventive | |
Collect personal data absent consent to create a credit report. CC ID 15287 | Privacy protection for information and data | Preventive | |
Collect restricted data absent consent when no potential harm can come to the data subject. CC ID 00021 | Privacy protection for information and data | Preventive | |
Collect personal data absent consent when collecting personal data from the data subject is impossible or the data collection involves a disproportionate effort. CC ID 00022 | Privacy protection for information and data | Preventive | |
Collect the minimum amount of restricted data necessary. CC ID 00078 | Privacy protection for information and data | Preventive | |
Collect restricted data in a proper information framework. CC ID 00009 | Privacy protection for information and data | Preventive | |
Collect and record restricted data for specific, explicit, and legitimate purposes. CC ID 00027 | Privacy protection for information and data | Preventive | |
Collect restricted data when required by law. CC ID 00031 | Privacy protection for information and data | Preventive | |
Collect restricted data to prevent life-threatening emergencies. CC ID 00032 | Privacy protection for information and data | Preventive | |
Collect restricted data relating solely to nonprofit organization members or individuals who are in regular contact during the nonprofit organization's activities. CC ID 00034 | Privacy protection for information and data | Preventive | |
Collect restricted data for legal purposes. CC ID 00036 | Privacy protection for information and data | Preventive | |
Prohibit personal data from being sent by e-mail or instant messaging. CC ID 00565 | Privacy protection for information and data | Preventive | |
Establish, implement, and maintain record structures to support information confidentiality. CC ID 00360 | Privacy protection for information and data | Preventive | |
Automate the disposition process for records that contain "do not store" data or "delete after transaction process" data. CC ID 06083 | Privacy protection for information and data | Preventive | |
Limit data leakage. CC ID 00356 | Privacy protection for information and data | Preventive | |
Establish, implement, and maintain suspicious personal data procedures. CC ID 04853 | Privacy protection for information and data | Detective | |
Compare certain personal data such as name, date of birth, address, driver's license, or other identification against personal data on file for the applicant. CC ID 04855 | Privacy protection for information and data | Detective | |
Match consumer reports with current accounts on file to ensure account misuse or information misuse has not occurred. CC ID 04873 | Privacy protection for information and data | Detective | |
Send change notices for change of address requests to the old address and the new address. CC ID 04877 | Privacy protection for information and data | Detective | |
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
---|---|---|---|
Assign the appropriate roles to all applicable compliance documents. CC ID 06284 | Leadership and high level objectives | Preventive | |
Assign the approval of compliance exceptions to the appropriate roles inside the organization. CC ID 06443 | Leadership and high level objectives | Preventive | |
Define the Information Assurance strategic roles and responsibilities. CC ID 00608 | Leadership and high level objectives | Preventive | |
Establish and maintain a compliance oversight committee. CC ID 00765 [The governing body should direct and oversee the organization to ensure accountability is practised throughout (see 6.4). § 6.5.3.3 ¶ 2 {be effective} Depending on the size of the organization, governing bodies can create committees to help them fulfil their obligations. These committees can be statutory or voluntary. In either case, they should provide the governing body with additional capacity, skills, independence, diversity and/or stakeholder representation. If a governing body makes use of supporting committees, the governing body should ensure that it effectively delegates the necessary responsibilities and authority to such committees. § 4.3.1 ¶ 2] | Leadership and high level objectives | Detective | |
Assign the review of project plans for critical projects to the compliance oversight committee. CC ID 01182 | Leadership and high level objectives | Preventive | |
Assign the corporate governance of Information Technology to the compliance oversight committee. CC ID 01178 | Leadership and high level objectives | Preventive | |
Assign the review of Information Technology policies and procedures to the compliance oversight committee. CC ID 01179 | Leadership and high level objectives | Preventive | |
Involve the Board of Directors or senior management in Information Governance. CC ID 00609 | Leadership and high level objectives | Preventive | |
Assign reviewing and approving Quality Management standards to the appropriate oversight committee. CC ID 07192 | Leadership and high level objectives | Preventive | |
Define the roles and responsibilities for personnel assigned to tasks in the Audit function. CC ID 00678 [{individual}To provide effective oversight of the organization, in addition to the reports it receives from those to whom they have delegated, the governing body should assure itself that the governance system is appropriately designed and operating as intended. If the governing body cannot assure itself directly, then it should utilize additional means of independent assurance. The governing body should: carefully scrutinize the reporting lines of those who provide assurance internally, to safeguard their independence and authority (see NOTE 1); § 6.4.3.3 ¶ 1 d)] | Audits and risk management | Preventive | |
Assign the roles and responsibilities for the Board of Directors and senior management in the Audit function. CC ID 00679 [To provide effective oversight of the organization, in addition to the reports it receives from those to whom they have delegated, the governing body should assure itself that the governance system is appropriately designed and operating as intended. If the governing body cannot assure itself directly, then it should utilize additional means of independent assurance. The governing body should: demonstrate its commitment to assurance and communicate appropriately and clearly, throughout the organization, about its assurance system. § 6.4.3.3 ¶ 1 g)] | Audits and risk management | Preventive | |
Assign the internal audit staff to be independent from business units reporting to the Board of Directors. CC ID 01184 | Audits and risk management | Preventive | |
Define and assign the internal audit manager's roles and responsibilities. CC ID 00680 | Audits and risk management | Preventive | |
Assign the internal audit manager's compensation and performance review to the Board of Directors or audit committee. CC ID 01186 | Audits and risk management | Preventive | |
Define and assign the internal audit staff's roles and responsibilities. CC ID 00681 | Audits and risk management | Preventive | |
Assign the responsibility for operating an internal control system to the internal audit staff. CC ID 01187 | Audits and risk management | Preventive | |
Define and assign the external auditor's roles and responsibilities. CC ID 00683 | Audits and risk management | Preventive | |
Assign the audit to impartial auditors. CC ID 07118 [The governing body should: assess its own competence, structures and processes, including drawing on the support of experienced, independent professionals, with respect to, for example, the adequacy of its effectiveness, efficiency, composition and its member succession plans; § 4.3.2 ¶ 2 d) To provide effective oversight of the organization, in addition to the reports it receives from those to whom they have delegated, the governing body should assure itself that the governance system is appropriately designed and operating as intended. If the governing body cannot assure itself directly, then it should utilize additional means of independent assurance. The governing body should: § 6.4.3.3 ¶ 1] | Audits and risk management | Preventive | |
Notify interested personnel and affected parties participating in the audit of their roles and responsibilities during the audit. CC ID 07151 | Audits and risk management | Preventive | |
Define and assign the roles and responsibilities for the risk assessment framework, as necessary. CC ID 06456 [The governing body should ensure that the organizational risk framework, in respect to the management of risk: defines the responsibilities of the governing body and associated delegation across the organization; § 6.9.3.2 ¶ 2 e)] | Audits and risk management | Preventive | |
Assign Information System access authorizations if implementing segregation of duties. CC ID 06323 | Technical security | Preventive | |
Include restoration procedures in the continuity plan. CC ID 01169 [The organization's viability and performance over time depends on the resilience of natural environmental, social and economic systems in which the organization operates. The resilience of these systems benefits from governing body decisions when such decisions consider: actively contribute to conserving and restoring these systems. § 6.11.3.1 ¶ 1 Bullet 2] | Operational and Systems Continuity | Preventive | |
Establish, implement, and maintain high level operational roles and responsibilities. CC ID 00806 [{be effective} Depending on the size of the organization, governing bodies can create committees to help them fulfil their obligations. These committees can be statutory or voluntary. In either case, they should provide the governing body with additional capacity, skills, independence, diversity and/or stakeholder representation. If a governing body makes use of supporting committees, the governing body should ensure that it effectively delegates the necessary responsibilities and authority to such committees. § 4.3.1 ¶ 2] | Human Resources management | Preventive | |
Define and assign the head of Information Security's roles and responsibilities. CC ID 06091 | Human Resources management | Preventive | |
Define and assign the Board of Directors roles and responsibilities and senior management roles and responsibilities, including signing off on key policies and procedures. CC ID 00807 [The governing body can delegate but still remains accountable for what it has delegated and always remains responsible for the organization as a whole. § 4.2.2 ¶ 1 The governing body should establish governance policies and ensure that these: clarify the manner in which the governing body itself is to operate and govern the organization; § 6.3.3.1.2 ¶ 1 f) {individual}{hold accountable} The governing body should demonstrate its willingness to answer for the fulfilment of its responsibilities, even where these have been delegated. The governing body should also report on the manner in which it holds to account those to whom it has delegated. § 6.5.3.1 ¶ 1 Governance is exercised throughout the organization by governing groups, including: the governing body; § 4.2.1 ¶ 1 Bullet 2 At all times, the governing body should act collectively, performing many interrelated activities in order to exercise its authority and fulfil its accountability. Members of the governing body should act with probity and in the best interests of the organization while applying the principles in this document. § 4.3.1 ¶ 3 {individual}{hold accountable} The governing body should demonstrate its accountability to the organization as a whole and hold to account those to whom it has delegated. Table 1 Column 4 Row 6 The governing body should engage with strategic planning by: establishing clarity about its role in the strategic planning process; § 6.3.3.2.1 ¶ 1 a) The governing body is accountable for ensuring that the organization fulfils the defined organizational purpose and should ensure that the organization does so in a manner which demonstrates the defined organizational values. § 6.1.3.4 ¶ 1 {individual}{hold accountable} The governing body should demonstrate its accountability to the organization as a whole and hold to account those to whom it has delegated. § 6.5.1 ¶ 1 Within the governing body: The governing body should set expectations for itself and the organization, including parameters within which these expectations are to be fulfilled. The governing body should fulfil these expectations (internal alignment). § 6.7.3.2 ¶ 1 a)] | Human Resources management | Preventive | |
Assign senior management to the role of authorizing official. CC ID 14238 | Human Resources management | Preventive | |
Define and assign the Chief Information Officer's roles and responsibilities. CC ID 00808 | Human Resources management | Preventive | |
Define and assign the Information Technology staff's roles and responsibilities. CC ID 00809 | Human Resources management | Preventive | |
Define and assign the business unit manager's roles and responsibilities. CC ID 00810 | Human Resources management | Preventive | |
Define and assign the Facility Security Officer's roles and responsibilities. CC ID 01887 | Human Resources management | Preventive | |
Define and assign the technology security leader's roles and responsibilities. CC ID 01897 | Human Resources management | Preventive | |
Define and assign the property management leader's roles and responsibilities. CC ID 00669 | Human Resources management | Preventive | |
Define and assign the Archives and Records Management oversight's roles and responsibilities. CC ID 00697 | Human Resources management | Preventive | |
Define and assign the Privacy Officer's roles and responsibilities. CC ID 00714 | Human Resources management | Preventive | |
Define and assign critical facility management personnel's roles and responsibilities. CC ID 06381 | Human Resources management | Preventive | |
Define and assign the Chief Security Officer's roles and responsibilities. CC ID 06431 | Human Resources management | Preventive | |
Assign a contact person to all business units. CC ID 07144 | Human Resources management | Preventive | |
Assign roles and responsibilities for physical security, as necessary. CC ID 13113 | Human Resources management | Preventive | |
Identify and define all critical roles. CC ID 00777 | Human Resources management | Preventive | |
Assign cybersecurity reporting responsibilities to qualified personnel. CC ID 12739 | Human Resources management | Preventive | |
Assign the role of security management to applicable controls. CC ID 06444 | Human Resources management | Preventive | |
Define and assign the data controller's roles and responsibilities. CC ID 00471 | Human Resources management | Preventive | |
Assign the role of data controller to applicable controls. CC ID 00354 | Human Resources management | Preventive | |
Assign the role of data controller to additional personnel, as necessary. CC ID 00473 | Human Resources management | Preventive | |
Assign the role of Information Technology operations to applicable controls. CC ID 00682 | Human Resources management | Preventive | |
Assign the role of logical access control to applicable controls. CC ID 00772 | Human Resources management | Preventive | |
Assign the role of asset physical security to applicable controls. CC ID 00770 | Human Resources management | Preventive | |
Assign the role of data custodian to applicable controls. CC ID 04789 | Human Resources management | Preventive | |
Assign the role of the Quality Management committee to applicable controls. CC ID 00769 | Human Resources management | Preventive | |
Assign interested personnel to the Quality Management committee. CC ID 07193 | Human Resources management | Preventive | |
Assign personnel to a crime prevention unit and announce the members of the unit. CC ID 06348 | Human Resources management | Preventive | |
Assign the role of fire protection management to applicable controls. CC ID 04891 | Human Resources management | Preventive | |
Assign the role of Information Technology Service Continuity Management to applicable controls. CC ID 04894 | Human Resources management | Preventive | |
Assign the role of the Computer Emergency Response Team to applicable controls. CC ID 04895 | Human Resources management | Preventive | |
Assign the role of CRYPTO custodian to applicable controls. CC ID 06723 | Human Resources management | Preventive | |
Assign security clearance procedures to qualified personnel. CC ID 06812 | Human Resources management | Preventive | |
Assign personnel screening procedures to qualified personnel. CC ID 11699 | Human Resources management | Preventive | |
Establish and maintain the staff structure in line with the strategic plan. CC ID 00764 [When delegating, the governing body should delegate in a manner which increases trust and transparency. For delegation and accountability (see 6.5) to be effective, the governing body should ensure that the following conditions are fulfilled: authority matches the level of responsibility, which includes the autonomy to make and fulfil plans to achieve the agreed outcomes within the established parameters; § 4.2.2 ¶ 2 c) Decision-making throughout the organization should be supported by appropriate delegation (see 4.2.2). This delegation should be formalized together with appropriate assurance processes. Additionally, the governing body should ensure that: the authority matches the level of responsibility associated with the decisions being made; § 6.8.3.2.2 ¶ 1 a) Delegation should be formalized together with the appropriate assurance processes. Limits of decision-making authority should be applied in response to assessed risk. § 4.2.2 ¶ 5 Decision-making throughout the organization should be supported by appropriate delegation (see 4.2.2). This delegation should be formalized together with appropriate assurance processes. Additionally, the governing body should ensure that: § 6.8.3.2.2 ¶ 1 {hold accountable}{individual} The governing body should hold to account those to whom it has delegated (see 4.2.2). The governing body should ask questions, exercise its judgement, implement consequences, affect improvements and ensure that is equipped to do so. When doing so, the governing body should practise integrity, fairness and transparency. § 6.5.3.3 ¶ 1] | Human Resources management | Preventive | |
Document and communicate role descriptions to all applicable personnel. CC ID 00776 | Human Resources management | Detective | |
Rotate duties amongst the critical roles and positions. CC ID 06554 | Human Resources management | Preventive | |
Refrain from assigning security compliance assessment responsibility for the day-to-day production activities an individual performs. CC ID 12061 | Human Resources management | Preventive | |
Assign ownership of the internal control framework to the appropriate organizational role. CC ID 06437 | Operational management | Preventive | |
Define and assign the roles and responsibilities for interested personnel and affected parties when establishing, implementing, and maintaining the internal control framework. CC ID 07146 [Decision-making throughout the organization should be supported by appropriate delegation (see 4.2.2). This delegation should be formalized together with appropriate assurance processes. Additionally, the governing body should ensure that: § 6.8.3.2.2 ¶ 1] | Operational management | Preventive | |
Assign ownership of the information security program to the appropriate role. CC ID 00814 | Operational management | Preventive | |
Classify assets according to the Asset Classification Policy. CC ID 07186 | Operational management | Preventive | |
Apply asset protection mechanisms for all assets according to their assigned Asset Classification Policy. CC ID 07184 | Operational management | Preventive | |
Establish, implement, and maintain data processing integrity controls. CC ID 00923 [The governing body should make decisions of requisite quality and ensure that its decision-making is appropriately informed. The governing body should: ensure that assurance is provided over the integrity of the data and information received, and in particular its accuracy and completeness; § 6.8.3.2.1 ¶ 1 g)] | Records management | Preventive | |
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
---|---|---|---|
Establish, implement, and maintain communication protocols. CC ID 12245 [The governing body should consider the expectations of relevant stakeholder groups whether the organization is obliged to do so (e.g. member stakeholders, regulators) or whether it chooses to do so (e.g. reference stakeholders). The governing body should ensure that: an open and transparent communication culture within the organization is created and maintained to help bridge the gap between diverse stakeholder groups and varying perspectives based on, for example, gender, age, belief systems or cognitive abilities; § 6.6.3 ¶ 3 e) The governing body should ensure that the organization's value generation model (see 6.2): identifies the key resources (e.g. capitals such as human, social and relational, intellectual, the natural environmental, financial and manufactured), structures, processes, relationships, information, decision-making, reporting and other aspects of the organization that allow it to create sustained value for relevant stakeholders; § 6.11.3.2 ¶ 1 a) Assurance processes that inform the governing body independently and accurately include: whistleblowing processes and personnel and customer feedback mechanisms, both formal and informal (see NOTE 3). § 6.4.3.3 ¶ 2 Bullet 5] | Leadership and high level objectives | Preventive | |
Align the information being disseminated and communicated with the communication requirements according to the organization's communication protocol. CC ID 12419 [{be within}To demonstrate accountability, the governing body should ensure that the organization's reports and disclosures: are transparent but also within the limits of confidentiality; § 6.5.3.2 ¶ 1 f) The governing body should make decisions of requisite quality and ensure that its decision-making is appropriately informed. The governing body should: exercise its right and responsibility to determine and receive the information it requires, including determining the appropriate data collection methods, preparation and timely delivery of information; § 6.8.3.2.1 ¶ 1 f)] | Leadership and high level objectives | Preventive | |
Include external requirements in the organization's communication protocol. CC ID 12418 | Leadership and high level objectives | Preventive | |
Include input from interested personnel and affected parties as a part of the organization's communication protocol. CC ID 12417 [When defining the organizational values, the governing body should ensure that: all relevant stakeholders are engaged; § 6.1.3.3 ¶ 1 a) For accountability to be effective, it relies on effective stakeholder engagement (see 6.6) as this is the basis for effective dialogue, value generation and improvement. The governing body should be available to answer to relevant stakeholders about decisions made and have responses evaluated. Improvements should be applied as the result of feedback from reporting, disclosure and dialogue activities. § 6.5.3.2 ¶ 3 The governing body should ensure that the organization's stakeholders are appropriately engaged and their expectations considered. § 6.6.1 ¶ 1 The governing body should ensure that the organization's stakeholders are identified, prioritized, appropriately engaged, consulted and their expectations understood. The governing body should do this to ensure that stakeholder relationships are effective and appropriate decisions about expectations are made to achieve the intended value generation objectives. § 6.6.3 ¶ 1 {stakeholder engagement process}To ensure that the organization is acting in a socially responsible way, the governing body should: ensure that the expectations of stakeholders are clearly understood; this includes continually engaging relevant stakeholders through an engagement process and a highly developed approach to accountability (see 6.5); § 6.10.3 ¶ 1 a) To ensure that the organization is acting in a socially responsible way, the governing body should: engage with all relevant stakeholders when establishing and reviewing governance policies; § 6.10.3 ¶ 1 e) The governing body should ensure that the organization's stakeholders are appropriately engaged and their expectations considered. Table 1 Column 4 Row 7 {be responsible}{be accurate}The governing body should ensure that the organizational risk framework, in respect to the management of risk: mandates that relevant stakeholders are engaged responsibly and accurately, and considers the organization's positive and negative risk impacts on them (see 6.6). § 6.9.3.2 ¶ 2 h) The governing body should consider the expectations of relevant stakeholder groups whether the organization is obliged to do so (e.g. member stakeholders, regulators) or whether it chooses to do so (e.g. reference stakeholders). The governing body should ensure that: relevant stakeholders are engaged in achieving the organizational purpose via its organizational strategy; § 6.6.3 ¶ 3 a) To ensure that the organization is acting in a socially responsible way, the governing body should: engage with all relevant stakeholders when determining and reviewing the organizational values and promote the organizational values to stakeholders; § 6.10.3 ¶ 1 d) {environmental system}{social system} The governing body should ensure that the organization protects and restores those systems on which it depends. In this regard, the governing body should consider and manage risk associated with those decisions it makes that can impact the natural environmental, social and economic systems (see 6.9). While doing so, the governing body should ensure that relevant stakeholders are consulted and engaged (see 6.6). This should provide clarity regarding the impact the governing body's decisions have, over time, on those aspects on which the organization is: § 6.11.3.4 ¶ 1] | Leadership and high level objectives | Preventive | |
Document the findings from surveys. CC ID 16309 | Leadership and high level objectives | Preventive | |
Establish, implement, and maintain warning procedures that follow the organization's communication protocol. CC ID 12407 | Leadership and high level objectives | Preventive | |
Establish, implement, and maintain alert procedures that follow the organization's communication protocol. CC ID 12406 | Leadership and high level objectives | Preventive | |
Enforce a precision level for non-financial reporting based on user need and appropriate supply chain criteria. CC ID 12399 | Leadership and high level objectives | Preventive | |
Define the thresholds for escalation in the internal reporting program. CC ID 14332 | Leadership and high level objectives | Preventive | |
Define the thresholds for reporting in the internal reporting program. CC ID 14331 | Leadership and high level objectives | Preventive | |
Define the thresholds for reporting in the external reporting program. CC ID 15679 | Leadership and high level objectives | Preventive | |
Include information about the organizational culture in the external reporting program. CC ID 15610 [To demonstrate accountability, the governing body should ensure that the organization's reports and disclosures: provide information about the organization, including: the organizational culture, including the organizational behaviour and perceptions of the organization's behaviour provided by relevant stakeholders; § 6.5.3.2 ¶ 1 c) 5)] | Leadership and high level objectives | Preventive | |
Include the reasons for objections to public disclosure in confidential treatment applications. CC ID 16594 | Leadership and high level objectives | Preventive | |
Include contact information for the interested personnel and affected parties the report was filed with in the confidential treatment application. CC ID 16595 | Leadership and high level objectives | Preventive | |
Include the information that was omitted in the confidential treatment application. CC ID 16593 | Leadership and high level objectives | Preventive | |
Develop instructions for setting organizational objectives and strategies. CC ID 12931 | Leadership and high level objectives | Preventive | |
Establish, implement, and maintain organizational objectives. CC ID 09959 [Leadership styles can differ, but they all involve the setting of expectations which others follow. Since the governing body is accountable for the whole organization, including its behaviour, decisions and activities, the governing body should set those expectations it requires the organization to follow, including the parameters within which the organization is to do so. These expectations should be set mindfully and intentionally, considering the context within which the organization operates. § 6.7.3.1 ¶ 1 Within the organization: The organization should fulfil the expectations set by the governing body. § 6.7.3.2 ¶ 1 b) {social context} The governing body should define the organization's value generation objectives such that they fulfil the organizational purpose in accordance with the organizational values and the natural environment, social and economic context within which it operates. This should include iterations of identifying relevant stakeholder groups and determining, prioritizing and formulating objectives which meet the expectations of these groups. § 6.2.3.2 ¶ 1 The governing body should provide the organization with an understanding of its intentions by setting clear strategic outcomes and guidance on the organizational strategy to achieve these outcomes, which it has determined will fulfil the organizational purpose and value generation objectives. § 6.3.3.1.1 ¶ 1 Within the governing body: The governing body should set expectations for itself and the organization, including parameters within which these expectations are to be fulfilled. The governing body should fulfil these expectations (internal alignment). § 6.7.3.2 ¶ 1 a)] | Leadership and high level objectives | Preventive | |
Establish, implement, and maintain a value generation model. CC ID 15591 [When applying the governance principles and deciding how to appropriately implement the practices, the governing body should take into consideration the unique and dynamic nature of the organization and its context, including the following: value generation model and organizational strategy; § 5 ¶ 5 Bullet 5 {external context}The governing body should ensure that the organizational risk framework, in respect to the management of risk: considers the impact of, changes to and dependencies on the external and internal context of the organization, including: the value generation model; § 6.9.3.2 ¶ 2 d) 5) The governing body should ensure that an overarching value generation model is determined for the organization and is appropriately communicated. § 6.2.3.1 ¶ 1 {internal context}When setting the strategic outcomes and guiding the organizational strategy, the governing body should consider the organization's internal and external context, including: the organizational purpose, the application of the organizational values and the organization's value generation model; § 6.3.3.1.1 ¶ 2 a) Therefore, the governing body should: ensure that interactions and dependencies within the organization's value generation model are articulated in an integrated manner; § 6.11.3.1 ¶ 2 a) {social issue} In determining the value generation model, the governing body should understand the context in which the organization operates over time, including stakeholder expectations, regulatory frameworks, technological change, and the present and potential future natural environment, social and economic issues. The governing body should also ensure that the organization's value generation model continues to be viable and responds to changing conditions. § 6.2.3.1 ¶ 3 The governing body should ensure that the organization's value generation model (see 6.2): describes how the organization's key structures, processes, relationships, information, decision-making, reporting and other aspects inter-relate and are used to generate value over time. § 6.11.3.2 ¶ 1 b)] | Leadership and high level objectives | Preventive | |
Include value distribution in the value generation model. CC ID 15603 [{procedure}This value generation model should clarify: how the value generated is to be retained and distributed (sustain). § 6.2.3.1 ¶ 2 Bullet 4 {be viable} The governing body should ensure that value is retained and distributed in a manner that ensures that the organization is agile, viable over time and achieves its value generation objectives. § 6.2.3.5 ¶ 1 The governing body should demonstrate accountability by retaining and distributing value in a transparent manner and reporting on the associated processes, decisions and results, including on the extent of the organization's impacts over time. This includes disclosing to relevant stakeholders where the organization has destroyed or compromised value, providing a justification for such where appropriate, and describing how it will redress or reinstate that value. § 6.2.3.5 ¶ 2] | Leadership and high level objectives | Preventive | |
Include value retention in the value generation model. CC ID 15600 [{procedure}This value generation model should clarify: how the value generated is to be retained and distributed (sustain). § 6.2.3.1 ¶ 2 Bullet 4 {be viable} The governing body should ensure that value is retained and distributed in a manner that ensures that the organization is agile, viable over time and achieves its value generation objectives. § 6.2.3.5 ¶ 1 The governing body should demonstrate accountability by retaining and distributing value in a transparent manner and reporting on the associated processes, decisions and results, including on the extent of the organization's impacts over time. This includes disclosing to relevant stakeholders where the organization has destroyed or compromised value, providing a justification for such where appropriate, and describing how it will redress or reinstate that value. § 6.2.3.5 ¶ 2] | Leadership and high level objectives | Preventive | |
Include value generation procedures in the value generation model. CC ID 15599 [{procedure}This value generation model should clarify: how the organization should generate that value (create); § 6.2.3.1 ¶ 2 Bullet 2 The governing body should ensure that the organization's value generation model (see 6.2): identifies the key resources (e.g. capitals such as human, social and relational, intellectual, the natural environmental, financial and manufactured), structures, processes, relationships, information, decision-making, reporting and other aspects of the organization that allow it to create sustained value for relevant stakeholders; § 6.11.3.2 ¶ 1 a) {procedure}This value generation model should clarify: how the generation of value will be assured (deliver); § 6.2.3.1 ¶ 2 Bullet 3] | Leadership and high level objectives | Preventive | |
Establish, implement, and maintain value generation objectives. CC ID 15583 [Effective performance — The organization: generates value for stakeholders; § 5 ¶ 2 a) 3) {member stakeholder}{reference stakeholder}{be fair} The governing body should treat, and ensure that the organization treats, all stakeholders fairly and should consider the expectations of relevant stakeholders. The governing body should ensure that the organizational purpose (see 6.1) and the intended value to be generated (see 6.2) are defined through engagement with member, reference and other relevant stakeholders § 4.2.5 ¶ 1 Governance of organizations is a human-based system by which an organization is directed, overseen and held accountable for achieving its defined organizational purpose. At its core this includes: determining the organization's approach to value generation; § 4.1 ¶ 3 b) {social context}{economic context} The governing body should define the organization's value generation objectives such that they fulfil the organizational purpose in accordance with the organizational values and the natural environment, social, and economic context within which it operates. Table 1 Column 4 Row 3 {social context}{economic context} The governing body should define the organization's value generation objectives such that they fulfil the organizational purpose in accordance with the organizational values and the natural environment, social and economic context within which it operates. § 6.2.1 ¶ 1 This value generation model should clarify: what value the organization is intending to generate (define); § 6.2.3.1 ¶ 2 Bullet 1 {social context} The governing body should define the organization's value generation objectives such that they fulfil the organizational purpose in accordance with the organizational values and the natural environment, social and economic context within which it operates. This should include iterations of identifying relevant stakeholder groups and determining, prioritizing and formulating objectives which meet the expectations of these groups. § 6.2.3.2 ¶ 1 The governing body should ensure that the value generation objectives are delivered by the organization as a whole, by applying all other principles in this document. This includes ensuring that: § 6.2.3.4 ¶ 1 {internal context}When setting the strategic outcomes and guiding the organizational strategy, the governing body should consider the organization's internal and external context, including: the defined value generation objectives; § 6.3.3.1.1 ¶ 2 d) The governing body should actively and dynamically steer the implementation of the organizational strategy, within the defined governance policies, including organizational values, and changing risk context, to fulfil the organizational purpose. The governing body should also steer the strategy so that the generation of value in the present context is balanced with the innovation required to generate value in the future. § 6.3.3.2.2 ¶ 1 The governing body should ensure that the value generation objectives are delivered by the organization as a whole, by applying all other principles in this document. This includes ensuring that: assurance is obtained on the realization of the value generation objectives. § 6.2.3.4 ¶ 1 c)] | Leadership and high level objectives | Preventive | |
Establish, implement, and maintain social responsibility objectives. CC ID 15611 [The governing body should ensure that the organization considers undertaking specific measures to contribute to the wellbeing of society. Philanthropy can have a positive impact on society. However, it should not be used by an organization as a substitute for integrating social responsibility into the organization (see ISO 26000:2010, 3.3.4). § 6.10.3 ¶ 3] | Leadership and high level objectives | Preventive | |
Establish and maintain a Mission, Vision, and Values Statement. CC ID 12783 [{be dynamic}{be sensitive}The governing body should ensure that: the organizational purpose remains dynamic and sensitive to the changing context within which the organization operates. § 6.1.3.2 ¶ 2 Bullet 4 When applying the governance principles and deciding how to appropriately implement the practices, the governing body should take into consideration the unique and dynamic nature of the organization and its context, including the following: organizational purpose and organizational values; § 5 ¶ 5 Bullet 1 {external context}The governing body should ensure that the organizational risk framework, in respect to the management of risk: considers the impact of, changes to and dependencies on the external and internal context of the organization, including: the organizational purpose; § 6.9.3.2 ¶ 2 d) 3) {external context}The governing body should ensure that the organizational risk framework, in respect to the management of risk: considers the impact of, changes to and dependencies on the external and internal context of the organization, including: the organizational values; § 6.9.3.2 ¶ 2 d) 4) Governance of organizations is a human-based system by which an organization is directed, overseen and held accountable for achieving its defined organizational purpose. At its core this includes: setting and committing to the organizational purpose and organizational values; § 4.1 ¶ 3 a) Having defined the organizational values, the governing body should ensure that these organizational values are being demonstrated and are an active part of decision-making. The governing body should use these organizational values to determine the manner in which the organizational purpose is to be pursued and the value generation objectives are to be achieved (see 6.2). The governing body remains responsible for ensuring that the organizational values are monitored and reviewed, and should assess whether the organizational values remain aligned to, and support, the organizational purpose. The effectiveness of the organizational values will be evident in the culture of the organization. § 6.1.3.3 ¶ 2 Effective performance — The organization: is true to its purpose; § 5 ¶ 2 a) 1)] | Leadership and high level objectives | Preventive | |
Include the vision statement in the Mission, Vision, and Values Statement. CC ID 12839 | Leadership and high level objectives | Preventive | |
Include the mission statement in the Mission, Vision, and Values Statement. CC ID 12838 [{member stakeholder}{reference stakeholder}{be fair} The governing body should treat, and ensure that the organization treats, all stakeholders fairly and should consider the expectations of relevant stakeholders. The governing body should ensure that the organizational purpose (see 6.1) and the intended value to be generated (see 6.2) are defined through engagement with member, reference and other relevant stakeholders § 4.2.5 ¶ 1 To ensure that the organization is acting in a socially responsible way, the governing body should: ensure that the organizational purpose expresses the organization's approach to stakeholders; § 6.10.3 ¶ 1 c) The governing body should ensure that: the essence of the organizational purpose is documented in a summary statement to promote effective communication and to assess and determine organization-wide actions and success; § 6.1.3.2 ¶ 2 Bullet 1 The governing body should ensure that the organization's reason for existence is clearly defined as an organizational purpose. This organizational purpose should define the organization's intentions towards the natural environment, society and the organization's stakeholders. The governing body should also ensure that an associated set of organizational values is clearly defined. § 6.1.1 ¶ 1 The governing body should ensure that the organizational purpose and organizational values are defined, communicated and embedded. § 6.1.3.1 ¶ 1 Defining the organizational purpose involves identifying the issues and stakeholders for which the organization exists to serve and the negative impacts that are to be avoided. When identifying these, the governing body should ensure that the following are considered: existing documentation relating to the organizational purpose and the scope of the organization's activities, such as constituting documents or other artefacts; § 6.1.3.2 ¶ 1 a) {internal context}When setting the strategic outcomes and guiding the organizational strategy, the governing body should consider the organization's internal and external context, including: the organizational purpose, the application of the organizational values and the organization's value generation model; § 6.3.3.1.1 ¶ 2 a) The governing body should ensure that the organization's reason for existence is clearly defined as an organizational purpose. This organizational purpose should define the organization's intentions towards the natural environment, society and the organization's stakeholders. The governing body should also ensure that an associated set of organizational values is clearly defined. Table 1 Column 4 Row 2] | Leadership and high level objectives | Preventive | |
Include management commitment in the Mission, Vision, and Values Statement. CC ID 12808 | Leadership and high level objectives | Preventive | |
Include the value statement in the Mission, Vision, and Values Statement. CC ID 12807 [Defining the organizational purpose involves identifying the issues and stakeholders for which the organization exists to serve and the negative impacts that are to be avoided. When identifying these, the governing body should ensure that the following are considered: the historic, current and aspirational core identity of the organization, including the organizational values and expected ethical behaviour; § 6.1.3.2 ¶ 1 b) The governing body should ensure that the organization's reason for existence is clearly defined as an organizational purpose. This organizational purpose should define the organization's intentions towards the natural environment, society and the organization's stakeholders. The governing body should also ensure that an associated set of organizational values is clearly defined. § 6.1.1 ¶ 1 The governing body should ensure that the organizational purpose and organizational values are defined, communicated and embedded. § 6.1.3.1 ¶ 1 The governing body should ensure that the organization's reason for existence is clearly defined as an organizational purpose. This organizational purpose should define the organization's intentions towards the natural environment, society and the organization's stakeholders. The governing body should also ensure that an associated set of organizational values is clearly defined. Table 1 Column 4 Row 2] | Leadership and high level objectives | Preventive | |
Include environmental factors in the Mission, Vision, and Values Statement. CC ID 15590 [The governing body should ensure that the organization's reason for existence is clearly defined as an organizational purpose. This organizational purpose should define the organization's intentions towards the natural environment, society and the organization's stakeholders. The governing body should also ensure that an associated set of organizational values is clearly defined. § 6.1.1 ¶ 1 The governing body should ensure that the organization's reason for existence is clearly defined as an organizational purpose. This organizational purpose should define the organization's intentions towards the natural environment, society and the organization's stakeholders. The governing body should also ensure that an associated set of organizational values is clearly defined. Table 1 Column 4 Row 2] | Leadership and high level objectives | Preventive | |
Include societal factors in the Mission, Vision, and Values Statement. CC ID 15605 [The governing body should ensure that the organization's reason for existence is clearly defined as an organizational purpose. This organizational purpose should define the organization's intentions towards the natural environment, society and the organization's stakeholders. The governing body should also ensure that an associated set of organizational values is clearly defined. § 6.1.1 ¶ 1 The governing body should ensure that the organization's reason for existence is clearly defined as an organizational purpose. This organizational purpose should define the organization's intentions towards the natural environment, society and the organization's stakeholders. The governing body should also ensure that an associated set of organizational values is clearly defined. Table 1 Column 4 Row 2] | Leadership and high level objectives | Preventive | |
Include stakeholder requirements in the Mission, Vision, and Values Statement. CC ID 15586 [The governing body should ensure that the organization's reason for existence is clearly defined as an organizational purpose. This organizational purpose should define the organization's intentions towards the natural environment, society and the organization's stakeholders. The governing body should also ensure that an associated set of organizational values is clearly defined. § 6.1.1 ¶ 1 The governing body should ensure that the organization's reason for existence is clearly defined as an organizational purpose. This organizational purpose should define the organization's intentions towards the natural environment, society and the organization's stakeholders. The governing body should also ensure that an associated set of organizational values is clearly defined. Table 1 Column 4 Row 2] | Leadership and high level objectives | Preventive | |
Document and communicate the linkage between organizational objectives, functions, activities, and general controls. CC ID 12398 [To demonstrate accountability, the governing body should ensure that the organization's reports and disclosures: provide information about the organization, including: the organization's performance in fulfilling the organizational purpose; § 6.5.3.2 ¶ 1 c) 1) To ensure that the organization is acting in a socially responsible way, the governing body should: report the organization's social responsibility objectives clearly and transparently so that stakeholders can understand these objectives, how they are being met and what performance is being achieved against them, as well as provide the necessary evidence to support such claims; § 6.10.3 ¶ 1 h) The governing body should ensure that the organization's value generation model (see 6.2): identifies the key resources (e.g. capitals such as human, social and relational, intellectual, the natural environmental, financial and manufactured), structures, processes, relationships, information, decision-making, reporting and other aspects of the organization that allow it to create sustained value for relevant stakeholders; § 6.11.3.2 ¶ 1 a) The governing body should ensure that when the organization reports and discloses its value generation model (see 6.2 and 6.5) these include: the integrated view of the relationships between the organization's value generation model and the systems on which this depends (and which the organization also affects through its value generation); § 6.11.3.4 ¶ 2 a) The governing body is accountable for ensuring that the organization fulfils the defined organizational purpose and should ensure that the organization does so in a manner which demonstrates the defined organizational values. § 6.1.3.4 ¶ 1 The governing body should ensure that the organization's value generation model (see 6.2): describes how the organization's key structures, processes, relationships, information, decision-making, reporting and other aspects inter-relate and are used to generate value over time. § 6.11.3.2 ¶ 1 b) Be open about decisions and activities that affect the natural environment, society and the economy, and be willing to communicate these in a clear, accurate, timely, honest and complete manner. Table 2 Column 2 Row 4 Bullet 1] | Leadership and high level objectives | Preventive | |
Establish, implement, and maintain data governance and management practices. CC ID 14998 [The governing body should recognize data as a valuable resource for decision-making by the governing body, the organization and others. § 6.8.1 ¶ 1 The governing body should ensure that the organization identifies, manages, monitors and communicates the nature and extent of its use of data (see 6.5.3). § 6.8.3.1 ¶ 1 The recognition that data can be a strategic asset (or liability) means that the governing body should: acknowledge the complexities and growing importance of data and establish governance policies and direction that aligns with the organization's needs and the degree of change required; § 6.8.3.3 ¶ 1 c) The recognition that data can be a strategic asset (or liability) means that the governing body should: understand the use, and potential use, of data by the organization and others (e.g. suppliers, customers, regulators and other relevant stakeholders as well as competitors and those who can misuse the data); § 6.8.3.3 ¶ 1 b) The governing body should provide direction for, and have sufficient oversight of, the use of data and its supporting information technology to ensure the organization remains within its established risk appetite and organizational risk framework. This can include: § 6.8.3.4 ¶ 2 The governing body should recognize data as a valuable resource for decision-making by the governing body, the organization and others. Table 1 Column 4 Row 9 {be responsible}{be ethical} The governing body should, in particular, ensure that the organization recognizes data as a strategic resource and ensure that the organization uses data responsibly and ethically. § 6.8.3.1 ¶ 2 The governing body should oversee organizational performance by assessing and taking corrective action based on: the organization's controlling and processing of data, ensuring that data are recognized as a valuable and strategic organizational resource (see 6.8); § 6.4.3.2 ¶ 1 h) The recognition that data can be a strategic asset (or liability) means that the governing body should: ensure that the organization establishes a formal approach to its management of data and, where necessary, assurance is provided (see 6.4.3); § 6.8.3.3 ¶ 1 a)] | Leadership and high level objectives | Preventive | |
Address shortcomings of the data sets in the data governance and management practices. CC ID 15087 | Leadership and high level objectives | Preventive | |
Include any shortcomings of the data sets in the data governance and management practices. CC ID 15086 | Leadership and high level objectives | Preventive | |
Include bias for data sets in the data governance and management practices. CC ID 15085 | Leadership and high level objectives | Preventive | |
Include a data strategy in the data governance and management practices. CC ID 15304 | Leadership and high level objectives | Preventive | |
Include data monitoring in the data governance and management practices. CC ID 15303 [The governing body should ensure that the organization identifies, manages, monitors and communicates the nature and extent of its use of data (see 6.5.3). § 6.8.3.1 ¶ 1 The governing body should provide direction for, and have sufficient oversight of, the use of data and its supporting information technology to ensure the organization remains within its established risk appetite and organizational risk framework. This can include: the adoption of a system to ensure the rights, obligations and constraints of data sets are understood and tracked, e.g. privacy and intellectual property right obligations; § 6.8.3.4 ¶ 2 a)] | Leadership and high level objectives | Preventive | |
Include an assessment of the data sets in the data governance and management practices. CC ID 15084 [The governing body should provide direction for, and have sufficient oversight of, the use of data and its supporting information technology to ensure the organization remains within its established risk appetite and organizational risk framework. This can include: the adoption of a system to ensure the rights, obligations and constraints of data sets are understood and tracked, e.g. privacy and intellectual property right obligations; § 6.8.3.4 ¶ 2 a)] | Leadership and high level objectives | Preventive | |
Include assumptions for the formulation of data sets in the data governance and management practices. CC ID 15083 | Leadership and high level objectives | Preventive | |
Include data collection for data sets in the data governance and management practices. CC ID 15082 | Leadership and high level objectives | Preventive | |
Include data preparations for data sets in the data governance and management practices. CC ID 15081 [The governing body should make decisions of requisite quality and ensure that its decision-making is appropriately informed. The governing body should: exercise its right and responsibility to determine and receive the information it requires, including determining the appropriate data collection methods, preparation and timely delivery of information; § 6.8.3.2.1 ¶ 1 f)] | Leadership and high level objectives | Preventive | |
Include design choices for data sets in the data governance and management practices. CC ID 15080 | Leadership and high level objectives | Preventive | |
Establish, implement, and maintain an information classification standard. CC ID 00601 | Leadership and high level objectives | Preventive | |
Establish, implement, and maintain a data classification scheme. CC ID 11628 | Leadership and high level objectives | Preventive | |
Approve the data classification scheme. CC ID 13858 | Leadership and high level objectives | Detective | |
Establish and maintain an organizational data dictionary, including data syntax rules. CC ID 00600 | Leadership and high level objectives | Preventive | |
Refrain from including metadata in the data dictionary. CC ID 13529 | Leadership and high level objectives | Preventive | |
Refrain from allowing incompatible data elements in the data dictionary. CC ID 13624 | Leadership and high level objectives | Preventive | |
Include information needed to understand each data element and population in the data dictionary. CC ID 13528 | Leadership and high level objectives | Preventive | |
Include the factors to determine what is included or excluded from the data element in the data dictionary. CC ID 13525 | Leadership and high level objectives | Preventive | |
Include the date or time period the data was observed in the data dictionary. CC ID 13524 | Leadership and high level objectives | Preventive | |
Include the uncertainty in the population of each data element in the data dictionary. CC ID 13522 | Leadership and high level objectives | Preventive | |
Include the uncertainty of each data element in the data dictionary. CC ID 13521 | Leadership and high level objectives | Preventive | |
Include the measurement units for each data element in the data dictionary. CC ID 13534 | Leadership and high level objectives | Preventive | |
Include the precision of the measurement in the data dictionary. CC ID 13520 | Leadership and high level objectives | Preventive | |
Include the data source in the data dictionary. CC ID 13519 | Leadership and high level objectives | Preventive | |
Include the nature of each element in the data dictionary. CC ID 13518 | Leadership and high level objectives | Preventive | |
Include the population of events or instances in the data dictionary. CC ID 13517 | Leadership and high level objectives | Preventive | |
Establish, implement, and maintain an Information and Infrastructure Architecture model. CC ID 00599 | Leadership and high level objectives | Preventive | |
Establish, implement, and maintain sustainable infrastructure planning. CC ID 00603 [Responsible stewardship — The organization: ensures its contribution to sustainable development; § 5 ¶ 2 b) 4) {be viable} The governing body should ensure that the organization remains viable, and performs over time, without compromising the ability of current and future generations to meet their needs. Table 1 Column 4 Row 12 {be viable} The governing body should ensure that the organization remains viable, and performs over time, without compromising the ability of current and future generations to meet their needs. § 6.11.1 ¶ 1 The aim of governance, and the duty of the governing body, is to create the conditions for, and to enable, the organization to perform over time, such that it fulfils its organizational purpose and generates value as intended. An organization can be said to be contributing to sustainable development, and to be sustainable, when it generates value in a manner that meets the needs of the present without compromising the ability of future generations to meet their own needs. By aligning an organization's governance with sustainable development, e.g. via the UN SDGs, governing bodies help create the conditions for an organization's future success. As a result, governing bodies should ensure that sustainable development and sustainability are fundamental considerations when governing and applying the governance principles in this document. § 4.2.4 ¶ 1] | Leadership and high level objectives | Preventive | |
Establish, implement, and maintain an organizational structure. CC ID 16310 | Leadership and high level objectives | Preventive | |
Establish, implement, and maintain a Quality Management framework. CC ID 07196 | Leadership and high level objectives | Preventive | |
Include supply chain management standards in the Quality Management framework. CC ID 13701 | Leadership and high level objectives | Preventive | |
Establish, implement, and maintain a Quality Management policy. CC ID 13694 | Leadership and high level objectives | Preventive | |
Include a commitment to satisfy applicable requirements in the Quality Management policy. CC ID 13700 | Leadership and high level objectives | Preventive | |
Tailor the Quality Management policy to support the organization's strategic direction. CC ID 13699 | Leadership and high level objectives | Preventive | |
Include a commitment to continual improvement of the Quality Management system in the Quality Management policy. CC ID 13698 | Leadership and high level objectives | Preventive | |
Include critical Information Technology processes in the Quality Management framework. CC ID 13645 | Leadership and high level objectives | Preventive | |
Align the quality objectives with the Quality Management policy. CC ID 13697 | Leadership and high level objectives | Preventive | |
Establish, implement, and maintain a Quality Management standard. CC ID 01006 | Leadership and high level objectives | Preventive | |
Document the measurements used by Quality Assurance and Quality Control testing. CC ID 07200 | Leadership and high level objectives | Preventive | |
Establish, implement, and maintain a Quality Management program. CC ID 07201 | Leadership and high level objectives | Preventive | |
Include quality objectives in the Quality Management program. CC ID 13693 | Leadership and high level objectives | Preventive | |
Include records management in the quality management system. CC ID 15055 | Leadership and high level objectives | Preventive | |
Include risk management in the quality management system. CC ID 15054 | Leadership and high level objectives | Preventive | |
Include data management procedures in the quality management system. CC ID 15052 | Leadership and high level objectives | Preventive | |
Include a post-market monitoring system in the quality management system. CC ID 15027 | Leadership and high level objectives | Preventive | |
Include operational roles and responsibilities in the quality management system. CC ID 15028 | Leadership and high level objectives | Preventive | |
Include resource management in the quality management system. CC ID 15026 [The value generation model requires an integrated approach to understanding and using resources (e.g. human, social and relational, intellectual, the natural environment, financial and manufactured). This approach includes: § 6.2.3.1 ¶ 4 The governing body should ensure that it sets parameters, within which the value generation objectives are to be achieved. These parameters should ensure that the organization: recognizes and optimizes the interaction between the required resources. § 6.2.3.3 ¶ 1 c) The governing body should oversee organizational performance by assessing and taking corrective action based on: resource allocations, capacity and capabilities (including people and their development) ensuring that the organization is enabled to meet its organizational purpose, value generation objectives and strategic outcomes; § 6.4.3.2 ¶ 1 g)] | Leadership and high level objectives | Preventive | |
Include communication protocols in the quality management system. CC ID 15025 | Leadership and high level objectives | Preventive | |
Include incident reporting procedures in the quality management system. CC ID 15023 | Leadership and high level objectives | Preventive | |
Include technical specifications in the quality management system. CC ID 15021 | Leadership and high level objectives | Preventive | |
Document the deficiencies in a deficiency report that were found during Quality Control and corrected during Quality Improvement. CC ID 07203 | Leadership and high level objectives | Preventive | |
Include program documentation standards in the Quality Management program. CC ID 01016 | Leadership and high level objectives | Preventive | |
Include program testing standards in the Quality Management program. CC ID 01017 | Leadership and high level objectives | Preventive | |
Include system testing standards in the Quality Management program. CC ID 01018 | Leadership and high level objectives | Preventive | |
Establish and maintain the scope of the organizational compliance framework and Information Assurance controls. CC ID 01241 | Leadership and high level objectives | Preventive | |
Establish and maintain an Information Systems Assurance Categories Definitions document. CC ID 01608 | Leadership and high level objectives | Preventive | |
Establish, implement, and maintain a policy and procedure management program. CC ID 06285 | Leadership and high level objectives | Preventive | |
Analyze organizational policies, as necessary. CC ID 14037 | Leadership and high level objectives | Detective | |
Establish and maintain an Authority Document list. CC ID 07113 | Leadership and high level objectives | Preventive | |
Document organizational procedures that harmonize external requirements, including all legal requirements. CC ID 00623 [Ethical and effective leadership should be demonstrated in three areas: the manner in which the organization interacts with, and impacts, its stakeholders and the context within which it operates. § 6.7.3.1 ¶ 4 c) {human right} The governing body should consider the expectations of relevant stakeholder groups whether the organization is obliged to do so (e.g. member stakeholders, regulators) or whether it chooses to do so (e.g. reference stakeholders). The governing body should ensure that: human and labour rights in all countries of operation are respected; § 6.6.3 ¶ 3 d) Within the organization's external context: Where the organization has set contextual expectations, such as commitments to stakeholders and the natural environment, the organization should fulfil these expectations as set. § 6.7.3.2 ¶ 1 c) {external system} The governing body should ensure that the organization's value generation model identifies and assesses (see 6.2): the inter-relationships between the organization and these systems; § 6.11.3.3 ¶ 1 b)] | Leadership and high level objectives | Preventive | |
Establish, implement, and maintain full documentation of all policies, standards, and procedures that support the organization's compliance framework. CC ID 01636 | Leadership and high level objectives | Preventive | |
Approve all compliance documents. CC ID 06286 [{individual} The governing body should engage with strategic planning by: reviewing, assessing and approving the plans developed by those to whom they have delegated; § 6.3.3.2.1 ¶ 1 c)] | Leadership and high level objectives | Preventive | |
Align the Authority Document list with external requirements. CC ID 06288 [The governing body should ensure that: the organizational purpose is available to all stakeholders and reflected in the constituting documents where possible; § 6.1.3.2 ¶ 2 Bullet 2] | Leadership and high level objectives | Preventive | |
Identify and document the Designated Approval Authority for compliance documents. CC ID 07114 | Leadership and high level objectives | Preventive | |
Establish, implement, and maintain a compliance exception standard. CC ID 01628 | Leadership and high level objectives | Preventive | |
Include the authority for granting exemptions in the compliance exception standard. CC ID 14329 | Leadership and high level objectives | Preventive | |
Include all compliance exceptions in the compliance exception standard. CC ID 01630 | Leadership and high level objectives | Detective | |
Include explanations, compensating controls, or risk acceptance in the compliance exceptions document. CC ID 01631 | Leadership and high level objectives | Preventive | |
Include when exemptions expire in the compliance exception standard. CC ID 14330 | Leadership and high level objectives | Preventive | |
Include management of the exemption register in the compliance exception standard. CC ID 14328 | Leadership and high level objectives | Preventive | |
Review and document the meetings and actions of the Board of Directors or audit committee in the Board Report. CC ID 01151 | Leadership and high level objectives | Detective | |
Include recommendations for changes or updates to the information security program in the Board Report. CC ID 13180 | Leadership and high level objectives | Preventive | |
Provide critical project reports to the compliance oversight committee in a timely manner. CC ID 01183 | Leadership and high level objectives | Detective | |
Document the requirements of stakeholders during the business planning process regarding Information Security. CC ID 06498 | Leadership and high level objectives | Preventive | |
Establish, implement, and maintain a strategic plan. CC ID 12784 [Governance of organizations is a human-based system by which an organization is directed, overseen and held accountable for achieving its defined organizational purpose. At its core this includes: directing and engaging with strategy to generate value; § 4.1 ¶ 3 c) The governing body should direct and engage with the organizational strategy, in accordance with the value generation model, to fulfil the organizational purpose. Table 1 Column 4 Row 4 Having defined the organizational values, the governing body should ensure that these organizational values are being demonstrated and are an active part of decision-making. The governing body should use these organizational values to determine the manner in which the organizational purpose is to be pursued and the value generation objectives are to be achieved (see 6.2). The governing body remains responsible for ensuring that the organizational values are monitored and reviewed, and should assess whether the organizational values remain aligned to, and support, the organizational purpose. The effectiveness of the organizational values will be evident in the culture of the organization. § 6.1.3.3 ¶ 2 The governing body should direct and engage with the organizational strategy, in accordance with the value generation model, to fulfil the organizational purpose. § 6.3.1 ¶ 1 {individual} The governing body should engage with strategic planning by: reviewing, assessing and approving the plans developed by those to whom they have delegated; § 6.3.3.2.1 ¶ 1 c) The governing body should engage with strategic planning by: overseeing (see 6.4) the implementation of these plans and ensuring that they meet the agreed strategic outcomes. § 6.3.3.2.1 ¶ 1 d) The governing body should actively and dynamically steer the implementation of the organizational strategy, within the defined governance policies, including organizational values, and changing risk context, to fulfil the organizational purpose. The governing body should also steer the strategy so that the generation of value in the present context is balanced with the innovation required to generate value in the future. § 6.3.3.2.2 ¶ 1 The governing body should steer the organizational strategy by means of: § 6.3.3.2.2 ¶ 2 Ethical leadership results in an organizational context and culture that: provides competitive differentiation for stakeholders by providing clarity against which evaluators can assess the organization's behaviour, decisions and activities; § 6.7.3.3 ¶ 3 Bullet 4 The governing body should steer the organizational strategy by means of: monitoring and responding to the behaviour, decisions and activities of the organization, e.g. values-driven behaviours pertaining to sustainability; § 6.3.3.2.2 ¶ 2 b)] | Leadership and high level objectives | Preventive | |
Include acting with integrity in the strategic plan. CC ID 12870 [At all times, the governing body should act collectively, performing many interrelated activities in order to exercise its authority and fulfil its accountability. Members of the governing body should act with probity and in the best interests of the organization while applying the principles in this document. § 4.3.1 ¶ 3] | Leadership and high level objectives | Preventive | |
Include the outsource partners in the strategic plan, as necessary. CC ID 13960 | Leadership and high level objectives | Preventive | |
Align the cybersecurity program strategy with the organization's strategic plan. CC ID 14322 | Leadership and high level objectives | Preventive | |
Establish, implement, and maintain a planning policy. CC ID 14673 | Leadership and high level objectives | Preventive | |
Establish, implement, and maintain planning procedures. CC ID 14698 | Leadership and high level objectives | Preventive | |
Include compliance requirements in the planning policy. CC ID 14688 | Leadership and high level objectives | Preventive | |
Include coordination amongst entities in the planning policy. CC ID 14687 | Leadership and high level objectives | Preventive | |
Include management commitment in the planning policy. CC ID 14686 | Leadership and high level objectives | Preventive | |
Include roles and responsibilities in the planning policy. CC ID 14685 | Leadership and high level objectives | Preventive | |
Include the scope in the planning policy. CC ID 14684 | Leadership and high level objectives | Preventive | |
Include the purpose in the planning policy. CC ID 14683 | Leadership and high level objectives | Preventive | |
Establish, implement, and maintain a security planning policy. CC ID 14027 | Leadership and high level objectives | Preventive | |
Include compliance requirements in the security planning policy. CC ID 14131 | Leadership and high level objectives | Preventive | |
Include coordination amongst entities in the security planning policy. CC ID 14130 | Leadership and high level objectives | Preventive | |
Include management commitment in the security planning policy. CC ID 14129 | Leadership and high level objectives | Preventive | |
Include roles and responsibilities in the security planning policy. CC ID 14128 | Leadership and high level objectives | Preventive | |
Include the scope in the security planning policy. CC ID 14127 | Leadership and high level objectives | Preventive | |
Include the purpose in the security planning policy. CC ID 14126 | Leadership and high level objectives | Preventive | |
Establish, implement, and maintain security planning procedures. CC ID 14060 | Leadership and high level objectives | Preventive | |
Establish, implement, and maintain a decision management strategy. CC ID 06913 [The governing body should ensure that the organization's stakeholders are identified, prioritized, appropriately engaged, consulted and their expectations understood. The governing body should do this to ensure that stakeholder relationships are effective and appropriate decisions about expectations are made to achieve the intended value generation objectives. § 6.6.3 ¶ 1 The governing body should make decisions of requisite quality and ensure that its decision-making is appropriately informed. The governing body should: § 6.8.3.2.1 ¶ 1 The governing body should make decisions of requisite quality and ensure that its decision-making is appropriately informed. The governing body should: ensure that there is commitment to support the collective decision, to clearly record it and to act on it; § 6.8.3.2.1 ¶ 1 b) The governing body should ensure that decisions are transparent and aligned with broader societal expectations. Table 1 Column 4 Row 11 Ethical behaviour — The organization behaves in accordance with accepted principles of right or good conduct in the context of a particular situation and in a manner consistent with international norms of behaviour, including demonstrating: competence and probity in the manner in which it makes decisions. § 5 ¶ 2 c) 5) The governing body should make decisions of requisite quality and ensure that its decision-making is appropriately informed. The governing body should: maintain an appropriate balance between guiding discussions to a decision and ensuring that every member has the opportunity to express their independent assessment; § 6.8.3.2.1 ¶ 1 a) Act with due care, skill, diligence and loyalty, and take reasonable steps to become informed about particular matters for decision-making. Table 2 Column 2 Row 3 Bullet 2 The governing body should ensure that decisions are transparent and aligned with broader societal expectations. § 6.10.1 ¶ 1 The governing body should ensure that the organization's value generation model (see 6.2): identifies the key resources (e.g. capitals such as human, social and relational, intellectual, the natural environmental, financial and manufactured), structures, processes, relationships, information, decision-making, reporting and other aspects of the organization that allow it to create sustained value for relevant stakeholders; § 6.11.3.2 ¶ 1 a) The governing body should steer the organizational strategy by means of: reserving some decisions for the governing body (those which materially or fundamentally impact the organization as a whole) and delegating others; § 6.3.3.2.2 ¶ 2 e) The governing body should steer the organizational strategy by means of: decision-making, specifically, the strategic deployment of resources. § 6.3.3.2.2 ¶ 2 j) A process of reconciliation between seemingly opposed dimensions leads to more informed and robust decisions. Reconciling dilemmas requires a deliberate approach that includes: reconciling the perspectives, considering how each position can support the other; § 6.7.3.4 ¶ 2 d) {hold accountable} {individual} The governing body should hold to account those to whom it has delegated (see 4.2.2). The governing body should ask questions, exercise its judgement, implement consequences, affect improvements and ensure that is equipped to do so. When doing so, the governing body should practise integrity, fairness and transparency. § 6.5.3.3 ¶ 1 Ethical leadership results in an organizational context and culture that: provides competitive differentiation for stakeholders by providing clarity against which evaluators can assess the organization's behaviour, decisions and activities; § 6.7.3.3 ¶ 3 Bullet 4 The governing body should steer the organizational strategy by means of: monitoring and responding to the behaviour, decisions and activities of the organization, e.g. values-driven behaviours pertaining to sustainability; § 6.3.3.2.2 ¶ 2 b)] | Leadership and high level objectives | Preventive | |
Include an economic impact analysis in the decision management strategy. CC ID 14015 | Leadership and high level objectives | Preventive | |
Include cost benefit analysis in the decision management strategy. CC ID 14014 | Leadership and high level objectives | Preventive | |
Include criteria for compliance in the decision-making criteria. CC ID 12951 | Leadership and high level objectives | Preventive | |
Include criteria for risk tolerance in the decision-making criteria. CC ID 12950 | Leadership and high level objectives | Preventive | |
Include criteria for selecting objectives and strategies in the decision-making criteria. CC ID 12949 [The governing body should make decisions of requisite quality and ensure that its decision-making is appropriately informed. The governing body should: ensure that diverse inputs are provided to a rigorous, open and transparent decision-making process and that the results that can be achieved, options for achieving them and their implications are understood. § 6.8.3.2.1 ¶ 1 h)] | Leadership and high level objectives | Preventive | |
Include criteria for setting priorities in the decision-making criteria. CC ID 12938 [A process of reconciliation between seemingly opposed dimensions leads to more informed and robust decisions. Reconciling dilemmas requires a deliberate approach that includes: identifying the advantages and disadvantages of each; § 6.7.3.4 ¶ 2 c)] | Leadership and high level objectives | Preventive | |
Identify and document the events that initiate the decision management strategy. CC ID 06914 [A process of reconciliation between seemingly opposed dimensions leads to more informed and robust decisions. Reconciling dilemmas requires a deliberate approach that includes: recognizing and identifying the dilemma; § 6.7.3.4 ¶ 2 a)] | Leadership and high level objectives | Detective | |
Document and evaluate the decision outcomes from the decision-making process. CC ID 06918 [The governing body should make decisions of requisite quality and ensure that its decision-making is appropriately informed. The governing body should: ensure that there is commitment to support the collective decision, to clearly record it and to act on it; § 6.8.3.2.1 ¶ 1 b) When delegating, the governing body should delegate in a manner which increases trust and transparency. For delegation and accountability (see 6.5) to be effective, the governing body should ensure that the following conditions are fulfilled: expected outcomes are negotiated, specified and agreed; § 4.2.2 ¶ 2 a)] | Leadership and high level objectives | Preventive | |
Establish, implement, and maintain an information technology process framework. CC ID 13648 | Leadership and high level objectives | Preventive | |
Include maturity models in the Information Technology process framework. CC ID 13652 | Leadership and high level objectives | Preventive | |
Include relationships between Information Technology process structures in the Information Technology process framework. CC ID 13651 | Leadership and high level objectives | Preventive | |
Include Information Technology process structures in the Information Technology process framework. CC ID 13650 | Leadership and high level objectives | Preventive | |
Establish, implement, and maintain a tactical plan. CC ID 12785 [The governing body should provide the organization with an understanding of its intentions by setting clear strategic outcomes and guidance on the organizational strategy to achieve these outcomes, which it has determined will fulfil the organizational purpose and value generation objectives. § 6.3.3.1.1 ¶ 1] | Leadership and high level objectives | Preventive | |
Include acting with integrity in the tactical plan. CC ID 12871 | Leadership and high level objectives | Preventive | |
Establish, implement, and maintain a Strategic Information Technology Plan. CC ID 00628 [The governing body should provide direction for, and have sufficient oversight of, the use of data and its supporting information technology to ensure the organization remains within its established risk appetite and organizational risk framework. This can include: § 6.8.3.4 ¶ 2 The governing body should provide direction for, and have sufficient oversight of, the use of data and its supporting information technology to ensure the organization remains within its established risk appetite and organizational risk framework. This can include: ensuring that human behaviour is considered when applying information technology, including safety, fit for purpose and alignment with the organizational purpose; § 6.8.3.4 ¶ 2 e) The governing body should provide direction for, and have sufficient oversight of, the use of data and its supporting information technology to ensure the organization remains within its established risk appetite and organizational risk framework. This can include: innovation processes to ensure that changes in information technology can quickly be assessed and, if necessary and appropriate, governance policies can be updated to leverage new opportunities; § 6.8.3.4 ¶ 2 d)] | Leadership and high level objectives | Preventive | |
Include the Information Governance Plan in the Strategic Information Technology Plan. CC ID 10053 [The recognition that data can be a strategic asset (or liability) means that the governing body should: acknowledge the complexities and growing importance of data and establish governance policies and direction that aligns with the organization's needs and the degree of change required; § 6.8.3.3 ¶ 1 c) The recognition that data can be a strategic asset (or liability) means that the governing body should: ensure that the information requirements of the organization are sufficiently supported by its current and future technology capabilities; § 6.8.3.3 ¶ 1 d)] | Leadership and high level objectives | Preventive | |
Include the transparency goals in the Information Governance Plan. CC ID 10056 | Leadership and high level objectives | Preventive | |
Include the information integrity goals in the Information Governance Plan. CC ID 10057 [To demonstrate accountability, the governing body should ensure that the organization's reports and disclosures: give confidence in the integrity of the information used, e.g. describing assurance processes applied (see 6.4); § 6.5.3.2 ¶ 1 e)] | Leadership and high level objectives | Preventive | |
Include business continuity objectives in the Strategic Information Technology Plan. CC ID 06496 | Leadership and high level objectives | Preventive | |
Align business continuity objectives with the business continuity policy. CC ID 12408 | Leadership and high level objectives | Preventive | |
Incorporate protecting restricted information from unauthorized information flow or unauthorized disclosure into the Strategic Information Technology Plan. CC ID 06491 | Leadership and high level objectives | Preventive | |
Include the references to the organization's Information Technology systems in the Strategic Information Technology Plan, as necessary. CC ID 13959 | Leadership and high level objectives | Preventive | |
Establish, implement, and maintain tactical Information Technology plans in support of the Strategic Information Technology Plan. CC ID 00632 | Leadership and high level objectives | Preventive | |
Establish, implement, and maintain tactical Information Technology plans derived from the Strategic Information Technology Plan. CC ID 01609 | Leadership and high level objectives | Preventive | |
Document how each Information Technology project plan directly or indirectly supports the Strategic Information Technology Plan. CC ID 06497 | Leadership and high level objectives | Preventive | |
Document the business case and return on investment in each Information Technology project plan. CC ID 06846 | Leadership and high level objectives | Preventive | |
Document all desired outcomes for a proposed project in the Information Technology project plan. CC ID 06916 | Leadership and high level objectives | Preventive | |
Document the success criteria for the proposed project in the Information Technology project plan. CC ID 06917 | Leadership and high level objectives | Preventive | |
Include milestones for each project phase in the Information Technology project plan. CC ID 12621 | Leadership and high level objectives | Preventive | |
Document lessons learned at the conclusion of each Information Technology project. CC ID 13654 | Leadership and high level objectives | Corrective | |
Establish, implement, and maintain a counterterror protective security plan. CC ID 06862 | Leadership and high level objectives | Preventive | |
Include communications and awareness activities in the counterterror protective security plan. CC ID 06863 | Leadership and high level objectives | Preventive | |
Include the protective security measures to implement after a change in the government response level in the counterterror protective security plan. CC ID 06864 | Leadership and high level objectives | Preventive | |
Include a search plan in the counterterror protective security plan. CC ID 06865 | Leadership and high level objectives | Preventive | |
Include an evacuation plan in the counterterror protective security plan. CC ID 06940 | Leadership and high level objectives | Preventive | |
Include a continuity plan in the counterterror protective security plan. CC ID 07031 | Leadership and high level objectives | Preventive | |
Establish, implement, and maintain Information Technology projects in support of the Strategic Information Technology Plan. CC ID 13673 | Leadership and high level objectives | Preventive | |
Disseminate and communicate the Information Technology Plans to all interested personnel and affected parties. CC ID 00633 | Leadership and high level objectives | Preventive | |
Establish, implement, and maintain a financial management program. CC ID 13228 [To exercise effective oversight, the governing body should: ensure that an internal control system is implemented, including a risk management system, a compliance management system and a system of financial controls; § 6.4.3.1 ¶ 1 b) {be financially sound} The governing body should oversee organizational performance by assessing and taking corrective action based on: the organization's financial results and financial resources, ensuring that the organization remains financially sound; § 6.4.3.2 ¶ 1 f)] | Leadership and high level objectives | Preventive | |
Establish, implement, and maintain funds transfer procedures. CC ID 16754 | Leadership and high level objectives | Preventive | |
Include communication protocols in the financial management program. CC ID 16763 | Leadership and high level objectives | Preventive | |
Establish, implement, and maintain a financial products and services disclosure policy. CC ID 16717 | Leadership and high level objectives | Preventive | |
Require acknowledgment of receipt from the customer in the financial products and services disclosure policy. CC ID 16725 | Leadership and high level objectives | Preventive | |
Establish, implement, and maintain financial resource management procedures. CC ID 16642 | Leadership and high level objectives | Preventive | |
Document the rationale for the amount of financial resources being held. CC ID 16688 | Leadership and high level objectives | Preventive | |
Establish, implement, and maintain collateral procedures. CC ID 16653 | Leadership and high level objectives | Preventive | |
Include the use of appropriate models in the collateral procedures. CC ID 16687 | Leadership and high level objectives | Preventive | |
Define the collateral requirements in the collateral procedures. CC ID 16686 | Leadership and high level objectives | Preventive | |
Identify and document the financial resources available for use. CC ID 16643 | Leadership and high level objectives | Preventive | |
Establish, implement, and maintain credit loss procedures. CC ID 16683 | Leadership and high level objectives | Preventive | |
Include the allocation of credit losses in the credit loss procedures. CC ID 16684 | Leadership and high level objectives | Preventive | |
Include fairness and equitability standards in the securities trading program. CC ID 16690 | Leadership and high level objectives | Preventive | |
Include roles and responsibilities in the securities trading program. CC ID 16689 | Leadership and high level objectives | Preventive | |
Establish, implement, and maintain a capital restoration plan. CC ID 16613 | Leadership and high level objectives | Preventive | |
Include performance guarantees in the capital restoration plan. CC ID 16616 | Leadership and high level objectives | Preventive | |
Include corrective actions taken in the capital restoration plan. CC ID 16612 | Leadership and high level objectives | Preventive | |
Include required information in the capital restoration plan. CC ID 16609 | Leadership and high level objectives | Preventive | |
Establish, implement, and maintain valuation procedures. CC ID 16634 | Leadership and high level objectives | Preventive | |
Establish, implement, and maintain capital withdrawal requirements. CC ID 16576 | Leadership and high level objectives | Preventive | |
Establish, implement, and maintain lending policies. CC ID 16608 | Leadership and high level objectives | Preventive | |
Include the requirements for risk assessments in the lending policy. CC ID 16730 | Leadership and high level objectives | Preventive | |
Include the requirements for sensitivity analyses in the lending policy. CC ID 16728 | Leadership and high level objectives | Preventive | |
Include the requirements for feasibility studies in the lending policy. CC ID 16726 | Leadership and high level objectives | Preventive | |
Include pricing structures in the lending policy. CC ID 16724 | Leadership and high level objectives | Preventive | |
Include monitoring requirements in the lending policy. CC ID 16710 | Leadership and high level objectives | Preventive | |
Include loan origination procedures in the lending policy. CC ID 16709 | Leadership and high level objectives | Preventive | |
Include review procedures and approval procedures for exception loans in the lending policy. CC ID 16708 | Leadership and high level objectives | Preventive | |
Include loan requirements in the lending policy. CC ID 16706 | Leadership and high level objectives | Preventive | |
Include appraisals and evaluations in the lending policy. CC ID 16705 | Leadership and high level objectives | Preventive | |
Include terms and conditions in the lending policy. CC ID 16695 | Leadership and high level objectives | Preventive | |
Include the scope and distribution of loans in the lending policy. CC ID 16693 | Leadership and high level objectives | Preventive | |
Include geographic areas in the lending policy. CC ID 16691 | Leadership and high level objectives | Preventive | |
Include underwriting guidelines in the lending policy. CC ID 16619 | Leadership and high level objectives | Preventive | |
Include credit review in the underwriting guidelines. CC ID 16765 | Leadership and high level objectives | Preventive | |
Include loan-to-value ratio limits in the lending policy. CC ID 16618 | Leadership and high level objectives | Preventive | |
Include documentation requirements in the lending policy. CC ID 16617 | Leadership and high level objectives | Preventive | |
Include the purpose of the loan in the loan documentation. CC ID 16747 | Leadership and high level objectives | Preventive | |
Include the source of repayment in the loan documentation. CC ID 16746 | Leadership and high level objectives | Preventive | |
Include approval requirements in the lending policy. CC ID 16615 | Leadership and high level objectives | Preventive | |
Include reporting requirements in the lending policy. CC ID 16614 | Leadership and high level objectives | Preventive | |
Include loan portfolio diversification standards in the lending policy. CC ID 16611 | Leadership and high level objectives | Preventive | |
Include loan administration procedures in the lending policy. CC ID 16610 | Leadership and high level objectives | Preventive | |
Include loan participation agreements in the loan administration procedures. CC ID 16745 | Leadership and high level objectives | Preventive | |
Include termination procedures in the loan participation agreement. CC ID 16753 | Leadership and high level objectives | Preventive | |
Justify the safety and efficiency of the participation requirements in the loan participation agreement. CC ID 16752 | Leadership and high level objectives | Preventive | |
Include servicing agreements in the loan administration procedures. CC ID 16744 | Leadership and high level objectives | Preventive | |
Include claims processing in the loan administration procedures. CC ID 16742 | Leadership and high level objectives | Preventive | |
Include forbearance management in the loan administration procedures. CC ID 16741 | Leadership and high level objectives | Preventive | |
Include foreclosure management in the loan administration procedures. CC ID 16740 | Leadership and high level objectives | Preventive | |
Include delinquency management in the loan administration procedures. CC ID 16739 | Leadership and high level objectives | Preventive | |
Include the requirements for financial statements in the loan administration procedures. CC ID 16735 | Leadership and high level objectives | Preventive | |
Include loan closing in the loan administration procedures. CC ID 16734 | Leadership and high level objectives | Preventive | |
Include payoff statements in the loan administration procedures. CC ID 16733 | Leadership and high level objectives | Preventive | |
Include payment processing in the loan administration procedures. CC ID 16732 | Leadership and high level objectives | Preventive | |
Include loan reviews in the loan administration procedures. CC ID 16703 | Leadership and high level objectives | Preventive | |
Include collections in the loan administration procedures. CC ID 16701 | Leadership and high level objectives | Preventive | |
Include collateral inspections in the loan administration procedures. CC ID 16699 | Leadership and high level objectives | Preventive | |
Include disbursements in the loan administration procedures. CC ID 16697 | Leadership and high level objectives | Preventive | |
Establish, implement, and maintain a dividend policy. CC ID 16569 | Leadership and high level objectives | Preventive | |
Include compliance requirements in the dividend policy. CC ID 16570 | Leadership and high level objectives | Preventive | |
Establish, implement, and maintain escrow procedures for financial transactions. CC ID 16564 | Leadership and high level objectives | Preventive | |
Establish, implement, and maintain a Capital Planning and Investment Control policy. CC ID 06279 [The governing body should oversee organizational performance by assessing and taking corrective action based on: the organization's responsible (which includes ethical) use of, and adequate investment in, technology including, for example, artificial intelligence and cyber security; § 6.4.3.2 ¶ 1 i)] | Leadership and high level objectives | Preventive | |
Include risk management in the Capital Planning and Investment Control policy. CC ID 16764 | Leadership and high level objectives | Preventive | |
Include debt rating requirements in the Capital Planning and Investment Control policy. CC ID 16692 | Leadership and high level objectives | Preventive | |
Include divestiture requirements in the Capital Planning and Investment Control policy. CC ID 16591 | Leadership and high level objectives | Preventive | |
Establish, implement, and maintain a recordkeeping system for securities transactions. CC ID 16631 | Leadership and high level objectives | Preventive | |
Establish, implement, and maintain securities transaction notifications. CC ID 16600 | Leadership and high level objectives | Preventive | |
Include the call date in the securities transaction notification. CC ID 16680 | Leadership and high level objectives | Preventive | |
Include service charges and commissions in the securities transaction notification. CC ID 16702 | Leadership and high level objectives | Preventive | |
Include the funds and securities in the possession of the organization in the securities transaction notification. CC ID 16679 | Leadership and high level objectives | Preventive | |
Include the call price in the securities transaction notification. CC ID 16678 | Leadership and high level objectives | Preventive | |
Include debits and credits in the securities transaction notification. CC ID 16677 | Leadership and high level objectives | Preventive | |
Include transactions in the securities transaction notification. CC ID 16676 | Leadership and high level objectives | Preventive | |
Include the credit rating of securities in the securities transaction notification. CC ID 16674 | Leadership and high level objectives | Preventive | |
Include yield information in the securities transaction notification. CC ID 16673 | Leadership and high level objectives | Preventive | |
Include redemption information in the securities transaction notification. CC ID 16672 | Leadership and high level objectives | Preventive | |
Include the price calculated from the yield in the securities transaction notification. CC ID 16669 | Leadership and high level objectives | Preventive | |
Include the type of call in the securities transaction notification. CC ID 16668 | Leadership and high level objectives | Preventive | |
Include an account statement in the securities transaction notification. CC ID 16666 | Leadership and high level objectives | Preventive | |
Include the yield to maturity in the securities transaction notification. CC ID 16665 | Leadership and high level objectives | Preventive | |
Include the execution price in the securities transaction notification. CC ID 16664 | Leadership and high level objectives | Preventive | |
Include the organization's role in the securities transaction notification. CC ID 16646 | Leadership and high level objectives | Preventive | |
Include the name of the broker in the securities transaction notification. CC ID 16647 | Leadership and high level objectives | Preventive | |
Include the name of the customer in the securities transaction notification. CC ID 16625 | Leadership and high level objectives | Preventive | |
Include the organization's name in the securities transaction notification. CC ID 16624 | Leadership and high level objectives | Preventive | |
Include confirmations in the securities transaction notification. CC ID 16623 | Leadership and high level objectives | Preventive | |
Include remunerations in the securities transaction notification. CC ID 16622 | Leadership and high level objectives | Preventive | |
Include requested information in the securities transaction notification. CC ID 16641 | Leadership and high level objectives | Preventive | |
Include the execution date in the securities transaction notification. CC ID 16620 | Leadership and high level objectives | Preventive | |
Establish, implement, and maintain financial reports. CC ID 14770 [The governing body should demonstrate accountability by retaining and distributing value in a transparent manner and reporting on the associated processes, decisions and results, including on the extent of the organization's impacts over time. This includes disclosing to relevant stakeholders where the organization has destroyed or compromised value, providing a justification for such where appropriate, and describing how it will redress or reinstate that value. § 6.2.3.5 ¶ 2] | Leadership and high level objectives | Preventive | |
Structure financial reports in accordance with external requirements, as necessary. CC ID 14776 | Leadership and high level objectives | Preventive | |
Include the report of independent Certified Public Accountants in the financial report. CC ID 14779 | Leadership and high level objectives | Preventive | |
Include the business need justification for lost value in the financial report. CC ID 15588 [The governing body should demonstrate accountability by retaining and distributing value in a transparent manner and reporting on the associated processes, decisions and results, including on the extent of the organization's impacts over time. This includes disclosing to relevant stakeholders where the organization has destroyed or compromised value, providing a justification for such where appropriate, and describing how it will redress or reinstate that value. § 6.2.3.5 ¶ 2] | Leadership and high level objectives | Preventive | |
Include financial statements in the financial report, as necessary. CC ID 14775 | Leadership and high level objectives | Preventive | |
Include capital deductions and adjustments in the financial statement. CC ID 16667 | Leadership and high level objectives | Preventive | |
Include earnings per share or loss per share in the financial statement. CC ID 16597 | Leadership and high level objectives | Preventive | |
Include material contingencies in the financial statement. CC ID 16596 | Leadership and high level objectives | Preventive | |
Include notes to financial statements in the financial report, as necessary. CC ID 14780 | Leadership and high level objectives | Preventive | |
Include information on loans to small businesses and small farms in the call report. CC ID 16731 | Leadership and high level objectives | Preventive | |
Include assets and liabilities in the call report. CC ID 16729 | Leadership and high level objectives | Preventive | |
Establish, implement, and maintain a risk monitoring program. CC ID 00658 [The governing body should ensure that the value generation objectives are delivered by the organization as a whole, by applying all other principles in this document. This includes ensuring that: the impacts of the organization's changing context are identified, understood, monitored and appropriate action is taken; § 6.2.3.4 ¶ 1 b) To ensure that the organization fulfils the organizational purpose and achieves the intended strategic outcomes, the governing body should: ensure that when the governing body makes decisions, it assesses, treats, monitors, and communicates the nature and extent of the risks faced; § 6.9.3.1 ¶ 2 b) The governing body should oversee the organization's management of risk (see 6.4), ensuring that: the organization assesses, treats, monitors and reviews risk in accordance with the established organizational risk framework; § 6.9.3.4 ¶ 1 d) The governing body should ensure that the value generation objectives are delivered by the organization as a whole, by applying all other principles in this document. This includes ensuring that: unintended outcomes are adequately identified, understood, monitored and appropriate action taken; § 6.2.3.4 ¶ 1 a)] | Monitoring and measurement | Preventive | |
Establish, implement, and maintain a compliance testing strategy. CC ID 00659 | Monitoring and measurement | Preventive | |
Include a system description in the system security plan. CC ID 16467 | Monitoring and measurement | Preventive | |
Include a description of the operational context in the system security plan. CC ID 14301 | Monitoring and measurement | Preventive | |
Include the results of the security categorization in the system security plan. CC ID 14281 | Monitoring and measurement | Preventive | |
Include the information types in the system security plan. CC ID 14696 | Monitoring and measurement | Preventive | |
Include the security requirements in the system security plan. CC ID 14274 | Monitoring and measurement | Preventive | |
Include threats in the system security plan. CC ID 14693 | Monitoring and measurement | Preventive | |
Include network diagrams in the system security plan. CC ID 14273 | Monitoring and measurement | Preventive | |
Include roles and responsibilities in the system security plan. CC ID 14682 | Monitoring and measurement | Preventive | |
Include the results of the privacy risk assessment in the system security plan. CC ID 14676 | Monitoring and measurement | Preventive | |
Include remote access methods in the system security plan. CC ID 16441 | Monitoring and measurement | Preventive | |
Include a description of the operational environment in the system security plan. CC ID 14272 | Monitoring and measurement | Preventive | |
Include the security categorizations and rationale in the system security plan. CC ID 14270 | Monitoring and measurement | Preventive | |
Include the authorization boundary in the system security plan. CC ID 14257 | Monitoring and measurement | Preventive | |
Include security controls in the system security plan. CC ID 14239 | Monitoring and measurement | Preventive | |
Create specific test plans to test each system component. CC ID 00661 | Monitoring and measurement | Preventive | |
Include the roles and responsibilities in the test plan. CC ID 14299 | Monitoring and measurement | Preventive | |
Include the assessment team in the test plan. CC ID 14297 | Monitoring and measurement | Preventive | |
Include the scope in the test plans. CC ID 14293 | Monitoring and measurement | Preventive | |
Include the assessment environment in the test plan. CC ID 14271 | Monitoring and measurement | Preventive | |
Review the test plans for each system component. CC ID 00662 | Monitoring and measurement | Preventive | |
Document validated testing processes in the testing procedures. CC ID 06200 | Monitoring and measurement | Preventive | |
Include error details, identifying the root causes, and mitigation actions in the testing procedures. CC ID 11827 | Monitoring and measurement | Preventive | |
Establish, implement, and maintain a compliance monitoring policy. CC ID 00671 [Governance of organizations is a human-based system by which an organization is directed, overseen and held accountable for achieving its defined organizational purpose. At its core this includes: overseeing that the organization performs and behaves according to the expectations set by the governing body; § 4.1 ¶ 3 d)] | Monitoring and measurement | Preventive | |
Establish, implement, and maintain a metrics policy. CC ID 01654 [The governing body should: set an expectation of the appropriate quality and quantity of measurement and timeliness of delivery when establishing objectives; § 4.3.2 ¶ 2 c)] | Monitoring and measurement | Preventive | |
Establish, implement, and maintain an approach for compliance monitoring. CC ID 01653 [Decision-making throughout the organization should be supported by appropriate delegation (see 4.2.2). This delegation should be formalized together with appropriate assurance processes. Additionally, the governing body should ensure that: information structures, including access to information, monitoring and potential mitigation of incorrect decisions are sufficient to ensure compliance with organizational requirements. § 6.8.3.2.2 ¶ 1 c)] | Monitoring and measurement | Preventive | |
Establish, implement, and maintain risk management metrics. CC ID 01656 | Monitoring and measurement | Preventive | |
Identify and document instances of non-compliance with the compliance framework. CC ID 06499 [Recognize failures and mistakes and take appropriate action. Table 2 Column 2 Row 2 Bullet 5] | Monitoring and measurement | Preventive | |
Identify and document events surrounding non-compliance with the organizational compliance framework. CC ID 12935 | Monitoring and measurement | Preventive | |
Establish, implement, and maintain disciplinary action notices. CC ID 16577 | Monitoring and measurement | Preventive | |
Include a copy of the order in the disciplinary action notice. CC ID 16606 | Monitoring and measurement | Preventive | |
Include the sanctions imposed in the disciplinary action notice. CC ID 16599 | Monitoring and measurement | Preventive | |
Include the effective date of the sanctions in the disciplinary action notice. CC ID 16589 | Monitoring and measurement | Preventive | |
Include the requirements that were violated in the disciplinary action notice. CC ID 16588 | Monitoring and measurement | Preventive | |
Include responses to charges from interested personnel and affected parties in the disciplinary action notice. CC ID 16587 | Monitoring and measurement | Preventive | |
Include the reasons for imposing sanctions in the disciplinary action notice. CC ID 16586 | Monitoring and measurement | Preventive | |
Include required information in the disciplinary action notice. CC ID 16584 | Monitoring and measurement | Preventive | |
Include a justification for actions taken in the disciplinary action notice. CC ID 16583 | Monitoring and measurement | Preventive | |
Include a statement on the conclusions of the investigation in the disciplinary action notice. CC ID 16582 | Monitoring and measurement | Preventive | |
Include the investigation results in the disciplinary action notice. CC ID 16581 | Monitoring and measurement | Preventive | |
Include a description of the causes of the actions taken in the disciplinary action notice. CC ID 16580 | Monitoring and measurement | Preventive | |
Include the name of the person responsible for the charges in the disciplinary action notice. CC ID 16579 | Monitoring and measurement | Preventive | |
Include contact information in the disciplinary action notice. CC ID 16578 | Monitoring and measurement | Preventive | |
Establish, implement, and maintain a security program metrics program. CC ID 01660 | Monitoring and measurement | Preventive | |
Establish, implement, and maintain a key management roles metrics standard. CC ID 11631 [To demonstrate accountability, the governing body should ensure that the organization's reports and disclosures: provide information about the governing body itself, including: decisions, actions, performance and improvements; § 6.5.3.2 ¶ 1 b) 1)] | Monitoring and measurement | Preventive | |
Establish, implement, and maintain a key stakeholder metrics program. CC ID 01661 [{individual} To demonstrate accountability, the governing body should ensure that the organization's reports and disclosures: provide information about the organization, including: those who can influence the decisions of the governing body (such as member stakeholders, reference stakeholders and other stakeholders who can exert a controlling influence) and the nature and level of influence; § 6.5.3.2 ¶ 1 c) 4) The governing body should oversee organizational performance by assessing and taking corrective action based on: managerial reporting and performance, ensuring that it appraises results against applicable measurement criteria and its intentions and expectations (see 6.3.3); § 6.4.3.2 ¶ 1 b)] | Monitoring and measurement | Preventive | |
Establish, implement, and maintain a supply chain member metrics program. CC ID 01662 | Monitoring and measurement | Preventive | |
Establish, implement, and maintain a Business Continuity metrics program. CC ID 01663 | Monitoring and measurement | Preventive | |
Establish, implement, and maintain an audit metrics program. CC ID 01664 | Monitoring and measurement | Preventive | |
Establish, implement, and maintain an Information Security metrics program. CC ID 01665 | Monitoring and measurement | Preventive | |
Establish, implement, and maintain a metrics standard and template. CC ID 02157 [The governing body should ensure that it sets parameters, within which the value generation objectives are to be achieved. These parameters should ensure that the organization: § 6.2.3.3 ¶ 1 The governing body should steer the organizational strategy by means of: targets, key performance indicators (KPIs) and associated incentives, including financial remuneration (see 6.4.3); § 6.3.3.2.2 ¶ 2 i) Within the governing body: The governing body should set expectations for itself and the organization, including parameters within which these expectations are to be fulfilled. The governing body should fulfil these expectations (internal alignment). § 6.7.3.2 ¶ 1 a)] | Monitoring and measurement | Preventive | |
Establish, implement, and maintain an occupational health and safety management metrics program. CC ID 15915 | Monitoring and measurement | Preventive | |
Establish, implement, and maintain a policies and controls metrics program. CC ID 01666 | Monitoring and measurement | Preventive | |
Establish, implement, and maintain a security roles and responsibilities metrics program. CC ID 01667 | Monitoring and measurement | Preventive | |
Establish, implement, and maintain a role-based information access metrics program. CC ID 01668 | Monitoring and measurement | Preventive | |
Establish, implement, and maintain an information risk threshold metrics program. CC ID 01694 | Monitoring and measurement | Preventive | |
Monitor the supply chain for Information Assurance effectiveness. CC ID 02043 | Monitoring and measurement | Preventive | |
Establish, implement, and maintain a privacy metrics program. CC ID 15494 | Monitoring and measurement | Preventive | |
Establish, implement, and maintain a technical measurement metrics policy. CC ID 01655 | Monitoring and measurement | Preventive | |
Establish, implement, and maintain an Electronic Health Records measurement metrics program. CC ID 06221 | Monitoring and measurement | Preventive | |
Establish, implement, and maintain a log management program. CC ID 00673 | Monitoring and measurement | Preventive | |
Establish, implement, and maintain a cross-organizational audit sharing agreement. CC ID 10595 | Monitoring and measurement | Preventive | |
Include risks and opportunities in the corrective action plan. CC ID 15178 | Monitoring and measurement | Preventive | |
Include environmental aspects in the corrective action plan. CC ID 15177 | Monitoring and measurement | Preventive | |
Include the completion date in the corrective action plan. CC ID 13272 | Monitoring and measurement | Preventive | |
Retain copies of external auditor outsourcing contracts and engagement letters. CC ID 01188 | Audits and risk management | Preventive | |
Review external auditor outsourcing contracts and engagement letters. CC ID 01189 | Audits and risk management | Preventive | |
Include roles and responsibilities in external auditor outsourcing contracts. CC ID 16523 | Audits and risk management | Preventive | |
Include a change control clause in external auditor outsourcing contracts. CC ID 01192 | Audits and risk management | Preventive | |
Include procedures for resolving problems in external auditor outsourcing contracts. CC ID 01196 | Audits and risk management | Preventive | |
Include procedures for controlling the use of restricted information in external auditor outsourcing contracts. CC ID 01194 | Audits and risk management | Preventive | |
Include reports and work paper Records Management practices in external auditor outsourcing contracts. CC ID 01195 | Audits and risk management | Preventive | |
Include communication protocols in external auditor outsourcing contracts. CC ID 01201 | Audits and risk management | Preventive | |
Include the scope and work to be performed in external auditor outsourcing contracts. CC ID 01190 | Audits and risk management | Preventive | |
Include work status reporting requirements in the external auditor outsourcing contracts. CC ID 01191 | Audits and risk management | Preventive | |
Include access to work papers in external auditor outsourcing contracts. CC ID 01193 | Audits and risk management | Preventive | |
Review the adequacy of the external auditor's work papers and audit reports. CC ID 01199 | Audits and risk management | Preventive | |
Review the conclusions of the external auditor's work papers and audit reports. CC ID 01200 | Audits and risk management | Preventive | |
Evaluate any refusal by the organization to provide missing audit documentation. CC ID 06993 | Audits and risk management | Preventive | |
Take appropriate action if missing audit documentation compromises the audit. CC ID 06994 | Audits and risk management | Preventive | |
Establish, implement, and maintain an audit program. CC ID 00684 [To provide effective oversight of the organization, in addition to the reports it receives from those to whom they have delegated, the governing body should assure itself that the governance system is appropriately designed and operating as intended. If the governing body cannot assure itself directly, then it should utilize additional means of independent assurance. The governing body should: ensure that assurance services provided to the governing body are integrated and optimized so that, taken as a whole, they support and enable an effective internal control system and address the organization's significant risks and material matters; § 6.4.3.3 ¶ 1 f) Assurance processes that inform the governing body independently and accurately include: external audit and associated reporting to stakeholders and the governing body; § 6.4.3.3 ¶ 2 Bullet 4] | Audits and risk management | Preventive | |
Establish, implement, and maintain audit policies. CC ID 13166 | Audits and risk management | Preventive | |
Include resource requirements in the audit program. CC ID 15237 | Audits and risk management | Preventive | |
Include risks and opportunities in the audit program. CC ID 15236 [To provide effective oversight of the organization, in addition to the reports it receives from those to whom they have delegated, the governing body should assure itself that the governance system is appropriately designed and operating as intended. If the governing body cannot assure itself directly, then it should utilize additional means of independent assurance. The governing body should: ensure that assurance services provided to the governing body are integrated and optimized so that, taken as a whole, they support and enable an effective internal control system and address the organization's significant risks and material matters; § 6.4.3.3 ¶ 1 f)] | Audits and risk management | Preventive | |
Establish and maintain audit terms. CC ID 13880 | Audits and risk management | Preventive | |
Include a statement about the inherent limitations of the audit in the audit terms. CC ID 13883 | Audits and risk management | Preventive | |
Include a statement that the audit will be conducted in accordance with attestation standards in the audit terms. CC ID 13882 | Audits and risk management | Preventive | |
Establish, implement, and maintain agreed upon procedures that are in scope for the audit. CC ID 13893 | Audits and risk management | Preventive | |
Establish, implement, and maintain an in scope system description. CC ID 14873 | Audits and risk management | Preventive | |
Include third party services in the audit assertion's in scope system description. CC ID 16503 | Audits and risk management | Preventive | |
Include monitoring controls in the audit assertion's in scope system description. CC ID 16501 | Audits and risk management | Preventive | |
Include availability commitments in the audit assertion's in scope system description. CC ID 14914 | Audits and risk management | Preventive | |
Include changes in the audit assertion's in scope system description. CC ID 14894 | Audits and risk management | Preventive | |
Include external communications in the audit assertion's in scope system description. CC ID 14913 | Audits and risk management | Preventive | |
Include a section regarding incidents related to the system in the audit assertion's in scope system description. CC ID 14878 | Audits and risk management | Preventive | |
Include the function performed by the in scope system in the audit assertion's in scope system description. CC ID 14911 | Audits and risk management | Preventive | |
Include the disposition of the incident in the audit assertion's in scope system description. CC ID 14896 | Audits and risk management | Preventive | |
Include the extent of the incident in the audit assertion's in scope system description. CC ID 14895 | Audits and risk management | Preventive | |
Include the timing of each incident in the audit assertion's in scope system description. CC ID 14891 | Audits and risk management | Preventive | |
Include the nature of each incident in the audit assertion's in scope system description. CC ID 14889 | Audits and risk management | Preventive | |
Include a section regarding in scope controls related to the system in the audit assertion's in scope system description. CC ID 14897 | Audits and risk management | Preventive | |
Include how the in scope system meets external requirements in the audit assertion's in scope system description. CC ID 16502 | Audits and risk management | Preventive | |
Include the timing of each control in the audit assertion's in scope system description. CC ID 14916 | Audits and risk management | Preventive | |
Include the nature of the control in the audit assertion's in scope system description. CC ID 14910 | Audits and risk management | Preventive | |
Include the information sources used in performing the control in the audit assertion's in scope system description. CC ID 14909 | Audits and risk management | Preventive | |
Include the responsible party for performing the control in the audit assertion's in scope system description. CC ID 14907 | Audits and risk management | Preventive | |
Include the subject matter to which the control is applied in the audit assertion's in scope system description. CC ID 14904 | Audits and risk management | Preventive | |
Refrain from omitting or distorting information in the audit assertion's in scope system description. CC ID 14893 | Audits and risk management | Preventive | |
Include the timing of each change in the audit assertion's in scope system description. CC ID 14892 | Audits and risk management | Preventive | |
Include the system boundaries in the audit assertion's in scope system description. CC ID 14887 | Audits and risk management | Preventive | |
Determine the presentation method of the audit assertion's in scope system description. CC ID 14885 | Audits and risk management | Detective | |
Include the time frame covered by the description in the audit assertion's in scope system description. CC ID 14884 | Audits and risk management | Preventive | |
Include commitments to third parties in the audit assertion. CC ID 14899 | Audits and risk management | Preventive | |
Determine the completeness of the audit assertion's in scope system description. CC ID 14883 | Audits and risk management | Preventive | |
Include system requirements in the audit assertion's in scope system description. CC ID 14881 | Audits and risk management | Preventive | |
Include third party controls in the audit assertion's in scope system description. CC ID 14880 | Audits and risk management | Preventive | |
Include agreement to the audit scope and audit terms in the audit program. CC ID 06965 | Audits and risk management | Preventive | |
Establish and maintain a bespoke audit scope for each audit being performed. CC ID 13077 | Audits and risk management | Preventive | |
Include audit subject matter in the audit program. CC ID 07103 | Audits and risk management | Preventive | |
Examine the objectivity of the audit criteria in the audit program. CC ID 07104 | Audits and risk management | Preventive | |
Examine the measurability of the audit criteria in the audit program. CC ID 07105 | Audits and risk management | Preventive | |
Examine the completeness of the audit criteria in the audit program. CC ID 07106 | Audits and risk management | Preventive | |
Examine the relevance of the audit criteria in the audit program. CC ID 07107 | Audits and risk management | Preventive | |
Disseminate and communicate the audit program with the audit subject matter and audit criteria to all interested personnel and affected parties. CC ID 07116 | Audits and risk management | Preventive | |
Include in scope information in the audit program. CC ID 16198 | Audits and risk management | Preventive | |
Include the out of scope material or out of scope products in the audit program. CC ID 08962 | Audits and risk management | Preventive | |
Provide a representation letter in support of the audit assertion. CC ID 07158 | Audits and risk management | Preventive | |
Include a statement that management has evaluated compliance with external requirements in the representation letter. CC ID 13942 | Audits and risk management | Preventive | |
Include a statement that the assumptions used for estimates are reasonable in the representation letter. CC ID 13934 | Audits and risk management | Preventive | |
Include a statement that uncorrected misstatements are believed to be immaterial in the representation letter. CC ID 13884 | Audits and risk management | Preventive | |
Include a statement that system incidents have been disclosed to the auditor in the representation letter. CC ID 16772 | Audits and risk management | Preventive | |
Include a statement that incidents of fraud and non-compliance have been disclosed to the auditor in the representation letter. CC ID 16769 | Audits and risk management | Preventive | |
Include a statement of responsibility for the subject matter in the representation letter. CC ID 07159 | Audits and risk management | Preventive | |
Include a statement of responsibility for selecting the audit criteria in the representation letter. CC ID 07160 | Audits and risk management | Preventive | |
Include a statement of responsibility regarding the appropriateness of the audit criteria in the representation letter. CC ID 07161 | Audits and risk management | Preventive | |
Include an assertion about the subject matter based on the selected audit criteria in the representation letter. CC ID 07162 | Audits and risk management | Preventive | |
Include a statement that all known matters contradicting the audit assertion have been disclosed to the auditor in the representation letter. CC ID 07163 | Audits and risk management | Preventive | |
Include the availability of all in scope records relevant to the subject matter in the representation letter. CC ID 07164 | Audits and risk management | Preventive | |
Include a statement that any known subsequent events have been disclosed to the auditor in the representation letter. CC ID 07165 | Audits and risk management | Preventive | |
Include a statement that deficiencies in internal controls have been disclosed to the auditor in the representation letter. CC ID 13899 | Audits and risk management | Preventive | |
Establish and maintain audit assertions, as necessary. CC ID 14871 | Audits and risk management | Detective | |
Include an in scope system description in the audit assertion. CC ID 14872 | Audits and risk management | Preventive | |
Include any assumptions that are improbable in the audit assertion. CC ID 13950 | Audits and risk management | Preventive | |
Include how the audit scope matches in scope controls in the audit assertion. CC ID 06969 | Audits and risk management | Preventive | |
Include why specific criteria are ignored by in scope controls in the audit assertion. CC ID 07027 | Audits and risk management | Preventive | |
Include how the in scope system is designed and implemented in the audit assertion. CC ID 06970 | Audits and risk management | Preventive | |
Include the responsible party's opinion of the quality of the evidence in the audit assertion. CC ID 13949 | Audits and risk management | Preventive | |
Include the end users and affected parties of the in scope system in the audit assertion. CC ID 07028 | Audits and risk management | Preventive | |
Include the in scope services offered or in scope transactions processed in the audit assertion. CC ID 06971 | Audits and risk management | Preventive | |
Include the in scope procedures in the audit assertion. CC ID 06972 | Audits and risk management | Preventive | |
Include the in scope records produced in the audit assertion. CC ID 06968 | Audits and risk management | Preventive | |
Include how in scope material events are monitored and logged in the audit assertion. CC ID 06973 | Audits and risk management | Preventive | |
Include any in scope material events that might affect the assertion in the audit assertion. CC ID 06991 | Audits and risk management | Preventive | |
Include the in scope controls and compliance documents in the audit assertion. CC ID 06974 | Audits and risk management | Preventive | |
Include the in scope risk assessment processes in the audit assertion. CC ID 06975 | Audits and risk management | Preventive | |
Include in scope change controls in the audit assertion. CC ID 06976 | Audits and risk management | Preventive | |
Include any in scope uncorrected errors or non-compliance issues in the audit assertion. CC ID 06989 | Audits and risk management | Preventive | |
Disseminate and communicate a written audit assertion of the audit scope and audit terms to interested personnel and affected parties. CC ID 06967 | Audits and risk management | Preventive | |
Include conditions that might require modification of the audit program in the audit terms. CC ID 07149 | Audits and risk management | Preventive | |
Include how access to in scope systems, personnel and in scope records are provided to the auditor in the audit terms. CC ID 06988 | Audits and risk management | Preventive | |
Establish, implement, and maintain procedures for determining the desired level of assurance in the audit program. CC ID 12794 [To provide effective oversight of the organization, in addition to the reports it receives from those to whom they have delegated, the governing body should assure itself that the governance system is appropriately designed and operating as intended. If the governing body cannot assure itself directly, then it should utilize additional means of independent assurance. The governing body should: determine the level of assurance scrutiny it requires, depending on the assessed risk; § 6.4.3.3 ¶ 1 a)] | Audits and risk management | Preventive | |
Include the expectations for the audit report in the audit terms. CC ID 07148 | Audits and risk management | Preventive | |
Establish and maintain a practitioner's report on management's assertions, as necessary. CC ID 13888 | Audits and risk management | Preventive | |
Refrain from changing the date of the practitioner's report on agreed-upon procedures when reissuing it. CC ID 13896 | Audits and risk management | Corrective | |
Include materiality levels in the audit terms. CC ID 01238 | Audits and risk management | Preventive | |
Include material changes in information processes, Information Systems, and assets that could affect audits in the audit terms. CC ID 01239 | Audits and risk management | Preventive | |
Include material weaknesses, material failures, and material errors in information processes, Information Systems, and assets that could affect audits in the audit terms. CC ID 01240 | Audits and risk management | Preventive | |
Document any after the fact changes to the engagement file. CC ID 07002 | Audits and risk management | Preventive | |
Protect access to the engagement file and all associated audit documentation in compliance with Authority Documents the organization must follow. CC ID 07179 | Audits and risk management | Preventive | |
Disclose work papers in the engagement file in compliance with legal requirements. CC ID 07180 | Audits and risk management | Preventive | |
Edit the audit assertion for accuracy. CC ID 07030 | Audits and risk management | Preventive | |
Determine if the audit assertion's in scope procedures are accurately documented. CC ID 06982 | Audits and risk management | Preventive | |
Include the process of using evidential matter to test in scope controls in the test plan. CC ID 06996 | Audits and risk management | Preventive | |
Establish, implement, and maintain interview procedures. CC ID 16282 | Audits and risk management | Preventive | |
Establish and maintain work papers, as necessary. CC ID 13891 | Audits and risk management | Preventive | |
Include the auditor's conclusions on work performed by individuals assigned to the audit in the work papers. CC ID 16775 | Audits and risk management | Preventive | |
Include audit irregularities in the work papers. CC ID 16774 | Audits and risk management | Preventive | |
Include corrective actions in the work papers. CC ID 16771 | Audits and risk management | Preventive | |
Include information about the organization being audited and the auditor performing the audit in the work papers. CC ID 16770 | Audits and risk management | Preventive | |
Include discussions with interested personnel and affected parties in the work papers. CC ID 16768 | Audits and risk management | Preventive | |
Include justification for departing from mandatory requirements in the work papers. CC ID 13935 | Audits and risk management | Preventive | |
Include the reviewer, and dates, for using evidential matter to test in scope controls in the work papers. CC ID 06998 | Audits and risk management | Preventive | |
Include the tests, examinations, interviews and observations performed during the audit in the work papers. CC ID 07190 | Audits and risk management | Preventive | |
Include if any subject matter experts or additional research had to be undertaken to test in scope controls in the work papers. CC ID 07026 | Audits and risk management | Preventive | |
Include the tester, and dates, for using evidential matter to test in scope controls in the work papers. CC ID 06997 | Audits and risk management | Preventive | |
Include the causes of identified in scope control deficiencies in the work papers. CC ID 07000 | Audits and risk management | Preventive | |
Include discussions regarding the causes of identified in scope control deficiencies in the work papers. CC ID 06999 | Audits and risk management | Preventive | |
Establish, implement, and maintain a practitioner's report on agreed-upon procedures. CC ID 13894 | Audits and risk management | Preventive | |
Establish and maintain a practitioner's examination report on pro forma financial information. CC ID 13968 | Audits and risk management | Preventive | |
Include references to where financial information was derived in the practitioner's review report on pro forma financial information. CC ID 13982 | Audits and risk management | Preventive | |
Include a statement that the financial statements used were audited by other practitioners in the practitioner's examination report on pro forma financial information, as necessary. CC ID 13981 | Audits and risk management | Preventive | |
Establish and maintain organizational audit reports. CC ID 06731 | Audits and risk management | Preventive | |
Determine what disclosures are required in the audit report. CC ID 14888 | Audits and risk management | Detective | |
Include audit subject matter in the audit report. CC ID 14882 | Audits and risk management | Preventive | |
Include an other-matter paragraph in the audit report. CC ID 14901 | Audits and risk management | Preventive | |
Write the audit report using clear and conspicuous language. CC ID 13948 | Audits and risk management | Preventive | |
Include a statement that the sufficiency of the agreed upon procedures is the responsibility of the specified parties in the audit report. CC ID 13936 | Audits and risk management | Preventive | |
Include a statement that the financial statements were audited in the audit report. CC ID 13963 | Audits and risk management | Preventive | |
Include the criteria that financial information was measured against in the audit report. CC ID 13966 | Audits and risk management | Preventive | |
Include a description of the financial information being reported on in the audit report. CC ID 13965 | Audits and risk management | Preventive | |
Include references to any adjustments of financial information in the audit report. CC ID 13964 | Audits and risk management | Preventive | |
Include in the audit report that audit opinions are not dependent on references to subject matter experts, as necessary. CC ID 13953 | Audits and risk management | Preventive | |
Include references to historical financial information used in the audit report. CC ID 13961 | Audits and risk management | Preventive | |
Include a statement about the inherent limitations of the audit in the audit report. CC ID 14900 | Audits and risk management | Preventive | |
Include a description of the limitations on the usefulness of hypothetical assumptions in the audit report. CC ID 13958 | Audits and risk management | Preventive | |
Structure the audit report to be in the form of procedures and findings. CC ID 13940 | Audits and risk management | Preventive | |
Include any discussions of significant findings in the audit report. CC ID 13955 | Audits and risk management | Preventive | |
Include the date and with whom discussions about significant findings took place in the audit report. CC ID 13962 | Audits and risk management | Preventive | |
Include the audit criteria in the audit report. CC ID 13945 | Audits and risk management | Preventive | |
Include a statement in the audit report that the agreed upon procedures were potentially insufficient in identifying material risks, as necessary. CC ID 13957 | Audits and risk management | Preventive | |
Include all hypothetical assumptions in the audit report. CC ID 13947 | Audits and risk management | Preventive | |
Include a statement that identifies the distribution list for the report in the audit report. CC ID 07172 | Audits and risk management | Preventive | |
Include a statement that identifies the use restrictions for the report in the audit report. CC ID 07173 | Audits and risk management | Preventive | |
Include a statement that the agreed upon procedures involves collecting evidence in the audit report. CC ID 13956 | Audits and risk management | Preventive | |
Include all of the facts and demonstrated plausibility in the audit report. CC ID 08929 | Audits and risk management | Preventive | |
Include a statement that the agreed upon procedures were performed by all parties in the audit report. CC ID 13931 | Audits and risk management | Preventive | |
Include references to subject matter experts in the audit report when citing qualified opinions. CC ID 13929 | Audits and risk management | Preventive | |
Include a description of the assistance provided by Subject Matter Experts in the audit report. CC ID 13939 | Audits and risk management | Preventive | |
Include a review of the subject matter expert's findings in the audit report. CC ID 13972 | Audits and risk management | Preventive | |
Include a statement of the character of the engagement in the audit report. CC ID 07166 | Audits and risk management | Preventive | |
Include the nature and scope of the audit performed in the statement of the character of the engagement in the audit report. CC ID 07167 | Audits and risk management | Preventive | |
Include the professional standards governing the audit in the statement of the character of the engagement in the audit report. CC ID 07168 | Audits and risk management | Preventive | |
Include all restrictions on the audit in the audit report. CC ID 13930 | Audits and risk management | Preventive | |
Include a statement that the auditor has no responsibility to update the audit report after its submission. CC ID 13943 | Audits and risk management | Preventive | |
Include a statement on the auditor's ethical requirements in the audit report. CC ID 16767 | Audits and risk management | Preventive | |
Include a statement that the responsible party refused to provide a written assertion in the audit report. CC ID 13887 | Audits and risk management | Preventive | |
Include a statement that the examination involves procedures for collecting evidence in the audit report. CC ID 13941 | Audits and risk management | Preventive | |
Express an adverse opinion in the audit report when significant assumptions are not suitably supported. CC ID 13944 | Audits and risk management | Preventive | |
Include a statement that modifications to historical evidence accurately reflect current evidence in the audit report. CC ID 13938 | Audits and risk management | Preventive | |
Refrain from referencing other auditor's work in the audit report. CC ID 13881 | Audits and risk management | Preventive | |
Include that the audit findings are not a predictive analysis of future compliance in the audit report. CC ID 07018 | Audits and risk management | Preventive | |
Include how in scope controls meet external requirements in the audit report. CC ID 16450 | Audits and risk management | Preventive | |
Include the in scope records used to obtain audit evidence in the description of tests of controls and results in the audit report. CC ID 14915 | Audits and risk management | Preventive | |
Include recommended corrective actions in the audit report. CC ID 16197 | Audits and risk management | Preventive | |
Include risks and opportunities in the audit report. CC ID 16196 | Audits and risk management | Preventive | |
Include the description of tests of controls and results in the audit report. CC ID 14898 | Audits and risk management | Preventive | |
Include the nature of the tests performed in the description of tests of controls and results in the audit report. CC ID 14908 | Audits and risk management | Preventive | |
Include the test scope in the description of tests of controls and results in the audit report. CC ID 14906 | Audits and risk management | Preventive | |
Identify the stakeholders interviewed to obtain audit evidence in the description of tests of controls and results in the audit report. CC ID 14905 | Audits and risk management | Preventive | |
Include the controls that were tested in the description of tests of controls and results in the audit report. CC ID 14902 | Audits and risk management | Preventive | |
Include subsequent events related to the audit assertion or audit subject matter in the audit report. CC ID 16773 | Audits and risk management | Preventive | |
Include that the organization is the responsible party for the content of its audit assertion and in scope system description in the audit report. CC ID 07010 | Audits and risk management | Preventive | |
Include that the organization is the responsible party for providing in scope services in the audit report. CC ID 14903 | Audits and risk management | Preventive | |
Include that the organization is the responsible party for specifying in scope controls not defined by law or contractual obligation in the audit report. CC ID 07011 | Audits and risk management | Preventive | |
Include that the organization is the responsible party for designing and implementing the in scope controls it identified in the audit scope in the audit report. CC ID 07014 | Audits and risk management | Preventive | |
Include the audit opinion regarding the accurateness of the in scope system description in the audit report. CC ID 07019 | Audits and risk management | Preventive | |
Include the attestation standards the auditor follows in the audit report. CC ID 07015 | Audits and risk management | Preventive | |
Include the audit opinion about the audit assertion in relation to the audit criteria used for evaluation in the audit report. CC ID 07169 | Audits and risk management | Preventive | |
Include the auditor's significant reservations about the engagement, the audit assertion, or the audit subject matter in the audit report. CC ID 07170 | Audits and risk management | Preventive | |
Include an emphasis-of-matter paragraph in the audit report. CC ID 14890 | Audits and risk management | Preventive | |
Include any out of scope components of in scope systems in the audit report. CC ID 07006 | Audits and risk management | Preventive | |
Include that the organization is the responsible party for identifying material risks in the audit report. CC ID 07012 | Audits and risk management | Preventive | |
Include that the organization is the responsible party for selecting the audit criteria in the audit report. CC ID 07013 | Audits and risk management | Preventive | |
Compare the evaluations completed by the internal auditors and the external auditors in past audit reports. CC ID 01158 | Audits and risk management | Detective | |
Review past audit reports. CC ID 01155 | Audits and risk management | Detective | |
Review past audit reports for specific process steps and calculations that were stated to support the audit report's conclusions. CC ID 01160 | Audits and risk management | Detective | |
Review the reporting of material weaknesses and risks in past audit reports. CC ID 01161 | Audits and risk management | Detective | |
Refrain from including the description of the audit in the audit report when the auditor is disclaiming an audit opinion. CC ID 13975 | Audits and risk management | Preventive | |
Refrain from including scope limitations from changed attestation engagements in the audit report. CC ID 13983 | Audits and risk management | Preventive | |
Refrain from including in the audit report any procedures that were performed that the auditor is disclaiming in an audit opinion. CC ID 13974 | Audits and risk management | Preventive | |
Include deficiencies and non-compliance in the audit report. CC ID 14879 | Audits and risk management | Corrective | |
Include an audit opinion in the audit report. CC ID 07017 | Audits and risk management | Preventive | |
Include qualified opinions in the audit report. CC ID 13928 | Audits and risk management | Preventive | |
Include that the auditor is the responsible party to express an opinion on the audit subject matter based on examination of evidence in the audit report. CC ID 07174 | Audits and risk management | Preventive | |
Include a description of the reasons for modifying the audit opinion in the audit report. CC ID 13898 | Audits and risk management | Corrective | |
Include that the auditor did not express an opinion in the audit report, as necessary. CC ID 13886 | Audits and risk management | Preventive | |
Include items that were excluded from the audit report in the audit report. CC ID 07007 | Audits and risk management | Preventive | |
Include the organization's privacy practices in the audit report. CC ID 07029 | Audits and risk management | Preventive | |
Include items that pertain to third parties in the audit report. CC ID 07008 | Audits and risk management | Preventive | |
Refrain from including reference to procedures performed in previous attestation engagements in the audit report. CC ID 13970 | Audits and risk management | Preventive | |
Include a statement in the audit report that no procedures were performed subsequent to the date of the practitioner's review report on pro forma financial information, as necessary. CC ID 13969 | Audits and risk management | Preventive | |
Include any of the organization's use of compensating controls that were not audited in the audit report. CC ID 07009 | Audits and risk management | Preventive | |
Include whether the use of compensating controls are necessary in the audit report. CC ID 07020 | Audits and risk management | Preventive | |
Include the pass or fail test status of all in scope controls in the audit report. CC ID 07016 | Audits and risk management | Preventive | |
Include the process of using evidential matter to test in scope controls in the audit report. CC ID 07021 | Audits and risk management | Preventive | |
Include the nature and causes of identified in scope control deviations in the audit report. CC ID 07022 | Audits and risk management | Preventive | |
Modify the audit opinion in the audit report under defined conditions. CC ID 13937 | Audits and risk management | Corrective | |
Include the written signature of the auditor's organization in the audit report. CC ID 13897 | Audits and risk management | Preventive | |
Disseminate and communicate the audit report to all interested personnel and affected parties identified in the distribution list. CC ID 07117 [Assurance processes that inform the governing body independently and accurately include: external audit and associated reporting to stakeholders and the governing body; § 6.4.3.3 ¶ 2 Bullet 4] | Audits and risk management | Preventive | |
Disseminate and communicate documents that contain information in support of the audit report. CC ID 07175 | Audits and risk management | Preventive | |
Correct any material misstatements in documents that contain information in support of the audit report. CC ID 07176 | Audits and risk management | Preventive | |
Review the issues of non-compliance from past audit reports. CC ID 01148 | Audits and risk management | Detective | |
Accept the audit report. CC ID 07025 | Audits and risk management | Preventive | |
Implement a corrective action plan in response to the audit report. CC ID 06777 | Audits and risk management | Corrective | |
Define penalties for uncorrected audit findings or remaining non-compliant with the audit report. CC ID 08963 | Audits and risk management | Preventive | |
Include the audit criteria in the audit plan. CC ID 15262 | Audits and risk management | Preventive | |
Include a list of reference documents in the audit plan. CC ID 15260 | Audits and risk management | Preventive | |
Include the languages to be used for the audit in the audit plan. CC ID 15252 | Audits and risk management | Preventive | |
Include the allocation of resources in the audit plan. CC ID 15251 [{individual} To provide effective oversight of the organization, in addition to the reports it receives from those to whom they have delegated, the governing body should assure itself that the governance system is appropriately designed and operating as intended. If the governing body cannot assure itself directly, then it should utilize additional means of independent assurance. The governing body should: ensure that those providing assurance have appropriate authority and adequate resources to provide the governing body with accurate assessments; § 6.4.3.3 ¶ 1 b)] | Audits and risk management | Preventive | |
Include communication protocols in the audit plan. CC ID 15247 | Audits and risk management | Preventive | |
Include the level of audit sampling necessary to collect sufficient audit evidence in the audit plan. CC ID 15246 | Audits and risk management | Preventive | |
Include meeting schedules in the audit plan. CC ID 15245 | Audits and risk management | Preventive | |
Include the time frames for the audit in the audit plan. CC ID 15244 | Audits and risk management | Preventive | |
Include the time frames for conducting the audit in the audit plan. CC ID 15243 | Audits and risk management | Preventive | |
Include the locations to be audited in the audit plan. CC ID 15242 | Audits and risk management | Preventive | |
Include the processes to be audited in the audit plan. CC ID 15241 | Audits and risk management | Preventive | |
Include audit objectives in the audit plan. CC ID 15240 | Audits and risk management | Preventive | |
Include the risks associated with audit activities in the audit plan. CC ID 15239 | Audits and risk management | Preventive | |
Establish, implement, and maintain an audit schedule for the audit program. CC ID 13158 | Audits and risk management | Preventive | |
Establish, implement, and maintain a risk management program. CC ID 12051 [To exercise effective oversight, the governing body should: ensure that an internal control system is implemented, including a risk management system, a compliance management system and a system of financial controls; § 6.4.3.1 ¶ 1 b) The governing body should establish an organizational risk framework that ensures a formal, proactive and anticipative approach to the management of risk across the organization, including by the governing body. The governing body should ensure that this framework integrates risk management into all organizational activities. § 6.9.3.2 ¶ 1 The governing body should oversee the organization's management of risk (see 6.4), ensuring that: the intended risk management performance is achieved. § 6.9.3.4 ¶ 1 i) {environmental system}{social system} The governing body should ensure that the organization protects and restores those systems on which it depends. In this regard, the governing body should consider and manage risk associated with those decisions it makes that can impact the natural environmental, social and economic systems (see 6.9). While doing so, the governing body should ensure that relevant stakeholders are consulted and engaged (see 6.6). This should provide clarity regarding the impact the governing body's decisions have, over time, on those aspects on which the organization is: § 6.11.3.4 ¶ 1] | Audits and risk management | Preventive | |
Include the scope of risk management activities in the risk management program. CC ID 13658 | Audits and risk management | Preventive | |
Include managing mobile risks in the risk management program. CC ID 13535 | Audits and risk management | Preventive | |
Establish, implement, and maintain risk management strategies. CC ID 13209 [The governing body should oversee the organization's management of risk (see 6.4), ensuring that: strategies to manage risk are deployed within agreed risk limits and associated risk tolerance; § 6.9.3.4 ¶ 1 b)] | Audits and risk management | Preventive | |
Include off-site storage of supplies in the risk management strategies. CC ID 13221 | Audits and risk management | Preventive | |
Include the use of alternate service providers in the risk management strategies. CC ID 13217 | Audits and risk management | Preventive | |
Include minimizing service interruptions in the risk management strategies. CC ID 13215 | Audits and risk management | Preventive | |
Include off-site storage in the risk mitigation strategies. CC ID 13213 | Audits and risk management | Preventive | |
Establish, implement, and maintain the risk assessment framework. CC ID 00685 | Audits and risk management | Preventive | |
Establish, implement, and maintain a risk assessment program. CC ID 00687 [The governing body should consider and manage risk associated with its own activities in accordance with the organizational risk framework. For example, the governing body should: § 6.9.3.3 ¶ 1] | Audits and risk management | Preventive | |
Include the need for risk assessments in the risk assessment program. CC ID 06447 | Audits and risk management | Preventive | |
Include the information flow of restricted data in the risk assessment program. CC ID 12339 | Audits and risk management | Preventive | |
Establish, implement, and maintain a financial plan to support the risk management strategy. CC ID 12786 | Audits and risk management | Preventive | |
Establish, implement, and maintain insurance requirements. CC ID 16562 | Audits and risk management | Preventive | |
Address cybersecurity risks in the risk assessment program. CC ID 13193 | Audits and risk management | Preventive | |
Include a Data Protection Impact Assessment in the risk assessment program. CC ID 12630 | Audits and risk management | Preventive | |
Include an assessment of the necessity and proportionality of the processing operations in relation to the purposes in the Data Protection Impact Assessment. CC ID 12681 | Audits and risk management | Preventive | |
Include an assessment of the relationship between the data subject and the parties processing the data in the Data Protection Impact Assessment. CC ID 16371 | Audits and risk management | Preventive | |
Include a risk assessment of data subject's rights in the Data Protection Impact Assessment. CC ID 12674 | Audits and risk management | Preventive | |
Include the description and purpose of processing restricted data in the Data Protection Impact Assessment. CC ID 12673 | Audits and risk management | Preventive | |
Include consideration of the data subject's expectations in the Data Protection Impact Assessment. CC ID 16370 | Audits and risk management | Preventive | |
Include monitoring unsecured areas in the Data Protection Impact Assessment. CC ID 12671 | Audits and risk management | Preventive | |
Include security measures for protecting restricted data in the Data Protection Impact Assessment. CC ID 12635 | Audits and risk management | Preventive | |
Establish, implement, and maintain a risk assessment policy. CC ID 14026 | Audits and risk management | Preventive | |
Include compliance requirements in the risk assessment policy. CC ID 14121 | Audits and risk management | Preventive | |
Include coordination amongst entities in the risk assessment policy. CC ID 14120 | Audits and risk management | Preventive | |
Include management commitment in the risk assessment policy. CC ID 14119 | Audits and risk management | Preventive | |
Include roles and responsibilities in the risk assessment policy. CC ID 14118 | Audits and risk management | Preventive | |
Include the scope in the risk assessment policy. CC ID 14117 | Audits and risk management | Preventive | |
Include the purpose in the risk assessment policy. CC ID 14116 | Audits and risk management | Preventive | |
Establish, implement, and maintain risk assessment procedures. CC ID 06446 [The governing body should oversee the organization's management of risk (see 6.4), ensuring that: the process for assessing risk is consistent throughout the organization, enabling effective comparison and prioritization of risk; § 6.9.3.4 ¶ 1 e) The governing body should ensure that the value generation objectives are delivered by the organization as a whole, by applying all other principles in this document. This includes ensuring that: unintended outcomes are adequately identified, understood, monitored and appropriate action taken; § 6.2.3.4 ¶ 1 a)] | Audits and risk management | Preventive | |
Employ risk assessment procedures that follow legal requirements and contractual obligations when risk profiling. CC ID 06472 | Audits and risk management | Preventive | |
Employ risk assessment procedures that follow standards and best practices, as necessary. CC ID 06473 | Audits and risk management | Preventive | |
Document cybersecurity risks. CC ID 12281 | Audits and risk management | Preventive | |
Employ risk assessment procedures that take into account both electronic records and printed records. CC ID 06476 | Audits and risk management | Preventive | |
Employ risk assessment procedures that take into account information classification. CC ID 06477 | Audits and risk management | Preventive | |
Employ risk assessment procedures that align with strategic objectives. CC ID 06474 | Audits and risk management | Preventive | |
Employ risk assessment procedures that take into account prior risk assessment findings of the same scope. CC ID 06478 | Audits and risk management | Preventive | |
Employ risk assessment procedures that take into account the target environment. CC ID 06479 [The governing body should consider and manage risk associated with its own activities in accordance with the organizational risk framework. For example, the governing body should: § 6.9.3.3 ¶ 1] | Audits and risk management | Preventive | |
Employ risk assessment procedures that take into account incidents associated with the target environment. CC ID 06480 | Audits and risk management | Preventive | |
Include compliance with disposition requirements in the risk assessment procedures. CC ID 12342 | Audits and risk management | Preventive | |
Include compliance with retention requirements in the risk assessment procedures. CC ID 12341 | Audits and risk management | Preventive | |
Employ risk assessment procedures that include appropriate risk treatment options for each identified risk. CC ID 06484 | Audits and risk management | Preventive | |
Establish, implement, and maintain a threat and risk classification scheme. CC ID 07183 | Audits and risk management | Preventive | |
Document organizational risk criteria. CC ID 12277 [The governing body should ensure that the organizational risk framework, in respect to the management of risk: establishes the risk appetite, which involves setting risk criteria and associated limits; § 6.9.3.2 ¶ 2 g)] | Audits and risk management | Preventive | |
Include the traceability of malicious code in the threat and risk classification scheme. CC ID 06600 | Audits and risk management | Preventive | |
Include language that is easy to understand in the risk assessment report. CC ID 06461 | Audits and risk management | Preventive | |
Include the environments that call for risk assessments in the risk assessment program. CC ID 06448 | Audits and risk management | Preventive | |
Include the process for defining the scope of each risk assessment in the risk assessment program. CC ID 06462 | Audits and risk management | Preventive | |
Include the circumstances that call for risk assessments in the risk assessment program. CC ID 06449 | Audits and risk management | Preventive | |
Include the roles and responsibilities involved in risk assessments in the risk assessment program. CC ID 06450 | Audits and risk management | Preventive | |
Include the methods of managing and responding to the risk assessment report in the risk assessment program. CC ID 06451 | Audits and risk management | Preventive | |
Approve the risk assessment program and associated risk assessment procedures at the senior management level. CC ID 06458 | Audits and risk management | Preventive | |
Include the probability and potential impact of pandemics in the scope of the risk assessment. CC ID 13241 | Audits and risk management | Preventive | |
Include physical assets in the scope of the risk assessment. CC ID 13075 | Audits and risk management | Preventive | |
Include the results of the risk assessment in the risk assessment report. CC ID 06481 | Audits and risk management | Preventive | |
Update the risk assessment upon discovery of a new threat. CC ID 00708 | Audits and risk management | Detective | |
Update the risk assessment upon changes to the risk profile. CC ID 11627 | Audits and risk management | Detective | |
Document any reasons for modifying or refraining from modifying the organization's risk assessment when the risk assessment has been reviewed. CC ID 13312 | Audits and risk management | Preventive | |
Create a risk assessment report based on the risk assessment results. CC ID 15695 | Audits and risk management | Preventive | |
Include recovery of the critical path in the Business Impact Analysis. CC ID 13224 | Audits and risk management | Preventive | |
Include acceptable levels of data loss in the Business Impact Analysis. CC ID 13264 | Audits and risk management | Preventive | |
Include Recovery Point Objectives in the Business Impact Analysis. CC ID 13223 | Audits and risk management | Preventive | |
Include the Recovery Time Objectives in the Business Impact Analysis. CC ID 13222 | Audits and risk management | Preventive | |
Include pandemic risks in the Business Impact Analysis. CC ID 13219 | Audits and risk management | Preventive | |
Include tolerance to downtime in the Business Impact Analysis report. CC ID 01172 | Audits and risk management | Preventive | |
Establish, implement, and maintain a risk register. CC ID 14828 | Audits and risk management | Preventive | |
Document organizational risk tolerance in a risk register. CC ID 09961 | Audits and risk management | Preventive | |
Establish a risk acceptance level that is appropriate to the organization's risk appetite. CC ID 00706 [{positive impact}Responsible stewardship — The organization: effectively balances positive and negative impacts; § 5 ¶ 2 b) 2) The governing body should ensure that the organizational risk framework, in respect to the management of risk: establishes the risk appetite, which involves setting risk criteria and associated limits; § 6.9.3.2 ¶ 2 g) The governing body should ensure that it sets parameters, within which the value generation objectives are to be achieved. These parameters should ensure that the organization: balances the achievement of the value generation objectives against potential impacts; § 6.2.3.3 ¶ 1 a)] | Audits and risk management | Preventive | |
Select the appropriate risk treatment option for each identified risk in the risk register. CC ID 06483 [The governing body should oversee the organization's management of risk (see 6.4), ensuring that: the choice of risk treatments is consistent with governance policies; § 6.9.3.4 ¶ 1 c)] | Audits and risk management | Preventive | |
Perform a gap analysis to review in scope controls for identified risks and implement new controls, as necessary. CC ID 00704 | Audits and risk management | Detective | |
Document the results of the gap analysis. CC ID 16271 | Audits and risk management | Preventive | |
Establish, implement, and maintain a risk treatment plan. CC ID 11983 [To ensure that the organization fulfils the organizational purpose and achieves the intended strategic outcomes, the governing body should: ensure that when the governing body makes decisions, it assesses, treats, monitors, and communicates the nature and extent of the risks faced; § 6.9.3.1 ¶ 2 b) The governing body should oversee the organization's management of risk (see 6.4), ensuring that: the organization assesses, treats, monitors and reviews risk in accordance with the established organizational risk framework; § 6.9.3.4 ¶ 1 d) The governing body should oversee organizational performance by assessing and taking corrective action based on: risk information (e.g. information received directly from the risk function) regarding the organization's assessment and treatment of its key threats and opportunities in consideration of the organizational risk framework (see 6.9); § 6.4.3.2 ¶ 1 c)] | Audits and risk management | Preventive | |
Include the date of the risk assessment in the risk treatment plan. CC ID 16321 | Audits and risk management | Preventive | |
Include the risk treatment strategy in the risk treatment plan. CC ID 12159 | Audits and risk management | Preventive | |
Revise the risk treatment strategies in the risk treatment plan, as necessary. CC ID 12552 | Audits and risk management | Corrective | |
Include an overview of the migration project plan in the risk treatment plan. CC ID 11982 | Audits and risk management | Preventive | |
Include change control processes in the risk treatment plan. CC ID 11981 | Audits and risk management | Preventive | |
Include a description of the processes to check for new vulnerabilities in the risk treatment plan. CC ID 11980 | Audits and risk management | Preventive | |
Include the implemented risk management controls in the risk treatment plan. CC ID 11979 | Audits and risk management | Preventive | |
Include requirements for monitoring and reporting in the risk treatment plan, as necessary. CC ID 13620 | Audits and risk management | Preventive | |
Include risk assessment results in the risk treatment plan. CC ID 11978 | Audits and risk management | Preventive | |
Include a description of usage in the risk treatment plan. CC ID 11977 | Audits and risk management | Preventive | |
Document all constraints applied to the risk treatment plan, as necessary. CC ID 13619 | Audits and risk management | Preventive | |
Integrate the corrective action plan based on the risk assessment findings with other risk management activities. CC ID 06457 | Audits and risk management | Preventive | |
Document and communicate a corrective action plan based on the risk assessment findings. CC ID 00705 [The governing body should ensure that the value generation objectives are delivered by the organization as a whole, by applying all other principles in this document. This includes ensuring that: the impacts of the organization's changing context are identified, understood, monitored and appropriate action is taken; § 6.2.3.4 ¶ 1 b) The governing body should assume accountability for the organization's continual sensing of, and responding to, risk and communicating the chosen approach with relevant stakeholders as necessary (see 6.5.3). § 6.9.3.1 ¶ 1 The governing body should ensure that the value generation objectives are delivered by the organization as a whole, by applying all other principles in this document. This includes ensuring that: unintended outcomes are adequately identified, understood, monitored and appropriate action taken; § 6.2.3.4 ¶ 1 a) The governing body should oversee organizational performance by assessing and taking corrective action based on: risk information (e.g. information received directly from the risk function) regarding the organization's assessment and treatment of its key threats and opportunities in consideration of the organizational risk framework (see 6.9); § 6.4.3.2 ¶ 1 c)] | Audits and risk management | Corrective | |
Review and approve the risk assessment findings. CC ID 06485 [The governing body should oversee organizational performance by assessing and taking corrective action based on: risk information (e.g. information received directly from the risk function) regarding the organization's assessment and treatment of its key threats and opportunities in consideration of the organizational risk framework (see 6.9); § 6.4.3.2 ¶ 1 c)] | Audits and risk management | Preventive | |
Include risk responses in the risk management program. CC ID 13195 | Audits and risk management | Preventive | |
Document residual risk in a residual risk report. CC ID 13664 | Audits and risk management | Corrective | |
Establish, implement, and maintain an artificial intelligence risk management program. CC ID 16220 | Audits and risk management | Preventive | |
Include diversity and equal opportunity in the artificial intelligence risk management program. CC ID 16255 | Audits and risk management | Preventive | |
Include a commitment to continuous improvement in the cybersecurity risk management program. CC ID 16839 | Audits and risk management | Preventive | |
Establish, implement, and maintain a cybersecurity risk management policy. CC ID 16834 | Audits and risk management | Preventive | |
Establish, implement, and maintain a cybersecurity risk management strategy. CC ID 11991 | Audits and risk management | Preventive | |
Include a risk prioritization approach in the Cybersecurity Risk Management Strategy. CC ID 12276 | Audits and risk management | Preventive | |
Include defense in depth strategies in the cybersecurity risk management strategy. CC ID 15582 | Audits and risk management | Preventive | |
Establish, implement, and maintain a cybersecurity supply chain risk management program. CC ID 16826 | Audits and risk management | Preventive | |
Establish, implement, and maintain cybersecurity supply chain risk management procedures. CC ID 16830 | Audits and risk management | Preventive | |
Establish, implement, and maintain a supply chain risk management policy. CC ID 14663 | Audits and risk management | Preventive | |
Include compliance requirements in the supply chain risk management policy. CC ID 14711 | Audits and risk management | Preventive | |
Include coordination amongst entities in the supply chain risk management policy. CC ID 14710 | Audits and risk management | Preventive | |
Include management commitment in the supply chain risk management policy. CC ID 14709 | Audits and risk management | Preventive | |
Include roles and responsibilities in the supply chain risk management policy. CC ID 14708 | Audits and risk management | Preventive | |
Include the scope in the supply chain risk management policy. CC ID 14707 | Audits and risk management | Preventive | |
Include the purpose in the supply chain risk management policy. CC ID 14706 | Audits and risk management | Preventive | |
Establish, implement, and maintain a supply chain risk management plan. CC ID 14713 | Audits and risk management | Preventive | |
Include processes for monitoring and reporting in the supply chain risk management plan. CC ID 15619 | Audits and risk management | Preventive | |
Include dates in the supply chain risk management plan. CC ID 15617 | Audits and risk management | Preventive | |
Include implementation milestones in the supply chain risk management plan. CC ID 15615 | Audits and risk management | Preventive | |
Include roles and responsibilities in the supply chain risk management plan. CC ID 15613 | Audits and risk management | Preventive | |
Include supply chain risk management procedures in the risk management program. CC ID 13190 | Audits and risk management | Preventive | |
Establish, implement, and maintain an access control program. CC ID 11702 | Technical security | Preventive | |
Establish, implement, and maintain an access rights management plan. CC ID 00513 | Technical security | Preventive | |
Add all devices requiring access control to the Access Control List. CC ID 06264 | Technical security | Preventive | |
Include the objects and users subject to access control in the security policy. CC ID 11836 | Technical security | Preventive | |
Establish, implement, and maintain a system use agreement for each information system. CC ID 06500 | Technical security | Preventive | |
Accept and sign the system use agreement before data or system access is enabled. CC ID 06501 | Technical security | Preventive | |
Document actions that can be performed on an information system absent identification and authentication of the user. CC ID 06771 | Technical security | Preventive | |
Establish, implement, and maintain a business continuity program. CC ID 13210 | Operational and Systems Continuity | Preventive | |
Establish, implement, and maintain a continuity framework. CC ID 00732 | Operational and Systems Continuity | Preventive | |
Establish, implement, and maintain a continuity plan. CC ID 00752 | Operational and Systems Continuity | Preventive | |
Include risk prioritized recovery procedures for each business unit in the recovery plan. CC ID 01166 | Operational and Systems Continuity | Preventive | |
Include the recovery plan in the continuity plan. CC ID 01377 | Operational and Systems Continuity | Preventive | |
Establish, implement, and maintain system continuity plan strategies. CC ID 00735 | Operational and Systems Continuity | Preventive | |
Establish, implement, and maintain a critical third party list. CC ID 06815 | Operational and Systems Continuity | Preventive | |
Define the scope for the security operations center. CC ID 15713 | Human Resources management | Preventive | |
Define and assign the roles and responsibilities of the chairman of the board. CC ID 14786 | Human Resources management | Preventive | |
Establish, implement, and maintain candidate selection procedures to the board of directors. CC ID 14782 [The composition and structure of the governing body will vary between organizations. However, the governing body, as a collective, should remain suitably equipped to fulfil its role. Appointments to the governing body should be transparent to stakeholders and consider: capacity; § 4.3.1 ¶ 1 Bullet 4 The composition and structure of the governing body will vary between organizations. However, the governing body, as a collective, should remain suitably equipped to fulfil its role. Appointments to the governing body should be transparent to stakeholders and consider: probity; § 4.3.1 ¶ 1 Bullet 5 The composition and structure of the governing body will vary between organizations. However, the governing body, as a collective, should remain suitably equipped to fulfil its role. Appointments to the governing body should be transparent to stakeholders and consider: commitment. § 4.3.1 ¶ 1 Bullet 6 The composition and structure of the governing body will vary between organizations. However, the governing body, as a collective, should remain suitably equipped to fulfil its role. Appointments to the governing body should be transparent to stakeholders and consider: § 4.3.1 ¶ 1] | Human Resources management | Preventive | |
Include the criteria of mixed experiences and skills in the candidate selection procedures. CC ID 14791 [The composition and structure of the governing body will vary between organizations. However, the governing body, as a collective, should remain suitably equipped to fulfil its role. Appointments to the governing body should be transparent to stakeholders and consider: diversity and inclusion; § 4.3.1 ¶ 1 Bullet 2] | Human Resources management | Preventive | |
Establish, implement, and maintain a board committee charter, as necessary. CC ID 14802 | Human Resources management | Preventive | |
Define and assign the security staff roles and responsibilities. CC ID 11750 | Human Resources management | Preventive | |
Define the objectives and extent of outsourcing operational roles and responsibilities. CC ID 06383 | Human Resources management | Preventive | |
Assign the roles and responsibilities for the asset management system. CC ID 14368 | Human Resources management | Preventive | |
Establish, implement, and maintain a personnel management program. CC ID 14018 | Human Resources management | Preventive | |
Establish, implement, and maintain a personnel security program. CC ID 10628 | Human Resources management | Preventive | |
Establish, implement, and maintain personnel screening procedures. CC ID 11700 | Human Resources management | Preventive | |
Perform a criminal records check during personnel screening. CC ID 06643 | Human Resources management | Preventive | |
Document any reasons a full criminal records check could not be performed. CC ID 13305 | Human Resources management | Preventive | |
Perform an academic records check during personnel screening. CC ID 06647 | Human Resources management | Preventive | |
Document the personnel risk assessment results. CC ID 11764 | Human Resources management | Detective | |
Establish, implement, and maintain security clearance procedures. CC ID 00783 | Human Resources management | Preventive | |
Document the security clearance procedure results. CC ID 01635 | Human Resources management | Detective | |
Establish job categorization criteria, job recruitment criteria, and promotion criteria. CC ID 00781 | Human Resources management | Preventive | |
Establish and maintain an annual report on compensation. CC ID 14801 | Human Resources management | Preventive | |
Include the design characteristics of the remuneration system in the annual report on compensation. CC ID 14804 | Human Resources management | Preventive | |
Establish, implement, and maintain roles and responsibilities in the compensation, reward, and recognition program. CC ID 14798 | Human Resources management | Preventive | |
Align the compensation, reward, and recognition program with the risk management program. CC ID 14797 | Human Resources management | Preventive | |
Establish, implement, and maintain remuneration standards, as necessary. CC ID 14794 [The governing body should steer the organizational strategy by means of: targets, key performance indicators (KPIs) and associated incentives, including financial remuneration (see 6.4.3); § 6.3.3.2.2 ¶ 2 i)] | Human Resources management | Preventive | |
Establish, implement, and maintain an occupational health and safety policy. CC ID 00716 [The governing body should provide direction for, and have sufficient oversight of, the use of data and its supporting information technology to ensure the organization remains within its established risk appetite and organizational risk framework. This can include: ensuring that human behaviour is considered when applying information technology, including safety, fit for purpose and alignment with the organizational purpose; § 6.8.3.4 ¶ 2 e)] | Human Resources management | Preventive | |
Include a commitment to continuous improvement in the occupational health and safety policy. CC ID 16267 | Human Resources management | Preventive | |
Include risks and opportunities in the occupational health and safety policy. CC ID 16287 | Human Resources management | Preventive | |
Include occupational health and safety objectives in the occupational health and safety policy. CC ID 16262 | Human Resources management | Preventive | |
Post evacuation plans and evacuation procedures throughout facilities. CC ID 06073 | Human Resources management | Preventive | |
Establish, implement, and maintain health and safety personnel disinfecting procedures. CC ID 06802 | Human Resources management | Preventive | |
Establish, implement, and maintain food preparation procedures. CC ID 06804 | Human Resources management | Preventive | |
Establish, implement, and maintain food handling procedures. CC ID 11765 | Human Resources management | Preventive | |
Establish, implement, and maintain a conflict of interest policy. CC ID 14785 [The governing body should make decisions of requisite quality and ensure that its decision-making is appropriately informed. The governing body should: consider its level of independence and the effect this level has on its decision-making, including financial interests, position, associations, relationships, bias and alliances; § 6.8.3.2.1 ¶ 1 c) The governing body should make decisions of requisite quality and ensure that its decision-making is appropriately informed. The governing body should: carefully address conflicts of interest when making decisions; § 6.8.3.2.1 ¶ 1 d) Disclose actual, potential or perceived conflicts of interest at the earliest opportunity and manage such conflicts appropriately. Table 2 Column 2 Row 2 Bullet 2] | Human Resources management | Preventive | |
Include definitions of conflicts of interest in the conflict of interest policy. CC ID 14792 | Human Resources management | Preventive | |
Include roles and responsibilities in the conflict of interest policy. CC ID 14790 | Human Resources management | Preventive | |
Establish, implement, and maintain a Code of Conduct. CC ID 04897 [Ethical leadership results in an organizational context and culture that: contributes to the prevention of misconduct; § 6.7.3.3 ¶ 3 Bullet 3 Act in good faith and in the best interest of the organization. Table 2 Column 2 Row 2 Bullet 1 {be ethical} Act ethically and in a compliant manner. Table 2 Column 2 Row 2 Bullet 3 Ethical behaviour — The organization behaves in accordance with accepted principles of right or good conduct in the context of a particular situation and in a manner consistent with international norms of behaviour, including demonstrating: § 5 ¶ 2 c) Ethical leadership results in an organizational context and culture that: provides competitive differentiation for stakeholders by providing clarity against which evaluators can assess the organization's behaviour, decisions and activities; § 6.7.3.3 ¶ 3 Bullet 4 The governing body should steer the organizational strategy by means of: monitoring and responding to the behaviour, decisions and activities of the organization, e.g. values-driven behaviours pertaining to sustainability; § 6.3.3.2.2 ¶ 2 b)] | Human Resources management | Preventive | |
Establish, implement, and maintain a code of conduct for financial recommendations. CC ID 16649 | Human Resources management | Preventive | |
Include anti-coercion requirements and anti-tying requirements in the Code of Conduct. CC ID 16720 | Human Resources management | Preventive | |
Include classifications of ethics violations in the Code of Conduct. CC ID 14769 | Human Resources management | Preventive | |
Include definitions of ethics violations in the Code of Conduct. CC ID 14768 | Human Resources management | Preventive | |
Include exercising due professional care in the Code of Conduct. CC ID 14210 [Act with due care, skill, diligence and loyalty, and take reasonable steps to become informed about particular matters for decision-making. Table 2 Column 2 Row 3 Bullet 2 {hold accountable}{individual} The governing body should hold to account those to whom it has delegated (see 4.2.2). The governing body should ask questions, exercise its judgement, implement consequences, affect improvements and ensure that it is equipped to do so. When doing so, the governing body should practise integrity, fairness and transparency. § 6.5.3.3 ¶ 1] | Human Resources management | Preventive | |
Include health and safety provisions in the Code of Conduct. CC ID 16206 | Human Resources management | Preventive | |
Include key policies in the Code of Conduct. CC ID 12890 | Human Resources management | Preventive | |
Include responsibilities to the public trust in the Code of Conduct. CC ID 14209 | Human Resources management | Preventive | |
Include the vision statement in the Code of Conduct. CC ID 12889 | Human Resources management | Preventive | |
Include the organization's mission in the Code of Conduct. CC ID 12875 | Human Resources management | Preventive | |
Include classifications of desired conduct in the Code of Conduct. CC ID 12851 | Human Resources management | Preventive | |
Include environmental responsibility criteria in the Code of Conduct. CC ID 16209 | Human Resources management | Preventive | |
Include social responsibility criteria in the Code of Conduct. CC ID 16210 | Human Resources management | Preventive | |
Include that Information Security responsibilities extend outside normal business hours and organizational facilities in the Terms and Conditions of employment. CC ID 04580 | Human Resources management | Preventive | |
Include labor rights criteria in the Code of Conduct. CC ID 16208 | Human Resources management | Preventive | |
Include the employee's legal responsibilities and rights in the Terms and Conditions of employment. CC ID 15701 | Human Resources management | Preventive | |
Include the legal intellectual property responsibilities in the Code of Conduct. CC ID 04898 | Human Resources management | Detective | |
Include definitions of desirable conduct in the Code of Conduct. CC ID 12846 | Human Resources management | Preventive | |
Include notification procedures for allegations of undesirable conduct in the Code of Conduct. CC ID 12855 | Human Resources management | Preventive | |
Include procedures to identify positive outcomes in the Code of Conduct. CC ID 12854 | Human Resources management | Preventive | |
Require personnel to sign the Code of Conduct as a part of the Terms and Conditions of employment. CC ID 06664 | Human Resources management | Preventive | |
Require all personnel to re-sign the Code of Conduct, as necessary. CC ID 06666 | Human Resources management | Preventive | |
Include information security responsibilities in performance reviews. CC ID 15697 | Human Resources management | Preventive | |
Analyze the documentation produced by staff during the performance review. CC ID 07207 | Human Resources management | Detective | |
Establish, implement, and maintain a training program to report compliance violations. CC ID 11835 | Human Resources management | Preventive | |
Establish, implement, and maintain a Governance, Risk, and Compliance framework. CC ID 01406 [To exercise effective oversight, the governing body should: ensure that an internal control system is implemented, including a risk management system, a compliance management system and a system of financial controls; § 6.4.3.1 ¶ 1 b) {be adequate} The governing body is accountable for establishing and maintaining an integrated organizational governance framework across the organization that coordinates these governance activities such that the organization realizes effective performance, responsible stewardship and ethical behaviour. This organizational governance framework should ensure that decision-makers have appropriate authority, competence and resources for the responsibilities given to them. Effective delegation and transparent decision-making empower personnel to act appropriately, resulting in a more resilient and agile organization. Controls and subsequent improvement actions should be planned and implemented to ensure that the governance system remains adequate for the organization's purpose. § 4.2.1 ¶ 2 Therefore, the governing body should: govern for organizational viability over time. § 6.11.3.1 ¶ 2 c)] | Operational management | Preventive | |
Include enterprise architecture in the Governance, Risk, and Compliance framework. CC ID 13266 | Operational management | Preventive | |
Establish, implement, and maintain security requirements based on applicable regulations. CC ID 16283 | Operational management | Preventive | |
Establish, implement, and maintain a prioritized plan for updating the Governance, Risk, and Compliance framework. CC ID 12853 [Governing body members should continuously improve their competency regarding the organization's activities, legal requirements and, more broadly, the organization's context. This improving capability, together with regular reviews of governance practices, should ensure a continually improving governance environment. § 4.3.2 ¶ 1 The governing body should ensure that the responsibilities for developing and approving all policies are clear and that governance policies are not open to change without the governing body's agreement. § 6.3.3.1.2 ¶ 4 {individual} The governing body should ensure that those to whom they delegate are empowered to create management policies, which are consistent with the governance policies, and are also empowered to provide proposals for changes to the governance policies. § 6.3.3.1.2 ¶ 3 The governing body should steer the organizational strategy by means of: the composition and functioning of the governing body itself, and its committees, ensuring they are continually able to understand and meet the changing needs of the organization (see 4.3.2), including recommending ways for closing anticipated gaps; § 6.3.3.2.2 ¶ 2 c)] | Operational management | Preventive | |
Establish, implement, and maintain a compliance policy. CC ID 14807 | Operational management | Preventive | |
Include the standard of conduct and accountability in the compliance policy. CC ID 14813 [{refrain from holding accountable}{do not}{individual} No one should be held accountable for matters over which they have no authority or for which expectations have not been stated or agreed. § 4.2.2 ¶ 3 Governance of organizations is a human-based system by which an organization is directed, overseen and held accountable for achieving its defined organizational purpose. At its core this includes: demonstrating accountability for this performance and behaviour. § 4.1 ¶ 3 e)] | Operational management | Preventive | |
Include the scope in the compliance policy. CC ID 14812 | Operational management | Preventive | |
Include roles and responsibilities in the compliance policy. CC ID 14811 | Operational management | Preventive | |
Include a commitment to continual improvement in the compliance policy. CC ID 14810 | Operational management | Preventive | |
Include management commitment in the compliance policy. CC ID 14808 | Operational management | Preventive | |
Establish, implement, and maintain a governance policy. CC ID 15587 [The governing body should establish governance policies and ensure that these: § 6.3.3.1.2 ¶ 1 The governing body should ensure that the governance policies are effectively applied across the organization and that they achieve the governing body's intentions. § 6.3.3.1.2 ¶ 2 The governing body should ensure that the organizational risk framework, in respect to the management of risk: positions risk as a key consideration in the setting of governance policies (see 6.3); § 6.9.3.2 ¶ 2 c) The governing body should establish governance policies and ensure that these: are regularly reviewed, and updated as necessary, to ensure that they remain aligned with the organization's constituting documents, and the organization's changing context, and are based on relevant guidance and best practices such as standards and codes. § 6.3.3.1.2 ¶ 1 h) The governing body should establish governance policies and ensure that these: clarify the governing body's intentions and expectations with respect to the organizational purpose, organizational values and the organization's value generation objectives; § 6.3.3.1.2 ¶ 1 a) {internal context} The governing body should steer the organizational strategy by means of: governance policies, to ensure that they remain aligned with the organization's changing internal and external context and are current with common or best practice; § 6.3.3.2.2 ¶ 2 d) The governing body should provide direction for, and have sufficient oversight of, the use of data and its supporting information technology to ensure the organization remains within its established risk appetite and organizational risk framework. This can include: innovation processes to ensure that changes in information technology can quickly be assessed and, if necessary and appropriate, governance policies can be updated to leverage new opportunities; § 6.8.3.4 ¶ 2 d)] | Operational management | Preventive | |
Include a commitment to continuous improvement in the governance policy. CC ID 15595 [The governing body should establish governance policies and ensure that these: address the governing body's own commitment to continual improvement; § 6.3.3.1.2 ¶ 1 g)] | Operational management | Preventive | |
Include roles and responsibilities in the governance policy. CC ID 15594 [The governing body should establish governance policies and ensure that these: provide guidance on what, rather than detailing how, responsibilities are to be fulfilled; § 6.3.3.1.2 ¶ 1 d) The governing body should establish governance policies and ensure that these: define the structures (e.g. committees) and roles involved in the governance of the organization, including their authority, responsibilities, performance and reporting requirements; § 6.3.3.1.2 ¶ 1 c) The governing body should establish governance policies and ensure that these: clarify delegations within the organization, including in relation to the strategy process; § 6.3.3.1.2 ¶ 1 b)] | Operational management | Preventive | |
Establish, implement, and maintain an internal control framework. CC ID 00820 [To exercise effective oversight, the governing body should: ensure that an internal control system is implemented, including a risk management system, a compliance management system and a system of financial controls; § 6.4.3.1 ¶ 1 b) {be adequate} The governing body is accountable for establishing and maintaining an integrated organizational governance framework across the organization that coordinates these governance activities such that the organization realizes effective performance, responsible stewardship and ethical behaviour. This organizational governance framework should ensure that decision-makers have appropriate authority, competence and resources for the responsibilities given to them. Effective delegation and transparent decision-making empower personnel to act appropriately, resulting in a more resilient and agile organization. Controls and subsequent improvement actions should be planned and implemented to ensure that the governance system remains adequate for the organization's purpose. § 4.2.1 ¶ 2] | Operational management | Preventive | |
Include the business need justification for excluding controls in the baseline of internal controls. CC ID 16129 | Operational management | Preventive | |
Include the implementation status of controls in the baseline of internal controls. CC ID 16128 | Operational management | Preventive | |
Include procedures for continuous quality improvement in the internal control framework. CC ID 00819 | Operational management | Preventive | |
Include continuous service account management procedures in the internal control framework. CC ID 13860 | Operational management | Preventive | |
Include threat assessment in the internal control framework. CC ID 01347 | Operational management | Preventive | |
Include vulnerability management and risk assessment in the internal control framework. CC ID 13102 [The governing body should establish governance policies and ensure that these: set expectations for internal controls, compliance, risk management and risk taking; § 6.3.3.1.2 ¶ 1 e)] | Operational management | Preventive | |
Include personnel security procedures in the internal control framework. CC ID 01349 | Operational management | Preventive | |
Include continuous security warning monitoring procedures in the internal control framework. CC ID 01358 | Operational management | Preventive | |
Include incident alert thresholds in the continuous security warning monitoring procedures. CC ID 13205 | Operational management | Preventive | |
Include security information sharing procedures in the internal control framework. CC ID 06489 | Operational management | Preventive | |
Include security incident response procedures in the internal control framework. CC ID 01359 | Operational management | Preventive | |
Include incident response escalation procedures in the internal control framework. CC ID 11745 | Operational management | Preventive | |
Include continuous user account management procedures in the internal control framework. CC ID 01360 | Operational management | Preventive | |
Include emergency response procedures in the internal control framework. CC ID 06779 | Operational management | Detective | |
Authorize and document all exceptions to the internal control framework. CC ID 06781 | Operational management | Preventive | |
Establish, implement, and maintain a cybersecurity policy. CC ID 16833 | Operational management | Preventive | |
Establish, implement, and maintain an information security program. CC ID 00812 [The governing body should provide direction for, and have sufficient oversight of, the use of data and its supporting information technology to ensure the organization remains within its established risk appetite and organizational risk framework. This can include: the implementation of a risk-based information security management system (ISMS); § 6.8.3.4 ¶ 2 b)] | Operational management | Preventive | |
Include physical safeguards in the information security program. CC ID 12375 | Operational management | Preventive | |
Include technical safeguards in the information security program. CC ID 12374 | Operational management | Preventive | |
Include administrative safeguards in the information security program. CC ID 12373 | Operational management | Preventive | |
Include system development in the information security program. CC ID 12389 | Operational management | Preventive | |
Include system maintenance in the information security program. CC ID 12388 | Operational management | Preventive | |
Include system acquisition in the information security program. CC ID 12387 | Operational management | Preventive | |
Include access control in the information security program. CC ID 12386 | Operational management | Preventive | |
Include operations management in the information security program. CC ID 12385 | Operational management | Preventive | |
Include communication management in the information security program. CC ID 12384 | Operational management | Preventive | |
Include environmental security in the information security program. CC ID 12383 | Operational management | Preventive | |
Include physical security in the information security program. CC ID 12382 | Operational management | Preventive | |
Include human resources security in the information security program. CC ID 12381 | Operational management | Preventive | |
Include asset management in the information security program. CC ID 12380 | Operational management | Preventive | |
Include a continuous monitoring program in the information security program. CC ID 14323 | Operational management | Preventive | |
Include change management procedures in the continuous monitoring plan. CC ID 16227 | Operational management | Preventive | |
Include recovery procedures in the continuous monitoring plan. CC ID 16226 | Operational management | Preventive | |
Include mechanisms for decommissioning a system in the continuous monitoring plan. CC ID 16225 | Operational management | Preventive | |
Include mechanisms for appeal and override in the continuous monitoring plan. CC ID 16223 | Operational management | Preventive | |
Include how the information security department is organized in the information security program. CC ID 12379 | Operational management | Preventive | |
Include risk management in the information security program. CC ID 12378 | Operational management | Preventive | |
Include mitigating supply chain risks in the information security program. CC ID 13352 | Operational management | Preventive | |
Establish, implement, and maintain an information security policy. CC ID 11740 | Operational management | Preventive | |
Include business processes in the information security policy. CC ID 16326 | Operational management | Preventive | |
Include the information security strategy in the information security policy. CC ID 16125 | Operational management | Preventive | |
Include a commitment to continuous improvement in the information security policy. CC ID 16123 | Operational management | Preventive | |
Include roles and responsibilities in the information security policy. CC ID 16120 | Operational management | Preventive | |
Include a commitment to the information security requirements in the information security policy. CC ID 13496 | Operational management | Preventive | |
Include information security objectives in the information security policy. CC ID 13493 | Operational management | Preventive | |
Include the use of Cloud Services in the information security policy. CC ID 13146 | Operational management | Preventive | |
Include notification procedures in the information security policy. CC ID 16842 | Operational management | Preventive | |
Describe the group activities that protect restricted data in the information security procedures. CC ID 12294 | Operational management | Preventive | |
Document the roles and responsibilities for all activities that protect restricted data in the information security procedures. CC ID 12304 | Operational management | Preventive | |
Assign information security responsibilities to interested personnel and affected parties in the information security program. CC ID 11885 | Operational management | Preventive | |
Establish, implement, and maintain a social media governance program. CC ID 06536 | Operational management | Preventive | |
Include instant messaging, texting, and tweeting in the social media acceptable use policy. CC ID 04578 | Operational management | Preventive | |
Include explicit restrictions in the social media acceptable use policy. CC ID 06655 | Operational management | Preventive | |
Include contributive content sites in the social media acceptable use policy. CC ID 06656 | Operational management | Preventive | |
Establish, implement, and maintain operational control procedures. CC ID 00831 | Operational management | Preventive | |
Include assigning and approving operations in operational control procedures. CC ID 06382 | Operational management | Preventive | |
Include startup processes in operational control procedures. CC ID 00833 | Operational management | Preventive | |
Include change control processes in the operational control procedures. CC ID 16793 | Operational management | Preventive | |
Establish and maintain a data processing run manual. CC ID 00832 | Operational management | Preventive | |
Establish, implement, and maintain a Standard Operating Procedures Manual. CC ID 00826 | Operational management | Preventive | |
Include metrics in the standard operating procedures manual. CC ID 14988 | Operational management | Preventive | |
Include maintenance measures in the standard operating procedures manual. CC ID 14986 | Operational management | Preventive | |
Include the expected lifetime of the system in the standard operating procedures manual. CC ID 14984 | Operational management | Preventive | |
Include technical measures used to interpret output in the standard operating procedures manual. CC ID 14982 | Operational management | Preventive | |
Include predetermined changes in the standard operating procedures manual. CC ID 14977 | Operational management | Preventive | |
Include specifications for input data in the standard operating procedures manual. CC ID 14975 | Operational management | Preventive | |
Include risks to health and safety or fundamental rights in the standard operating procedures manual. CC ID 14973 | Operational management | Preventive | |
Include circumstances that may impact the system in the standard operating procedures manual. CC ID 14972 | Operational management | Preventive | |
Include what the system was tested and validated for in the standard operating procedures manual. CC ID 14969 | Operational management | Preventive | |
Include the intended purpose in the standard operating procedures manual. CC ID 14967 | Operational management | Preventive | |
Include information on system performance in the standard operating procedures manual. CC ID 14965 | Operational management | Preventive | |
Include contact details in the standard operating procedures manual. CC ID 14962 | Operational management | Preventive | |
Update operating procedures that contribute to user errors. CC ID 06935 | Operational management | Corrective | |
Establish, implement, and maintain a job scheduling methodology. CC ID 00834 | Operational management | Preventive | |
Establish and maintain a job schedule exceptions list. CC ID 00835 | Operational management | Preventive | |
Establish, implement, and maintain a data processing continuity plan. CC ID 00836 | Operational management | Preventive | |
Establish, implement, and maintain Voice over Internet Protocol operating procedures. CC ID 04583 | Operational management | Preventive | |
Establish, implement, and maintain the Acceptable Use Policy. CC ID 01350 | Operational management | Preventive | |
Include that explicit management authorization must be given for the use of all technologies and their documentation in the Acceptable Use Policy. CC ID 01351 | Operational management | Preventive | |
Include requiring users to protect restricted data in accordance with the Governance, Risk, and Compliance framework in the Acceptable Use Policy. CC ID 11894 [New technology brings an increase in the volume and value of data, and a responsibility for governing bodies to ensure that: sensitive data are protected and secured. § 6.8.3.4 ¶ 1 Bullet 3] | Operational management | Preventive | |
Include Bring Your Own Device agreements in the Acceptable Use Policy. CC ID 15703 | Operational management | Preventive | |
Include the obligations of users in the Bring Your Own Device agreement. CC ID 15708 | Operational management | Preventive | |
Include the rights of the organization in the Bring Your Own Device agreement. CC ID 15707 | Operational management | Preventive | |
Include the circumstances in which the organization may confiscate, audit, or inspect assets in the Bring Your Own Device agreement. CC ID 15706 | Operational management | Preventive | |
Include the circumstances in which the organization may manage assets in the Bring Your Own Device agreement. CC ID 15705 | Operational management | Preventive | |
Include Bring Your Own Device usage in the Acceptable Use Policy. CC ID 12293 | Operational management | Preventive | |
Include a web usage policy in the Acceptable Use Policy. CC ID 16496 | Operational management | Preventive | |
Include Bring Your Own Device security guidelines in the Acceptable Use Policy. CC ID 01352 | Operational management | Preventive | |
Include asset tags in the Acceptable Use Policy. CC ID 01354 | Operational management | Preventive | |
Specify the owner of applicable assets in the Acceptable Use Policy. CC ID 15699 | Operational management | Preventive | |
Include asset use policies in the Acceptable Use Policy. CC ID 01355 | Operational management | Preventive | |
Include authority for access authorization lists for assets in all relevant Acceptable Use Policies. CC ID 11872 | Operational management | Preventive | |
Include access control mechanisms in the Acceptable Use Policy. CC ID 01353 | Operational management | Preventive | |
Include prohibiting the copying or moving of restricted data from its original source onto local hard drives or removable storage media in the Acceptable Use Policy. CC ID 11893 | Operational management | Preventive | |
Correlate the Acceptable Use Policy with the network security policy. CC ID 01356 | Operational management | Preventive | |
Include appropriate network locations for each technology in the Acceptable Use Policy. CC ID 11881 | Operational management | Preventive | |
Correlate the Acceptable Use Policy with the approved product list. CC ID 01357 | Operational management | Preventive | |
Include facility access and facility use in the Acceptable Use Policy. CC ID 06441 | Operational management | Preventive | |
Include disciplinary actions in the Acceptable Use Policy. CC ID 00296 | Operational management | Corrective | |
Include the usage restrictions of mobile code technologies in the Acceptable Use Policy. CC ID 15311 | Operational management | Preventive | |
Include a software installation policy in the Acceptable Use Policy. CC ID 06749 | Operational management | Preventive | |
Document idle session termination and logout for remote access technologies in the Acceptable Use Policy. CC ID 12472 | Operational management | Preventive | |
Require interested personnel and affected parties to sign Acceptable Use Policies. CC ID 06661 | Operational management | Preventive | |
Require interested personnel and affected parties to re-sign Acceptable Use Policies, as necessary. CC ID 06663 | Operational management | Preventive | |
Establish, implement, and maintain an Intellectual Property Right program. CC ID 00821 | Operational management | Preventive | |
Establish, implement, and maintain Intellectual Property Rights protection procedures. CC ID 11512 | Operational management | Preventive | |
Protect against circumvention of the organization's Intellectual Property Rights. CC ID 11513 | Operational management | Preventive | |
Establish, implement, and maintain an e-mail policy. CC ID 06439 | Operational management | Preventive | |
Include business use of personal e-mail in the e-mail policy. CC ID 14381 | Operational management | Preventive | |
Protect policies, standards, and procedures from unauthorized modification or disclosure. CC ID 10603 | Operational management | Preventive | |
Establish, implement, and maintain nondisclosure agreements. CC ID 04536 | Operational management | Preventive | |
Require interested personnel and affected parties to sign nondisclosure agreements. CC ID 06667 | Operational management | Preventive | |
Require interested personnel and affected parties to re-sign nondisclosure agreements, as necessary. CC ID 06669 | Operational management | Preventive | |
Establish, implement, and maintain a use of information agreement. CC ID 06215 | Operational management | Preventive | |
Include use limitations in the use of information agreement. CC ID 06244 | Operational management | Preventive | |
Include disclosure requirements in the use of information agreement. CC ID 11735 | Operational management | Preventive | |
Include information recipients in the use of information agreement. CC ID 06245 | Operational management | Preventive | |
Include reporting out of scope use of information in the use of information agreement. CC ID 06246 | Operational management | Preventive | |
Include disclosure of information in the use of information agreement. CC ID 11830 | Operational management | Preventive | |
Include information security procedures assigned to the information recipient in the use of information agreement. CC ID 07130 | Operational management | Preventive | |
Include information security procedures assigned to the originator in the use of information agreement. CC ID 14418 | Operational management | Preventive | |
Include a do not contact rule for the individuals identified in a data set in the use of information agreement. CC ID 07131 | Operational management | Preventive | |
Include the information recipient's third parties accepting the agreement in the use of information agreement. CC ID 07132 | Operational management | Preventive | |
Comply with all implemented policies in the organization's compliance framework. CC ID 06384 [To demonstrate accountability, the governing body should ensure that the organization's reports and disclosures: meet compliance obligations; § 6.5.3.2 ¶ 1 d) Effective performance — The organization: remains in alignment with its policies and relevant stakeholder expectations. § 5 ¶ 2 a) 4)] | Operational management | Preventive | |
Establish, implement, and maintain an asset management policy. CC ID 15219 | Operational management | Preventive | |
Establish, implement, and maintain asset management procedures. CC ID 16748 | Operational management | Preventive | |
Include life cycle requirements in the security management program. CC ID 16392 | Operational management | Preventive | |
Include program objectives in the asset management program. CC ID 14413 | Operational management | Preventive | |
Include a commitment to continual improvement in the asset management program. CC ID 14412 | Operational management | Preventive | |
Include compliance with applicable requirements in the asset management program. CC ID 14411 | Operational management | Preventive | |
Establish, implement, and maintain classification schemes for all systems and assets. CC ID 01902 | Operational management | Preventive | |
Establish, implement, and maintain the systems' confidentiality level. CC ID 01904 | Operational management | Preventive | |
Define confidentiality controls. CC ID 01908 | Operational management | Preventive | |
Establish, implement, and maintain the systems' availability level. CC ID 01905 | Operational management | Preventive | |
Define integrity controls. CC ID 01909 | Operational management | Preventive | |
Establish, implement, and maintain the systems' integrity level. CC ID 01906 | Operational management | Preventive | |
Define availability controls. CC ID 01911 | Operational management | Preventive | |
Establish safety classifications for systems according to their potential harmful effects to operators or end users. CC ID 06603 | Operational management | Preventive | |
Establish, implement, and maintain an asset safety classification scheme. CC ID 06604 | Operational management | Preventive | |
Establish, implement, and maintain the Asset Classification Policy. CC ID 06642 | Operational management | Preventive | |
Document the decision for assigning an asset to a specific asset classification in the Asset Classification Policy. CC ID 07185 | Operational management | Preventive | |
Assign decomposed system components the same asset classification as the originating system. CC ID 06605 | Operational management | Preventive | |
Establish, implement, and maintain an Information Technology inventory with asset discovery audit trails. CC ID 00689 | Operational management | Preventive | |
Include all account types in the Information Technology inventory. CC ID 13311 | Operational management | Preventive | |
Include each Information System's major applications in the Information Technology inventory. CC ID 01407 | Operational management | Preventive | |
Categorize all major applications according to the business information they process. CC ID 07182 | Operational management | Preventive | |
Document the resources, hazards, and Evaluation Assurance Levels for each major application. CC ID 01164 | Operational management | Preventive | |
Include the General Support Systems and security support structure in the Information Technology inventory. CC ID 01408 | Operational management | Preventive | |
Include each Information System's minor applications in the Information Technology inventory. CC ID 01409 | Operational management | Preventive | |
Categorize facilities in the Information Technology inventory according to their environmental risks. CC ID 06729 | Operational management | Preventive | |
Establish, implement, and maintain a hardware asset inventory. CC ID 00691 | Operational management | Preventive | |
Include network equipment in the Information Technology inventory. CC ID 00693 | Operational management | Preventive | |
Include mobile devices that store restricted data or restricted information in the Information Technology inventory. CC ID 04719 | Operational management | Preventive | |
Include software in the Information Technology inventory. CC ID 00692 | Operational management | Preventive | |
Establish and maintain a list of authorized software and versions required for each system. CC ID 12093 | Operational management | Preventive | |
Establish, implement, and maintain a storage media inventory. CC ID 00694 | Operational management | Preventive | |
Include all electronic storage media containing restricted data or restricted information in the storage media inventory. CC ID 00962 | Operational management | Detective | |
Establish, implement, and maintain a records inventory and database inventory. CC ID 01260 | Operational management | Preventive | |
Add inventoried assets to the asset register database, as necessary. CC ID 07051 | Operational management | Preventive | |
Organize the asset register database by grouping objects according to an organizational information classification standard. CC ID 07181 | Operational management | Preventive | |
Record the decommission date for applicable assets in the asset inventory. CC ID 14920 | Operational management | Preventive | |
Record the Uniform Resource Locator for applicable assets in the asset inventory. CC ID 14918 | Operational management | Preventive | |
Record the review date for applicable assets in the asset inventory. CC ID 14919 | Operational management | Preventive | |
Record services for applicable assets in the asset inventory. CC ID 13733 | Operational management | Preventive | |
Record protocols for applicable assets in the asset inventory. CC ID 13734 | Operational management | Preventive | |
Record the software version in the asset inventory. CC ID 12196 | Operational management | Preventive | |
Record the publisher for applicable assets in the asset inventory. CC ID 13725 | Operational management | Preventive | |
Record the authentication system in the asset inventory. CC ID 13724 | Operational management | Preventive | |
Tag unsupported assets in the asset inventory. CC ID 13723 | Operational management | Preventive | |
Record the install date for applicable assets in the asset inventory. CC ID 13720 | Operational management | Preventive | |
Record the make and model of the device for applicable assets in the asset inventory. CC ID 12465 | Operational management | Preventive | |
Record the asset tag for physical assets in the asset inventory. CC ID 06632 | Operational management | Preventive | |
Record the host name of applicable assets in the asset inventory. CC ID 13722 | Operational management | Preventive | |
Record network ports for applicable assets in the asset inventory. CC ID 13730 | Operational management | Preventive | |
Record the MAC address for applicable assets in the asset inventory. CC ID 13721 | Operational management | Preventive | |
Record the operating system type for applicable assets in the asset inventory. CC ID 06633 | Operational management | Preventive | |
Record the department associated with the asset in the asset inventory. CC ID 12084 | Operational management | Preventive | |
Record the physical location for applicable assets in the asset inventory. CC ID 06634 | Operational management | Preventive | |
Record the manufacturer's serial number for applicable assets in the asset inventory. CC ID 06635 | Operational management | Preventive | |
Record the firmware version for applicable assets in the asset inventory. CC ID 12195 | Operational management | Preventive | |
Record the related business function for applicable assets in the asset inventory. CC ID 06636 | Operational management | Preventive | |
Record the deployment environment for applicable assets in the asset inventory. CC ID 06637 | Operational management | Preventive | |
Record the Internet Protocol address for applicable assets in the asset inventory. CC ID 06638 | Operational management | Preventive | |
Link the software asset inventory to the hardware asset inventory. CC ID 12085 | Operational management | Preventive | |
Record the owner for applicable assets in the asset inventory. CC ID 06640 | Operational management | Preventive | |
Record all compliance requirements for applicable assets in the asset inventory. CC ID 15696 | Operational management | Preventive | |
Record all changes to assets in the asset inventory. CC ID 12190 | Operational management | Preventive | |
Record cloud service derived data in the asset inventory. CC ID 13007 | Operational management | Preventive | |
Include cloud service customer data in the asset inventory. CC ID 13006 | Operational management | Preventive | |
Establish, implement, and maintain a software accountability policy. CC ID 00868 | Operational management | Preventive | |
Establish, implement, and maintain software asset management procedures. CC ID 00895 | Operational management | Preventive | |
Establish, implement, and maintain software archives procedures. CC ID 00866 | Operational management | Preventive | |
Establish, implement, and maintain software distribution procedures. CC ID 00894 | Operational management | Preventive | |
Establish, implement, and maintain software documentation management procedures. CC ID 06395 | Operational management | Preventive | |
Establish, implement, and maintain software license management procedures. CC ID 06639 | Operational management | Preventive | |
Establish, implement, and maintain digital legacy procedures. CC ID 16524 | Operational management | Preventive | |
Establish, implement, and maintain a system redeployment program. CC ID 06276 | Operational management | Preventive | |
Document the staff's operating knowledge of the system prior to a personnel status change. CC ID 06937 | Operational management | Preventive | |
Redeploy systems to other organizational units, as necessary. CC ID 11452 | Operational management | Preventive | |
Establish, implement, and maintain a system disposal program. CC ID 14431 | Operational management | Preventive | |
Establish, implement, and maintain disposal procedures. CC ID 16513 | Operational management | Preventive | |
Establish, implement, and maintain asset sanitization procedures. CC ID 16511 | Operational management | Preventive | |
Establish, implement, and maintain system destruction procedures. CC ID 16474 | Operational management | Preventive | |
Establish, implement, and maintain printer and multifunction device disposition procedures. CC ID 15216 | Operational management | Preventive | |
Establish, implement, and maintain a system preventive maintenance program. CC ID 00885 [The organization's viability and performance over time depends on the resilience of natural environmental, social and economic systems in which the organization operates. The resilience of these systems benefits from governing body decisions when such decisions consider: actively contribute to conserving and restoring these systems. § 6.11.3.1 ¶ 1 Bullet 2] | Operational management | Preventive | |
Establish and maintain maintenance reports. CC ID 11749 | Operational management | Preventive | |
Establish and maintain system inspection reports. CC ID 06346 | Operational management | Preventive | |
Establish, implement, and maintain a system maintenance policy. CC ID 14032 | Operational management | Preventive | |
Include compliance requirements in the system maintenance policy. CC ID 14217 | Operational management | Preventive | |
Include management commitment in the system maintenance policy. CC ID 14216 | Operational management | Preventive | |
Include roles and responsibilities in the system maintenance policy. CC ID 14215 | Operational management | Preventive | |
Include the scope in the system maintenance policy. CC ID 14214 | Operational management | Preventive | |
Include the purpose in the system maintenance policy. CC ID 14187 | Operational management | Preventive | |
Include coordination amongst entities in the system maintenance policy. CC ID 14181 | Operational management | Preventive | |
Establish, implement, and maintain system maintenance procedures. CC ID 14059 | Operational management | Preventive | |
Establish, implement, and maintain a technology refresh plan. CC ID 13061 | Operational management | Preventive | |
Establish and maintain an archive of maintenance reports in a maintenance log. CC ID 06202 | Operational management | Preventive | |
Post calibration limits or calibration tolerances on or near assets requiring calibration. CC ID 06204 | Operational management | Preventive | |
Establish, implement, and maintain an end-of-life management process. CC ID 16540 | Operational management | Preventive | |
Establish, implement, and maintain disposal contracts. CC ID 12199 | Operational management | Preventive | |
Include disposal procedures in disposal contracts. CC ID 13905 | Operational management | Preventive | |
Document the storage information for all systems that are stored instead of being disposed of or redeployed. CC ID 06936 | Operational management | Preventive | |
Establish, implement, and maintain a data stewardship policy. CC ID 06657 | Operational management | Preventive | |
Establish and maintain an unauthorized software list. CC ID 10601 | Operational management | Preventive | |
Establish, implement, and maintain a customer service program. CC ID 00846 | Operational management | Preventive | |
Include detection procedures in the Incident Management program. CC ID 00588 | Operational management | Preventive | |
Analyze security violations in Suspicious Activity Reports. CC ID 00591 | Operational management | Preventive | |
Update the incident response procedures using the lessons learned. CC ID 01233 [The governing body should oversee organizational performance by assessing and taking corrective action based on: the organization's management of plans, organizational changes and other substantial transformations as well as responses to unplanned events and incidents. § 6.4.3.2 ¶ 1 j)] | Operational management | Preventive | |
Establish, implement, and maintain a performance management standard. CC ID 01615 [The governing body should oversee the organization's performance to ensure that it meets the governing body's intentions for, and expectations of, the organization, its ethical behaviour and its compliance obligations. § 6.4.1 ¶ 1 Ethical and effective leadership should be demonstrated in three areas: the performance of the organization as a whole; § 6.7.3.1 ¶ 4 b) The governing body should oversee the organization's performance to ensure that it meets the governing body's intentions for, and expectations of, the organization, its ethical behaviour and its compliance obligations. Table 1 Column 4 Row 5 Effective performance — The organization: performs as required; § 5 ¶ 2 a) 2)] | Operational management | Preventive | |
Establish, implement, and maintain a remediation plan for deviations in the resource management process. CC ID 13679 | Operational management | Preventive | |
Establish, implement, and maintain system capacity monitoring procedures. CC ID 01619 | Operational management | Preventive | |
Establish, implement, and maintain system performance monitoring procedures. CC ID 11752 | Operational management | Preventive | |
Establish, implement, and maintain a cost management program. CC ID 13638 | Operational management | Preventive | |
Establish, implement, and maintain an information management program. CC ID 14315 [Decision-making throughout the organization should be supported by appropriate delegation (see 4.2.2). This delegation should be formalized together with appropriate assurance processes. Additionally, the governing body should ensure that: information structures, including access to information, monitoring and potential mitigation of incorrect decisions are sufficient to ensure compliance with organizational requirements. § 6.8.3.2.2 ¶ 1 c)] | Records management | Preventive | |
Establish, implement, and maintain records management procedures. CC ID 11619 | Records management | Preventive | |
Establish, implement, and maintain Automated Data Processing error handling procedures. CC ID 00925 | Records management | Preventive | |
Establish, implement, and maintain Automated Data Processing error handling reporting. CC ID 11659 | Records management | Preventive | |
Establish, implement, and maintain electronic storage media management procedures. CC ID 00931 | Records management | Preventive | |
Include how to access information from the dispute resolution body in the consumer complaint management program. CC ID 13816 | Acquisition or sale of facilities, technology, and services | Preventive | |
Include any requirements for using information from the dispute resolution body in the consumer complaint management program. CC ID 13815 | Acquisition or sale of facilities, technology, and services | Preventive | |
Establish, implement, and maintain consumer complaint escalation procedures. CC ID 07208 | Acquisition or sale of facilities, technology, and services | Preventive | |
Establish, implement, and maintain notice and take-down procedures. CC ID 09963 | Acquisition or sale of facilities, technology, and services | Preventive | |
Document any unlawful material hosted or stored by the organization meeting the take-down request criteria. CC ID 09975 | Acquisition or sale of facilities, technology, and services | Preventive | |
Document any unlawful material hosted or stored by the organization meeting the take-down request criteria that has been removed prior to the take-down request. CC ID 09976 | Acquisition or sale of facilities, technology, and services | Preventive | |
Include whether it is technically feasible to follow the requested remedial action in the take-down request. CC ID 09977 | Acquisition or sale of facilities, technology, and services | Preventive | |
Establish, implement, and maintain a privacy framework that protects restricted data. CC ID 11850 | Privacy protection for information and data | Preventive | |
Establish, implement, and maintain a personal data use limitation program. CC ID 13428 | Privacy protection for information and data | Preventive | |
Establish, implement, and maintain data access procedures. CC ID 00414 [The governing body should: ensure that all relevant stakeholders are able to access the reports and disclosures, as far as is reasonable, and are therefore suitably equipped with the information necessary to make informed assessments of the organization's past performance, current performance and performance over time. § 6.5.3.2 ¶ 2 Bullet 3] | Privacy protection for information and data | Preventive | |
Require data access requests to be in writing, unless the requester is unable. CC ID 00420 | Privacy protection for information and data | Preventive | |
Define what is to be included in a data access request. CC ID 08699 | Privacy protection for information and data | Preventive | |
Deliver the records described in the personal data access request, as necessary. CC ID 08701 | Privacy protection for information and data | Preventive | |
Establish, implement, and maintain procedures for individuals to be able to modify their personal data, as necessary. CC ID 11811 | Privacy protection for information and data | Preventive | |
Include a liability waiver for any harm caused by the exclusion of personal data in the personal data removal request. CC ID 11975 | Privacy protection for information and data | Preventive | |
Notify third parties of data access requests that relate to the third party. CC ID 08703 | Privacy protection for information and data | Preventive | |
Establish, implement, and maintain a personal data collection program. CC ID 06487 [The governing body should make decisions of requisite quality and ensure that its decision-making is appropriately informed. The governing body should: exercise its right and responsibility to determine and receive the information it requires, including determining the appropriate data collection methods, preparation and timely delivery of information; § 6.8.3.2.1 ¶ 1 f)] | Privacy protection for information and data | Preventive | |
Establish, implement, and maintain personal data collection limitation boundaries. CC ID 00507 | Privacy protection for information and data | Preventive | |
Establish, implement, and maintain a personal data use policy. CC ID 00076 | Privacy protection for information and data | Preventive | |
Post the collection purpose. CC ID 00101 | Privacy protection for information and data | Preventive | |
Document each individual's personal data collection consent preferences. CC ID 06945 | Privacy protection for information and data | Preventive | |
Establish and maintain a personal data definition. CC ID 00028 | Privacy protection for information and data | Preventive | |
Include the number of children in the personal data definition. CC ID 13759 | Privacy protection for information and data | Preventive | |
Include the individual's religion in the personal data definition. CC ID 13765 | Privacy protection for information and data | Preventive | |
Include an individual's political party affiliation in the personal data definition. CC ID 13764 | Privacy protection for information and data | Preventive | |
Include an individual's license plate number in the personal data definition. CC ID 13763 | Privacy protection for information and data | Preventive | |
Include an individual's account balances in the personal data definition. CC ID 13770 | Privacy protection for information and data | Preventive | |
Include an individual's logon credentials in the personal data definition. CC ID 13771 | Privacy protection for information and data | Preventive | |
Include an individual's military identification number in the personal data definition. CC ID 13083 | Privacy protection for information and data | Preventive | |
Refrain from including publicly available information in the personal data definition. CC ID 13084 | Privacy protection for information and data | Preventive | |
Notify parents or legal representatives of what information is collected from children. CC ID 00040 | Privacy protection for information and data | Preventive | |
Establish, implement, and maintain a personal data collection policy. CC ID 00029 | Privacy protection for information and data | Preventive | |
Provide the data subject with information about the data controller during the collection process. CC ID 00023 | Privacy protection for information and data | Preventive | |
Provide the data subject with the data collector's name and contact information. CC ID 00024 | Privacy protection for information and data | Preventive | |
Provide the data subject with the name of the data collector who will hold the collected restricted data. CC ID 00025 | Privacy protection for information and data | Preventive | |
Provide the data subject with the third party processor's contact information when the data controller is not processing the restricted data. CC ID 00026 | Privacy protection for information and data | Preventive | |
Establish, implement, and maintain a data handling program. CC ID 13427 | Privacy protection for information and data | Preventive | |
Establish, implement, and maintain data handling policies. CC ID 00353 | Privacy protection for information and data | Preventive | |
Establish, implement, and maintain data and information confidentiality policies. CC ID 00361 [{be within}To demonstrate accountability, the governing body should ensure that the organization's reports and disclosures: are transparent but also within the limits of confidentiality; § 6.5.3.2 ¶ 1 f)] | Privacy protection for information and data | Preventive | |
Establish, implement, and maintain suspicious document procedures. CC ID 04852 | Privacy protection for information and data | Detective | |
Establish, implement, and maintain data handling procedures. CC ID 11756 | Privacy protection for information and data | Preventive | |
Establish, implement, and maintain a supply chain management program. CC ID 11742 | Third Party and supply chain oversight | Preventive | |
Document the organization's supply chain in the supply chain management program. CC ID 09958 | Third Party and supply chain oversight | Preventive | |
Document supply chain dependencies in the supply chain management program. CC ID 08900 [{external context}The governing body should ensure that the organizational risk framework, in respect to the management of risk: considers the impact of, changes to and dependencies on the external and internal context of the organization, including: § 6.9.3.2 ¶ 2 d)] | Third Party and supply chain oversight | Detective | |
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
---|---|---|---|
Assign responsibility for enforcing the requirements of the Information Governance Plan to senior management. CC ID 12058 | Leadership and high level objectives | Preventive | |
Engage information governance subject matter experts in the development of the Information Governance Plan. CC ID 10055 | Leadership and high level objectives | Preventive | |
Assign senior management to approve business cases. CC ID 13068 | Leadership and high level objectives | Preventive | |
Review and approve the Strategic Information Technology Plan at the level of senior management or the Board of Directors. CC ID 13094 | Leadership and high level objectives | Preventive | |
Assign roles and responsibilities for overseeing access to restricted data or restricted information. CC ID 11950 | Monitoring and measurement | Detective | |
Assign senior management to approve test plans. CC ID 13071 | Monitoring and measurement | Preventive | |
Align disciplinary actions with the level of compliance violation. CC ID 12404 | Monitoring and measurement | Preventive | |
Assign the Board of Directors to address audit findings. CC ID 12396 [Assurance processes that inform the governing body independently and accurately include: direct verifications by the governing body; § 6.4.3.3 ¶ 2 Bullet 1] | Audits and risk management | Corrective | |
Include roles and responsibilities in the interview procedures. CC ID 16297 | Audits and risk management | Preventive | |
Identify the audit team members in the audit report. CC ID 15259 | Audits and risk management | Detective | |
Assign responsibility for remediation actions. CC ID 13622 | Audits and risk management | Preventive | |
Evaluate the competency of auditors. CC ID 15253 | Audits and risk management | Detective | |
Employ third parties when implementing a risk assessment, as necessary. CC ID 16306 | Audits and risk management | Detective | |
Engage appropriate parties to assist with risk assessments, as necessary. CC ID 12153 | Audits and risk management | Preventive | |
Assign key stakeholders to review and approve supply chain risk management procedures. CC ID 13199 | Audits and risk management | Preventive | |
Define roles for information systems. CC ID 12454 | Technical security | Preventive | |
Define access needs for each role assigned to an information system. CC ID 12455 | Technical security | Preventive | |
Establish, implement, and maintain a security operations center. CC ID 14762 | Human Resources management | Preventive | |
Designate an alternate for each organizational leader. CC ID 12053 | Human Resources management | Preventive | |
Assign the roles and responsibilities of management in establishing, implementing, and maintaining the information security program. CC ID 13112 | Human Resources management | Preventive | |
Establish and maintain board committees, as necessary. CC ID 14789 [The governing body should steer the organizational strategy by means of: the composition and functioning of the governing body itself, and its committees, ensuring they are continually able to understand and meet the changing needs of the organization (see 4.3.2), including recommending ways for closing anticipated gaps; § 6.3.3.2.2 ¶ 2 c)] | Human Resources management | Preventive | |
Assign oversight of C-level executives to the Board of Directors. CC ID 14784 | Human Resources management | Preventive | |
Assign oversight of the financial management program to the board of directors. CC ID 14781 | Human Resources management | Preventive | |
Assign senior management to the role of supporting Quality Management. CC ID 13692 | Human Resources management | Preventive | |
Assign members who are independent from management to the Board of Directors. CC ID 12395 [The composition and structure of the governing body will vary between organizations. However, the governing body, as a collective, should remain suitably equipped to fulfil its role. Appointments to the governing body should be transparent to stakeholders and consider: independence of thought and action; § 4.3.1 ¶ 1 Bullet 3] | Human Resources management | Preventive | |
Assign ownership of risks to the Board of Directors or senior management. CC ID 13662 [The governing body should assume accountability for the organization's continual sensing of, and responding to, risk and communicating the chosen approach with relevant stakeholders as necessary (see 6.5.3). § 6.9.3.1 ¶ 1 To ensure that the organization fulfils the organizational purpose and achieves the intended strategic outcomes, the governing body should: oversee the organization's risk management activities. § 6.9.3.1 ¶ 2 c) The governing body should oversee the organization's management of risk (see 6.4), ensuring that: § 6.9.3.4 ¶ 1] | Human Resources management | Preventive | |
Assign the organization's board and senior management to oversee the continuity planning process. CC ID 12991 | Human Resources management | Preventive | |
Rotate members of the board of directors, as necessary. CC ID 14803 | Human Resources management | Corrective | |
Define and assign board committees, as necessary. CC ID 14787 | Human Resources management | Preventive | |
Define and assign risk committees, as necessary. CC ID 14795 | Human Resources management | Preventive | |
Define and assign audit committees, as necessary. CC ID 14788 | Human Resources management | Preventive | |
Include members with experience in audit practices, financial reporting, and accounting in the audit committee. CC ID 14796 | Human Resources management | Preventive | |
Define and assign compensation committees, as necessary. CC ID 14793 | Human Resources management | Preventive | |
Define and assign the network administrator's roles and responsibilities. CC ID 16363 | Human Resources management | Preventive | |
Define and assign the Data Protection Officer's roles and responsibilities. CC ID 16525 | Human Resources management | Preventive | |
Define and assign the Chief Risk Officer's roles and responsibilities. CC ID 14333 | Human Resources management | Preventive | |
Define and assign roles and responsibilities for network management. CC ID 13128 | Human Resources management | Preventive | |
Define and assign the authorized representatives' roles and responsibilities. CC ID 15033 | Human Resources management | Preventive | |
Establish and maintain an Information Technology steering committee. CC ID 12706 | Human Resources management | Preventive | |
Assign the Information Technology steering committee to report to senior management. CC ID 12731 | Human Resources management | Preventive | |
Convene the Information Technology steering committee, as necessary. CC ID 12730 | Human Resources management | Preventive | |
Assign reviewing investments to the Information Technology steering committee, as necessary. CC ID 13625 | Human Resources management | Preventive | |
Assign the role of Risk Assessment Manager to applicable controls. CC ID 12143 | Human Resources management | Preventive | |
Assign the Risk Assessment Manager the duty of reporting risk assessment results to organizational management. CC ID 12152 | Human Resources management | Preventive | |
Refrain from allocating temporary staff to perform sensitive jobs absent the presence and control of authorized permanent staff. CC ID 12299 | Human Resources management | Preventive | |
Define and assign workforce roles and responsibilities. CC ID 13267 ["Governance" and "management" are distinct, necessary and complementary activities that interact and influence one another. Governance involves setting and being accountable for the organization's fulfilment of its purpose within the parameters set for the organization, whereas management is about fulfilling the associated objectives by making choices within those parameters. The governing body should ensure the clarity of roles and responsibilities of all involved and hold accountable those to whom they delegate. § 4.2.3 ¶ 1] | Human Resources management | Preventive | |
Establish, implement, and maintain cybersecurity roles and responsibilities. CC ID 13201 | Human Resources management | Preventive | |
Document the use of external experts. CC ID 16263 | Human Resources management | Preventive | |
Define and assign roles and responsibilities for those involved in risk management. CC ID 13660 [The governing body should ensure that the organizational risk framework, in respect to the management of risk: establishes the desired risk culture across the organization that encourages the reporting and communication of new and emerging risks, and ensures that every person in the organization understands their risk management responsibility; § 6.9.3.2 ¶ 2 a)] | Human Resources management | Preventive | |
Include the management structure in the duties and responsibilities for risk management. CC ID 13665 | Human Resources management | Preventive | |
Assign the roles and responsibilities for the change control program. CC ID 13118 | Human Resources management | Preventive | |
Assign responsibility for cyber threat intelligence. CC ID 12746 | Human Resources management | Preventive | |
Assign the role of security leader to keep up to date on the latest threats. CC ID 12112 | Human Resources management | Preventive | |
Define and assign the data processor's roles and responsibilities. CC ID 12607 | Human Resources management | Preventive | |
Assign the data processor to assist the data controller in implementing security controls. CC ID 12677 | Human Resources management | Preventive | |
Assign the role of data controller to be the Point of Contact for the supervisory authority. CC ID 12616 | Human Resources management | Preventive | |
Assign the role of the Data Controller to cooperate with the supervisory authority. CC ID 12615 | Human Resources management | Preventive | |
Assign the data controller to facilitate the exercise of the data subject's rights. CC ID 12666 | Human Resources management | Preventive | |
Assign the role of data controller to provide advice, when requested. CC ID 12611 | Human Resources management | Preventive | |
Define and assign the roles and responsibilities of security guards. CC ID 12543 | Human Resources management | Preventive | |
Define and assign roles and responsibilities for dispute resolution. CC ID 13626 | Human Resources management | Preventive | |
Define and assign the roles for Legal Support Workers. CC ID 13711 | Human Resources management | Preventive | |
Establish, implement, and maintain a succession plan for organizational leaders and support personnel. CC ID 11822 [The governing body should steer the organizational strategy by means of: succession planning for the critical roles in the organization, including emergency succession arrangements; § 6.3.3.2.2 ¶ 2 f)] | Human Resources management | Preventive | |
Perform security skills assessments for all critical employees. CC ID 12102 | Human Resources management | Detective | |
Perform a background check during personnel screening. CC ID 11758 | Human Resources management | Detective | |
Perform a personal identification check during personnel screening. CC ID 06721 | Human Resources management | Preventive | |
Perform a personal references check during personnel screening. CC ID 06645 | Human Resources management | Preventive | |
Perform a credit check during personnel screening. CC ID 06646 | Human Resources management | Preventive | |
Perform a resume check during personnel screening. CC ID 06659 | Human Resources management | Preventive | |
Perform a curriculum vitae check during personnel screening. CC ID 06660 | Human Resources management | Preventive | |
Allow personnel being screened to appeal findings and appeal decisions. CC ID 06720 | Human Resources management | Preventive | |
Perform personnel screening procedures, as necessary. CC ID 11763 | Human Resources management | Preventive | |
Perform periodic background checks on designated roles, as necessary. CC ID 11759 | Human Resources management | Detective | |
Perform security clearance procedures, as necessary. CC ID 06644 | Human Resources management | Preventive | |
Establish and maintain security clearances. CC ID 01634 | Human Resources management | Preventive | |
Implement a staff rotation plan. CC ID 12772 | Human Resources management | Preventive | |
Establish, implement, and maintain a compensation, reward, and recognition program. CC ID 12806 [{be fair}{be responsible}{be transparent}The governing body should steer the organizational strategy by means of: the organization's approach to compensation, ensuring that compensation is, and remains, fair, responsible and transparent; § 6.3.3.2.2 ¶ 2 h)] | Human Resources management | Preventive | |
Recognize personnel who reinforce desirable conduct with incentives. CC ID 12815 [The governing body should steer the organizational strategy by means of: targets, key performance indicators (KPIs) and associated incentives, including financial remuneration (see 6.4.3); § 6.3.3.2.2 ¶ 2 i)] | Human Resources management | Preventive | |
Require regular vacations for personnel using restricted information or sensitive information. CC ID 06550 | Human Resources management | Preventive | |
Provide protective face masks for critical personnel, as necessary. CC ID 06803 | Human Resources management | Preventive | |
Vaccinate critical employees, as necessary. CC ID 06805 | Human Resources management | Preventive | |
Establish, implement, and maintain a travel program for all personnel. CC ID 10597 | Human Resources management | Preventive | |
Establish, implement, and maintain a process to identify any potential health hazards, environmental hazards, or safety hazards, that could affect personnel while traveling internationally. CC ID 06076 | Human Resources management | Preventive | |
Include the information security responsibilities of the organization and the individual in the Terms and Conditions of employment. CC ID 12029 | Human Resources management | Preventive | |
Include the information security responsibilities of employees in their performance objectives. CC ID 15700 | Human Resources management | Preventive | |
Conduct performance reviews for the board of directors and board committees, as necessary. CC ID 14783 | Human Resources management | Detective | |
Take appropriate actions after performance reviews of board members, as necessary. CC ID 14799 | Human Resources management | Preventive | |
Establish, implement, and maintain an ethics program. CC ID 11496 [When defining the organizational values, the governing body should ensure that: it is clear what ethical behaviour is expected as a result of the organizational values; § 6.1.3.3 ¶ 1 b) Defining the organizational purpose involves identifying the issues and stakeholders for which the organization exists to serve and the negative impacts that are to be avoided. When identifying these, the governing body should ensure that the following are considered: the historic, current and aspirational core identity of the organization, including the organizational values and expected ethical behaviour; § 6.1.3.2 ¶ 1 b) The governing body should ensure ethical leadership across all areas. § 6.7.3.3 ¶ 1] | Human Resources management | Preventive | |
Apply legal remedies to any person knowingly partaking in illegal actions. CC ID 11515 | Human Resources management | Preventive | |
Include prohibiting counterfeiting in the ethics program. CC ID 11517 | Human Resources management | Preventive | |
Refrain from assigning roles and responsibilities that breach segregation of duties. CC ID 12055 | Human Resources management | Preventive | |
Assign accountability for maintaining the Governance, Risk, and Compliance framework. CC ID 12523 ["Governance" and "management" are distinct, necessary and complementary activities that interact and influence one another. Governance involves setting and being accountable for the organization's fulfilment of its purpose within the parameters set for the organization, whereas management is about fulfilling the associated objectives by making choices within those parameters. The governing body should ensure the clarity of roles and responsibilities of all involved and hold accountable those to whom they delegate. § 4.2.3 ¶ 1 Governance is exercised throughout the organization by governing groups, including: § 4.2.1 ¶ 1 Governance is exercised throughout the organization by governing groups, including: member stakeholders; § 4.2.1 ¶ 1 Bullet 1 Governance is exercised throughout the organization by governing groups, including: managers; § 4.2.1 ¶ 1 Bullet 3 Governance is exercised throughout the organization by governing groups, including: other internal functions of the organization. § 4.2.1 ¶ 1 Bullet 4 {individual}{hold accountable} The governing body should demonstrate its accountability to the organization as a whole and hold to account those to whom it has delegated. Table 1 Column 4 Row 6 The governing body should ensure that the responsibilities for developing and approving all policies are clear and that governance policies are not open to change without the governing body's agreement. § 6.3.3.1.2 ¶ 4 {individual} The governing body should ensure that those to whom they delegate are empowered to create management policies, which are consistent with the governance policies, and are also empowered to provide proposals for changes to the governance policies. § 6.3.3.1.2 ¶ 3 Accountable people can delegate to others. However, it should be made clear that those who delegate remain accountable for their delegate's use of that authority. § 4.2.2 ¶ 4 {individual}{hold accountable} The governing body should demonstrate its accountability to the organization as a whole and hold to account those to whom it has delegated. § 6.5.1 ¶ 1 {hold accountable}{individual} The governing body should hold to account those to whom it has delegated (see 4.2.2). The governing body should ask questions, exercise its judgement, implement consequences, affect improvements and ensure that is equipped to do so. When doing so, the governing body should practise integrity, fairness and transparency. § 6.5.3.3 ¶ 1] | Operational management | Preventive | |
Assign defining the program for disseminating and communicating the Governance, Risk, and Compliance framework. CC ID 12524 | Operational management | Preventive | |
Assign the responsibility for establishing, implementing, and maintaining the information security program to the appropriate role. CC ID 11884 | Operational management | Preventive | |
Assign the responsibility for distributing the information security program to the appropriate role. CC ID 11883 | Operational management | Preventive | |
Assign an information owner to organizational assets, as necessary. CC ID 12729 | Operational management | Preventive | |
Assign ownership of maintaining the asset inventory, as necessary. CC ID 12344 | Operational management | Preventive | |
Control granting access to appropriate parties performing maintenance on organizational assets. CC ID 11873 | Operational management | Preventive |

KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term; Mandated - bold; Implied - italic; Implementation - regular | IMPACT ZONE | CLASS | |
---|---|---|---|
Leadership and high level objectives CC ID 00597 | Leadership and high level objectives | IT Impact Zone | |
Monitoring and measurement CC ID 00636 | Monitoring and measurement | IT Impact Zone | |
Audits and risk management CC ID 00677 | Audits and risk management | IT Impact Zone | |
Technical security CC ID 00508 | Technical security | IT Impact Zone | |
Operational and Systems Continuity CC ID 00731 | Operational and Systems Continuity | IT Impact Zone | |
Human Resources management CC ID 00763 | Human Resources management | IT Impact Zone | |
Operational management CC ID 00805 | Operational management | IT Impact Zone | |
Records management CC ID 00902 | Records management | IT Impact Zone | |
Acquisition or sale of facilities, technology, and services CC ID 01123 | Acquisition or sale of facilities, technology, and services | IT Impact Zone | |
Privacy protection for information and data CC ID 00008 | Privacy protection for information and data | IT Impact Zone | |
Third Party and supply chain oversight CC ID 08807 | Third Party and supply chain oversight | IT Impact Zone |

KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term; Mandated - bold; Implied - italic; Implementation - regular | IMPACT ZONE | CLASS | |
---|---|---|---|
Check the list of material topics for completeness. CC ID 15692 | Leadership and high level objectives | Preventive | |
Ensure the data dictionary is complete and accurate. CC ID 13527 | Leadership and high level objectives | Detective | |
Investigate discrepancies between the information received and the information verified for each funds transfer. CC ID 16757 | Leadership and high level objectives | Detective | |
Determine the amount of assets to be held in escrow. CC ID 16575 | Leadership and high level objectives | Detective | |
Determine the causes of compliance violations. CC ID 12401 | Monitoring and measurement | Corrective | |
Determine if multiple compliance violations of the same type could occur. CC ID 12402 | Monitoring and measurement | Detective | |
Review the effectiveness of disciplinary actions carried out for compliance violations. CC ID 12403 | Monitoring and measurement | Detective | |
Examine the availability of the audit criteria in the audit program. CC ID 16520 | Audits and risk management | Preventive | |
Audit cybersecurity risk management within the policies, standards, and procedures of the organization. CC ID 13011 | Audits and risk management | Detective | |
Audit information systems, as necessary. CC ID 13010 [{be responsible}{be ethical}The governing body should provide direction for, and have sufficient oversight of, the use of data and its supporting information technology to ensure the organization remains within its established risk appetite and organizational risk framework. This can include: adequate auditing, and monitoring, of information technology to ensure its responsible, including ethical, use and that it meets the governing body's intentions and expectations as well as the organization's compliance obligations; § 6.8.3.4 ¶ 2 c)] | Audits and risk management | Detective | |
Audit the potential costs of compromise to information systems. CC ID 13012 | Audits and risk management | Detective | |
Permit assessment teams to conduct audits, as necessary. CC ID 16430 | Audits and risk management | Detective | |
Determine the effect of deficiencies on the audit report, as necessary. CC ID 14886 | Audits and risk management | Detective | |
Include an analysis of system interdependencies in the threat and risk classification scheme. CC ID 13056 | Audits and risk management | Detective | |
Evaluate the effectiveness of threat and vulnerability management procedures. CC ID 13491 | Audits and risk management | Detective | |
Identify changes to in scope systems that could threaten communication between business units. CC ID 13173 | Audits and risk management | Detective | |
Investigate alternative risk control strategies appropriate to the organization's risk appetite. CC ID 12887 | Audits and risk management | Preventive | |
Establish, implement, and maintain investigation procedures addressing ethics complaints. CC ID 12900 | Human Resources management | Preventive | |
Perform social network analysis, as necessary. CC ID 14864 | Operational management | Detective | |
Analyze the incident response process following an incident response. CC ID 13179 [The governing body should oversee organizational performance by assessing and taking corrective action based on: the organization's management of plans, organizational changes and other substantial transformations as well as responses to unplanned events and incidents. § 6.4.3.2 ¶ 1 j)] | Operational management | Detective | |
Assess consumer complaints and litigation. CC ID 16521 | Acquisition or sale of facilities, technology, and services | Preventive | |
Confirm the data quality of personal data collected from third parties. CC ID 13510 | Privacy protection for information and data | Detective | |
Review the methods for collecting personal data, as necessary. CC ID 13511 | Privacy protection for information and data | Detective | |
Perform an identity check prior to approving an account change request. CC ID 13670 | Privacy protection for information and data | Detective |

KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term; Mandated - bold; Implied - italic; Implementation - regular | IMPACT ZONE | CLASS | |
---|---|---|---|
Establish, implement, and maintain logging and monitoring operations. CC ID 00637 | Monitoring and measurement | Detective | |
Establish, implement, and maintain a Security Information and Event Management metrics program. CC ID 02078 | Monitoring and measurement | Preventive | |
Report on the percentage of systems for which event logging has been implemented. CC ID 02102 | Monitoring and measurement | Detective | |
Report on the percentage of systems for which event logs are monitored and reviewed. CC ID 02103 | Monitoring and measurement | Detective | |
Report on the percentage of systems for which log capacity and log retention schedules have been implemented. CC ID 02104 | Monitoring and measurement | Detective | |
Restrict access to logs to authorized individuals. CC ID 01342 | Monitoring and measurement | Preventive | |
Refrain from recording unnecessary restricted data in logs. CC ID 06318 | Monitoring and measurement | Preventive | |
Back up logs according to backup procedures. CC ID 01344 | Monitoring and measurement | Preventive | |
Copy logs from all predefined hosts onto a log management infrastructure. CC ID 01346 | Monitoring and measurement | Preventive | |
Identify hosts with logs that are not being stored. CC ID 06314 | Monitoring and measurement | Preventive | |
Identify hosts with logs that are being stored at the system level only. CC ID 06315 | Monitoring and measurement | Preventive | |
Identify hosts with logs that should be stored at both the system level and the infrastructure level. CC ID 06316 | Monitoring and measurement | Preventive | |
Identify hosts with logs that are being stored at the infrastructure level only. CC ID 06317 | Monitoring and measurement | Preventive | |
Protect logs from unauthorized activity. CC ID 01345 | Monitoring and measurement | Preventive | |
Perform testing and validating activities on all logs. CC ID 06322 | Monitoring and measurement | Preventive | |
Archive the audit trail in accordance with compliance requirements. CC ID 00674 | Monitoring and measurement | Preventive | |
Preserve the identity of individuals in audit trails. CC ID 10594 | Monitoring and measurement | Preventive | |
Disseminate and communicate the reviews of audit reports to organizational management. CC ID 00653 | Audits and risk management | Detective | |
Log the performance of all remote maintenance. CC ID 13202 | Operational management | Preventive | |
Log the disclosure of personal data. CC ID 06628 | Privacy protection for information and data | Preventive | |
Log the modification of personal data. CC ID 11844 | Privacy protection for information and data | Preventive | |
Log account access dates and report when dormant accounts suddenly exhibit unusual activity. CC ID 04874 | Privacy protection for information and data | Detective | |
Log dates for account name changes or address changes. CC ID 04876 | Privacy protection for information and data | Detective |

KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term; Mandated - bold; Implied - italic; Implementation - regular | IMPACT ZONE | CLASS | |
---|---|---|---|
Use system components only when third party support is available. CC ID 10644 | Operational management | Preventive | |
Obtain justification for the continued use of system components when third party support is no longer available. CC ID 10645 | Operational management | Preventive | |
Conduct offsite maintenance in authorized facilities. CC ID 16473 | Operational management | Preventive | |
Disconnect non-volatile media from information systems prior to performing maintenance with uncleared personnel. CC ID 14295 | Operational management | Preventive | |
Sanitize volatile media in information systems prior to performing maintenance with uncleared personnel. CC ID 14291 | Operational management | Preventive | |
Restart systems on a periodic basis. CC ID 16498 | Operational management | Preventive | |
Remove components being serviced from the information system prior to performing maintenance. CC ID 14251 | Operational management | Preventive | |
Follow the maintenance schedule. CC ID 11791 | Operational management | Preventive |

KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term; Mandated - bold; Implied - italic; Implementation - regular | IMPACT ZONE | CLASS | |
---|---|---|---|
Include the capturing and alerting of compliance violations in the notification system. CC ID 12962 | Leadership and high level objectives | Preventive | |
Include the capturing and alerting of unethical conduct in the notification system. CC ID 12932 | Leadership and high level objectives | Preventive | |
Include the capturing and alerting of performance variances in the notification system. CC ID 12929 | Leadership and high level objectives | Preventive | |
Include the capturing and alerting of weaknesses in the notification system. CC ID 12928 | Leadership and high level objectives | Preventive | |
Include the capturing and alerting of account activity in the notification system. CC ID 15314 | Leadership and high level objectives | Preventive | |
Analyze organizational objectives, functions, and activities. CC ID 00598 [When applying the governance principles and deciding how to appropriately implement the practices, the governing body should take into consideration the unique and dynamic nature of the organization and its context, including the following: characteristics of the organization such as organizational type, structure, size, interdependencies, complexity, culture and its expected future progression; § 5 ¶ 5 Bullet 4 Defining the organizational purpose involves identifying the issues and stakeholders for which the organization exists to serve and the negative impacts that are to be avoided. When identifying these, the governing body should ensure that the following are considered: the historic, current and aspirational core identity of the organization, including the organizational values and expected ethical behaviour; § 6.1.3.2 ¶ 1 b)] | Leadership and high level objectives | Preventive | |
Monitor for changes which affect organizational strategies in the internal business environment. CC ID 12863 | Leadership and high level objectives | Preventive | |
Monitor for changes which affect organizational objectives in the internal business environment. CC ID 12862 [{external context}The governing body should ensure that the organizational risk framework, in respect to the management of risk: considers the impact of, changes to and dependencies on the external and internal context of the organization, including: § 6.9.3.2 ¶ 2 d)] | Leadership and high level objectives | Preventive | |
Monitor for changes which affect organizational strategies in the external environment. CC ID 12880 | Leadership and high level objectives | Preventive | |
Monitor for changes which affect organizational objectives in the external environment. CC ID 12879 [{external context}The governing body should ensure that the organizational risk framework, in respect to the management of risk: considers the impact of, changes to and dependencies on the external and internal context of the organization, including: § 6.9.3.2 ¶ 2 d)] | Leadership and high level objectives | Preventive | |
Monitor regulatory trends to maintain compliance. CC ID 00604 [{external context}The governing body should ensure that the organizational risk framework, in respect to the management of risk: considers the impact of, changes to and dependencies on the external and internal context of the organization, including: short-, medium- and long-term trends including social responsibility and sustainability trends; § 6.9.3.2 ¶ 2 d) 2)] | Leadership and high level objectives | Detective | |
Monitor for new Information Security solutions. CC ID 07078 | Leadership and high level objectives | Detective | |
Monitor and evaluate the implementation and effectiveness of Information Technology Plans. CC ID 00634 | Leadership and high level objectives | Detective | |
Monitor the performance of the margin system. CC ID 16655 | Leadership and high level objectives | Detective | |
Monitor the usage and capacity of critical assets. CC ID 14825 [The value generation model requires an integrated approach to understanding and using resources (e.g. human, social and relational, intellectual, the natural environment, financial and manufactured). This approach includes: measurement and tracking of the organization's use of, and impact on, these resources; § 6.2.3.1 ¶ 4 b)] | Monitoring and measurement | Detective | |
Monitor the usage and capacity of Information Technology assets. CC ID 00668 | Monitoring and measurement | Detective | |
Monitor all outbound traffic from all systems. CC ID 12970 | Monitoring and measurement | Preventive | |
Monitor systems for errors and faults. CC ID 04544 | Monitoring and measurement | Detective | |
Compare system performance metrics to organizational standards and industry benchmarks. CC ID 00667 | Monitoring and measurement | Detective | |
Establish, implement, and maintain intrusion management operations. CC ID 00580 | Monitoring and measurement | Preventive | |
Monitor systems for inappropriate usage and other security violations. CC ID 00585 [{be responsible}{be ethical}The governing body should provide direction for, and have sufficient oversight of, the use of data and its supporting information technology to ensure the organization remains within its established risk appetite and organizational risk framework. This can include: adequate auditing, and monitoring, of information technology to ensure its responsible, including ethical, use and that it meets the governing body's intentions and expectations as well as the organization's compliance obligations; § 6.8.3.4 ¶ 2 c)] | Monitoring and measurement | Detective | |
Monitor systems for blended attacks and multiple component incidents. CC ID 01225 | Monitoring and measurement | Detective | |
Monitor systems for Denial of Service attacks. CC ID 01222 | Monitoring and measurement | Detective | |
Monitor systems for unauthorized data transfers. CC ID 12971 | Monitoring and measurement | Preventive | |
Monitor systems for access to restricted data or restricted information. CC ID 04721 | Monitoring and measurement | Detective | |
Detect unauthorized access to systems. CC ID 06798 | Monitoring and measurement | Detective | |
Incorporate potential red flags into the organization's incident management system. CC ID 04652 | Monitoring and measurement | Detective | |
Alert interested personnel when suspicious activity is detected by an Intrusion Detection System or Intrusion Prevention System. CC ID 06430 | Monitoring and measurement | Detective | |
Alert interested personnel and affected parties when an incident causes an outage. CC ID 06808 | Monitoring and measurement | Detective | |
Monitor systems for unauthorized mobile code. CC ID 10034 | Monitoring and measurement | Preventive | |
Monitor the organization's exposure to threats, as necessary. CC ID 06494 | Monitoring and measurement | Preventive | |
Monitor and evaluate environmental threats. CC ID 13481 | Monitoring and measurement | Detective | |
Monitor for new vulnerabilities. CC ID 06843 | Monitoring and measurement | Preventive | |
Monitor devices continuously for conformance with production specifications. CC ID 06201 | Monitoring and measurement | Detective | |
Monitor personnel and third parties for compliance to the organizational compliance framework. CC ID 04726 | Monitoring and measurement | Detective | |
Establish, implement, and maintain compliance program metrics. CC ID 11625 | Monitoring and measurement | Preventive | |
Monitor the performance of the governance, risk, and compliance capability. CC ID 12857 [To exercise effective oversight, the governing body should: assure itself of the accuracy of reports and evidence it receives, and the effectiveness of the internal control system. § 6.4.3.1 ¶ 1 d) The governing body should oversee organizational performance by assessing and taking corrective action based on: whether the organizational values and governance policies are effectively guiding the organization, its culture and its ethical behaviour; § 6.4.3.2 ¶ 1 a) The governing body should oversee organizational performance by assessing and taking corrective action based on: compliance (e.g. information received directly from the compliance function) regarding the organization's compliance culture and the meeting of its compliance obligations; § 6.4.3.2 ¶ 1 d) Assurance processes that inform the governing body independently and accurately include: direct reports by, and private sessions with, internal audit as an independent provider of assurance, including insight and advice, on the effectiveness and performance of governance processes and the internal control system, in particular risk management and compliance management; § 6.4.3.3 ¶ 2 Bullet 3 To ensure that the organization is acting in a socially responsible way, the governing body should: measure performance against objectives related to socially responsible behaviour; § 6.10.3 ¶ 1 g) The governing body should steer the organizational strategy by means of: monitoring and responding to the behaviour, decisions and activities of the organization, e.g. values-driven behaviours pertaining to sustainability; § 6.3.3.2.2 ¶ 2 b)] | Monitoring and measurement | Preventive | |
Monitor the organizational culture. CC ID 12782 [The governing body should consider the expectations of relevant stakeholder groups whether the organization is obliged to do so (e.g. member stakeholders, regulators) or whether it chooses to do so (e.g. reference stakeholders). The governing body should ensure that: the organizational culture is responsive to relevant stakeholders' views; § 6.6.3 ¶ 3 b) The governing body should steer the organizational strategy by means of: the organizational culture, including the cultural tone the governing body sets through its ethos; § 6.3.3.2.2 ¶ 2 a)] | Monitoring and measurement | Preventive | |
Monitor for changes to the organizational culture that have a cumulative effect on organizational objectives. CC ID 12886 | Monitoring and measurement | Preventive | |
Monitor for changes to the organizational culture that have a cumulative effect on strategies. CC ID 12885 | Monitoring and measurement | Preventive | |
Monitor for changes to the organizational culture that have an indirect effect on strategies. CC ID 12884 | Monitoring and measurement | Preventive | |
Monitor for changes to the organizational culture that have an indirect effect on organizational objectives. CC ID 12883 | Monitoring and measurement | Preventive | |
Monitor for changes to the organizational culture that have a direct effect on strategies. CC ID 12882 | Monitoring and measurement | Preventive | |
Monitor for changes to the organizational culture that have a direct effect on organizational objectives. CC ID 12881 | Monitoring and measurement | Detective | |
Establish, implement, and maintain a corrective action plan. CC ID 00675 [When defining the organizational values, the governing body should ensure that: corrective action can be taken. § 6.1.3.3 ¶ 1 e) To exercise effective oversight, the governing body should: take corrective action; § 6.4.3.1 ¶ 1 c) The governing body should oversee organizational performance by assessing and taking corrective action based on: § 6.4.3.2 ¶ 1 The governing body should oversee organizational performance by assessing and taking corrective action based on: the organization's identification of, and engagement with, relevant stakeholders (see 6.6); § 6.4.3.2 ¶ 1 e) The governing body should oversee organizational performance by assessing and taking corrective action based on: the organization's responsible (which includes ethical) use of, and adequate investment in, technology including, for example, artificial intelligence and cyber security; § 6.4.3.2 ¶ 1 i) For accountability to be effective, it relies on effective stakeholder engagement (see 6.6) as this is the basis for effective dialogue, value generation and improvement. The governing body should be available to answer to relevant stakeholders about decisions made and have responses evaluated. Improvements should be applied as the result of feedback from reporting, disclosure and dialogue activities. § 6.5.3.2 ¶ 3 {be adequate} The governing body is accountable for establishing and maintaining an integrated organizational governance framework across the organization that coordinates these governance activities such that the organization realizes effective performance, responsible stewardship and ethical behaviour. This organizational governance framework should ensure that decision-makers have appropriate authority, competence and resources for the responsibilities given to them. Effective delegation and transparent decision-making empower personnel to act appropriately, resulting in a more resilient and agile organization. Controls and subsequent improvement actions should be planned and implemented to ensure that the governance system remains adequate for the organization's purpose. § 4.2.1 ¶ 2 The governing body should demonstrate accountability by retaining and distributing value in a transparent manner and reporting on the associated processes, decisions and results, including on the extent of the organization's impacts over time. This includes disclosing to relevant stakeholders where the organization has destroyed or compromised value, providing a justification for such where appropriate, and describing how it will redress or reinstate that value. § 6.2.3.5 ¶ 2 The governing body should oversee organizational performance by assessing and taking corrective action based on: whether the organizational values and governance policies are effectively guiding the organization, its culture and its ethical behaviour; § 6.4.3.2 ¶ 1 a) Recognize failures and mistakes and take appropriate action. Table 2 Column 2 Row 2 Bullet 5 The governing body should oversee organizational performance by assessing and taking corrective action based on: compliance (e.g. information received directly from the compliance function) regarding the organization's compliance culture and the meeting of its compliance obligations; § 6.4.3.2 ¶ 1 d) The governing body should oversee organizational performance by assessing and taking corrective action based on: the organization's management of plans, organizational changes and other substantial transformations as well as responses to unplanned events and incidents. § 6.4.3.2 ¶ 1 j) The governing body should oversee organizational performance by assessing and taking corrective action based on: managerial reporting and performance, ensuring that it appraises results against applicable measurement criteria and its intentions and expectations (see 6.3.3); § 6.4.3.2 ¶ 1 b) The governing body should oversee organizational performance by assessing and taking corrective action based on: the organization's controlling and processing of data, ensuring that data are recognized as a valuable and strategic organizational resource (see 6.8); § 6.4.3.2 ¶ 1 h) The governing body should oversee organizational performance by assessing and taking corrective action based on: resource allocations, capacity and capabilities (including people and their development) ensuring that the organization is enabled to meet its organizational purpose, value generation objectives and strategic outcomes; § 6.4.3.2 ¶ 1 g) {be financially sound} The governing body should oversee organizational performance by assessing and taking corrective action based on: the organization's financial results and financial resources, ensuring that the organization remains financially sound; § 6.4.3.2 ¶ 1 f) {hold accountable}{individual} The governing body should hold to account those to whom it has delegated (see 4.2.2). The governing body should ask questions, exercise its judgement, implement consequences, affect improvements and ensure that is equipped to do so. When doing so, the governing body should practise integrity, fairness and transparency. § 6.5.3.3 ¶ 1] | Monitoring and measurement | Detective | |
Include monitoring in the corrective action plan. CC ID 11645 | Monitoring and measurement | Detective | |
Supervise interested personnel and affected parties participating in the audit. CC ID 07150 | Audits and risk management | Preventive | |
Track and measure the implementation of the organizational compliance framework. CC ID 06445 | Audits and risk management | Preventive | |
Monitor the effectiveness of the cybersecurity risk management program. CC ID 16831 | Audits and risk management | Preventive | |
Monitor the effectiveness of the cybersecurity supply chain risk management program. CC ID 16828 | Audits and risk management | Preventive | |
Analyze the organizational climate regarding support for expectation of responsible behavior and integrity. CC ID 12873 | Human Resources management | Preventive | |
Analyze the organizational climate regarding the expectation of responsible behavior and integrity. CC ID 12872 [Ethical behaviour — The organization behaves in accordance with accepted principles of right or good conduct in the context of a particular situation and in a manner consistent with international norms of behaviour, including demonstrating: integrity and transparency in fulfilling its obligations, and commitments; § 5 ¶ 2 c) 4) When defining the organizational values, the governing body should ensure that: the expected ethical behaviour can be assessed; § 6.1.3.3 ¶ 1 c)] | Human Resources management | Preventive | |
Monitor and review the effectiveness of the information security program. CC ID 12744 | Operational management | Preventive | |
Identify discrepancies between the asset register database and the Information Technology inventory, as necessary. CC ID 07052 | Operational management | Corrective | |
Investigate and resolve discrepancies between the asset register database and the Information Technology inventory. CC ID 07053 | Operational management | Corrective | |
Automate software license monitoring, as necessary. CC ID 07057 | Operational management | Preventive | |
Establish, implement, and maintain data accuracy controls. CC ID 00921 [To exercise effective oversight, the governing body should: assure itself of the accuracy of reports and evidence it receives, and the effectiveness of the internal control system. § 6.4.3.1 ¶ 1 d) The governing body should make decisions of requisite quality and ensure that its decision-making is appropriately informed. The governing body should: ensure that assurance is provided over the integrity of the data and information received, and in particular its accuracy and completeness; § 6.8.3.2.1 ¶ 1 g)] | Records management | Detective | |
Check communications for take-down requests. CC ID 09964 | Acquisition or sale of facilities, technology, and services | Preventive | |
Identify potential red flags to alert the organization before a data leakage has occurred. CC ID 04654 | Privacy protection for information and data | Preventive | |
Establish, implement, and maintain suspicious user account activity procedures. CC ID 04854 | Privacy protection for information and data | Detective | |
Report fraudulent account activity, unauthorized transactions, or discrepancies with current accounts. CC ID 04875 | Privacy protection for information and data | Corrective | |
Review accounts that are changed for additional user requests. CC ID 11846 | Privacy protection for information and data | Detective | |
Review monitored websites for data leakage. CC ID 10593 | Privacy protection for information and data | Detective | |
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
---|---|---|---|
Maintain a 1 to 2 day supply of water and nonperishable food at the facility in case public utilities are interrupted. CC ID 06074 | Human Resources management | Preventive | |
Install duress alarms in susceptible public areas. CC ID 06075 | Human Resources management | Preventive | |
Conduct environmental surveys. CC ID 00690 | Operational management | Preventive | |
Plan and conduct maintenance so that it does not interfere with scheduled operations. CC ID 06389 | Operational management | Preventive | |
Control and monitor all maintenance tools. CC ID 01432 | Operational management | Detective | |
Identify and authenticate appropriate parties prior to granting access to maintain assets. CC ID 11874 | Operational management | Preventive | |
Refrain from protecting physical assets when no longer required. CC ID 13484 | Operational management | Corrective | |
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
---|---|---|---|
Assess the effectiveness of the communication methods used in the communication protocol. CC ID 12691 | Leadership and high level objectives | Detective | |
Establish, implement, and maintain a corrective action plan to address barriers to stakeholder engagement. CC ID 15677 | Leadership and high level objectives | Preventive | |
Identify barriers to stakeholder engagement. CC ID 15676 | Leadership and high level objectives | Preventive | |
Include methods to obtain information from interested personnel and affected parties about performance variances in the communication protocol. CC ID 12856 | Leadership and high level objectives | Preventive | |
Route notifications, as necessary. CC ID 12832 | Leadership and high level objectives | Preventive | |
Substantiate notifications, as necessary. CC ID 12831 | Leadership and high level objectives | Preventive | |
Prioritize notifications, as necessary. CC ID 12830 | Leadership and high level objectives | Preventive | |
Establish and maintain the organization's survey method. CC ID 12869 | Leadership and high level objectives | Preventive | |
Provide a consolidated view of information in the organization's survey method. CC ID 12894 | Leadership and high level objectives | Preventive | |
Review and approve the material topics, as necessary. CC ID 15670 | Leadership and high level objectives | Preventive | |
Identify the internal factors that may affect organizational objectives. CC ID 12957 | Leadership and high level objectives | Preventive | |
Include key processes in the analysis of the internal business environment. CC ID 12947 | Leadership and high level objectives | Preventive | |
Include existing information in the analysis of the internal business environment. CC ID 12943 | Leadership and high level objectives | Preventive | |
Include resources in the analysis of the internal business environment. CC ID 12942 [{internal context}When setting the strategic outcomes and guiding the organizational strategy, the governing body should consider the organization's internal and external context, including: the organization's need for, and access to, resources, including financial resources; § 6.3.3.1.1 ¶ 2 f)] | Leadership and high level objectives | Preventive | |
Include the operating plan in the analysis of the internal business environment. CC ID 12941 | Leadership and high level objectives | Preventive | |
Include incentives in the analysis of the internal business environment. CC ID 12940 | Leadership and high level objectives | Preventive | |
Include organizational structures in the analysis of the internal business environment. CC ID 12939 | Leadership and high level objectives | Preventive | |
Include the strategic plan in the analysis of the internal business environment. CC ID 12937 [When applying the governance principles and deciding how to appropriately implement the practices, the governing body should take into consideration the unique and dynamic nature of the organization and its context, including the following: value generation model and organizational strategy; § 5 ¶ 5 Bullet 5] | Leadership and high level objectives | Preventive | |
Include strengths and weaknesses in the analysis of the internal business environment. CC ID 12936 [Defining the organizational purpose involves identifying the issues and stakeholders for which the organization exists to serve and the negative impacts that are to be avoided. When identifying these, the governing body should ensure that the following are considered: organizational capabilities and opportunities. § 6.1.3.2 ¶ 1 e) {internal context}When setting the strategic outcomes and guiding the organizational strategy, the governing body should consider the organization's internal and external context, including: the organization's strengths, weaknesses, competitive positioning and operational resilience; § 6.3.3.1.1 ¶ 2 i)] | Leadership and high level objectives | Preventive | |
Identify the external forces that may affect organizational objectives. CC ID 12960 [The governing body should ensure that the organization's value generation model identifies and assesses (see 6.2): the relevant external systems on which the organization depends; § 6.11.3.3 ¶ 1 a)] | Leadership and high level objectives | Preventive | |
Evaluate organizational objectives to determine impact on other organizational objectives. CC ID 12814 | Leadership and high level objectives | Preventive | |
Identify events that may affect organizational objectives. CC ID 12961 | Leadership and high level objectives | Preventive | |
Identify conditions that may affect organizational objectives. CC ID 12958 [{external context}The governing body should ensure that the organizational risk framework, in respect to the management of risk: considers the impact of, changes to and dependencies on the external and internal context of the organization, including: intended strategic outcomes; § 6.9.3.2 ¶ 2 d) 6)] | Leadership and high level objectives | Preventive | |
Identify how opportunities, threats, and external requirements are trending. CC ID 12829 | Leadership and high level objectives | Preventive | |
Identify relationships between opportunities, threats, and external requirements. CC ID 12805 [{social context}{internal context}When setting the strategic outcomes and guiding the organizational strategy, the governing body should consider the organization's internal and external context, including: the interdependence between the natural environment, social and economic context – the organization's material impact on the context and its material impact on the organization; § 6.3.3.1.1 ¶ 2 e) Therefore, the governing body should: ensure that the natural environmental, social and economic system relationships that underpin the organization's value generation model are identified and assessed; § 6.11.3.1 ¶ 2 b)] | Leadership and high level objectives | Preventive | |
Identify all interested personnel and affected parties. CC ID 12845 [The governing body should ensure that the organization's stakeholders are identified, prioritized, appropriately engaged, consulted and their expectations understood. The governing body should do this to ensure that stakeholder relationships are effective and appropriate decisions about expectations are made to achieve the intended value generation objectives. § 6.6.3 ¶ 1 {social context} The governing body should define the organization's value generation objectives such that they fulfil the organizational purpose in accordance with the organizational values and the natural environment, social and economic context within which it operates. This should include iterations of identifying relevant stakeholder groups and determining, prioritizing and formulating objectives which meet the expectations of these groups. § 6.2.3.2 ¶ 1 Defining the organizational purpose involves identifying the issues and stakeholders for which the organization exists to serve and the negative impacts that are to be avoided. When identifying these, the governing body should ensure that the following are considered: § 6.1.3.2 ¶ 1] | Leadership and high level objectives | Detective | |
Establish, implement, and maintain criteria for grouping stakeholders. CC ID 15584 [When the governing body groups stakeholders, it should clarify its criteria for grouping, and for determining the relevance of, stakeholders. The governing body should also ensure that a stakeholder engagement process is devised on this basis. § 6.6.3 ¶ 2] | Leadership and high level objectives | Preventive | |
Determine progress toward the objectives of the strategic plan. CC ID 12944 [The governing body should: develop, and competently use, appropriate criteria for measurement that will indicate progress towards the fulfilment of the organizational purpose, within the set parameters, via the organizational strategy; § 4.3.2 ¶ 2 b) Ethical and effective leadership is demonstrated when the governing body: ensures that the organization is, and is seen to be, following the expectations as set. § 6.7.3.1 ¶ 3 Bullet 3 The outcomes, whether positive or negative, are determined by the expectations which have been set. Leadership determines whether these expectations are fulfilled. § 6.7.3.2 ¶ 2 The governing body should oversee organizational performance by assessing and taking corrective action based on: the organization's management of plans, organizational changes and other substantial transformations as well as responses to unplanned events and incidents. § 6.4.3.2 ¶ 1 j) {internal context}When setting the strategic outcomes and guiding the organizational strategy, the governing body should consider the organization's internal and external context, including: the envisaged time scales of the strategic outcomes and of the organizational strategy; § 6.3.3.1.1 ¶ 2 b)] | Leadership and high level objectives | Preventive | |
Align organizational objectives with compliance objectives in the decision-making criteria. CC ID 12847 [To ensure that the organization is acting in a socially responsible way, the governing body should: steer the organization such that its decision-making and activities are consistent with the organizational purpose, organizational values and governance policies, including considering how stakeholders can report a breach in behaviour (e.g. via whistleblowing); § 6.10.3 ¶ 1 f) When applying the governance principles and deciding how to appropriately implement the practices, the governing body should take into consideration the unique and dynamic nature of the organization and its context, including the following: functional requirements of the organizational governance framework. § 5 ¶ 5 Bullet 7 The governing body should ensure that: the organizational purpose is core to its governance practices, deliberations and decision-making; § 6.1.3.2 ¶ 2 Bullet 3 Having defined the organizational values, the governing body should ensure that these organizational values are being demonstrated and are an active part of decision-making. The governing body should use these organizational values to determine the manner in which the organizational purpose is to be pursued and the value generation objectives are to be achieved (see 6.2). The governing body remains responsible for ensuring that the organizational values are monitored and reviewed, and should assess whether the organizational values remain aligned to, and support, the organizational purpose. The effectiveness of the organizational values will be evident in the culture of the organization. § 6.1.3.3 ¶ 2 Ensure that diversity and inclusion are understood and incorporated into all organizational decision-making by including factors such as gender, age, ethnicity, sexual orientation, education, perspectives, nationality, disability and beliefs. Table 2 Column 2 Row 5 Bullet 1 The governing body should oversee the organization's management of risk (see 6.4), ensuring that: decision-making behaviours are informed by risk assessment outcomes and are consistent with governance policies; § 6.9.3.4 ¶ 1 g)] | Leadership and high level objectives | Preventive | |
Align organizational objectives with performance targets in the decision-making criteria. CC ID 12843 [Ethical and effective leadership is demonstrated when the governing body: sets expectations for the organization using robust decision-making processes (see 6.8.3); § 6.7.3.1 ¶ 3 Bullet 1 Furthermore, the governing body, and its members, should demonstrate commitment to the organizational purpose and values by leading the organization to fulfil its organizational purpose and behaving in accordance with the organizational values. § 6.1.3.4 ¶ 3] | Leadership and high level objectives | Preventive | |
Align organizational objectives with the acceptable residual risk in the decision-making criteria. CC ID 12841 | Leadership and high level objectives | Preventive | |
Create additional decision-making criteria to achieve organizational objectives, as necessary. CC ID 12948 | Leadership and high level objectives | Preventive | |
Take actions in accordance with the decision-making criteria. CC ID 12909 [The governing body should make decisions of requisite quality and ensure that its decision-making is appropriately informed. The governing body should: ensure that there is commitment to support the collective decision, to clearly record it and to act on it; § 6.8.3.2.1 ¶ 1 b) The governing body should make decisions of requisite quality and ensure that its decision-making is appropriately informed. The governing body should: ensure that diverse inputs are provided to a rigorous, open and transparent decision-making process and that the results that can be achieved, options for achieving them and their implications are understood. § 6.8.3.2.1 ¶ 1 h) A process of reconciliation between seemingly opposed dimensions leads to more informed and robust decisions. Reconciling dilemmas requires a deliberate approach that includes: mapping an associated action plan. § 6.7.3.4 ¶ 2 e)] | Leadership and high level objectives | Preventive | |
Include ongoing monitoring in the financial management program. CC ID 16762 | Leadership and high level objectives | Preventive | |
Employ tools to manage settlement and funding flows. CC ID 16743 | Leadership and high level objectives | Preventive | |
Establish, implement, and maintain a subsidiary compliance program. CC ID 16694 | Leadership and high level objectives | Preventive | |
Analyze the effectiveness of the stress test plan. CC ID 16657 | Leadership and high level objectives | Detective | |
Align the lending policy with the organization's risk acceptance level. CC ID 16716 | Leadership and high level objectives | Preventive | |
Include customer due diligence in the loan administration procedures. CC ID 16736 | Leadership and high level objectives | Preventive | |
Assess the properties of the margin model used in the margin system. CC ID 16658 | Leadership and high level objectives | Detective | |
Analyze the performance of the margin system. CC ID 16654 | Leadership and high level objectives | Detective | |
Update or adjust fraud detection systems, as necessary. CC ID 13684 | Monitoring and measurement | Corrective | |
Align the enterprise architecture with the system security plan. CC ID 14255 | Monitoring and measurement | Preventive | |
Correct compliance violations. CC ID 13515 | Monitoring and measurement | Corrective | |
Convert data into standard units before reporting metrics. CC ID 15507 | Monitoring and measurement | Corrective | |
Refrain from approving changes to the audit terms absent reasonable justification. CC ID 13973 | Audits and risk management | Preventive | |
Determine the effect of fraud and non-compliance on the description of the system in the audit assertion, as necessary. CC ID 13977 | Audits and risk management | Detective | |
Determine the effect of fraud and non-compliance on the achievement of in scope controls in the audit assertion, as necessary. CC ID 13978 | Audits and risk management | Detective | |
Review documentation to determine the effectiveness of in scope controls. CC ID 16522 | Audits and risk management | Preventive | |
Coordinate the scheduling of interviews. CC ID 16293 | Audits and risk management | Preventive | |
Create a schedule for the interviews. CC ID 16292 | Audits and risk management | Preventive | |
Identify interviewees. CC ID 16290 | Audits and risk management | Preventive | |
Discuss unsolved questions with the interviewee. CC ID 16298 | Audits and risk management | Detective | |
Allow interviewee to respond to explanations. CC ID 16296 | Audits and risk management | Detective | |
Explain the requirements being discussed to the interviewee. CC ID 16294 | Audits and risk management | Detective | |
Explain the testing results to the interviewee. CC ID 16291 | Audits and risk management | Preventive | |
Withdraw from the audit, when defined conditions exist. CC ID 13885 | Audits and risk management | Corrective | |
Engage subject matter experts when the auditor requires additional expertise during an attestation engagement, as necessary. CC ID 13971 | Audits and risk management | Preventive | |
Determine the effect of fraud and non-compliance on the audit report, as necessary. CC ID 13979 | Audits and risk management | Detective | |
Establish, implement, and maintain Data Protection Impact Assessments. CC ID 14830 | Audits and risk management | Preventive | |
Analyze the effect of threats on organizational strategies and objectives. CC ID 12850 | Audits and risk management | Detective | |
Analyze the effect of opportunities on organizational strategies and objectives. CC ID 12849 | Audits and risk management | Detective | |
Analyze supply chain risk management procedures, as necessary. CC ID 13198 | Audits and risk management | Detective | |
Set access control for objects and users to "deny all" unless explicitly authorized. CC ID 06301 | Technical security | Preventive | |
Include all residences in the criminal records check. CC ID 13306 | Human Resources management | Preventive | |
Scan devices for malicious code when an individual returns from locations deemed to be of risk. CC ID 10599 | Human Resources management | Detective | |
Include organizational values in the Code of Conduct. CC ID 12919 [Within the organization: The governing body should ensure that the organization conducts itself in a manner consistent with its organizational values. § 6.7.3.3 ¶ 1 b) Laws and rules provide the minimum set of organizational values against which behaviour is assessed. Other organizational values (see 6.1) are provided in collectively agreed documents such as a code of conduct, code of ethics or standards of behaviour. The following are examples of the leadership values to which governing bodies, and the individuals comprising them, are held: § 6.7.3.3 ¶ 2 Having defined the organizational values, the governing body should ensure that these organizational values are being demonstrated and are an active part of decision-making. The governing body should use these organizational values to determine the manner in which the organizational purpose is to be pursued and the value generation objectives are to be achieved (see 6.2). The governing body remains responsible for ensuring that the organizational values are monitored and reviewed, and should assess whether the organizational values remain aligned to, and support, the organizational purpose. The effectiveness of the organizational values will be evident in the culture of the organization. § 6.1.3.3 ¶ 2 Furthermore, the governing body, and its members, should demonstrate commitment to the organizational purpose and values by leading the organization to fulfil its organizational purpose and behaving in accordance with the organizational values. § 6.1.3.4 ¶ 3] | Human Resources management | Preventive | |
Integrate the use of technology in supporting the Governance, Risk, and Compliance capabilities. CC ID 12915 | Operational management | Preventive | |
Evaluate the use of technology in supporting Governance, Risk, and Compliance capabilities. CC ID 12895 [The governing body should oversee organizational performance by assessing and taking corrective action based on: the organization's responsible (which includes ethical) use of, and adequate investment in, technology including, for example, artificial intelligence and cyber security; § 6.4.3.2 ¶ 1 i)] | Operational management | Preventive | |
Evaluate information sharing partners, as necessary. CC ID 12749 | Operational management | Preventive | |
Review and approve access controls, as necessary. CC ID 13074 | Operational management | Detective | |
Provide management direction and support for the information security program. CC ID 11999 | Operational management | Preventive | |
Approve the information security policy at the organization's management level or higher. CC ID 11737 | Operational management | Preventive | |
Define thresholds for approving information security activities in the information security program. CC ID 15702 | Operational management | Preventive | |
Use systems in accordance with the standard operating procedures manual. CC ID 15049 | Operational management | Preventive | |
Provide support for information sharing activities. CC ID 15644 | Operational management | Preventive | |
Analyze how policies used to create management boundaries relates to the Governance, Risk, and Compliance approach. CC ID 12821 [Decision-making throughout the organization should be supported by appropriate delegation (see 4.2.2). This delegation should be formalized together with appropriate assurance processes. Additionally, the governing body should ensure that: limits of the decision-making authority are applied based on the associated level of risk, in particular where automated decision-making is used; § 6.8.3.2.2 ¶ 1 b) Delegation should be formalized together with the appropriate assurance processes. Limits of decision-making authority should be applied in response to assessed risk. § 4.2.2 ¶ 5] | Operational management | Preventive | |
Analyze how the organization sets limits in policies relating to the Governance, Risk, and Compliance approach. CC ID 12819 | Operational management | Preventive | |
Analyze how the Board of Directors' and senior management's tone influences the Governance, Risk, and Compliance approach. CC ID 12818 [To ensure that the organization fulfils the organizational purpose and achieves the intended strategic outcomes, the governing body should: set the tone for the organization with respect to how the management of risk is to be approached; § 6.9.3.1 ¶ 2 a) To ensure that the organization is acting in a socially responsible way, the governing body should: assess how actions of individual members of the governing body influence social responsibility. § 6.10.3 ¶ 1 i) In order to lead ethically and effectively, the governing body should lead by example to create a positive culture, set the tone for others, and engender trust and cooperation among the organization's stakeholders. § 6.7.3.1 ¶ 2 Set the tone for the organization by behaving in the manner in which the organization and its personnel are expected to behave. Table 2 Column 2 Row 2 Bullet 4 The governing body should steer the organizational strategy by means of: the organizational culture, including the cultural tone the governing body sets through its ethos; § 6.3.3.2.2 ¶ 2 a)] | Operational management | Preventive | |
Analyze the degree to which the governing body is engaged in the Governance, Risk, and Compliance approach. CC ID 12817 [Ethical and effective leadership should be demonstrated in three areas: the functioning of the governing body; § 6.7.3.1 ¶ 4 a) The governing body should make decisions of requisite quality and ensure that its decision-making is appropriately informed. The governing body should: pay attention to the dynamics of the governing body, including, for example, undue reliance on any one member for decision-making; § 6.8.3.2.1 ¶ 1 e) The governing body should steer the organizational strategy by means of: the composition and functioning of the governing body itself, and its committees, ensuring they are continually able to understand and meet the changing needs of the organization (see 4.3.2), including recommending ways for closing anticipated gaps; § 6.3.3.2.2 ¶ 2 c)] | Operational management | Preventive | |
Analyze the Governance, Risk, and Compliance approach. CC ID 12816 [The governing body should: assess its own competence, structures and processes, including drawing on the support of experienced, independent professionals, with respect to, for example, the adequacy of its effectiveness, efficiency, composition and its member succession plans; § 4.3.2 ¶ 2 d)] | Operational management | Preventive | |
Analyze the organizational culture. CC ID 12899 | Operational management | Preventive | |
Include individual commitment to the organization's Governance, Risk, and Compliance framework in the analysis of the organizational culture. CC ID 12922 | Operational management | Detective | |
Include the organizational climate in the analysis of the organizational culture. CC ID 12921 | Operational management | Detective | |
Include consistency of leadership actions to mission, vision, and values in the analysis of the organizational culture. CC ID 12920 [Ethical and effective leadership is demonstrated when the governing body: behaves in a manner consistent with the defined organizational values; § 6.7.3.1 ¶ 3 Bullet 2 {internal context}When setting the strategic outcomes and guiding the organizational strategy, the governing body should consider the organization's internal and external context, including: the organizational purpose, the application of the organizational values and the organization's value generation model; § 6.3.3.1.1 ¶ 2 a) Within the governing body: The members of the governing body should demonstrate that they are behaving in a manner consistent with the organizational values. § 6.7.3.3 ¶ 1 a) The governing body should oversee organizational performance by assessing and taking corrective action based on: whether the organizational values and governance policies are effectively guiding the organization, its culture and its ethical behaviour; § 6.4.3.2 ¶ 1 a)] | Operational management | Detective | |
Establish, implement, and maintain consequences for non-compliance with the organizational compliance framework. CC ID 11747 [To demonstrate accountability, the governing body should ensure that the organization's reports and disclosures: provide information about the governing body itself, including: the fulfilment of its responsibilities, including the consequences of not fulfilling its obligations; § 6.5.3.2 ¶ 1 b) 2) When defining the organizational values, the governing body should ensure that: the governing body itself understands the consequences of unethical behaviour including bribery, fraud and corruption; § 6.1.3.3 ¶ 1 d) {hold accountable}{individual} The governing body should hold to account those to whom it has delegated (see 4.2.2). The governing body should ask questions, exercise its judgement, implement consequences, affect improvements and ensure that is equipped to do so. When doing so, the governing body should practise integrity, fairness and transparency. § 6.5.3.3 ¶ 1] | Operational management | Corrective | |
Restrict unscheduled downtime in order to maintain high availability for critical systems. CC ID 12742 | Operational management | Preventive | |
Include interconnected systems and Software as a Service in the Information Technology inventory. CC ID 04885 | Operational management | Preventive | |
Implement automated mechanisms to transfer predictive maintenance data to a maintenance management system. CC ID 10616 | Operational management | Preventive | |
Establish, implement, and maintain data completeness controls. CC ID 11649 [The governing body should make decisions of requisite quality and ensure that its decision-making is appropriately informed. The governing body should: ensure that assurance is provided over the integrity of the data and information received, and in particular its accuracy and completeness; § 6.8.3.2.1 ¶ 1 g)] | Records management | Preventive | |
Allow data subjects to submit data requests. CC ID 16545 | Privacy protection for information and data | Preventive | |
Define what is included in a request for a waiver or reduction of fees. CC ID 15522 | Privacy protection for information and data | Preventive | |
Allow affected third parties to consent or object to a data access request. CC ID 08704 | Privacy protection for information and data | Preventive | |
Search the Internet for evidence of data leakage. CC ID 10419 | Privacy protection for information and data | Detective | |
Alert appropriate personnel when data leakage is detected. CC ID 14715 | Privacy protection for information and data | Preventive | |
Take appropriate action when a data leakage is discovered. CC ID 14716 | Privacy protection for information and data | Corrective | |
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
---|---|---|---|
Archive the engagement file and all work papers for the period prescribed by law or contract. CC ID 10038 | Audits and risk management | Preventive | |
Include information sharing procedures in standard operating procedures. CC ID 12974 | Operational management | Preventive | |
Include source code in the asset inventory. CC ID 14858 | Operational management | Preventive | |
Compare each record's data input to its final form. CC ID 11813 | Records management | Detective | |
Establish and maintain access controls for all records. CC ID 00371 [Decision-making throughout the organization should be supported by appropriate delegation (see 4.2.2). This delegation should be formalized together with appropriate assurance processes. Additionally, the governing body should ensure that: information structures, including access to information, monitoring and potential mitigation of incorrect decisions are sufficient to ensure compliance with organizational requirements. § 6.8.3.2.2 ¶ 1 c)] | Records management | Preventive | |
Submit personal data removal requests in writing. CC ID 11973 | Privacy protection for information and data | Preventive | |
Allow authorized individuals to authenticate record entries containing personal data. CC ID 11812 | Privacy protection for information and data | Corrective | |
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
---|---|---|---|
Back up audit trails according to backup procedures. CC ID 11642 | Monitoring and measurement | Preventive | |
Evaluate all possible continuity risks and impacts as a part of the continuity framework. CC ID 06374 [{internal context}When setting the strategic outcomes and guiding the organizational strategy, the governing body should consider the organization's internal and external context, including: the organization's strengths, weaknesses, competitive positioning and operational resilience; § 6.3.3.1.1 ¶ 2 i)] | Operational and Systems Continuity | Detective | |
Assess risks related to fault tolerance and redundancy of critical assets. CC ID 13053 | Operational and Systems Continuity | Preventive | |
Restore systems and environments to be operational. CC ID 13476 [{environmental system}{social system} The governing body should ensure that the organization protects and restores those systems on which it depends. In this regard, the governing body should consider and manage risk associated with those decisions it makes that can impact the natural environmental, social and economic systems (see 6.9). While doing so, the governing body should ensure that relevant stakeholders are consulted and engaged (see 6.6). This should provide clarity regarding the impact the governing body's decisions have, over time, on those aspects on which the organization is: § 6.11.3.4 ¶ 1] | Operational and Systems Continuity | Corrective | |
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
---|---|---|---|
Include quality gates and testing milestones in the Quality Management program. CC ID 06825 | Leadership and high level objectives | Preventive | |
Include an issue tracking system in the Quality Management program. CC ID 06824 | Leadership and high level objectives | Preventive | |
Apply security controls to each level of the information classification standard. CC ID 01903 | Operational management | Preventive | |
Include each Information System's system boundaries in the Information Technology inventory. CC ID 00695 | Operational management | Preventive | |
Review each system's operational readiness. CC ID 06275 | Operational management | Preventive | |
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
---|---|---|---|
Subscribe to a threat intelligence service to receive notification of emerging threats. CC ID 12135 | Leadership and high level objectives | Detective | |
Establish, implement, and maintain a network activity baseline. CC ID 13188 | Monitoring and measurement | Detective | |
Deploy log normalization tools, as necessary. CC ID 12141 | Monitoring and measurement | Preventive | |
Restrict access to audit trails to a need to know basis. CC ID 11641 | Monitoring and measurement | Preventive | |
Analyze the organization's information security environment. CC ID 13122 | Audits and risk management | Preventive | |
Include security threats and vulnerabilities in the threat and risk classification scheme. CC ID 00699 | Audits and risk management | Preventive | |
Control access rights to organizational assets. CC ID 00004 [{procedure}The governing body should ensure that it sets parameters, within which the value generation objectives are to be achieved. These parameters should ensure that the organization: defines what resources are required to deliver the value generation objectives and how they should be accessed and allocated; § 6.2.3.3 ¶ 1 b)] | Technical security | Preventive | |
Generate but refrain from storing authenticators or Personal Identification Numbers for systems involved in high risk activities. CC ID 06835 | Technical security | Preventive | |
Define access needs for each system component of an information system. CC ID 12456 | Technical security | Preventive | |
Define the level of privilege required for each system component of an information system. CC ID 12457 | Technical security | Preventive | |
Establish access rights based on least privilege. CC ID 01411 | Technical security | Preventive | |
Assign user permissions based on job responsibilities. CC ID 00538 | Technical security | Preventive | |
Assign user privileges after they have management sign off. CC ID 00542 | Technical security | Preventive | |
Establish, implement, and maintain lockout procedures or lockout mechanisms to be triggered after a predetermined number of consecutive logon attempts. CC ID 01412 | Technical security | Preventive | |
Disallow unlocking user accounts absent system administrator approval. CC ID 01413 | Technical security | Preventive | |
Establish session authenticity through Transport Layer Security. CC ID 01627 | Technical security | Preventive | |
Include all system components in the access control system. CC ID 11939 | Technical security | Preventive | |
Enable access control for objects and users to match restrictions set by the system's security classification. CC ID 04850 | Technical security | Preventive | |
Enable attribute-based access control for objects and users on information systems. CC ID 16351 | Technical security | Preventive | |
Enable role-based access control for objects and users on information systems. CC ID 12458 | Technical security | Preventive | |
Enforce access restrictions for change control. CC ID 01428 | Technical security | Preventive | |
Permit a limited set of user actions absent identification and authentication. CC ID 04849 | Technical security | Preventive | |
Activate third party maintenance accounts and user identifiers, as necessary. CC ID 04262 | Technical security | Preventive | |
Display a logon banner and appropriate logon message before granting access to the system. CC ID 06770 | Technical security | Preventive | |
Use automatic equipment identification as a method of connection authentication absent an individual's identification and authentication. CC ID 06964 | Technical security | Preventive | |
Establish, implement, and maintain segregation of duties compensating controls if segregation of duties is not practical. CC ID 06960 [{be different} The degree of separation of duties between the governing body and managers varies according to organizational needs and circumstances. In certain circumstances, such as an executive member of the governing body, an individual can be required to fulfil both governance and management responsibilities. In such cases, it is important for that person to be able to distinguish when they are fulfilling the different responsibilities and act and behave accordingly. § 4.2.3 ¶ 2] | Human Resources management | Preventive | |
Include temporary activation of remote access technologies for third parties in the Acceptable Use Policy. CC ID 11892 | Operational management | Preventive | |
Use automated tools to collect Information Technology inventory information, as necessary. CC ID 07054 | Operational management | Preventive | |
Link the authentication system to the asset inventory. CC ID 13718 | Operational management | Preventive | |
Employ Dynamic Host Configuration Protocol server logging to detect systems not in the asset inventory. CC ID 12110 | Operational management | Detective | |
Prevent users from disabling required software. CC ID 16417 | Operational management | Preventive | |
Control remote maintenance according to the system's asset classification. CC ID 01433 | Operational management | Preventive | |
Approve all remote maintenance sessions. CC ID 10615 | Operational management | Preventive | |
Terminate remote maintenance sessions when the remote maintenance is complete. CC ID 12083 | Operational management | Preventive | |
Employ dedicated systems during system maintenance. CC ID 12108 | Operational management | Preventive | |
Isolate dedicated systems used for system maintenance from Internet access. CC ID 12114 | Operational management | Preventive | |
Employ a random number generator to create authenticators. CC ID 13782 | Privacy protection for information and data | Preventive | |
Provide unobservability of users and resources. CC ID 04551 | Privacy protection for information and data | Preventive | |
Protect electronic messaging information. CC ID 12022 | Privacy protection for information and data | Preventive | |
Render unrecoverable sensitive authentication data after authorization is approved. CC ID 11952 | Privacy protection for information and data | Preventive | |
Encrypt, truncate, or tokenize data fields, as necessary. CC ID 06850 | Privacy protection for information and data | Preventive | |
Implement security measures to protect personal data. CC ID 13606 | Privacy protection for information and data | Preventive | |
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
---|---|---|---|
Conduct Quality Control to ensure adherence to Information Technology policies, standards, and procedures. CC ID 01008 | Leadership and high level objectives | Detective | |
Test the protective measures for effectiveness to prevent financial impact to responsible parties. CC ID 16750 | Leadership and high level objectives | Preventive | |
Test the collateral requirements for appropriateness. CC ID 16681 | Leadership and high level objectives | Preventive | |
Establish, implement, and maintain stress test plans for financial resources. CC ID 16644 | Leadership and high level objectives | Preventive | |
Include stress scenarios in the stress test plan. CC ID 16659 | Leadership and high level objectives | Preventive | |
Perform stress testing in accordance with the stress test plan. CC ID 16652 | Leadership and high level objectives | Preventive | |
Validate the margin system on a regular basis. CC ID 16660 | Leadership and high level objectives | Detective | |
Establish, implement, and maintain a self-assessment approach as part of the compliance testing strategy. CC ID 12833 | Monitoring and measurement | Preventive | |
Test compliance controls for proper functionality. CC ID 00660 | Monitoring and measurement | Detective | |
Establish, implement, and maintain a system security plan. CC ID 01922 [{environmental system}{social system} The governing body should ensure that the organization protects and restores those systems on which it depends. In this regard, the governing body should consider and manage risk associated with those decisions it makes that can impact the natural environmental, social and economic systems (see 6.9). While doing so, the governing body should ensure that relevant stakeholders are consulted and engaged (see 6.6). This should provide clarity regarding the impact the governing body's decisions have, over time, on those aspects on which the organization is: § 6.11.3.4 ¶ 1] | Monitoring and measurement | Preventive | |
Adhere to the system security plan. CC ID 11640 | Monitoring and measurement | Detective | |
Validate all testing assumptions in the test plans. CC ID 00663 | Monitoring and measurement | Detective | |
Require testing procedures to be complete. CC ID 00664 | Monitoring and measurement | Detective | |
Determine the appropriate assessment method for each testing process in the test plan. CC ID 00665 | Monitoring and measurement | Preventive | |
Analyze system audit reports and determine the need to perform more tests. CC ID 00666 | Monitoring and measurement | Detective | |
Report audit findings by the internal audit manager directly to senior management. CC ID 01152 [Assurance processes that inform the governing body independently and accurately include: direct reports by, and private sessions with, internal audit as an independent provider of assurance, including insight and advice, on the effectiveness and performance of governance processes and the internal control system, in particular risk management and compliance management; § 6.4.3.3 ¶ 2 Bullet 3 Assurance processes that inform the governing body independently and accurately include: external audit and associated reporting to stakeholders and the governing body; § 6.4.3.3 ¶ 2 Bullet 4] | Audits and risk management | Detective | |
Review the external audit assertion for accuracy. CC ID 06977 | Audits and risk management | Detective | |
Review the risk assessments as compared to the in scope controls. CC ID 06978 | Audits and risk management | Detective | |
Conduct onsite inspections, as necessary. CC ID 16199 | Audits and risk management | Preventive | |
Determine the accurateness of the audit assertion's in scope system description. CC ID 06979 | Audits and risk management | Detective | |
Determine if the in scope system has been implemented as described in the audit assertion. CC ID 06983 | Audits and risk management | Detective | |
Determine if the audit assertion's in scope controls are reasonable. CC ID 06980 | Audits and risk management | Detective | |
Document test plans for auditing in scope controls. CC ID 06985 | Audits and risk management | Detective | |
Determine the implementation status of the audit assertion's in scope controls. CC ID 06981 | Audits and risk management | Detective | |
Determine the effectiveness of in scope controls. CC ID 06984 | Audits and risk management | Detective | |
Determine any errors or material omissions in the audit assertion that affect in scope control implementations. CC ID 06990 | Audits and risk management | Detective | |
Audit the in scope system according to the test plan using relevant evidence. CC ID 07112 | Audits and risk management | Preventive | |
Provide transactional walkthrough procedures for external auditors. CC ID 00672 | Audits and risk management | Preventive | |
Conduct interviews, as necessary. CC ID 07188 | Audits and risk management | Detective | |
Include if in scope control deviations allow in scope controls to be performed acceptably in the work papers. CC ID 06987 | Audits and risk management | Detective | |
Investigate the nature and causes of identified in scope control deviations. CC ID 06986 | Audits and risk management | Detective | |
Submit an audit report that is complete. CC ID 01145 | Audits and risk management | Detective | |
Assess the quality of the audit program in regards to the staff and their qualifications. CC ID 01150 [{individual}To provide effective oversight of the organization, in addition to the reports it receives from those to whom they have delegated, the governing body should assure itself that the governance system is appropriately designed and operating as intended. If the governing body cannot assure itself directly, then it should utilize additional means of independent assurance. The governing body should: ensure that those providing assurance have appropriate authority and adequate resources to provide the governing body with accurate assessments; § 6.4.3.3 ¶ 1 b) To provide effective oversight of the organization, in addition to the reports it receives from those to whom they have delegated, the governing body should assure itself that the governance system is appropriately designed and operating as intended. If the governing body cannot assure itself directly, then it should utilize additional means of independent assurance. The governing body should: ensure that assurance providers have the necessary competency and capacity and that their efforts are appropriately focused; § 6.4.3.3 ¶ 1 c) To provide effective oversight of the organization, in addition to the reports it receives from those to whom they have delegated, the governing body should assure itself that the governance system is appropriately designed and operating as intended. If the governing body cannot assure itself directly, then it should utilize additional means of independent assurance. The governing body should: carefully scrutinize the ability of any external assurance providers, to provide independent assurance (see NOTE 1); § 6.4.3.3 ¶ 1 e) Where external auditors are appointed, there should be a rotation of audit firms or auditors and careful consideration and transparency of the non-audit services they provide, to ensure continued independent assurance. § 6.4.3.3 ¶ 3] | Audits and risk management | Detective | |
Establish, implement, and maintain the audit plan. CC ID 01156 | Audits and risk management | Detective | |
Perform risk assessments for all target environments, as necessary. CC ID 06452 [To ensure that the organization fulfils the organizational purpose and achieves the intended strategic outcomes, the governing body should: ensure that when the governing body makes decisions, it assesses, treats, monitors, and communicates the nature and extent of the risks faced; § 6.9.3.1 ¶ 2 b) The governing body should oversee the organization's management of risk (see 6.4), ensuring that: the organization assesses, treats, monitors and reviews risk in accordance with the established organizational risk framework; § 6.9.3.4 ¶ 1 d) {environmental system}{social system} The governing body should ensure that the organization protects and restores those systems on which it depends. In this regard, the governing body should consider and manage risk associated with those decisions it makes that can impact the natural environmental, social and economic systems (see 6.9). While doing so, the governing body should ensure that relevant stakeholders are consulted and engaged (see 6.6). This should provide clarity regarding the impact the governing body's decisions have, over time, on those aspects on which the organization is: § 6.11.3.4 ¶ 1] | Audits and risk management | Preventive | |
Determine the effectiveness of risk control measures. CC ID 06601 | Audits and risk management | Detective | |
Perform a risk assessment prior to activating third party access to the organization's critical systems. CC ID 06455 | Technical security | Detective | |
Employ individuals who have the appropriate staff qualifications, staff clearances, and staff competencies. CC ID 00782 [The composition and structure of the governing body will vary between organizations. However, the governing body, as a collective, should remain suitably equipped to fulfil its role. Appointments to the governing body should be transparent to stakeholders and consider: competence (relevant knowledge and understanding, skills and experience); § 4.3.1 ¶ 1 Bullet 1 The governing body should: ensure it has the right combination of knowledge, skills and experience to understand the operations of the organization and the markets in which it operates; § 4.3.2 ¶ 2 a) The composition and structure of the governing body will vary between organizations. However, the governing body, as a collective, should remain suitably equipped to fulfil its role. Appointments to the governing body should be transparent to stakeholders and consider: § 4.3.1 ¶ 1 {be adequate} The governing body is accountable for establishing and maintaining an integrated organizational governance framework across the organization that coordinates these governance activities such that the organization realizes effective performance, responsible stewardship and ethical behaviour. This organizational governance framework should ensure that decision-makers have appropriate authority, competence and resources for the responsibilities given to them. Effective delegation and transparent decision-making empower personnel to act appropriately, resulting in a more resilient and agile organization. Controls and subsequent improvement actions should be planned and implemented to ensure that the governance system remains adequate for the organization's purpose. § 4.2.1 ¶ 2] | Human Resources management | Detective | |
Perform a drug test during personnel screening. CC ID 06648 | Human Resources management | Preventive | |
Assign and staff all roles appropriately. CC ID 00784 | Human Resources management | Detective | |
Implement segregation of duties in roles and responsibilities. CC ID 00774 | Human Resources management | Detective | |
Test systems for malicious code prior to when the system will be redeployed. CC ID 06339 | Operational management | Detective | |
Conduct maintenance with authorized personnel. CC ID 01434 | Operational management | Detective | |
Calibrate assets according to the calibration procedures for the asset. CC ID 06203 | Operational management | Detective | |
Test for detrimental environmental factors after a system is disposed. CC ID 06938 | Operational management | Detective | |
Refrain from storing data elements containing payment card full magnetic stripe data. CC ID 04757 | Privacy protection for information and data | Detective | |
Implement physical controls to protect personal data. CC ID 00355 | Privacy protection for information and data | Preventive | |
Conduct personal data risk assessments. CC ID 00357 | Privacy protection for information and data | Detective | |
There are three types of Common Control classifications: corrective, detective, and preventive. Common Controls at the top level have the default assignment of Impact Zone.
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | TYPE | |
---|---|---|---|
Disseminate and communicate updated guidance documentation to interested personnel and affected parties upon discovery of a new threat. CC ID 12191 | Leadership and high level objectives | Communicate | |
Correct errors and deficiencies in a timely manner. CC ID 13501 [Decision-making throughout the organization should be supported by appropriate delegation (see 4.2.2). This delegation should be formalized together with appropriate assurance processes. Additionally, the governing body should ensure that: information structures, including access to information, monitoring and potential mitigation of incorrect decisions are sufficient to ensure compliance with organizational requirements. § 6.8.3.2.2 ¶ 1 c)] | Leadership and high level objectives | Business Processes | |
Use a risk-based approach to adapt the Strategic Information Technology Plan to the business's needs. CC ID 00631 | Leadership and high level objectives | Business Processes | |
Document lessons learned at the conclusion of each Information Technology project. CC ID 13654 | Leadership and high level objectives | Establish/Maintain Documentation | |
Report errors and faults to the appropriate personnel, as necessary. CC ID 14296 | Monitoring and measurement | Communicate | |
Update or adjust fraud detection systems, as necessary. CC ID 13684 | Monitoring and measurement | Process or Activity | |
Determine the causes of compliance violations. CC ID 12401 | Monitoring and measurement | Investigate | |
Correct compliance violations. CC ID 13515 | Monitoring and measurement | Process or Activity | |
Carry out disciplinary actions when a compliance violation is detected. CC ID 06675 [When delegating, the governing body should delegate in a manner which increases trust and transparency. For delegation and accountability (see 6.5) to be effective, the governing body should ensure that the following conditions are fulfilled: consequences, such as sanctions, for the non-fulfilment of a responsibility or non-adherence to established parameters are enforceable. § 4.2.2 ¶ 2 e)] | Monitoring and measurement | Behavior | |
Convert data into standard units before reporting metrics. CC ID 15507 | Monitoring and measurement | Process or Activity | |
Report compliance monitoring statistics to the Board of Directors and other critical stakeholders, as necessary. CC ID 00676 [Finally, the governing body should report honestly and transparently to relevant stakeholders on the organizational governance framework. This includes reporting: its assessment of the governance outcomes achieved. § 5 ¶ 7 Bullet 2 Assurance processes that inform the governing body independently and accurately include: direct reports by, and private sessions with, internal audit as an independent provider of assurance, including insight and advice, on the effectiveness and performance of governance processes and the internal control system, in particular risk management and compliance management; § 6.4.3.3 ¶ 2 Bullet 3 Assurance processes that inform the governing body independently and accurately include: direct reports by, and private sessions with, risk management and compliance management as independent control functions; § 6.4.3.3 ¶ 2 Bullet 2] | Monitoring and measurement | Actionable Reports or Measurements | |
Assign the Board of Directors to address audit findings. CC ID 12396 [Assurance processes that inform the governing body independently and accurately include: direct verifications by the governing body; § 6.4.3.3 ¶ 2 Bullet 1] | Audits and risk management | Human Resources Management | |
Refrain from changing the date of the practitioner's report on agreed-upon procedures when reissuing it. CC ID 13896 | Audits and risk management | Establish/Maintain Documentation | |
Withdraw from the audit, when defined conditions exist. CC ID 13885 | Audits and risk management | Process or Activity | |
Solve any access problems auditors encounter during the audit. CC ID 08959 | Audits and risk management | Audits and Risk Management | |
Include deficiencies and non-compliance in the audit report. CC ID 14879 | Audits and risk management | Establish/Maintain Documentation | |
Include a description of the reasons for modifying the audit opinion in the audit report. CC ID 13898 | Audits and risk management | Establish/Maintain Documentation | |
Disclaim the audit opinion in the audit report, as necessary. CC ID 13901 | Audits and risk management | Business Processes | |
Modify the audit opinion in the audit report under defined conditions. CC ID 13937 | Audits and risk management | Establish/Maintain Documentation | |
Implement a corrective action plan in response to the audit report. CC ID 06777 | Audits and risk management | Establish/Maintain Documentation | |
Monitor and report on the status of mitigation actions in the corrective action plan. CC ID 15250 | Audits and risk management | Actionable Reports or Measurements | |
Purchase insurance on behalf of interested personnel and affected parties. CC ID 16571 | Audits and risk management | Acquisition/Sale of Assets or Services | |
Revise the risk treatment strategies in the risk treatment plan, as necessary. CC ID 12552 | Audits and risk management | Establish/Maintain Documentation | |
Document and communicate a corrective action plan based on the risk assessment findings. CC ID 00705 [The governing body should ensure that the value generation objectives are delivered by the organization as a whole, by applying all other principles in this document. This includes ensuring that: the impacts of the organization's changing context are identified, understood, monitored and appropriate action is taken; § 6.2.3.4 ¶ 1 b) The governing body should assume accountability for the organization's continual sensing of, and responding to, risk and communicating the chosen approach with relevant stakeholders as necessary (see 6.5.3). § 6.9.3.1 ¶ 1 The governing body should ensure that the value generation objectives are delivered by the organization as a whole, by applying all other principles in this document. This includes ensuring that: unintended outcomes are adequately identified, understood, monitored and appropriate action taken; § 6.2.3.4 ¶ 1 a) The governing body should oversee organizational performance by assessing and taking corrective action based on: risk information (e.g. information received directly from the risk function) regarding the organization's assessment and treatment of its key threats and opportunities in consideration of the organizational risk framework (see 6.9); § 6.4.3.2 ¶ 1 c)] | Audits and risk management | Establish/Maintain Documentation | |
Document residual risk in a residual risk report. CC ID 13664 | Audits and risk management | Establish/Maintain Documentation | |
Notify the user when an authentication is attempted using an expired authenticator. CC ID 13818 | Technical security | Communicate | |
Restore systems and environments to be operational. CC ID 13476 [{environmental system}{social system} The governing body should ensure that the organization protects and restores those systems on which it depends. In this regard, the governing body should consider and manage risk associated with those decisions it makes that can impact the natural environmental, social and economic systems (see 6.9). While doing so, the governing body should ensure that relevant stakeholders are consulted and engaged (see 6.6). This should provide clarity regarding the impact the governing body's decisions have, over time, on those aspects on which the organization is: § 6.11.3.4 ¶ 1] | Operational and Systems Continuity | Systems Continuity | |
Rotate members of the board of directors, as necessary. CC ID 14803 | Human Resources management | Human Resources Management | |
Implement a sanctions process for personnel who fail to comply with the organizational compliance program. CC ID 01442 [{be ethical}{be effective} Where dilemmas turn into conflicts or disputes, alternative dispute resolution mechanisms should be considered over formal litigation where possible. Disputes should be resolved ethically and effectively. § 6.7.3.4 ¶ 3] | Human Resources management | Behavior | |
Respond to ethics complaints of ethics violations. CC ID 11497 | Human Resources management | Business Processes | |
Measure policy compliance when reviewing the internal control framework. CC ID 06442 [The governing body should establish governance policies and ensure that these: set expectations for internal controls, compliance, risk management and risk taking; § 6.3.3.1.2 ¶ 1 e)] | Operational management | Actionable Reports or Measurements | |
Update operating procedures that contribute to user errors. CC ID 06935 | Operational management | Establish/Maintain Documentation | |
Include disciplinary actions in the Acceptable Use Policy. CC ID 00296 | Operational management | Establish/Maintain Documentation | |
Establish, implement, and maintain consequences for non-compliance with the organizational compliance framework. CC ID 11747 [To demonstrate accountability, the governing body should ensure that the organization's reports and disclosures: provide information about the governing body itself, including: the fulfilment of its responsibilities, including the consequences of not fulfilling its obligations; § 6.5.3.2 ¶ 1 b) 2) When defining the organizational values, the governing body should ensure that: the governing body itself understands the consequences of unethical behaviour including bribery, fraud and corruption; § 6.1.3.3 ¶ 1 d) {hold accountable}{individual} The governing body should hold to account those to whom it has delegated (see 4.2.2). The governing body should ask questions, exercise its judgement, implement consequences, affect improvements and ensure that it is equipped to do so. When doing so, the governing body should practise integrity, fairness and transparency. § 6.5.3.3 ¶ 1] | Operational management | Process or Activity | |
Identify discrepancies between the asset register database and the Information Technology inventory, as necessary. CC ID 07052 | Operational management | Monitor and Evaluate Occurrences | |
Investigate and resolve discrepancies between the asset register database and the Information Technology inventory. CC ID 07053 | Operational management | Monitor and Evaluate Occurrences | |
Refrain from protecting physical assets when no longer required. CC ID 13484 | Operational management | Physical and Environmental Protection | |
Process product return requests. CC ID 11598 | Acquisition or sale of facilities, technology, and services | Acquisition/Sale of Assets or Services | |
Refrain from returning products absent a return request authorization. CC ID 11599 | Acquisition or sale of facilities, technology, and services | Acquisition/Sale of Assets or Services | |
Allow authorized individuals to authenticate record entries containing personal data. CC ID 11812 | Privacy protection for information and data | Records Management | |
Report fraudulent account activity, unauthorized transactions, or discrepancies with current accounts. CC ID 04875 | Privacy protection for information and data | Monitor and Evaluate Occurrences | |
Take appropriate action when a data leakage is discovered. CC ID 14716 | Privacy protection for information and data | Process or Activity | |
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | TYPE | |
---|---|---|---|
Assess the effectiveness of the communication methods used in the communication protocol. CC ID 12691 | Leadership and high level objectives | Process or Activity | |
Identify all interested personnel and affected parties. CC ID 12845 [The governing body should ensure that the organization's stakeholders are identified, prioritized, appropriately engaged, consulted and their expectations understood. The governing body should do this to ensure that stakeholder relationships are effective and appropriate decisions about expectations are made to achieve the intended value generation objectives. § 6.6.3 ¶ 1 {social context} The governing body should define the organization's value generation objectives such that they fulfil the organizational purpose in accordance with the organizational values and the natural environment, social and economic context within which it operates. This should include iterations of identifying relevant stakeholder groups and determining, prioritizing and formulating objectives which meet the expectations of these groups. § 6.2.3.2 ¶ 1 Defining the organizational purpose involves identifying the issues and stakeholders for which the organization exists to serve and the negative impacts that are to be avoided. When identifying these, the governing body should ensure that the following are considered: § 6.1.3.2 ¶ 1] | Leadership and high level objectives | Process or Activity | |
Approve the data classification scheme. CC ID 13858 | Leadership and high level objectives | Establish/Maintain Documentation | |
Ensure the data dictionary is complete and accurate. CC ID 13527 | Leadership and high level objectives | Investigate | |
Monitor regulatory trends to maintain compliance. CC ID 00604 [{external context} The governing body should ensure that the organizational risk framework, in respect to the management of risk: considers the impact of, changes to and dependencies on the external and internal context of the organization, including: short-, medium- and long-term trends including social responsibility and sustainability trends; § 6.9.3.2 ¶ 2 d) 2)] | Leadership and high level objectives | Monitor and Evaluate Occurrences | |
Monitor for new Information Security solutions. CC ID 07078 | Leadership and high level objectives | Monitor and Evaluate Occurrences | |
Subscribe to a threat intelligence service to receive notification of emerging threats. CC ID 12135 | Leadership and high level objectives | Technical Security | |
Enforce a continuous Quality Control system. CC ID 01005 | Leadership and high level objectives | Business Processes | |
Conduct Quality Control to ensure adherence to Information Technology policies, standards, and procedures. CC ID 01008 | Leadership and high level objectives | Testing | |
Establish and maintain time frames for correcting deficiencies found during Quality Control. CC ID 07206 | Leadership and high level objectives | Business Processes | |
Review and analyze any quality improvement goals that were missed. CC ID 07204 | Leadership and high level objectives | Business Processes | |
Analyze organizational policies, as necessary. CC ID 14037 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include all compliance exceptions in the compliance exception standard. CC ID 01630 | Leadership and high level objectives | Establish/Maintain Documentation | |
Establish and maintain a compliance oversight committee. CC ID 00765 [The governing body should direct and oversee the organization to ensure accountability is practised throughout (see 6.4). § 6.5.3.3 ¶ 2 {be effective} Depending on the size of the organization, governing bodies can create committees to help them fulfil their obligations. These committees can be statutory or voluntary. In either case, they should provide the governing body with additional capacity, skills, independence, diversity and/or stakeholder representation. If a governing body makes use of supporting committees, the governing body should ensure that it effectively delegates the necessary responsibilities and authority to such committees. § 4.3.1 ¶ 2] | Leadership and high level objectives | Establish Roles | |
Review and document the meetings and actions of the Board of Directors or audit committee in the Board Report. CC ID 01151 | Leadership and high level objectives | Establish/Maintain Documentation | |
Provide critical project reports to the compliance oversight committee in a timely manner. CC ID 01183 | Leadership and high level objectives | Establish/Maintain Documentation | |
Identify and document the events that initiate the decision management strategy. CC ID 06914 [A process of reconciliation between seemingly opposed dimensions leads to more informed and robust decisions. Reconciling dilemmas requires a deliberate approach that includes: recognizing and identifying the dilemma; § 6.7.3.4 ¶ 2 a)] | Leadership and high level objectives | Establish/Maintain Documentation | |
Monitor and evaluate the implementation and effectiveness of Information Technology Plans. CC ID 00634 | Leadership and high level objectives | Monitor and Evaluate Occurrences | |
Investigate discrepancies between the information received and the information verified for each funds transfer. CC ID 16757 | Leadership and high level objectives | Investigate | |
Verify all required information is attached to each funds transfer. CC ID 16755 | Leadership and high level objectives | Business Processes | |
Analyze the effectiveness of the stress test plan. CC ID 16657 | Leadership and high level objectives | Process or Activity | |
Validate the margin system on a regular basis. CC ID 16660 | Leadership and high level objectives | Testing | |
Assess the properties of the margin model used in the margin system. CC ID 16658 | Leadership and high level objectives | Process or Activity | |
Monitor the performance of the margin system. CC ID 16655 | Leadership and high level objectives | Monitor and Evaluate Occurrences | |
Analyze the performance of the margin system. CC ID 16654 | Leadership and high level objectives | Process or Activity | |
Determine the amount of assets to be held in escrow. CC ID 16575 | Leadership and high level objectives | Investigate | |
Monitor the usage and capacity of critical assets. CC ID 14825 [The value generation model requires an integrated approach to understanding and using resources (e.g. human, social and relational, intellectual, the natural environment, financial and manufactured). This approach includes: measurement and tracking of the organization's use of, and impact on, these resources; § 6.2.3.1 ¶ 4 b)] | Monitoring and measurement | Monitor and Evaluate Occurrences | |
Monitor the usage and capacity of Information Technology assets. CC ID 00668 | Monitoring and measurement | Monitor and Evaluate Occurrences | |
Notify the interested personnel and affected parties before the storage unit will reach maximum capacity. CC ID 06773 | Monitoring and measurement | Behavior | |
Monitor systems for errors and faults. CC ID 04544 | Monitoring and measurement | Monitor and Evaluate Occurrences | |
Compare system performance metrics to organizational standards and industry benchmarks. CC ID 00667 | Monitoring and measurement | Monitor and Evaluate Occurrences | |
Establish, implement, and maintain logging and monitoring operations. CC ID 00637 | Monitoring and measurement | Log Management | |
Monitor systems for inappropriate usage and other security violations. CC ID 00585 [{be responsible}{be ethical} The governing body should provide direction for, and have sufficient oversight of, the use of data and its supporting information technology to ensure the organization remains within its established risk appetite and organizational risk framework. This can include: adequate auditing, and monitoring, of information technology to ensure its responsible, including ethical, use and that it meets the governing body's intentions and expectations as well as the organization's compliance obligations; § 6.8.3.4 ¶ 2 c)] | Monitoring and measurement | Monitor and Evaluate Occurrences | |
Monitor systems for blended attacks and multiple component incidents. CC ID 01225 | Monitoring and measurement | Monitor and Evaluate Occurrences | |
Monitor systems for Denial of Service attacks. CC ID 01222 | Monitoring and measurement | Monitor and Evaluate Occurrences | |
Monitor systems for access to restricted data or restricted information. CC ID 04721 | Monitoring and measurement | Monitor and Evaluate Occurrences | |
Assign roles and responsibilities for overseeing access to restricted data or restricted information. CC ID 11950 | Monitoring and measurement | Human Resources Management | |
Detect unauthorized access to systems. CC ID 06798 | Monitoring and measurement | Monitor and Evaluate Occurrences | |
Incorporate potential red flags into the organization's incident management system. CC ID 04652 | Monitoring and measurement | Monitor and Evaluate Occurrences | |
Alert interested personnel when suspicious activity is detected by an Intrusion Detection System or Intrusion Prevention System. CC ID 06430 | Monitoring and measurement | Monitor and Evaluate Occurrences | |
Alert interested personnel and affected parties when an incident causes an outage. CC ID 06808 | Monitoring and measurement | Monitor and Evaluate Occurrences | |
Monitor and evaluate environmental threats. CC ID 13481 | Monitoring and measurement | Monitor and Evaluate Occurrences | |
Test compliance controls for proper functionality. CC ID 00660 | Monitoring and measurement | Testing | |
Adhere to the system security plan. CC ID 11640 | Monitoring and measurement | Testing | |
Validate all testing assumptions in the test plans. CC ID 00663 | Monitoring and measurement | Testing | |
Require testing procedures to be complete. CC ID 00664 | Monitoring and measurement | Testing | |
Analyze system audit reports and determine the need to perform more tests. CC ID 00666 | Monitoring and measurement | Testing | |
Monitor devices continuously for conformance with production specifications. CC ID 06201 | Monitoring and measurement | Monitor and Evaluate Occurrences | |
Report on the percentage of critical assets for which an assurance strategy is implemented. CC ID 01657 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of key organizational functions for which an assurance strategy is implemented. CC ID 01658 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of key compliance requirements for which an assurance strategy has been implemented. CC ID 01659 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of the Information System budget allocated to Information Security. CC ID 04571 | Monitoring and measurement | Actionable Reports or Measurements | |
Monitor personnel and third parties for compliance to the organizational compliance framework. CC ID 04726 | Monitoring and measurement | Monitor and Evaluate Occurrences | |
Align enforcement reviews for non-compliance with organizational risk tolerance. CC ID 13063 | Monitoring and measurement | Business Processes | |
Determine if multiple compliance violations of the same type could occur. CC ID 12402 | Monitoring and measurement | Investigate | |
Review the effectiveness of disciplinary actions carried out for compliance violations. CC ID 12403 | Monitoring and measurement | Investigate | |
Report on the policies and controls that have been implemented by management. CC ID 01670 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of security management roles that have been assigned. CC ID 01671 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of board meetings or committee meetings at which Information Assurance was on the agenda. CC ID 01672 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of supply chain members for which all Information Assurance requirements have been implemented. CC ID 01675 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of organizational units that have an established Business Continuity Plan. CC ID 01676 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of organizational units with a documented Business Continuity Plan for which specific responsibilities have been assigned. CC ID 02057 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of Business Continuity Plans that have been reviewed, tested, and updated. CC ID 02058 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of needed internal audits that have been completed and reviewed. CC ID 01677 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of Information Security requirements from applicable laws and regulations that are included in the audit program. CC ID 02069 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of needed external audits that have been completed and reviewed. CC ID 11632 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of Information Security audits conducted in compliance with the approved audit program. CC ID 02070 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of audit findings that have been resolved since the last audit. CC ID 01678 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of management actions in response to audit findings and audit recommendations that were implemented in a timely way. CC ID 02071 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of total controls for which policies, standards, and procedures exist and for which approval has been granted. CC ID 01679 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of personnel who are assigned and acknowledged responsibilities for approved policies, standards, and procedures. CC ID 01680 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of policy compliance reviews for which no compliance violations were noted. CC ID 01681 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of senior management or business unit heads who have implemented operational compliance procedures. CC ID 01682 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of role descriptions that define the Information Awareness roles for Security Managers and administrators. CC ID 01685 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of role descriptions that define the information awareness roles for interested personnel. CC ID 01686 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of role descriptions that define the information awareness roles for end users. CC ID 01687 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of performance reviews that include the evaluation of Information Assurance responsibilities and policy compliance. CC ID 01688 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of individuals with access to security software who are trained and authorized Security Administrators. CC ID 01691 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of individuals able to assign security privileges who are trained and authorized Security Administrators. CC ID 01692 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of new hires who completed training ahead of being granted network access or system access. CC ID 01683 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of personnel who have completed periodic Information Assurance refresher training. CC ID 01684 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of user roles, systems, and applications that comply with the segregation of duties principle. CC ID 01689 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of individuals whose access rights have been reviewed. CC ID 01690 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of users who have access to restricted data or restricted information and have undergone a background check. CC ID 01693 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of critical information assets and information-dependent functions. CC ID 02040 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of critical assets and functions for which the cost of compromise has been quantified. CC ID 02041 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of identified risks that have a defined risk mitigation plan. CC ID 02042 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of systems with approved System Security Plans. CC ID 02145 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of known Information Security risks that are related to supply chain relationships. CC ID 02044 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of critical information assets or critical functions for which access by supply chain personnel is disallowed. CC ID 02045 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of supply chain personnel who have current information asset user privileges. CC ID 02046 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of systems with critical information assets or functions for which electronic connection by supply chain assets is disallowed. CC ID 02047 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of security incidents that involved supply chain personnel. CC ID 02048 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of third party contracts that include a requirement to externally verify policies and procedures. CC ID 02049 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of supply chain relationships that have been reviewed for compliance with information security requirements. CC ID 02050 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of information assets that have been reviewed and classified. CC ID 02053 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of information assets with defined user privileges that have been assigned based on role and according to policy. CC ID 02054 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of scheduled Information Technology inventory processes that occurred on time. CC ID 02055 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of recently identified information security risks related to systems architecture that have been adequately mitigated. CC ID 02060 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of system architecture changes that were approved through appropriate change requests. CC ID 02061 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of critical information assets or functions residing on systems that are currently in compliance with the approved systems architecture. CC ID 02062 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of systems that have been recertified if security controls were updated after the system was developed. CC ID 02142 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of systems that have completed Certification and Accreditation. CC ID 02143 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of critical organizational information assets and functions that have been reviewed from the risk to physical security perspective. CC ID 02064 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of critical organizational information assets and functions exposed to physical risks for which risk mitigation actions have been implemented. CC ID 02065 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of critical assets that have been reviewed from the environmental risk perspective. CC ID 02066 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of servers located in controlled access areas. CC ID 02067 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of unique active user identifiers. CC ID 02074 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of systems and applications that perform authenticator policy verification. CC ID 02086 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of active user passwords that are set to expire. CC ID 02087 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of systems with critical information assets that use stronger authentication than user identifiers and passwords. CC ID 02088 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of systems for which default accounts and default passwords have been disabled or reset. CC ID 02089 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of inactive user accounts that are assigned to personnel who have left or no longer need access. CC ID 02090 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of systems with account lockout thresholds set. CC ID 02091 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of inactive user accounts that have been disabled. CC ID 02092 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of workstations with session timeout or automatic logoff controls set. CC ID 02093 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of users with access to shared accounts. CC ID 04573 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of active computer accounts that have had the current user privileges reviewed. CC ID 02094 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of systems where permission to install nonstandard software is limited. CC ID 02095 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of systems and applications that have user privileges and administrator privileges assigned in compliance with Role-Based Access Controls. CC ID 02096 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of systems for which approved configuration settings have been implemented. CC ID 02097 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of systems with configurations that do not deviate from approved standards. CC ID 02098 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of systems that are continuously monitored for compliance with the configuration standard with out-of-compliance alarms or out-of-compliance reports. CC ID 02099 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of systems whose configuration is compared with a previously established trusted configuration baseline. CC ID 02100 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of systems where the authority to make configuration changes is limited. CC ID 02101 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of system components that undergo maintenance as scheduled. CC ID 04562 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of systems for which event logging has been implemented. CC ID 02102 | Monitoring and measurement | Log Management | |
Report on the percentage of systems for which event logs are monitored and reviewed. CC ID 02103 | Monitoring and measurement | Log Management | |
Report on the percentage of systems for which log capacity and log retention schedules have been implemented. CC ID 02104 | Monitoring and measurement | Log Management | |
Report on the percentage of systems that generate warnings about anomalous activity or potentially unauthorized activity. CC ID 02105 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of laptops and mobile devices that are required to comply with the approved configuration standard before being granted network access. CC ID 02106 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of organizationally controlled communications channels that have been secured. CC ID 02107 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of host servers that are protected from becoming relay hosts. CC ID 02108 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of mobile users who access organizational facilities using secure communications methods. CC ID 02109 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of workstations and laptops that employ automated system security tools. CC ID 02110 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of servers that employ automated system security tools. CC ID 02111 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of mobile devices that employ automated system security tools. CC ID 02112 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of software changes that have been documented and approved through change request forms. CC ID 02152 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of systems with all approved patches installed. CC ID 02113 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the mean time from patch availability to patch installation. CC ID 02114 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of software changes that were reviewed for security impacts before the software configuration is updated. CC ID 02115 | Monitoring and measurement | Actionable Reports or Measurements | |
Establish, implement, and maintain a network activity baseline. CC ID 13188 | Monitoring and measurement | Technical Security | |
Report on the percentage of systems configured according to the configuration standard. CC ID 02116 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of network access controls used to gain unauthorized access. CC ID 04572 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of critical information assets stored on network accessible devices that are encrypted with widely tested and published cryptographic algorithms. CC ID 02117 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of mobile devices that use encryption for critical information assets. CC ID 02118 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of passwords and Personal Identification Numbers that are encrypted. CC ID 02119 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of media that passes sanitization procedure testing. CC ID 04574 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of systems with critical information assets or critical business functions that have been backed up in accordance with the backup policy and the system's continuity plan. CC ID 02120 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of systems with critical information assets or critical functions where restoration from a backup has been successfully demonstrated. CC ID 02121 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of backup media stored off site in secure storage. CC ID 02122 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of used backup media or archive media sanitized prior to reuse or disposal. CC ID 02123 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the estimated damage or loss resulting from all security incidents. CC ID 01674 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of security incidents that did not cause confidentiality, integrity, or availability losses beyond the Service Level Agreement thresholds. CC ID 01673 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of operational time that critical services were unavailable due to security incidents. CC ID 02124 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of security incidents that exploited existing security vulnerabilities with known solutions, patches, or workarounds. CC ID 02125 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of systems affected by security incidents that exploited existing security vulnerabilities with known solutions, patches, or workarounds. CC ID 02126 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of security incidents that were managed according to established policies, procedures, and processes. CC ID 02127 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the number of security incidents reported to FedCIRC, NIPC, the Payment Card Industry, or local law enforcement. CC ID 02154 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of systems with critical information assets or critical functions that have been assessed for security vulnerabilities. CC ID 02128 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of vulnerability assessment findings that have been addressed since the last reporting period. CC ID 02129 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the average elapsed time between the discovery of a new vulnerability and implementing corrective action. CC ID 02140 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of physical security incidents that involved entry into a facility containing Information Systems. CC ID 04564 | Monitoring and measurement | Actionable Reports or Measurements | |
Monitor for changes to the organizational culture that have a direct effect on organizational objectives. CC ID 12881 | Monitoring and measurement | Monitor and Evaluate Occurrences | |
Establish, implement, and maintain a corrective action plan. CC ID 00675 [When defining the organizational values, the governing body should ensure that: corrective action can be taken. § 6.1.3.3 ¶ 1 e) To exercise effective oversight, the governing body should: take corrective action; § 6.4.3.1 ¶ 1 c) The governing body should oversee organizational performance by assessing and taking corrective action based on: § 6.4.3.2 ¶ 1 The governing body should oversee organizational performance by assessing and taking corrective action based on: the organization's identification of, and engagement with, relevant stakeholders (see 6.6); § 6.4.3.2 ¶ 1 e) The governing body should oversee organizational performance by assessing and taking corrective action based on: the organization's responsible (which includes ethical) use of, and adequate investment in, technology including, for example, artificial intelligence and cyber security; § 6.4.3.2 ¶ 1 i) For accountability to be effective, it relies on effective stakeholder engagement (see 6.6) as this is the basis for effective dialogue, value generation and improvement. The governing body should be available to answer to relevant stakeholders about decisions made and have responses evaluated. Improvements should be applied as the result of feedback from reporting, disclosure and dialogue activities. § 6.5.3.2 ¶ 3 {be adequate} The governing body is accountable for establishing and maintaining an integrated organizational governance framework across the organization that coordinates these governance activities such that the organization realizes effective performance, responsible stewardship and ethical behaviour. This organizational governance framework should ensure that decision-makers have appropriate authority, competence and resources for the responsibilities given to them. Effective delegation and transparent decision-making empower personnel to act appropriately, resulting in a more resilient and agile organization. Controls and subsequent improvement actions should be planned and implemented to ensure that the governance system remains adequate for the organization's purpose. § 4.2.1 ¶ 2 The governing body should demonstrate accountability by retaining and distributing value in a transparent manner and reporting on the associated processes, decisions and results, including on the extent of the organization's impacts over time. This includes disclosing to relevant stakeholders where the organization has destroyed or compromised value, providing a justification for such where appropriate, and describing how it will redress or reinstate that value. § 6.2.3.5 ¶ 2 The governing body should oversee organizational performance by assessing and taking corrective action based on: whether the organizational values and governance policies are effectively guiding the organization, its culture and its ethical behaviour; § 6.4.3.2 ¶ 1 a) Recognize failures and mistakes and take appropriate action. Table 2 Column 2 Row 2 Bullet 5 The governing body should oversee organizational performance by assessing and taking corrective action based on: compliance (e.g. information received directly from the compliance function) regarding the organization's compliance culture and the meeting of its compliance obligations; § 6.4.3.2 ¶ 1 d) The governing body should oversee organizational performance by assessing and taking corrective action based on: the organization's management of plans, organizational changes and other substantial transformations as well as responses to unplanned events and incidents. § 6.4.3.2 ¶ 1 j) The governing body should oversee organizational performance by assessing and taking corrective action based on: managerial reporting and performance, ensuring that it appraises results against applicable measurement criteria and its intentions and expectations (see 6.3.3); § 6.4.3.2 ¶ 1 b) The governing body should oversee organizational performance by assessing and taking corrective action based on: the organization's controlling and processing of data, ensuring that data are recognized as a valuable and strategic organizational resource (see 6.8); § 6.4.3.2 ¶ 1 h) The governing body should oversee organizational performance by assessing and taking corrective action based on: resource allocations, capacity and capabilities (including people and their development) ensuring that the organization is enabled to meet its organizational purpose, value generation objectives and strategic outcomes; § 6.4.3.2 ¶ 1 g) {be financially sound}The governing body should oversee organizational performance by assessing and taking corrective action based on: the organization's financial results and financial resources, ensuring that the organization remains financially sound; § 6.4.3.2 ¶ 1 f) {hold accountable}{individual} The governing body should hold to account those to whom it has delegated (see 4.2.2). The governing body should ask questions, exercise its judgement, implement consequences, affect improvements and ensure that it is equipped to do so. When doing so, the governing body should practise integrity, fairness and transparency. § 6.5.3.3 ¶ 1] | Monitoring and measurement | Monitor and Evaluate Occurrences | |
Include monitoring in the corrective action plan. CC ID 11645 | Monitoring and measurement | Monitor and Evaluate Occurrences | |
Report audit findings by the internal audit manager directly to senior management. CC ID 01152 [Assurance processes that inform the governing body independently and accurately include: direct reports by, and private sessions with, internal audit as an independent provider of assurance, including insight and advice, on the effectiveness and performance of governance processes and the internal control system, in particular risk management and compliance management; § 6.4.3.3 ¶ 2 Bullet 3 Assurance processes that inform the governing body independently and accurately include: external audit and associated reporting to stakeholders and the governing body; § 6.4.3.3 ¶ 2 Bullet 4] | Audits and risk management | Testing | |
Review the external audit assertion for accuracy. CC ID 06977 | Audits and risk management | Testing | |
Review the risk assessments as compared to the in scope controls. CC ID 06978 | Audits and risk management | Testing | |
Include nondisclosure agreements in external auditor outsourcing contracts. CC ID 10014 | Audits and risk management | Audits and Risk Management | |
Determine if requested services create a threat to independence. CC ID 16823 | Audits and risk management | Audits and Risk Management | |
Determine the presentation method of the audit assertion's in scope system description. CC ID 14885 | Audits and risk management | Establish/Maintain Documentation | |
Determine the appropriateness of the audit assertion's in scope system description. CC ID 16449 | Audits and risk management | Audits and Risk Management | |
Confirm audit requirements during the opening meeting. CC ID 15255 | Audits and risk management | Audits and Risk Management | |
Establish and maintain audit assertions, as necessary. CC ID 14871 | Audits and risk management | Establish/Maintain Documentation | |
Refrain from performing an attestation engagement under defined conditions. CC ID 13952 | Audits and risk management | Audits and Risk Management | |
Identify hypothetical assumptions in forecasts and projections during an audit. CC ID 13946 | Audits and risk management | Audits and Risk Management | |
Refrain from examining forecasts and projections that do not disclose their assumptions during an audit. CC ID 13932 | Audits and risk management | Audits and Risk Management | |
Audit cybersecurity risk management within the policies, standards, and procedures of the organization. CC ID 13011 | Audits and risk management | Investigate | |
Audit information systems, as necessary. CC ID 13010 [{be responsible}{be ethical}The governing body should provide direction for, and have sufficient oversight of, the use of data and its supporting information technology to ensure the organization remains within its established risk appetite and organizational risk framework. This can include: adequate auditing, and monitoring, of information technology to ensure its responsible, including ethical, use and that it meets the governing body's intentions and expectations as well as the organization's compliance obligations; § 6.8.3.4 ¶ 2 c)] | Audits and risk management | Investigate | |
Audit the potential costs of compromise to information systems. CC ID 13012 | Audits and risk management | Investigate | |
Determine the accurateness of the audit assertion's in scope system description. CC ID 06979 | Audits and risk management | Testing | |
Determine if the in scope system has been implemented as described in the audit assertion. CC ID 06983 | Audits and risk management | Testing | |
Investigate the nature and causes of misstatements in the audit assertion's in scope system description. CC ID 16557 | Audits and risk management | Audits and Risk Management | |
Determine the effect of fraud and non-compliance on the description of the system in the audit assertion, as necessary. CC ID 13977 | Audits and risk management | Process or Activity | |
Determine if the audit assertion's in scope controls are reasonable. CC ID 06980 | Audits and risk management | Testing | |
Determine the effect of fraud and non-compliance on the achievement of in scope controls in the audit assertion, as necessary. CC ID 13978 | Audits and risk management | Process or Activity | |
Document test plans for auditing in scope controls. CC ID 06985 | Audits and risk management | Testing | |
Determine the implementation status of the audit assertion's in scope controls. CC ID 06981 | Audits and risk management | Testing | |
Determine the effectiveness of in scope controls. CC ID 06984 | Audits and risk management | Testing | |
Review incident management audit logs to determine the effectiveness of in scope controls. CC ID 12157 | Audits and risk management | Audits and Risk Management | |
Review audit reports to determine the effectiveness of in scope controls. CC ID 12156 | Audits and risk management | Audits and Risk Management | |
Observe processes to determine the effectiveness of in scope controls. CC ID 12155 | Audits and risk management | Audits and Risk Management | |
Interview stakeholders to determine the effectiveness of in scope controls. CC ID 12154 | Audits and risk management | Audits and Risk Management | |
Review policies and procedures to determine the effectiveness of in scope controls. CC ID 12144 | Audits and risk management | Audits and Risk Management | |
Evaluate personnel status changes to determine the effectiveness of in scope controls. CC ID 16556 | Audits and risk management | Audits and Risk Management | |
Determine whether individuals performing a control have the appropriate staff qualifications, staff clearances, and staff competencies. CC ID 16555 | Audits and risk management | Audits and Risk Management | |
Determine any errors or material omissions in the audit assertion that affect in scope control implementations. CC ID 06990 | Audits and risk management | Testing | |
Conduct interviews, as necessary. CC ID 07188 | Audits and risk management | Testing | |
Verify statements made by interviewees are correct. CC ID 16299 | Audits and risk management | Behavior | |
Discuss unsolved questions with the interviewee. CC ID 16298 | Audits and risk management | Process or Activity | |
Allow interviewee to respond to explanations. CC ID 16296 | Audits and risk management | Process or Activity | |
Explain the requirements being discussed to the interviewee. CC ID 16294 | Audits and risk management | Process or Activity | |
Explain the goals of the interview to the interviewee. CC ID 07189 | Audits and risk management | Behavior | |
Include if the audit evidence has identified in scope control deficiencies in the work papers. CC ID 07152 | Audits and risk management | Audits and Risk Management | |
Include if in scope control deviations allow in scope controls to be performed acceptably in the work papers. CC ID 06987 | Audits and risk management | Testing | |
Investigate the nature and causes of identified in scope control deviations. CC ID 06986 | Audits and risk management | Testing | |
Review the subject matter expert's findings. CC ID 16559 | Audits and risk management | Audits and Risk Management | |
Permit assessment teams to conduct audits, as necessary. CC ID 16430 | Audits and risk management | Investigate | |
Determine what disclosures are required in the audit report. CC ID 14888 | Audits and risk management | Establish/Maintain Documentation | |
Identify the audit team members in the audit report. CC ID 15259 | Audits and risk management | Human Resources Management | |
Identify the participants from the organization being audited in the audit report. CC ID 15258 | Audits and risk management | Audits and Risk Management | |
Review the adequacy of the internal auditor's work papers. CC ID 01146 | Audits and risk management | Audits and Risk Management | |
Compare the evaluations completed by the internal auditors and the external auditors in past audit reports. CC ID 01158 | Audits and risk management | Establish/Maintain Documentation | |
Review the adequacy of the internal auditor's audit reports. CC ID 11620 | Audits and risk management | Audits and Risk Management | |
Review past audit reports. CC ID 01155 | Audits and risk management | Establish/Maintain Documentation | |
Review past audit reports for specific process steps and calculations that were stated to support the audit report's conclusions. CC ID 01160 | Audits and risk management | Establish/Maintain Documentation | |
Review the reporting of material weaknesses and risks in past audit reports. CC ID 01161 | Audits and risk management | Establish/Maintain Documentation | |
Determine the effect of deficiencies on the audit report, as necessary. CC ID 14886 | Audits and risk management | Investigate | |
Determine the effect of fraud and non-compliance on the audit report, as necessary. CC ID 13979 | Audits and risk management | Process or Activity | |
Disseminate and communicate the reviews of audit reports to organizational management. CC ID 00653 | Audits and risk management | Log Management | |
Review the issues of non-compliance from past audit reports. CC ID 01148 | Audits and risk management | Establish/Maintain Documentation | |
Submit an audit report that is complete. CC ID 01145 | Audits and risk management | Testing | |
Review management's response to issues raised in past audit reports. CC ID 01149 | Audits and risk management | Audits and Risk Management | |
Assess the quality of the audit program in regards to the staff and their qualifications. CC ID 01150 [{individual}To provide effective oversight of the organization, in addition to the reports it receives from those to whom they have delegated, the governing body should assure itself that the governance system is appropriately designed and operating as intended. If the governing body cannot assure itself directly, then it should utilize additional means of independent assurance. The governing body should: ensure that those providing assurance have appropriate authority and adequate resources to provide the governing body with accurate assessments; § 6.4.3.3 ¶ 1 b) To provide effective oversight of the organization, in addition to the reports it receives from those to whom they have delegated, the governing body should assure itself that the governance system is appropriately designed and operating as intended. If the governing body cannot assure itself directly, then it should utilize additional means of independent assurance. The governing body should: ensure that assurance providers have the necessary competency and capacity and that their efforts are appropriately focused; § 6.4.3.3 ¶ 1 c) To provide effective oversight of the organization, in addition to the reports it receives from those to whom they have delegated, the governing body should assure itself that the governance system is appropriately designed and operating as intended. If the governing body cannot assure itself directly, then it should utilize additional means of independent assurance. The governing body should: carefully scrutinize the ability of any external assurance providers, to provide independent assurance (see NOTE 1); § 6.4.3.3 ¶ 1 e) Where external auditors are appointed, there should be a rotation of audit firms or auditors and careful consideration and transparency of the non-audit services they provide, to ensure continued independent assurance. § 6.4.3.3 ¶ 3] | Audits and risk management | Testing | |
Evaluate the competency of auditors. CC ID 15253 | Audits and risk management | Human Resources Management | |
Review the audit program scope as it relates to the organization's profile. CC ID 01159 | Audits and risk management | Audits and Risk Management | |
Establish, implement, and maintain the audit plan. CC ID 01156 | Audits and risk management | Testing | |
Document and justify any exclusions from the scope of the risk management activities in the risk management program. CC ID 15336 | Audits and risk management | Business Processes | |
Analyze the risk management strategy for addressing requirements. CC ID 12926 | Audits and risk management | Audits and Risk Management | |
Analyze the risk management strategy for addressing threats. CC ID 12925 | Audits and risk management | Audits and Risk Management | |
Analyze the risk management strategy for addressing opportunities. CC ID 12924 | Audits and risk management | Audits and Risk Management | |
Employ third parties when implementing a risk assessment, as necessary. CC ID 16306 | Audits and risk management | Human Resources Management | |
Include an analysis of system interdependencies in the threat and risk classification scheme. CC ID 13056 | Audits and risk management | Investigate | |
Review the risk profiles, as necessary. CC ID 16561 | Audits and risk management | Audits and Risk Management | |
Update the risk assessment upon discovery of a new threat. CC ID 00708 | Audits and risk management | Establish/Maintain Documentation | |
Update the risk assessment upon changes to the risk profile. CC ID 11627 | Audits and risk management | Establish/Maintain Documentation | |
Conduct external audits of risk assessments, as necessary. CC ID 13308 | Audits and risk management | Audits and Risk Management | |
Evaluate the effectiveness of threat and vulnerability management procedures. CC ID 13491 | Audits and risk management | Investigate | |
Conduct a Business Impact Analysis, as necessary. CC ID 01147 | Audits and risk management | Audits and Risk Management | |
Assess the potential level of business impact risk associated with each business process. CC ID 06463 [{be dependent}{environmental system}{social system}The governing body should ensure that the organization protects and restores those systems on which it depends. In this regard, the governing body should consider and manage risk associated with those decisions it makes that can impact the natural environmental, social and economic systems (see 6.9). While doing so, the governing body should ensure that relevant stakeholders are consulted and engaged (see 6.6). This should provide clarity regarding the impact the governing body's decisions have, over time, on those aspects on which the organization is: directly dependent; § 6.11.3.4 ¶ 1 Bullet 1 {be independent}{environmental system}{social system}The governing body should ensure that the organization protects and restores those systems on which it depends. In this regard, the governing body should consider and manage risk associated with those decisions it makes that can impact the natural environmental, social and economic systems (see 6.9). While doing so, the governing body should ensure that relevant stakeholders are consulted and engaged (see 6.6). This should provide clarity regarding the impact the governing body's decisions have, over time, on those aspects on which the organization is: not directly dependent but whose ability to be sustained will be affected by the governing body's decisions. § 6.11.3.4 ¶ 1 Bullet 2] | Audits and risk management | Audits and Risk Management | |
Assess the potential level of business impact risk associated with the business environment. CC ID 06464 [The governing body should ensure that the value generation objectives are delivered by the organization as a whole, by applying all other principles in this document. This includes ensuring that: the impacts of the organization's changing context are identified, understood, monitored and appropriate action is taken; § 6.2.3.4 ¶ 1 b) {be responsible}{be accurate}The governing body should ensure that the organizational risk framework, in respect to the management of risk: mandates that relevant stakeholders are engaged responsibly and accurately, and considers the organization's positive and negative risk impacts on them (see 6.6). § 6.9.3.2 ¶ 2 h) {positive impact}The governing body should ensure that the organization's value generation model identifies and assesses (see 6.2): the organization's positive and negative impacts on these systems. § 6.11.3.3 ¶ 1 c) {external context}The governing body should ensure that the organizational risk framework, in respect to the management of risk: considers the impact of, changes to and dependencies on the external and internal context of the organization, including: § 6.9.3.2 ¶ 2 d) {social context}{internal context}When setting the strategic outcomes and guiding the organizational strategy, the governing body should consider the organization's internal and external context, including: the interdependence between the natural environment, social and economic context – the organization's material impact on the context and its material impact on the organization; § 6.3.3.1.1 ¶ 2 e) {internal context}When setting the strategic outcomes and guiding the organizational strategy, the governing body should consider the organization's internal and external context, including: the organization's impact on stakeholders; § 6.3.3.1.1 ¶ 2 h) Defining the organizational purpose involves identifying the issues and stakeholders for which the organization exists to serve and the negative impacts that are to be avoided. When identifying these, the governing body should ensure that the following are considered: § 6.1.3.2 ¶ 1] | Audits and risk management | Audits and Risk Management | |
Assess the potential level of business impact risk associated with business information of in scope systems. CC ID 06465 | Audits and risk management | Audits and Risk Management | |
Identify changes to in scope systems that could threaten communication between business units. CC ID 13173 | Audits and risk management | Investigate | |
Assess the potential business impact risk of in scope systems caused by deliberate threats to their confidentiality, integrity, and availability. CC ID 06466 | Audits and risk management | Audits and Risk Management | |
Assess the potential level of business impact risk caused by accidental threats to the confidentiality, integrity and availability of critical systems. CC ID 06467 | Audits and risk management | Audits and Risk Management | |
Assess the potential level of business impact risk associated with reputational damage. CC ID 15335 | Audits and risk management | Audits and Risk Management | |
Assess the potential level of business impact risk associated with insider threats. CC ID 06468 | Audits and risk management | Audits and Risk Management | |
Assess the potential level of business impact risk associated with external entities. CC ID 06469 | Audits and risk management | Audits and Risk Management | |
Assess the potential level of business impact risk associated with natural disasters. CC ID 06470 | Audits and risk management | Actionable Reports or Measurements | |
Assess the potential level of business impact risk associated with control weaknesses. CC ID 06471 | Audits and risk management | Audits and Risk Management | |
Perform a gap analysis to review in scope controls for identified risks and implement new controls, as necessary. CC ID 00704 | Audits and risk management | Establish/Maintain Documentation | |
Analyze the effect of threats on organizational strategies and objectives. CC ID 12850 | Audits and risk management | Process or Activity | |
Analyze the effect of opportunities on organizational strategies and objectives. CC ID 12849 | Audits and risk management | Process or Activity | |
Determine the effectiveness of risk control measures. CC ID 06601 | Audits and risk management | Testing | |
Analyze the impact of artificial intelligence systems on society. CC ID 16317 | Audits and risk management | Audits and Risk Management | |
Analyze the impact of artificial intelligence systems on individuals. CC ID 16316 | Audits and risk management | Audits and Risk Management | |
Analyze supply chain risk management procedures, as necessary. CC ID 13198 | Audits and risk management | Process or Activity | |
Disallow application IDs from running as privileged users. CC ID 10050 | Technical security | Configuration | |
Perform a risk assessment prior to activating third party access to the organization's critical systems. CC ID 06455 | Technical security | Testing | |
Evaluate all possible continuity risks and impacts as a part of the continuity framework. CC ID 06374 [{internal context}When setting the strategic outcomes and guiding the organizational strategy, the governing body should consider the organization's internal and external context, including: the organization's strengths, weaknesses, competitive positioning and operational resilience; § 6.3.3.1.1 ¶ 2 i)] | Operational and Systems Continuity | Systems Continuity | |
Employ individuals who have the appropriate staff qualifications, staff clearances, and staff competencies. CC ID 00782 [The composition and structure of the governing body will vary between organizations. However, the governing body, as a collective, should remain suitably equipped to fulfil its role. Appointments to the governing body should be transparent to stakeholders and consider: competence (relevant knowledge and understanding, skills and experience); § 4.3.1 ¶ 1 Bullet 1 The governing body should: ensure it has the right combination of knowledge, skills and experience to understand the operations of the organization and the markets in which it operates; § 4.3.2 ¶ 2 a) The composition and structure of the governing body will vary between organizations. However, the governing body, as a collective, should remain suitably equipped to fulfil its role. Appointments to the governing body should be transparent to stakeholders and consider: § 4.3.1 ¶ 1 {be adequate} The governing body is accountable for establishing and maintaining an integrated organizational governance framework across the organization that coordinates these governance activities such that the organization realizes effective performance, responsible stewardship and ethical behaviour. This organizational governance framework should ensure that decision-makers have appropriate authority, competence and resources for the responsibilities given to them. Effective delegation and transparent decision-making empower personnel to act appropriately, resulting in a more resilient and agile organization. Controls and subsequent improvement actions should be planned and implemented to ensure that the governance system remains adequate for the organization's purpose. § 4.2.1 ¶ 2] | Human Resources management | Testing | |
Perform security skills assessments for all critical employees. CC ID 12102 | Human Resources management | Human Resources Management | |
Perform a background check during personnel screening. CC ID 11758 | Human Resources management | Human Resources Management | |
Document the personnel risk assessment results. CC ID 11764 | Human Resources management | Establish/Maintain Documentation | |
Perform periodic background checks on designated roles, as necessary. CC ID 11759 | Human Resources management | Human Resources Management | |
Document the security clearance procedure results. CC ID 01635 | Human Resources management | Establish/Maintain Documentation | |
Document and communicate role descriptions to all applicable personnel. CC ID 00776 | Human Resources management | Establish Roles | |
Assign and staff all roles appropriately. CC ID 00784 | Human Resources management | Testing | |
Implement segregation of duties in roles and responsibilities. CC ID 00774 | Human Resources management | Testing | |
Evaluate the staffing requirements regularly. CC ID 00775 | Human Resources management | Business Processes | |
Scan devices for malicious code when an individual returns from locations deemed to be of risk. CC ID 10599 | Human Resources management | Process or Activity | |
Include the legal intellectual property responsibilities in the Code of Conduct. CC ID 04898 | Human Resources management | Establish/Maintain Documentation | |
Establish, implement, and maintain performance reviews. CC ID 14777 [The governing body should oversee organizational performance by assessing and taking corrective action based on: managerial reporting and performance, ensuring that it appraises results against applicable measurement criteria and its intentions and expectations (see 6.3.3); § 6.4.3.2 ¶ 1 b) The governing body should oversee organizational performance by assessing and taking corrective action based on: resource allocations, capacity and capabilities (including people and their development) ensuring that the organization is enabled to meet its organizational purpose, value generation objectives and strategic outcomes; § 6.4.3.2 ¶ 1 g)] | Human Resources management | Business Processes | |
Conduct performance reviews for the board of directors and board committees, as necessary. CC ID 14783 | Human Resources management | Human Resources Management | |
Conduct staff performance reviews, as necessary. CC ID 07205 [{individual}The governing body should steer the organizational strategy by means of: monitoring, evaluating and developing the capacities and competencies of those to whom the governing body has delegated; § 6.3.3.2.2 ¶ 2 g)] | Human Resources management | Business Processes | |
Analyze the documentation produced by staff during the performance review. CC ID 07207 | Human Resources management | Establish/Maintain Documentation | |
Review the relevance of information supporting internal controls. CC ID 12420 | Operational management | Business Processes | |
Include emergency response procedures in the internal control framework. CC ID 06779 | Operational management | Establish/Maintain Documentation | |
Review and approve access controls, as necessary. CC ID 13074 | Operational management | Process or Activity | |
Perform social network analysis, as necessary. CC ID 14864 | Operational management | Investigate | |
Include individual commitment to the organization's Governance, Risk, and Compliance framework in the analysis of the organizational culture. CC ID 12922 | Operational management | Process or Activity | |
Include the organizational climate in the analysis of the organizational culture. CC ID 12921 | Operational management | Process or Activity | |
Include consistency of leadership actions to mission, vision, and values in the analysis of the organizational culture. CC ID 12920 [Ethical and effective leadership is demonstrated when the governing body: behaves in a manner consistent with the defined organizational values; § 6.7.3.1 ¶ 3 Bullet 2 {internal context}When setting the strategic outcomes and guiding the organizational strategy, the governing body should consider the organization's internal and external context, including: the organizational purpose, the application of the organizational values and the organization's value generation model; § 6.3.3.1.1 ¶ 2 a) Within the governing body: The members of the governing body should demonstrate that they are behaving in a manner consistent with the organizational values. § 6.7.3.3 ¶ 1 a) The governing body should oversee organizational performance by assessing and taking corrective action based on: whether the organizational values and governance policies are effectively guiding the organization, its culture and its ethical behaviour; § 6.4.3.2 ¶ 1 a)] | Operational management | Process or Activity | |
Include all electronic storage media containing restricted data or restricted information in the storage media inventory. CC ID 00962 | Operational management | Establish/Maintain Documentation | |
Employ Dynamic Host Configuration Protocol server logging to detect systems not in the asset inventory. CC ID 12110 | Operational management | Technical Security | |
Test systems for malicious code prior to when the system will be redeployed. CC ID 06339 | Operational management | Testing | |
Control and monitor all maintenance tools. CC ID 01432 | Operational management | Physical and Environmental Protection | |
Conduct maintenance with authorized personnel. CC ID 01434 | Operational management | Testing | |
Calibrate assets according to the calibration procedures for the asset. CC ID 06203 | Operational management | Testing | |
Test for detrimental environmental factors after a system is disposed. CC ID 06938 | Operational management | Testing | |
Analyze the incident response process following an incident response. CC ID 13179 [The governing body should oversee organizational performance by assessing and taking corrective action based on: the organization's management of plans, organizational changes and other substantial transformations as well as responses to unplanned events and incidents. § 6.4.3.2 ¶ 1 j)] | Operational management | Investigate | |
Use proactive performance management. CC ID 00937 | Operational management | Business Processes | |
Utilize resource availability management controls. CC ID 00940 | Operational management | Business Processes | |
Identify and allocate departmental costs. CC ID 00871 | Operational management | Business Processes | |
Justify the system's cost and benefit. CC ID 00874 [Issues of particular concern to a governing body are where the organization benefits but where the costs for that benefit are incurred by another party. These are sometimes referred to as "negative externalities" or "unpriced impacts" and can be both financial or non-financial in nature. In such cases, the governing body should account for these benefits. § 6.10.3 ¶ 2] | Operational management | Business Processes | |
Ensure data sets have the appropriate characteristics. CC ID 15000 | Records management | Data and Information Management | |
Ensure data sets are complete, are accurate, and are relevant. CC ID 14999 | Records management | Data and Information Management | |
Establish, implement, and maintain data accuracy controls. CC ID 00921 [To exercise effective oversight, the governing body should: assure itself of the accuracy of reports and evidence it receives, and the effectiveness of the internal control system. § 6.4.3.1 ¶ 1 d) The governing body should make decisions of requisite quality and ensure that its decision-making is appropriately informed. The governing body should: ensure that assurance is provided over the integrity of the data and information received, and in particular its accuracy and completeness; § 6.8.3.2.1 ¶ 1 g)] | Records management | Monitor and Evaluate Occurrences | |
Compare each record's data input to its final form. CC ID 11813 | Records management | Records Management | |
Include complete information in the take-down request. CC ID 09965 | Acquisition or sale of facilities, technology, and services | Business Processes | |
Include the complainant's contact information in the take-down request. CC ID 09966 | Acquisition or sale of facilities, technology, and services | Business Processes | |
Include the identification of unlawful material or unlawful activities in the take-down request. CC ID 09967 | Acquisition or sale of facilities, technology, and services | Business Processes | |
Include the identification of the right that has allegedly been infringed in the take-down request. CC ID 09968 | Acquisition or sale of facilities, technology, and services | Business Processes | |
Include the remedial action required to be taken in respect of the complaint in the take-down request. CC ID 09969 | Acquisition or sale of facilities, technology, and services | Business Processes | |
Include a statement that the complainant is acting in good faith in the take-down request. CC ID 09971 | Acquisition or sale of facilities, technology, and services | Business Processes | |
Include the written signature or electronic signature of the complainant in the take-down request. CC ID 09972 | Acquisition or sale of facilities, technology, and services | Business Processes | |
Analyze the digital content hosted by the organization for any electronic material associated with the take-down request. CC ID 09974 | Acquisition or sale of facilities, technology, and services | Business Processes | |
Notify the individual of the reasons for delays in responding to data access requests. CC ID 00422 | Privacy protection for information and data | Behavior | |
Notify the individual when a cost is imposed which must be paid in advance to gain access. CC ID 00423 | Privacy protection for information and data | Behavior | |
Determine the financial impact for the unauthorized disclosure of privacy-related data and privacy-related information. CC ID 06488 | Privacy protection for information and data | Business Processes | |
Confirm the data quality of personal data collected from third parties. CC ID 13510 | Privacy protection for information and data | Investigate | |
Review the methods for collecting personal data, as necessary. CC ID 13511 | Privacy protection for information and data | Investigate | |
Refrain from storing data elements containing payment card full magnetic stripe data. CC ID 04757 | Privacy protection for information and data | Testing | |
Conduct personal data risk assessments. CC ID 00357 | Privacy protection for information and data | Testing | |
Establish, implement, and maintain suspicious document procedures. CC ID 04852 | Privacy protection for information and data | Establish/Maintain Documentation | |
Establish, implement, and maintain suspicious personal data procedures. CC ID 04853 | Privacy protection for information and data | Data and Information Management | |
Compare certain personal data such as name, date of birth, address, driver's license, or other identification against personal data on file for the applicant. CC ID 04855 | Privacy protection for information and data | Data and Information Management | |
Establish, implement, and maintain suspicious user account activity procedures. CC ID 04854 | Privacy protection for information and data | Monitor and Evaluate Occurrences | |
Perform an identity check prior to approving an account change request. CC ID 13670 | Privacy protection for information and data | Investigate | |
Use the contact information on file to contact the individual identified in an account change request. CC ID 04857 | Privacy protection for information and data | Behavior | |
Match consumer reports with current accounts on file to ensure account misuse or information misuse has not occurred. CC ID 04873 | Privacy protection for information and data | Data and Information Management | |
Log account access dates and report when dormant accounts suddenly exhibit unusual activity. CC ID 04874 | Privacy protection for information and data | Log Management | |
Log dates for account name changes or address changes. CC ID 04876 | Privacy protection for information and data | Log Management | |
Review accounts that are changed for additional user requests. CC ID 11846 | Privacy protection for information and data | Monitor and Evaluate Occurrences | |
Send change notices for change of address requests to the old address and the new address. CC ID 04877 | Privacy protection for information and data | Data and Information Management | |
Search the Internet for evidence of data leakage. CC ID 10419 | Privacy protection for information and data | Process or Activity | |
Review monitored websites for data leakage. CC ID 10593 | Privacy protection for information and data | Monitor and Evaluate Occurrences | |
Document supply chain dependencies in the supply chain management program. CC ID 08900 [{external context}The governing body should ensure that the organizational risk framework, in respect to the management of risk: considers the impact of, changes to and dependencies on the external and internal context of the organization, including: § 6.9.3.2 ¶ 2 d)] | Third Party and supply chain oversight | Establish/Maintain Documentation | |
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | TYPE | |
---|---|---|---|
Leadership and high level objectives CC ID 00597 | Leadership and high level objectives | IT Impact Zone | |
Monitoring and measurement CC ID 00636 | Monitoring and measurement | IT Impact Zone | |
Audits and risk management CC ID 00677 | Audits and risk management | IT Impact Zone | |
Technical security CC ID 00508 | Technical security | IT Impact Zone | |
Operational and Systems Continuity CC ID 00731 | Operational and Systems Continuity | IT Impact Zone | |
Human Resources management CC ID 00763 | Human Resources management | IT Impact Zone | |
Operational management CC ID 00805 | Operational management | IT Impact Zone | |
Records management CC ID 00902 | Records management | IT Impact Zone | |
Acquisition or sale of facilities, technology, and services CC ID 01123 | Acquisition or sale of facilities, technology, and services | IT Impact Zone | |
Privacy protection for information and data CC ID 00008 | Privacy protection for information and data | IT Impact Zone | |
Third Party and supply chain oversight CC ID 08807 | Third Party and supply chain oversight | IT Impact Zone | |
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | TYPE | |
---|---|---|---|
Establish, implement, and maintain a reporting methodology program. CC ID 02072 [The governing body should: set an expectation of the appropriate quality and quantity of measurement and timeliness of delivery when establishing objectives; § 4.3.2 ¶ 2 c) The governing body should: determine the most appropriate reporting methodologies for the organization, given the expectations of its relevant stakeholders; § 6.5.3.2 ¶ 2 Bullet 1 The governing body should consider the expectations of relevant stakeholder groups whether the organization is obliged to do so (e.g. member stakeholders, regulators) or whether it chooses to do so (e.g. reference stakeholders). The governing body should ensure that: reporting is coherent so that stakeholders can effectively assess the organization's governance arrangements (see 6.5.3). § 6.6.3 ¶ 3 f) To demonstrate accountability, the governing body should ensure that the organization's reports and disclosures: report on historic actions and outcomes, as well as future intentions. § 6.5.3.2 ¶ 1 h) {be complete}{be understandable}{be responsive}{be accurate}{be timely}The governing body should: ensure that reported information and disclosed information are material, complete, understandable, responsive, accurate, balanced and timely; § 6.5.3.2 ¶ 2 Bullet 2] | Leadership and high level objectives | Business Processes | |
Establish, implement, and maintain communication protocols. CC ID 12245 [The governing body should consider the expectations of relevant stakeholder groups whether the organization is obliged to do so (e.g. member stakeholders, regulators) or whether it chooses to do so (e.g. reference stakeholders). The governing body should ensure that: an open and transparent communication culture within the organization is created and maintained to help bridge the gap between diverse stakeholder groups and varying perspectives based on, for example, gender, age, belief systems or cognitive abilities; § 6.6.3 ¶ 3 e) The governing body should ensure that the organization's value generation model (see 6.2): identifies the key resources (e.g. capitals such as human, social and relational, intellectual, the natural environmental, financial and manufactured), structures, processes, relationships, information, decision-making, reporting and other aspects of the organization that allow it to create sustained value for relevant stakeholders; § 6.11.3.2 ¶ 1 a) Assurance processes that inform the governing body independently and accurately include: whistleblowing processes and personnel and customer feedback mechanisms, both formal and informal (see NOTE 3). § 6.4.3.3 ¶ 2 Bullet 5] | Leadership and high level objectives | Establish/Maintain Documentation | |
Use secure communication protocols for telecommunications. CC ID 16458 | Leadership and high level objectives | Business Processes | |
Align the information being disseminated and communicated with the communication requirements according to the organization's communication protocol. CC ID 12419 [{be within}To demonstrate accountability, the governing body should ensure that the organization's reports and disclosures: are transparent but also within the limits of confidentiality; § 6.5.3.2 ¶ 1 f) The governing body should make decisions of requisite quality and ensure that its decision-making is appropriately informed. The governing body should: exercise its right and responsibility to determine and receive the information it requires, including determining the appropriate data collection methods, preparation and timely delivery of information; § 6.8.3.2.1 ¶ 1 f)] | Leadership and high level objectives | Establish/Maintain Documentation | |
Include external requirements in the organization's communication protocol. CC ID 12418 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include disseminating and communicating events surrounding instances of desirable conduct and undesirable conduct in the communication protocols. CC ID 12824 | Leadership and high level objectives | Communicate | |
Include input from interested personnel and affected parties as a part of the organization's communication protocol. CC ID 12417 [When defining the organizational values, the governing body should ensure that: all relevant stakeholders are engaged; § 6.1.3.3 ¶ 1 a) For accountability to be effective, it relies on effective stakeholder engagement (see 6.6) as this is the basis for effective dialogue, value generation and improvement. The governing body should be available to answer to relevant stakeholders about decisions made and have responses evaluated. Improvements should be applied as the result of feedback from reporting, disclosure and dialogue activities. § 6.5.3.2 ¶ 3 The governing body should ensure that the organization's stakeholders are appropriately engaged and their expectations considered. § 6.6.1 ¶ 1 The governing body should ensure that the organization's stakeholders are identified, prioritized, appropriately engaged, consulted and their expectations understood. The governing body should do this to ensure that stakeholder relationships are effective and appropriate decisions about expectations are made to achieve the intended value generation objectives. § 6.6.3 ¶ 1 {stakeholder engagement process}To ensure that the organization is acting in a socially responsible way, the governing body should: ensure that the expectations of stakeholders are clearly understood; this includes continually engaging relevant stakeholders through an engagement process and a highly developed approach to accountability (see 6.5); § 6.10.3 ¶ 1 a) To ensure that the organization is acting in a socially responsible way, the governing body should: engage with all relevant stakeholders when establishing and reviewing governance policies; § 6.10.3 ¶ 1 e) The governing body should ensure that the organization's stakeholders are appropriately engaged and their expectations considered. Table 1 Column 4 Row 7 {be responsible}{be accurate}The governing body should ensure that the organizational risk framework, in respect to the management of risk: mandates that relevant stakeholders are engaged responsibly and accurately, and considers the organization's positive and negative risk impacts on them (see 6.6). § 6.9.3.2 ¶ 2 h) The governing body should consider the expectations of relevant stakeholder groups whether the organization is obliged to do so (e.g. member stakeholders, regulators) or whether it chooses to do so (e.g. reference stakeholders). The governing body should ensure that: relevant stakeholders are engaged in achieving the organizational purpose via its organizational strategy; § 6.6.3 ¶ 3 a) To ensure that the organization is acting in a socially responsible way, the governing body should: engage with all relevant stakeholders when determining and reviewing the organizational values and promote the organizational values to stakeholders; § 6.10.3 ¶ 1 d) {environmental system}{social system} The governing body should ensure that the organization protects and restores those systems on which it depends. In this regard, the governing body should consider and manage risk associated with those decisions it makes that can impact the natural environmental, social and economic systems (see 6.9). While doing so, the governing body should ensure that relevant stakeholders are consulted and engaged (see 6.6). This should provide clarity regarding the impact the governing body's decisions have, over time, on those aspects on which the organization is: § 6.11.3.4 ¶ 1] | Leadership and high level objectives | Establish/Maintain Documentation | |
Establish, implement, and maintain a corrective action plan to address barriers to stakeholder engagement. CC ID 15677 | Leadership and high level objectives | Process or Activity | |
Identify barriers to stakeholder engagement. CC ID 15676 | Leadership and high level objectives | Process or Activity | |
Identify alternative measures for collecting stakeholder input, as necessary. CC ID 15672 | Leadership and high level objectives | Communicate | |
Include disseminating and communicating conditions surrounding instances of desirable conduct and undesirable conduct in the communication protocols. CC ID 12804 | Leadership and high level objectives | Communicate | |
Include methods to obtain information from interested personnel and affected parties about performance variances in the communication protocol. CC ID 12856 | Leadership and high level objectives | Process or Activity | |
Include disseminating and communicating desirable conduct in the communication protocols. CC ID 12803 | Leadership and high level objectives | Communicate | |
Include disseminating and communicating undesirable conduct in communication protocols. CC ID 12802 | Leadership and high level objectives | Communicate | |
Route notifications, as necessary. CC ID 12832 | Leadership and high level objectives | Process or Activity | |
Substantiate notifications, as necessary. CC ID 12831 | Leadership and high level objectives | Process or Activity | |
Analyze the flow of information to ensure it is being received by the correct processes. CC ID 12860 [The governing body should make decisions of requisite quality and ensure that its decision-making is appropriately informed. The governing body should: exercise its right and responsibility to determine and receive the information it requires, including determining the appropriate data collection methods, preparation and timely delivery of information; § 6.8.3.2.1 ¶ 1 f)] | Leadership and high level objectives | Business Processes | |
Prioritize notifications, as necessary. CC ID 12830 | Leadership and high level objectives | Process or Activity | |
Report to management and stakeholders on the findings and information gathered from all types of inquiries. CC ID 12797 [{be appropriate}When delegating, the governing body should delegate in a manner which increases trust and transparency. For delegation and accountability (see 6.5) to be effective, the governing body should ensure that the following conditions are fulfilled: outputs, outcomes and the processes to achieve the responsibilities are periodically reported and presented with evidence that actions taken are reasonable and appropriate; § 4.2.2 ¶ 2 d) The governing body should: report on the process and outcomes of assessments to relevant stakeholders (see 6.5.3). § 4.3.2 ¶ 2 e) Ethical behaviour — The organization behaves in accordance with accepted principles of right or good conduct in the context of a particular situation and in a manner consistent with international norms of behaviour, including demonstrating: accountability through accurate and timely reporting on its performance and stewardship of resources; § 5 ¶ 2 c) 2) To demonstrate accountability, the governing body should ensure that the organization's reports and disclosures: provide information about the organization, including: § 6.5.3.2 ¶ 1 c) The governing body should demonstrate accountability by retaining and distributing value in a transparent manner and reporting on the associated processes, decisions and results, including on the extent of the organization's impacts over time. This includes disclosing to relevant stakeholders where the organization has destroyed or compromised value, providing a justification for such where appropriate, and describing how it will redress or reinstate that value. § 6.2.3.5 ¶ 2] | Leadership and high level objectives | Actionable Reports or Measurements | |
Disseminate and communicate internal controls with supply chain members. CC ID 12416 | Leadership and high level objectives | Communicate | |
Establish and maintain the organization's survey method. CC ID 12869 | Leadership and high level objectives | Process or Activity | |
Document the findings from surveys. CC ID 16309 | Leadership and high level objectives | Establish/Maintain Documentation | |
Provide a consolidated view of information in the organization's survey method. CC ID 12894 | Leadership and high level objectives | Process or Activity | |
Establish, implement, and maintain warning procedures that follow the organization's communication protocol. CC ID 12407 | Leadership and high level objectives | Establish/Maintain Documentation | |
Establish, implement, and maintain alert procedures that follow the organization's communication protocol. CC ID 12406 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include the capturing and alerting of compliance violations in the notification system. CC ID 12962 | Leadership and high level objectives | Monitor and Evaluate Occurrences | |
Include the capturing and alerting of unethical conduct in the notification system. CC ID 12932 | Leadership and high level objectives | Monitor and Evaluate Occurrences | |
Include the capturing and alerting of performance variances in the notification system. CC ID 12929 | Leadership and high level objectives | Monitor and Evaluate Occurrences | |
Include the capturing and alerting of weaknesses in the notification system. CC ID 12928 | Leadership and high level objectives | Monitor and Evaluate Occurrences | |
Include the capturing and alerting of account activity in the notification system. CC ID 15314 | Leadership and high level objectives | Monitor and Evaluate Occurrences | |
Establish, implement, and maintain an internal reporting program. CC ID 12409 [{individual}To exercise effective oversight, the governing body should: require those to whom they have delegated to provide timely and accurate reports on all material aspects of the management of the organization; § 6.4.3.1 ¶ 1 a) The governing body should oversee organizational performance by assessing and taking corrective action based on: managerial reporting and performance, ensuring that it appraises results against applicable measurement criteria and its intentions and expectations (see 6.3.3); § 6.4.3.2 ¶ 1 b) The governing body should make decisions of requisite quality and ensure that its decision-making is appropriately informed. The governing body should: exercise its right and responsibility to determine and receive the information it requires, including determining the appropriate data collection methods, preparation and timely delivery of information; § 6.8.3.2.1 ¶ 1 f)] | Leadership and high level objectives | Business Processes | |
Include transactions and events as a part of internal reporting. CC ID 12413 | Leadership and high level objectives | Business Processes | |
Disseminate and communicate management's choices for managing the organization as a part of internal reporting. CC ID 12412 [To demonstrate accountability, the governing body should ensure that the organization's reports and disclosures: provide information about the governing body itself, including: the fulfilment of its responsibilities, including the consequences of not fulfilling its obligations; § 6.5.3.2 ¶ 1 b) 2) To demonstrate accountability, the governing body should ensure that the organization's reports and disclosures: provide information about the organization, including: the way in which the organization's performance was achieved and whether this performance was reasonable given the organization's changing context governance policies, including organizational values; § 6.5.3.2 ¶ 1 c) 2) To demonstrate accountability, the governing body should ensure that the organization's reports and disclosures: explain and justify the organization's actions, inactions, omissions, risk and dependencies, including those of the governing body; § 6.5.3.2 ¶ 1 g) To demonstrate accountability, the governing body should ensure that the organization's reports and disclosures: provide information about the governing body itself, including: decisions, actions, performance and improvements; § 6.5.3.2 ¶ 1 b) 1)] | Leadership and high level objectives | Communicate | |
Enforce a precision level for non-financial reporting based on user need and appropriate supply chain criteria. CC ID 12399 | Leadership and high level objectives | Establish/Maintain Documentation | |
Define the thresholds for escalation in the internal reporting program. CC ID 14332 | Leadership and high level objectives | Establish/Maintain Documentation | |
Define the thresholds for reporting in the internal reporting program. CC ID 14331 | Leadership and high level objectives | Establish/Maintain Documentation | |
Establish, implement, and maintain an external reporting program. CC ID 12876 | Leadership and high level objectives | Communicate | |
Provide identifying information about the organization to the responsible party. CC ID 16715 | Leadership and high level objectives | Communicate | |
Identify the material topics required to be reported on. CC ID 15654 | Leadership and high level objectives | Business Processes | |
Check the list of material topics for completeness. CC ID 15692 | Leadership and high level objectives | Investigate | |
Prioritize material topics used in reporting. CC ID 15678 | Leadership and high level objectives | Communicate | |
Review and approve the material topics, as necessary. CC ID 15670 | Leadership and high level objectives | Process or Activity | |
Define the thresholds for reporting in the external reporting program. CC ID 15679 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include time requirements in the external reporting program. CC ID 16566 | Leadership and high level objectives | Communicate | |
Include information about the organizational culture in the external reporting program. CC ID 15610 [To demonstrate accountability, the governing body should ensure that the organization's reports and disclosures: provide information about the organization, including: the organizational culture, including the organizational behaviour and perceptions of the organization's behaviour provided by relevant stakeholders; § 6.5.3.2 ¶ 1 c) 5)] | Leadership and high level objectives | Establish/Maintain Documentation | |
Include reporting to governing bodies in the external reporting plan. CC ID 12923 | Leadership and high level objectives | Communicate | |
Submit confidential treatment applications to interested personnel and affected parties. CC ID 16592 | Leadership and high level objectives | Communicate | |
Include the reasons for objections to public disclosure in confidential treatment applications. CC ID 16594 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include contact information for the interested personnel and affected parties the report was filed with in the confidential treatment application. CC ID 16595 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include the information that was omitted in the confidential treatment application. CC ID 16593 | Leadership and high level objectives | Establish/Maintain Documentation | |
Analyze organizational objectives, functions, and activities. CC ID 00598 [When applying the governance principles and deciding how to appropriately implement the practices, the governing body should take into consideration the unique and dynamic nature of the organization and its context, including the following: characteristics of the organization such as organizational type, structure, size, interdependencies, complexity, culture and its expected future progression; § 5 ¶ 5 Bullet 4 Defining the organizational purpose involves identifying the issues and stakeholders for which the organization exists to serve and the negative impacts that are to be avoided. When identifying these, the governing body should ensure that the following are considered: the historic, current and aspirational core identity of the organization, including the organizational values and expected ethical behaviour; § 6.1.3.2 ¶ 1 b)] | Leadership and high level objectives | Monitor and Evaluate Occurrences | |
Develop instructions for setting organizational objectives and strategies. CC ID 12931 | Leadership and high level objectives | Establish/Maintain Documentation | |
Analyze the business environment in which the organization operates. CC ID 12798 [When applying the governance principles and deciding how to appropriately implement the practices, the governing body should take into consideration the unique and dynamic nature of the organization and its context, including the following: § 5 ¶ 5 Defining the organizational purpose involves identifying the issues and stakeholders for which the organization exists to serve and the negative impacts that are to be avoided. When identifying these, the governing body should ensure that the following are considered: existing documentation relating to the organizational purpose and the scope of the organization's activities, such as constituting documents or other artefacts; § 6.1.3.2 ¶ 1 a) Take steps to become appropriately informed of all aspects of the organization and the context within which it operates (such as legal, natural environment, social, economic, technical and personnel). Table 2 Column 2 Row 3 Bullet 1] | Leadership and high level objectives | Business Processes | |
Identify the internal factors that may affect organizational objectives. CC ID 12957 | Leadership and high level objectives | Process or Activity | |
Include key processes in the analysis of the internal business environment. CC ID 12947 | Leadership and high level objectives | Process or Activity | |
Include existing information in the analysis of the internal business environment. CC ID 12943 | Leadership and high level objectives | Process or Activity | |
Include resources in the analysis of the internal business environment. CC ID 12942 [{internal context}When setting the strategic outcomes and guiding the organizational strategy, the governing body should consider the organization's internal and external context, including: the organization's need for, and access to, resources, including financial resources; § 6.3.3.1.1 ¶ 2 f)] | Leadership and high level objectives | Process or Activity | |
Include the operating plan in the analysis of the internal business environment. CC ID 12941 | Leadership and high level objectives | Process or Activity | |
Include incentives in the analysis of the internal business environment. CC ID 12940 | Leadership and high level objectives | Process or Activity | |
Include organizational structures in the analysis of the internal business environment. CC ID 12939 | Leadership and high level objectives | Process or Activity | |
Include the strategic plan in the analysis of the internal business environment. CC ID 12937 [When applying the governance principles and deciding how to appropriately implement the practices, the governing body should take into consideration the unique and dynamic nature of the organization and its context, including the following: value generation model and organizational strategy; § 5 ¶ 5 Bullet 5] | Leadership and high level objectives | Process or Activity | |
Include strengths and weaknesses in the analysis of the internal business environment. CC ID 12936 [Defining the organizational purpose involves identifying the issues and stakeholders for which the organization exists to serve and the negative impacts that are to be avoided. When identifying these, the governing body should ensure that the following are considered: organizational capabilities and opportunities. § 6.1.3.2 ¶ 1 e) {internal context}When setting the strategic outcomes and guiding the organizational strategy, the governing body should consider the organization's internal and external context, including: the organization's strengths, weaknesses, competitive positioning and operational resilience; § 6.3.3.1.1 ¶ 2 i)] | Leadership and high level objectives | Process or Activity | |
Align assets with business functions and the business environment. CC ID 13681 | Leadership and high level objectives | Business Processes | |
Disseminate and communicate the organization's business environment and place in its industry sector. CC ID 13200 | Leadership and high level objectives | Communicate | |
Monitor for changes which affect organizational strategies in the internal business environment. CC ID 12863 | Leadership and high level objectives | Monitor and Evaluate Occurrences | |
Monitor for changes which affect organizational objectives in the internal business environment. CC ID 12862 [{external context}The governing body should ensure that the organizational risk framework, in respect to the management of risk: considers the impact of, changes to and dependencies on the external and internal context of the organization, including: § 6.9.3.2 ¶ 2 d)] | Leadership and high level objectives | Monitor and Evaluate Occurrences | |
Analyze the external environment in which the organization operates. CC ID 12799 [Responsible stewardship — The organization: considers the global context; § 5 ¶ 2 b) 3) {social context}{internal context}When setting the strategic outcomes and guiding the organizational strategy, the governing body should consider the organization's internal and external context, including: the interdependence between the natural environment, social and economic context – the organization's material impact on the context and its material impact on the organization; § 6.3.3.1.1 ¶ 2 e)] | Leadership and high level objectives | Business Processes | |
Identify the external forces that may affect organizational objectives. CC ID 12960 [The governing body should ensure that the organization's value generation model identifies and assesses (see 6.2): the relevant external systems on which the organization depends; § 6.11.3.3 ¶ 1 a)] | Leadership and high level objectives | Process or Activity | |
Monitor for changes which affect organizational strategies in the external environment. CC ID 12880 | Leadership and high level objectives | Monitor and Evaluate Occurrences | |
Include environmental requirements in the analysis of the external environment. CC ID 12965 [While not defined as stakeholders, the natural environment and society as a whole should also be considered by the governing body in its decision-making because they affect or will be affected by the organization's activities. § 4.2.5 ¶ 2 {legal and regulatory context}{social context}When applying the governance principles and deciding how to appropriately implement the practices, the governing body should take into consideration the unique and dynamic nature of the organization and its context, including the following: legal, regulatory, natural environment, social and economic context; § 5 ¶ 5 Bullet 2 {social issue} In determining the value generation model, the governing body should understand the context in which the organization operates over time, including stakeholder expectations, regulatory frameworks, technological change, and the present and potential future natural environment, social and economic issues. The governing body should also ensure that the organization's value generation model continues to be viable and responds to changing conditions. § 6.2.3.1 ¶ 3] | Leadership and high level objectives | Business Processes | |
Monitor for changes which affect organizational objectives in the external environment. CC ID 12879 [{external context}The governing body should ensure that the organizational risk framework, in respect to the management of risk: considers the impact of, changes to and dependencies on the external and internal context of the organization, including: § 6.9.3.2 ¶ 2 d)] | Leadership and high level objectives | Monitor and Evaluate Occurrences | |
Include regulatory requirements in the analysis of the external environment. CC ID 12964 [{legal and regulatory context}{social context}When applying the governance principles and deciding how to appropriately implement the practices, the governing body should take into consideration the unique and dynamic nature of the organization and its context, including the following: legal, regulatory, natural environment, social and economic context; § 5 ¶ 5 Bullet 2 {social issue} In determining the value generation model, the governing body should understand the context in which the organization operates over time, including stakeholder expectations, regulatory frameworks, technological change, and the present and potential future natural environment, social and economic issues. The governing body should also ensure that the organization's value generation model continues to be viable and responds to changing conditions. § 6.2.3.1 ¶ 3] | Leadership and high level objectives | Business Processes | |
Include society in the analysis of the external environment. CC ID 12963 [While not defined as stakeholders, the natural environment and society as a whole should also be considered by the governing body in its decision-making because they affect or will be affected by the organization's activities. § 4.2.5 ¶ 2 {legal and regulatory context}{social context}When applying the governance principles and deciding how to appropriately implement the practices, the governing body should take into consideration the unique and dynamic nature of the organization and its context, including the following: legal, regulatory, natural environment, social and economic context; § 5 ¶ 5 Bullet 2 {social issue} In determining the value generation model, the governing body should understand the context in which the organization operates over time, including stakeholder expectations, regulatory frameworks, technological change, and the present and potential future natural environment, social and economic issues. The governing body should also ensure that the organization's value generation model continues to be viable and responds to changing conditions. § 6.2.3.1 ¶ 3] | Leadership and high level objectives | Business Processes | |
Include opportunities in the analysis of the external environment. CC ID 12954 | Leadership and high level objectives | Business Processes | |
Include third party relationships in the analysis of the external environment. CC ID 12952 | Leadership and high level objectives | Business Processes | |
Include industry forces in the analysis of the external environment. CC ID 12904 [{internal context}When setting the strategic outcomes and guiding the organizational strategy, the governing body should consider the organization's internal and external context, including: the organization's strengths, weaknesses, competitive positioning and operational resilience; § 6.3.3.1.1 ¶ 2 i)] | Leadership and high level objectives | Business Processes | |
Include threats in the analysis of the external environment. CC ID 12898 [Defining the organizational purpose involves identifying the issues and stakeholders for which the organization exists to serve and the negative impacts that are to be avoided. When identifying these, the governing body should ensure that the following are considered: important issues including global threats that evolve over time (e.g. climate change); § 6.1.3.2 ¶ 1 c)] | Leadership and high level objectives | Business Processes | |
Include geopolitics in the analysis of the external environment. CC ID 12897 | Leadership and high level objectives | Business Processes | |
Include legal requirements in the analysis of the external environment. CC ID 12896 | Leadership and high level objectives | Business Processes | |
Include technology in the analysis of the external environment. CC ID 12837 [{social issue} In determining the value generation model, the governing body should understand the context in which the organization operates over time, including stakeholder expectations, regulatory frameworks, technological change, and the present and potential future natural environment, social and economic issues. The governing body should also ensure that the organization's value generation model continues to be viable and responds to changing conditions. § 6.2.3.1 ¶ 3] | Leadership and high level objectives | Business Processes | |
Include analyzing the market in the analysis of the external environment. CC ID 12836 [{legal and regulatory context}{social context}When applying the governance principles and deciding how to appropriately implement the practices, the governing body should take into consideration the unique and dynamic nature of the organization and its context, including the following: legal, regulatory, natural environment, social and economic context; § 5 ¶ 5 Bullet 2 {social issue} In determining the value generation model, the governing body should understand the context in which the organization operates over time, including stakeholder expectations, regulatory frameworks, technological change, and the present and potential future natural environment, social and economic issues. The governing body should also ensure that the organization's value generation model continues to be viable and responds to changing conditions. § 6.2.3.1 ¶ 3] | Leadership and high level objectives | Business Processes | |
Conduct a context analysis to define objectives and strategies. CC ID 12864 [Leadership styles can differ, but they all involve the setting of expectations which others follow. Since the governing body is accountable for the whole organization, including its behaviour, decisions and activities, the governing body should set those expectations it requires the organization to follow, including the parameters within which the organization is to do so. These expectations should be set mindfully and intentionally, considering the context within which the organization operates. § 6.7.3.1 ¶ 1 {internal context} When setting the strategic outcomes and guiding the organizational strategy, the governing body should consider the organization's internal and external context, including: § 6.3.3.1.1 ¶ 2 {social issue} In determining the value generation model, the governing body should understand the context in which the organization operates over time, including stakeholder expectations, regulatory frameworks, technological change, and the present and potential future natural environment, social and economic issues. The governing body should also ensure that the organization's value generation model continues to be viable and responds to changing conditions. § 6.2.3.1 ¶ 3] | Leadership and high level objectives | Business Processes | |
Establish, implement, and maintain organizational objectives. CC ID 09959 [Leadership styles can differ, but they all involve the setting of expectations which others follow. Since the governing body is accountable for the whole organization, including its behaviour, decisions and activities, the governing body should set those expectations it requires the organization to follow, including the parameters within which the organization is to do so. These expectations should be set mindfully and intentionally, considering the context within which the organization operates. § 6.7.3.1 ¶ 1 Within the organization: The organization should fulfil the expectations set by the governing body. § 6.7.3.2 ¶ 1 b) {social context} The governing body should define the organization's value generation objectives such that they fulfil the organizational purpose in accordance with the organizational values and the natural environment, social and economic context within which it operates. This should include iterations of identifying relevant stakeholder groups and determining, prioritizing and formulating objectives which meet the expectations of these groups. § 6.2.3.2 ¶ 1 The governing body should provide the organization with an understanding of its intentions by setting clear strategic outcomes and guidance on the organizational strategy to achieve these outcomes, which it has determined will fulfil the organizational purpose and value generation objectives. § 6.3.3.1.1 ¶ 1 Within the governing body: The governing body should set expectations for itself and the organization, including parameters within which these expectations are to be fulfilled. The governing body should fulfil these expectations (internal alignment). § 6.7.3.2 ¶ 1 a)] | Leadership and high level objectives | Establish/Maintain Documentation | |
Evaluate organizational objectives to determine impact on other organizational objectives. CC ID 12814 | Leadership and high level objectives | Process or Activity | |
Identify events that may affect organizational objectives. CC ID 12961 | Leadership and high level objectives | Process or Activity | |
Identify conditions that may affect organizational objectives. CC ID 12958 [{external context}The governing body should ensure that the organizational risk framework, in respect to the management of risk: considers the impact of, changes to and dependencies on the external and internal context of the organization, including: intended strategic outcomes; § 6.9.3.2 ¶ 2 d) 6)] | Leadership and high level objectives | Process or Activity | |
Identify requirements that could affect achieving organizational objectives. CC ID 12828 [When applying the governance principles and deciding how to appropriately implement the practices, the governing body should take into consideration the unique and dynamic nature of the organization and its context, including the following: commitments and obligations associated with organizational activities and value generation processes; § 5 ¶ 5 Bullet 6] | Leadership and high level objectives | Business Processes | |
Identify opportunities that could affect achieving organizational objectives. CC ID 12826 [New technology brings an increase in the volume and value of data, and a responsibility for governing bodies to ensure that: valuable opportunities are leveraged; § 6.8.3.4 ¶ 1 Bullet 2 To ensure that the organization is acting in a socially responsible way, the governing body should: ensure that issues and opportunities affecting stakeholder expectations are identified and articulated (see 6.9); § 6.10.3 ¶ 1 b) Defining the organizational purpose involves identifying the issues and stakeholders for which the organization exists to serve and the negative impacts that are to be avoided. When identifying these, the governing body should ensure that the following are considered: organizational capabilities and opportunities. § 6.1.3.2 ¶ 1 e) {internal context}When setting the strategic outcomes and guiding the organizational strategy, the governing body should consider the organization's internal and external context, including: potential opportunities for innovation. § 6.3.3.1.1 ¶ 2 k) Defining the organizational purpose involves identifying the issues and stakeholders for which the organization exists to serve and the negative impacts that are to be avoided. When identifying these, the governing body should ensure that the following are considered: § 6.1.3.2 ¶ 1 Defining the organizational purpose involves identifying the issues and stakeholders for which the organization exists to serve and the negative impacts that are to be avoided. When identifying these, the governing body should ensure that the following are considered: important issues including global threats that evolve over time (e.g. climate change); § 6.1.3.2 ¶ 1 c)] | Leadership and high level objectives | Business Processes | |
Prioritize organizational objectives. CC ID 09960 [{social context} The governing body should define the organization's value generation objectives such that they fulfil the organizational purpose in accordance with the organizational values and the natural environment, social and economic context within which it operates. This should include iterations of identifying relevant stakeholder groups and determining, prioritizing and formulating objectives which meet the expectations of these groups. § 6.2.3.2 ¶ 1] | Leadership and high level objectives | Business Processes | |
Select financial reporting objectives consistent with accounting principles available to the organization. CC ID 12400 | Leadership and high level objectives | Business Processes | |
Establish, implement, and maintain a value generation model. CC ID 15591 [When applying the governance principles and deciding how to appropriately implement the practices, the governing body should take into consideration the unique and dynamic nature of the organization and its context, including the following: value generation model and organizational strategy; § 5 ¶ 5 Bullet 5 {external context}The governing body should ensure that the organizational risk framework, in respect to the management of risk: considers the impact of, changes to and dependencies on the external and internal context of the organization, including: the value generation model; § 6.9.3.2 ¶ 2 d) 5) The governing body should ensure that an overarching value generation model is determined for the organization and is appropriately communicated. § 6.2.3.1 ¶ 1 {internal context}When setting the strategic outcomes and guiding the organizational strategy, the governing body should consider the organization's internal and external context, including: the organizational purpose, the application of the organizational values and the organization's value generation model; § 6.3.3.1.1 ¶ 2 a) Therefore, the governing body should: ensure that interactions and dependencies within the organization's value generation model are articulated in an integrated manner; § 6.11.3.1 ¶ 2 a) {social issue} In determining the value generation model, the governing body should understand the context in which the organization operates over time, including stakeholder expectations, regulatory frameworks, technological change, and the present and potential future natural environment, social and economic issues. The governing body should also ensure that the organization's value generation model continues to be viable and responds to changing conditions. § 6.2.3.1 ¶ 3 The governing body should ensure that the organization's value generation model (see 6.2): describes how the organization's key structures, processes, relationships, information, decision-making, reporting and other aspects inter-relate and are used to generate value over time. § 6.11.3.2 ¶ 1 b)] | Leadership and high level objectives | Establish/Maintain Documentation | |
Disseminate and communicate the value generation model to all interested personnel and affected parties. CC ID 15607 [The governing body should ensure that an overarching value generation model is determined for the organization and is appropriately communicated. § 6.2.3.1 ¶ 1 To demonstrate accountability, the governing body should ensure that the organization's reports and disclosures: describe the organizational purpose, organizational values, value generation model, organizational strategy and associated governance policies; § 6.5.3.2 ¶ 1 a)] | Leadership and high level objectives | Communicate | |
Include value distribution in the value generation model. CC ID 15603 [{procedure}This value generation model should clarify: how the value generated is to be retained and distributed (sustain). § 6.2.3.1 ¶ 2 Bullet 4 {be viable} The governing body should ensure that value is retained and distributed in a manner that ensures that the organization is agile, viable over time and achieves its value generation objectives. § 6.2.3.5 ¶ 1 The governing body should demonstrate accountability by retaining and distributing value in a transparent manner and reporting on the associated processes, decisions and results, including on the extent of the organization's impacts over time. This includes disclosing to relevant stakeholders where the organization has destroyed or compromised value, providing a justification for such where appropriate, and describing how it will redress or reinstate that value. § 6.2.3.5 ¶ 2] | Leadership and high level objectives | Establish/Maintain Documentation | |
Include value retention in the value generation model. CC ID 15600 [{procedure}This value generation model should clarify: how the value generated is to be retained and distributed (sustain). § 6.2.3.1 ¶ 2 Bullet 4 {be viable} The governing body should ensure that value is retained and distributed in a manner that ensures that the organization is agile, viable over time and achieves its value generation objectives. § 6.2.3.5 ¶ 1 The governing body should demonstrate accountability by retaining and distributing value in a transparent manner and reporting on the associated processes, decisions and results, including on the extent of the organization's impacts over time. This includes disclosing to relevant stakeholders where the organization has destroyed or compromised value, providing a justification for such where appropriate, and describing how it will redress or reinstate that value. § 6.2.3.5 ¶ 2] | Leadership and high level objectives | Establish/Maintain Documentation | |
Include value generation procedures in the value generation model. CC ID 15599 [{procedure}This value generation model should clarify: how the organization should generate that value (create); § 6.2.3.1 ¶ 2 Bullet 2 The governing body should ensure that the organization's value generation model (see 6.2): identifies the key resources (e.g. capitals such as human, social and relational, intellectual, the natural environmental, financial and manufactured), structures, processes, relationships, information, decision-making, reporting and other aspects of the organization that allow it to create sustained value for relevant stakeholders; § 6.11.3.2 ¶ 1 a) {procedure}This value generation model should clarify: how the generation of value will be assured (deliver); § 6.2.3.1 ¶ 2 Bullet 3] | Leadership and high level objectives | Establish/Maintain Documentation | |
Establish, implement, and maintain value generation objectives. CC ID 15583 [Effective performance — The organization: generates value for stakeholders; § 5 ¶ 2 a) 3) {member stakeholder}{reference stakeholder}{be fair} The governing body should treat, and ensure that the organization treats, all stakeholders fairly and should consider the expectations of relevant stakeholders. The governing body should ensure that the organizational purpose (see 6.1) and the intended value to be generated (see 6.2) are defined through engagement with member, reference and other relevant stakeholders § 4.2.5 ¶ 1 Governance of organizations is a human-based system by which an organization is directed, overseen and held accountable for achieving its defined organizational purpose. At its core this includes: determining the organization's approach to value generation; § 4.1 ¶ 3 b) {social context}{economic context} The governing body should define the organization's value generation objectives such that they fulfil the organizational purpose in accordance with the organizational values and the natural environment, social, and economic context within which it operates. Table 1 Column 4 Row 3 {social context}{economic context} The governing body should define the organization's value generation objectives such that they fulfil the organizational purpose in accordance with the organizational values and the natural environment, social and economic context within which it operates. § 6.2.1 ¶ 1 This value generation model should clarify: what value the organization is intending to generate (define); § 6.2.3.1 ¶ 2 Bullet 1 {social context} The governing body should define the organization's value generation objectives such that they fulfil the organizational purpose in accordance with the organizational values and the natural environment, social and economic context within which it operates. This should include iterations of identifying relevant stakeholder groups and determining, prioritizing and formulating objectives which meet the expectations of these groups. § 6.2.3.2 ¶ 1 The governing body should ensure that the value generation objectives are delivered by the organization as a whole, by applying all other principles in this document. This includes ensuring that: § 6.2.3.4 ¶ 1 {internal context}When setting the strategic outcomes and guiding the organizational strategy, the governing body should consider the organization's internal and external context, including: the defined value generation objectives; § 6.3.3.1.1 ¶ 2 d) The governing body should actively and dynamically steer the implementation of the organizational strategy, within the defined governance policies, including organizational values, and changing risk context, to fulfil the organizational purpose. The governing body should also steer the strategy so that the generation of value in the present context is balanced with the innovation required to generate value in the future. § 6.3.3.2.2 ¶ 1 The governing body should ensure that the value generation objectives are delivered by the organization as a whole, by applying all other principles in this document. This includes ensuring that: assurance is obtained on the realization of the value generation objectives. § 6.2.3.4 ¶ 1 c)] | Leadership and high level objectives | Establish/Maintain Documentation | |
Establish, implement, and maintain social responsibility objectives. CC ID 15611 [The governing body should ensure that the organization considers undertaking specific measures to contribute to the wellbeing of society. Philanthropy can have a positive impact on society. However, it should not be used by an organization as a substitute for integrating social responsibility into the organization (see ISO 26000:2010, 3.3.4). § 6.10.3 ¶ 3] | Leadership and high level objectives | Establish/Maintain Documentation | |
Establish and maintain a Mission, Vision, and Values Statement. CC ID 12783 [{be dynamic}{be sensitive}The governing body should ensure that: the organizational purpose remains dynamic and sensitive to the changing context within which the organization operates. § 6.1.3.2 ¶ 2 Bullet 4 When applying the governance principles and deciding how to appropriately implement the practices, the governing body should take into consideration the unique and dynamic nature of the organization and its context, including the following: organizational purpose and organizational values; § 5 ¶ 5 Bullet 1 {external context}The governing body should ensure that the organizational risk framework, in respect to the management of risk: considers the impact of, changes to and dependencies on the external and internal context of the organization, including: the organizational purpose; § 6.9.3.2 ¶ 2 d) 3) {external context}The governing body should ensure that the organizational risk framework, in respect to the management of risk: considers the impact of, changes to and dependencies on the external and internal context of the organization, including: the organizational values; § 6.9.3.2 ¶ 2 d) 4) Governance of organizations is a human-based system by which an organization is directed, overseen and held accountable for achieving its defined organizational purpose. At its core this includes: setting and committing to the organizational purpose and organizational values; § 4.1 ¶ 3 a) Having defined the organizational values, the governing body should ensure that these organizational values are being demonstrated and are an active part of decision-making. The governing body should use these organizational values to determine the manner in which the organizational purpose is to be pursued and the value generation objectives are to be achieved (see 6.2). The governing body remains responsible for ensuring that the organizational values are monitored and reviewed, and should assess whether the organizational values remain aligned to, and support, the organizational purpose. The effectiveness of the organizational values will be evident in the culture of the organization. § 6.1.3.3 ¶ 2 Effective performance — The organization: is true to its purpose; § 5 ¶ 2 a) 1)] | Leadership and high level objectives | Establish/Maintain Documentation | |
Include the vision statement in the Mission, Vision, and Values Statement. CC ID 12839 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include the mission statement in the Mission, Vision, and Values Statement. CC ID 12838 [{member stakeholder}{reference stakeholder}{be fair} The governing body should treat, and ensure that the organization treats, all stakeholders fairly and should consider the expectations of relevant stakeholders. The governing body should ensure that the organizational purpose (see 6.1) and the intended value to be generated (see 6.2) are defined through engagement with member, reference and other relevant stakeholders § 4.2.5 ¶ 1 To ensure that the organization is acting in a socially responsible way, the governing body should: ensure that the organizational purpose expresses the organization's approach to stakeholders; § 6.10.3 ¶ 1 c) The governing body should ensure that: the essence of the organizational purpose is documented in a summary statement to promote effective communication and to assess and determine organization-wide actions and success; § 6.1.3.2 ¶ 2 Bullet 1 The governing body should ensure that the organization's reason for existence is clearly defined as an organizational purpose. This organizational purpose should define the organization's intentions towards the natural environment, society and the organization's stakeholders. The governing body should also ensure that an associated set of organizational values is clearly defined. § 6.1.1 ¶ 1 The governing body should ensure that the organizational purpose and organizational values are defined, communicated and embedded. § 6.1.3.1 ¶ 1 Defining the organizational purpose involves identifying the issues and stakeholders for which the organization exists to serve and the negative impacts that are to be avoided. When identifying these, the governing body should ensure that the following are considered: existing documentation relating to the organizational purpose and the scope of the organization's activities, such as constituting documents or other artefacts; § 6.1.3.2 ¶ 1 a) {internal context}When setting the strategic outcomes and guiding the organizational strategy, the governing body should consider the organization's internal and external context, including: the organizational purpose, the application of the organizational values and the organization's value generation model; § 6.3.3.1.1 ¶ 2 a) The governing body should ensure that the organization's reason for existence is clearly defined as an organizational purpose. This organizational purpose should define the organization's intentions towards the natural environment, society and the organization's stakeholders. The governing body should also ensure that an associated set of organizational values is clearly defined. Table 1 Column 4 Row 2] | Leadership and high level objectives | Establish/Maintain Documentation | |
Include management commitment in the Mission, Vision, and Values Statement. CC ID 12808 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include the value statement in the Mission, Vision, and Values Statement. CC ID 12807 [Defining the organizational purpose involves identifying the issues and stakeholders for which the organization exists to serve and the negative impacts that are to be avoided. When identifying these, the governing body should ensure that the following are considered: the historic, current and aspirational core identity of the organization, including the organizational values and expected ethical behaviour; § 6.1.3.2 ¶ 1 b) The governing body should ensure that the organization's reason for existence is clearly defined as an organizational purpose. This organizational purpose should define the organization's intentions towards the natural environment, society and the organization's stakeholders. The governing body should also ensure that an associated set of organizational values is clearly defined. § 6.1.1 ¶ 1 The governing body should ensure that the organizational purpose and organizational values are defined, communicated and embedded. § 6.1.3.1 ¶ 1 The governing body should ensure that the organization's reason for existence is clearly defined as an organizational purpose. This organizational purpose should define the organization's intentions towards the natural environment, society and the organization's stakeholders. The governing body should also ensure that an associated set of organizational values is clearly defined. Table 1 Column 4 Row 2] | Leadership and high level objectives | Establish/Maintain Documentation | |
Include environmental factors in the Mission, Vision, and Values Statement. CC ID 15590 [The governing body should ensure that the organization's reason for existence is clearly defined as an organizational purpose. This organizational purpose should define the organization's intentions towards the natural environment, society and the organization's stakeholders. The governing body should also ensure that an associated set of organizational values is clearly defined. § 6.1.1 ¶ 1 The governing body should ensure that the organization's reason for existence is clearly defined as an organizational purpose. This organizational purpose should define the organization's intentions towards the natural environment, society and the organization's stakeholders. The governing body should also ensure that an associated set of organizational values is clearly defined. Table 1 Column 4 Row 2] | Leadership and high level objectives | Establish/Maintain Documentation | |
Include societal factors in the Mission, Vision, and Values Statement. CC ID 15605 [The governing body should ensure that the organization's reason for existence is clearly defined as an organizational purpose. This organizational purpose should define the organization's intentions towards the natural environment, society and the organization's stakeholders. The governing body should also ensure that an associated set of organizational values is clearly defined. § 6.1.1 ¶ 1 The governing body should ensure that the organization's reason for existence is clearly defined as an organizational purpose. This organizational purpose should define the organization's intentions towards the natural environment, society and the organization's stakeholders. The governing body should also ensure that an associated set of organizational values is clearly defined. Table 1 Column 4 Row 2] | Leadership and high level objectives | Establish/Maintain Documentation | |
Include stakeholder requirements in the Mission, Vision, and Values Statement. CC ID 15586 [The governing body should ensure that the organization's reason for existence is clearly defined as an organizational purpose. This organizational purpose should define the organization's intentions towards the natural environment, society and the organization's stakeholders. The governing body should also ensure that an associated set of organizational values is clearly defined. § 6.1.1 ¶ 1 The governing body should ensure that the organization's reason for existence is clearly defined as an organizational purpose. This organizational purpose should define the organization's intentions towards the natural environment, society and the organization's stakeholders. The governing body should also ensure that an associated set of organizational values is clearly defined. Table 1 Column 4 Row 2] | Leadership and high level objectives | Establish/Maintain Documentation | |
Disseminate and communicate the Mission, Vision, and Values Statement to all interested personnel and affected parties. CC ID 15585 [The governing body should ensure that the organizational purpose and organizational values and their centrality are effectively communicated throughout the organization and are available to the organization's stakeholders. § 6.1.3.4 ¶ 2 The governing body should ensure that: the organizational purpose is available to all stakeholders and reflected in the constituting documents where possible; § 6.1.3.2 ¶ 2 Bullet 2 The governing body should ensure that the organizational purpose and organizational values are defined, communicated and embedded. § 6.1.3.1 ¶ 1 To demonstrate accountability, the governing body should ensure that the organization's reports and disclosures: describe the organizational purpose, organizational values, value generation model, organizational strategy and associated governance policies; § 6.5.3.2 ¶ 1 a) To ensure that the organization is acting in a socially responsible way, the governing body should: engage with all relevant stakeholders when determining and reviewing the organizational values and promote the organizational values to stakeholders; § 6.10.3 ¶ 1 d)] | Leadership and high level objectives | Communicate | |
Disseminate and communicate organizational objectives, functions, and activities to all interested personnel and affected parties. CC ID 13191 [To ensure that the organization is acting in a socially responsible way, the governing body should: report the organization's social responsibility objectives clearly and transparently so that stakeholders can understand these objectives, how they are being met and what performance is being achieved against them, as well as provide the necessary evidence to support such claims; § 6.10.3 ¶ 1 h)] | Leadership and high level objectives | Communicate | |
Document and communicate the linkage between organizational objectives, functions, activities, and general controls. CC ID 12398 [To demonstrate accountability, the governing body should ensure that the organization's reports and disclosures: provide information about the organization, including: the organization's performance in fulfilling the organizational purpose; § 6.5.3.2 ¶ 1 c) 1) To ensure that the organization is acting in a socially responsible way, the governing body should: report the organization's social responsibility objectives clearly and transparently so that stakeholders can understand these objectives, how they are being met and what performance is being achieved against them, as well as provide the necessary evidence to support such claims; § 6.10.3 ¶ 1 h) The governing body should ensure that the organization's value generation model (see 6.2): identifies the key resources (e.g. capitals such as human, social and relational, intellectual, the natural environmental, financial and manufactured), structures, processes, relationships, information, decision-making, reporting and other aspects of the organization that allow it to create sustained value for relevant stakeholders; § 6.11.3.2 ¶ 1 a) The governing body should ensure that when the organization reports and discloses its value generation model (see 6.2 and 6.5) these include: the integrated view of the relationships between the organization's value generation model and the systems on which this depends (and which the organization also affects through its value generation); § 6.11.3.4 ¶ 2 a) The governing body is accountable for ensuring that the organization fulfils the defined organizational purpose and should ensure that the organization does so in a manner which demonstrates the defined organizational values. § 6.1.3.4 ¶ 1 The governing body should ensure that the organization's value generation model (see 6.2): describes how the organization's key structures, processes, relationships, information, decision-making, reporting and other aspects inter-relate and are used to generate value over time. § 6.11.3.2 ¶ 1 b) Be open about decisions and activities that affect the natural environment, society and the economy, and be willing to communicate these in a clear, accurate, timely, honest and complete manner. Table 2 Column 2 Row 4 Bullet 1] | Leadership and high level objectives | Establish/Maintain Documentation | |
Identify threats that could affect achieving organizational objectives. CC ID 12827 | Leadership and high level objectives | Business Processes | |
Identify how opportunities, threats, and external requirements are trending. CC ID 12829 | Leadership and high level objectives | Process or Activity | |
Identify relationships between opportunities, threats, and external requirements. CC ID 12805 [{social context}{internal context}When setting the strategic outcomes and guiding the organizational strategy, the governing body should consider the organization's internal and external context, including: the interdependence between the natural environment, social and economic context – the organization's material impact on the context and its material impact on the organization; § 6.3.3.1.1 ¶ 2 e) Therefore, the governing body should: ensure that the natural environmental, social and economic system relationships that underpin the organization's value generation model are identified and assessed; § 6.11.3.1 ¶ 2 b)] | Leadership and high level objectives | Process or Activity | |
Review the organization's approach to managing information security, as necessary. CC ID 12005 | Leadership and high level objectives | Business Processes | |
Establish, implement, and maintain criteria for grouping stakeholders. CC ID 15584 [When the governing body groups stakeholders, it should clarify its criteria for grouping, and for determining the relevance of, stakeholders. The governing body should also ensure that a stakeholder engagement process is devised on this basis. § 6.6.3 ¶ 2] | Leadership and high level objectives | Process or Activity | |
Analyze and prioritize the requirements of interested personnel and affected parties. CC ID 12796 [{member stakeholder}When applying the governance principles and deciding how to appropriately implement the practices, the governing body should take into consideration the unique and dynamic nature of the organization and its context, including the following: expectations of relevant stakeholders, particularly member and reference stakeholders; § 5 ¶ 5 Bullet 3 {member stakeholder}{reference stakeholder}{be fair} The governing body should treat, and ensure that the organization treats, all stakeholders fairly and should consider the expectations of relevant stakeholders. The governing body should ensure that the organizational purpose (see 6.1) and the intended value to be generated (see 6.2) are defined through engagement with member, reference and other relevant stakeholders § 4.2.5 ¶ 1 The governing body should oversee organizational performance by assessing and taking corrective action based on: the organization's identification of, and engagement with, relevant stakeholders (see 6.6); § 6.4.3.2 ¶ 1 e) The governing body should ensure that the organization's stakeholders are appropriately engaged and their expectations considered. § 6.6.1 ¶ 1 The governing body should ensure that the organization's stakeholders are identified, prioritized, appropriately engaged, consulted and their expectations understood. The governing body should do this to ensure that stakeholder relationships are effective and appropriate decisions about expectations are made to achieve the intended value generation objectives. § 6.6.3 ¶ 1 The governing body should consider the expectations of relevant stakeholder groups whether the organization is obliged to do so (e.g. member stakeholders, regulators) or whether it chooses to do so (e.g. reference stakeholders). The governing body should ensure that: § 6.6.3 ¶ 3 The governing body should provide direction for, and have sufficient oversight of, the use of data and its supporting information technology to ensure the organization remains within its established risk appetite and organizational risk framework. This can include: ensuring that the wider organizational stakeholders are considered in the organization's use of information technology, particularly as it relates to human capital. § 6.8.3.4 ¶ 2 f) {external context}The governing body should ensure that the organizational risk framework, in respect to the management of risk: considers the impact of, changes to and dependencies on the external and internal context of the organization, including: stakeholders; § 6.9.3.2 ¶ 2 d) 1) {stakeholder engagement process}To ensure that the organization is acting in a socially responsible way, the governing body should: ensure that the expectations of stakeholders are clearly understood; this includes continually engaging relevant stakeholders through an engagement process and a highly developed approach to accountability (see 6.5); § 6.10.3 ¶ 1 a) The governing body should ensure that the organization's stakeholders are appropriately engaged and their expectations considered. Table 1 Column 4 Row 7 {member stakeholder}{reference stakeholder}Defining the organizational purpose involves identifying the issues and stakeholders for which the organization exists to serve and the negative impacts that are to be avoided. When identifying these, the governing body should ensure that the following are considered: member, reference and other relevant stakeholder expectations; § 6.1.3.2 ¶ 1 d) The organization's viability and performance over time depends on the resilience of natural environmental, social and economic systems in which the organization operates. The resilience of these systems benefits from governing body decisions when such decisions consider: relevant stakeholder expectations (see 6.6 and 6.10); § 6.11.3.1 ¶ 1 Bullet 1 {internal context}When setting the strategic outcomes and guiding the organizational strategy, the governing body should consider the organization's internal and external context, including: relevant stakeholder expectations; § 6.3.3.1.1 ¶ 2 j) Effective performance — The organization: remains in alignment with its policies and relevant stakeholder expectations. § 5 ¶ 2 a) 4) Responsible stewardship — The organization: engenders the trust and confidence of the communities within which it operates, and beyond. § 5 ¶ 2 b) 5) A process of reconciliation between seemingly opposed dimensions leads to more informed and robust decisions. Reconciling dilemmas requires a deliberate approach that includes: understanding and articulating the opposing perspectives; § 6.7.3.4 ¶ 2 b) {social issue} In determining the value generation model, the governing body should understand the context in which the organization operates over time, including stakeholder expectations, regulatory frameworks, technological change, and the present and potential future natural environment, social and economic issues. The governing body should also ensure that the organization's value generation model continues to be viable and responds to changing conditions. § 6.2.3.1 ¶ 3] | Leadership and high level objectives | Business Processes | |
Establish, implement, and maintain data governance and management practices. CC ID 14998 [The governing body should recognize data as a valuable resource for decision-making by the governing body, the organization and others. § 6.8.1 ¶ 1 The governing body should ensure that the organization identifies, manages, monitors and communicates the nature and extent of its use of data (see 6.5.3). § 6.8.3.1 ¶ 1 The recognition that data can be a strategic asset (or liability) means that the governing body should: acknowledge the complexities and growing importance of data and establish governance policies and direction that aligns with the organization's needs and the degree of change required; § 6.8.3.3 ¶ 1 c) The recognition that data can be a strategic asset (or liability) means that the governing body should: understand the use, and potential use, of data by the organization and others (e.g. suppliers, customers, regulators and other relevant stakeholders as well as competitors and those who can misuse the data); § 6.8.3.3 ¶ 1 b) The governing body should provide direction for, and have sufficient oversight of, the use of data and its supporting information technology to ensure the organization remains within its established risk appetite and organizational risk framework. This can include: § 6.8.3.4 ¶ 2 The governing body should recognize data as a valuable resource for decision-making by the governing body, the organization and others. Table 1 Column 4 Row 9 {be responsible}{be ethical} The governing body should, in particular, ensure that the organization recognizes data as a strategic resource and ensure that the organization uses data responsibly and ethically. § 6.8.3.1 ¶ 2 The governing body should oversee organizational performance by assessing and taking corrective action based on: the organization's controlling and processing of data, ensuring that data are recognized as a valuable and strategic organizational resource (see 6.8); § 6.4.3.2 ¶ 1 h) The recognition that data can be a strategic asset (or liability) means that the governing body should: ensure that the organization establishes a formal approach to its management of data and, where necessary, assurance is provided (see 6.4.3); § 6.8.3.3 ¶ 1 a)] | Leadership and high level objectives | Establish/Maintain Documentation | |
Address shortcomings of the data sets in the data governance and management practices. CC ID 15087 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include any shortcomings of the data sets in the data governance and management practices. CC ID 15086 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include bias for data sets in the data governance and management practices. CC ID 15085 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include a data strategy in the data governance and management practices. CC ID 15304 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include data monitoring in the data governance and management practices. CC ID 15303 [The governing body should ensure that the organization identifies, manages, monitors and communicates the nature and extent of its use of data (see 6.5.3). § 6.8.3.1 ¶ 1 The governing body should provide direction for, and have sufficient oversight of, the use of data and its supporting information technology to ensure the organization remains within its established risk appetite and organizational risk framework. This can include: the adoption of a system to ensure the rights, obligations and constraints of data sets are understood and tracked, e.g. privacy and intellectual property right obligations; § 6.8.3.4 ¶ 2 a)] | Leadership and high level objectives | Establish/Maintain Documentation | |
Include an assessment of the data sets in the data governance and management practices. CC ID 15084 [The governing body should provide direction for, and have sufficient oversight of, the use of data and its supporting information technology to ensure the organization remains within its established risk appetite and organizational risk framework. This can include: the adoption of a system to ensure the rights, obligations and constraints of data sets are understood and tracked, e.g. privacy and intellectual property right obligations; § 6.8.3.4 ¶ 2 a)] | Leadership and high level objectives | Establish/Maintain Documentation | |
Include assumptions for the formulation of data sets in the data governance and management practices. CC ID 15083 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include data collection for data sets in the data governance and management practices. CC ID 15082 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include data preparations for data sets in the data governance and management practices. CC ID 15081 [The governing body should make decisions of requisite quality and ensure that its decision-making is appropriately informed. The governing body should: exercise its right and responsibility to determine and receive the information it requires, including determining the appropriate data collection methods, preparation and timely delivery of information; § 6.8.3.2.1 ¶ 1 f)] | Leadership and high level objectives | Establish/Maintain Documentation | |
Include design choices for data sets in the data governance and management practices. CC ID 15080 | Leadership and high level objectives | Establish/Maintain Documentation | |
Establish, implement, and maintain an information classification standard. CC ID 00601 | Leadership and high level objectives | Establish/Maintain Documentation | |
Take into account the accessibility to and location of the data or information when establishing information impact levels. CC ID 04787 | Leadership and high level objectives | Data and Information Management | |
Take into account the organization's obligation to protect data or information when establishing information impact levels. CC ID 04786 | Leadership and high level objectives | Data and Information Management | |
Take into account the context of use for data or information when establishing information impact levels. CC ID 04785 | Leadership and high level objectives | Data and Information Management | |
Take into account the potential aggregation of restricted data fields when establishing information impact levels. CC ID 04784 | Leadership and high level objectives | Data and Information Management | |
Classify the sensitivity to unauthorized disclosure or modification of information in the information classification standard. CC ID 11997 | Leadership and high level objectives | Data and Information Management | |
Take into account the distinguishability factor when establishing information impact levels. CC ID 04783 | Leadership and high level objectives | Data and Information Management | |
Classify the criticality to unauthorized disclosure or modification of information in the information classification standard. CC ID 11996 | Leadership and high level objectives | Data and Information Management | |
Classify the value of information in the information classification standard. CC ID 11995 | Leadership and high level objectives | Data and Information Management | |
Classify the legal requirements of information in the information classification standard. CC ID 11994 | Leadership and high level objectives | Data and Information Management | |
Establish, implement, and maintain a data classification scheme. CC ID 11628 | Leadership and high level objectives | Establish/Maintain Documentation | |
Take into account the characteristics of the geographical, behavioral and functional setting for all datasets. CC ID 15046 | Leadership and high level objectives | Data and Information Management | |
Disseminate and communicate the data classification scheme to interested personnel and affected parties. CC ID 16804 | Leadership and high level objectives | Communicate | |
Establish and maintain an organizational data dictionary, including data syntax rules. CC ID 00600 | Leadership and high level objectives | Establish/Maintain Documentation | |
Refrain from including metadata in the data dictionary. CC ID 13529 | Leadership and high level objectives | Establish/Maintain Documentation | |
Refrain from allowing incompatible data elements in the data dictionary. CC ID 13624 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include information needed to understand each data element and population in the data dictionary. CC ID 13528 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include the factors to determine what is included or excluded from the data element in the data dictionary. CC ID 13525 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include the date or time period the data was observed in the data dictionary. CC ID 13524 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include the uncertainty in the population of each data element in the data dictionary. CC ID 13522 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include the uncertainty of each data element in the data dictionary. CC ID 13521 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include the measurement units for each data element in the data dictionary. CC ID 13534 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include the precision of the measurement in the data dictionary. CC ID 13520 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include the data source in the data dictionary. CC ID 13519 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include the nature of each element in the data dictionary. CC ID 13518 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include the population of events or instances in the data dictionary. CC ID 13517 | Leadership and high level objectives | Establish/Maintain Documentation | |
Disseminate and communicate the data dictionary to interested personnel and affected parties. CC ID 13516 | Leadership and high level objectives | Communicate | |
Establish, implement, and maintain an Information and Infrastructure Architecture model. CC ID 00599 | Leadership and high level objectives | Establish/Maintain Documentation | |
Establish, implement, and maintain sustainable infrastructure planning. CC ID 00603 [Responsible stewardship — The organization: ensures its contribution to sustainable development; § 5 ¶ 2 b) 4) {be viable} The governing body should ensure that the organization remains viable, and performs over time, without compromising the ability of current and future generations to meet their needs. Table 1 Column 4 Row 12 {be viable} The governing body should ensure that the organization remains viable, and performs over time, without compromising the ability of current and future generations to meet their needs. § 6.11.1 ¶ 1 The aim of governance, and the duty of the governing body, is to create the conditions for, and to enable, the organization to perform over time, such that it fulfils its organizational purpose and generates value as intended. An organization can be said to be contributing to sustainable development, and to be sustainable, when it generates value in a manner that meets the needs of the present without compromising the ability of future generations to meet their own needs. By aligning an organization's governance with sustainable development, e.g. via the UN SDGs, governing bodies help create the conditions for an organization's future success. As a result, governing bodies should ensure that sustainable development and sustainability are fundamental considerations when governing and applying the governance principles in this document. § 4.2.4 ¶ 1] | Leadership and high level objectives | Establish/Maintain Documentation | |
Take into account the need for protecting information confidentiality during infrastructure planning. CC ID 06486 | Leadership and high level objectives | Behavior | |
Establish, implement, and maintain an organizational structure. CC ID 16310 | Leadership and high level objectives | Establish/Maintain Documentation | |
Disseminate and communicate emerging threats to all interested personnel and affected parties. CC ID 12185 | Leadership and high level objectives | Communicate | |
Establish, implement, and maintain a Quality Management framework. CC ID 07196 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include supply chain management standards in the Quality Management framework. CC ID 13701 | Leadership and high level objectives | Establish/Maintain Documentation | |
Establish, implement, and maintain a Quality Management policy. CC ID 13694 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include a commitment to satisfy applicable requirements in the Quality Management policy. CC ID 13700 | Leadership and high level objectives | Establish/Maintain Documentation | |
Tailor the Quality Management policy to support the organization's strategic direction. CC ID 13699 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include a commitment to continual improvement of the Quality Management system in the Quality Management policy. CC ID 13698 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include critical Information Technology processes in the Quality Management framework. CC ID 13645 | Leadership and high level objectives | Establish/Maintain Documentation | |
Disseminate and communicate the Quality Management policy to all interested personnel and affected parties. CC ID 13695 | Leadership and high level objectives | Communicate | |
Disseminate and communicate the Quality Management framework to all stakeholders. CC ID 13680 | Leadership and high level objectives | Communicate | |
Align the quality objectives with the Quality Management policy. CC ID 13697 | Leadership and high level objectives | Establish/Maintain Documentation | |
Establish, implement, and maintain a Quality Management standard. CC ID 01006 | Leadership and high level objectives | Establish/Maintain Documentation | |
Document the measurements used by Quality Assurance and Quality Control testing. CC ID 07200 | Leadership and high level objectives | Establish/Maintain Documentation | |
Establish, implement, and maintain a Quality Management program. CC ID 07201 | Leadership and high level objectives | Establish/Maintain Documentation | |
Notify affected parties and interested personnel of quality management system approvals that have been refused, suspended, or withdrawn. CC ID 15045 | Leadership and high level objectives | Communicate | |
Notify affected parties and interested personnel of quality management system approvals that have been issued. CC ID 15036 | Leadership and high level objectives | Communicate | |
Include quality objectives in the Quality Management program. CC ID 13693 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include records management in the quality management system. CC ID 15055 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include risk management in the quality management system. CC ID 15054 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include data management procedures in the quality management system. CC ID 15052 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include a post-market monitoring system in the quality management system. CC ID 15027 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include operational roles and responsibilities in the quality management system. CC ID 15028 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include quality gates and testing milestones in the Quality Management program. CC ID 06825 | Leadership and high level objectives | Systems Design, Build, and Implementation | |
Include resource management in the quality management system. CC ID 15026 [The value generation model requires an integrated approach to understanding and using resources (e.g. human, social and relational, intellectual, the natural environment, financial and manufactured). This approach includes: § 6.2.3.1 ¶ 4 The governing body should ensure that it sets parameters, within which the value generation objectives are to be achieved. These parameters should ensure that the organization: recognizes and optimizes the interaction between the required resources. § 6.2.3.3 ¶ 1 c) The governing body should oversee organizational performance by assessing and taking corrective action based on: resource allocations, capacity and capabilities (including people and their development) ensuring that the organization is enabled to meet its organizational purpose, value generation objectives and strategic outcomes; § 6.4.3.2 ¶ 1 g)] | Leadership and high level objectives | Establish/Maintain Documentation | |
Include communication protocols in the quality management system. CC ID 15025 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include incident reporting procedures in the quality management system. CC ID 15023 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include technical specifications in the quality management system. CC ID 15021 | Leadership and high level objectives | Establish/Maintain Documentation | |
Document the deficiencies in a deficiency report that were found during Quality Control and corrected during Quality Improvement. CC ID 07203 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include program documentation standards in the Quality Management program. CC ID 01016 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include program testing standards in the Quality Management program. CC ID 01017 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include system testing standards in the Quality Management program. CC ID 01018 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include an issue tracking system in the Quality Management program. CC ID 06824 | Leadership and high level objectives | Systems Design, Build, and Implementation | |
Establish and maintain the scope of the organizational compliance framework and Information Assurance controls. CC ID 01241 | Leadership and high level objectives | Establish/Maintain Documentation | |
Identify roles, tasks, information, systems, and assets that fall under the organization's mandated Authority Documents. CC ID 00688 [The governing body should ensure that the organization identifies, manages, monitors and communicates the nature and extent of its use of data (see 6.5.3). § 6.8.3.1 ¶ 1 The value generation model requires an integrated approach to understanding and using resources (e.g. human, social and relational, intellectual, the natural environment, financial and manufactured). This approach includes: identification of all resources involved in the model; § 6.2.3.1 ¶ 4 a) The governing body should ensure that the organization's value generation model (see 6.2): identifies the key resources (e.g. capitals such as human, social and relational, intellectual, the natural environmental, financial and manufactured), structures, processes, relationships, information, decision-making, reporting and other aspects of the organization that allow it to create sustained value for relevant stakeholders; § 6.11.3.2 ¶ 1 a) The governing body should ensure that the organization's value generation model (see 6.2): identifies the key resources (e.g. capitals such as human, social and relational, intellectual, the natural environmental, financial and manufactured), structures, processes, relationships, information, decision-making, reporting and other aspects of the organization that allow it to create sustained value for relevant stakeholders; § 6.11.3.2 ¶ 1 a) The governing body should ensure that the organization's value generation model identifies and assesses (see 6.2): the relevant external systems on which the organization depends; § 6.11.3.3 ¶ 1 a)] | Leadership and high level objectives | Business Processes | |
Establish and maintain an Information Systems Assurance Categories Definitions document. CC ID 01608 | Leadership and high level objectives | Establish/Maintain Documentation | |
Establish, implement, and maintain a policy and procedure management program. CC ID 06285 | Leadership and high level objectives | Establish/Maintain Documentation | |
Assess the impact of changes to organizational policies, standards, and procedures, as necessary. CC ID 14824 [The governing body should oversee organizational performance by assessing and taking corrective action based on: the organization's management of plans, organizational changes and other substantial transformations as well as responses to unplanned events and incidents. § 6.4.3.2 ¶ 1 j)] | Leadership and high level objectives | Business Processes | |
Establish and maintain an Authority Document list. CC ID 07113 | Leadership and high level objectives | Establish/Maintain Documentation | |
Document organizational procedures that harmonize external requirements, including all legal requirements. CC ID 00623 [Ethical and effective leadership should be demonstrated in three areas: the manner in which the organization interacts with, and impacts, its stakeholders and the context within which it operates. § 6.7.3.1 ¶ 4 c) {human right} The governing body should consider the expectations of relevant stakeholder groups whether the organization is obliged to do so (e.g. member stakeholders, regulators) or whether it chooses to do so (e.g. reference stakeholders). The governing body should ensure that: human and labour rights in all countries of operation are respected; § 6.6.3 ¶ 3 d) Within the organization's external context: Where the organization has set contextual expectations, such as commitments to stakeholders and the natural environment, the organization should fulfil these expectations as set. § 6.7.3.2 ¶ 1 c) {external system} The governing body should ensure that the organization's value generation model identifies and assesses (see 6.2): the inter-relationships between the organization and these systems; § 6.11.3.3 ¶ 1 b)] | Leadership and high level objectives | Establish/Maintain Documentation | |
Establish, implement, and maintain full documentation of all policies, standards, and procedures that support the organization's compliance framework. CC ID 01636 | Leadership and high level objectives | Establish/Maintain Documentation | |
Disseminate and communicate the organization’s policies, standards, and procedures to all interested personnel and affected parties. CC ID 12901 [Finally, the governing body should report honestly and transparently to relevant stakeholders on the organizational governance framework. This includes reporting: on the way it has implemented the key aspects of practices in this document and any other practices used to apply the principles; § 5 ¶ 7 Bullet 1] | Leadership and high level objectives | Communicate | |
Approve all compliance documents. CC ID 06286 [{individual} The governing body should engage with strategic planning by: reviewing, assessing and approving the plans developed by those to whom they have delegated; § 6.3.3.2.1 ¶ 1 c)] | Leadership and high level objectives | Establish/Maintain Documentation | |
Align the Authority Document list with external requirements. CC ID 06288 [The governing body should ensure that: the organizational purpose is available to all stakeholders and reflected in the constituting documents where possible; § 6.1.3.2 ¶ 2 Bullet 2] | Leadership and high level objectives | Establish/Maintain Documentation | |
Assign the appropriate roles to all applicable compliance documents. CC ID 06284 | Leadership and high level objectives | Establish Roles | |
Identify and document the Designated Approval Authority for compliance documents. CC ID 07114 | Leadership and high level objectives | Establish/Maintain Documentation | |
Establish, implement, and maintain a compliance exception standard. CC ID 01628 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include the authority for granting exemptions in the compliance exception standard. CC ID 14329 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include explanations, compensating controls, or risk acceptance in the compliance exceptions Exceptions document. CC ID 01631 | Leadership and high level objectives | Establish/Maintain Documentation | |
Review the compliance exceptions in the exceptions document, as necessary. CC ID 01632 | Leadership and high level objectives | Business Processes | |
Include when exemptions expire in the compliance exception standard. CC ID 14330 | Leadership and high level objectives | Establish/Maintain Documentation | |
Assign the approval of compliance exceptions to the appropriate roles inside the organization. CC ID 06443 | Leadership and high level objectives | Establish Roles | |
Include management of the exemption register in the compliance exception standard. CC ID 14328 | Leadership and high level objectives | Establish/Maintain Documentation | |
Define the Information Assurance strategic roles and responsibilities. CC ID 00608 | Leadership and high level objectives | Establish Roles | |
Include recommendations for changes or updates to the information security program in the Board Report. CC ID 13180 | Leadership and high level objectives | Establish/Maintain Documentation | |
Assign the review of project plans for critical projects to the compliance oversight committee. CC ID 01182 | Leadership and high level objectives | Establish Roles | |
Assign the corporate governance of Information Technology to the compliance oversight committee. CC ID 01178 | Leadership and high level objectives | Establish Roles | |
Assign the review of Information Technology policies and procedures to the compliance oversight committee. CC ID 01179 | Leadership and high level objectives | Establish Roles | |
Involve the Board of Directors or senior management in Information Governance. CC ID 00609 | Leadership and high level objectives | Establish Roles | |
Assign responsibility for enforcing the requirements of the Information Governance Plan to senior management. CC ID 12058 | Leadership and high level objectives | Human Resources Management | |
Address Information Security during the business planning processes. CC ID 06495 | Leadership and high level objectives | Data and Information Management | |
Document the requirements of stakeholders during the business planning process regarding Information Security. CC ID 06498 | Leadership and high level objectives | Establish/Maintain Documentation | |
Assign reviewing and approving Quality Management standards to the appropriate oversight committee. CC ID 07192 | Leadership and high level objectives | Establish Roles | |
Establish, implement, and maintain a strategic plan. CC ID 12784 [Governance of organizations is a human-based system by which an organization is directed, overseen and held accountable for achieving its defined organizational purpose. At its core this includes: directing and engaging with strategy to generate value; § 4.1 ¶ 3 c) The governing body should direct and engage with the organizational strategy, in accordance with the value generation model, to fulfil the organizational purpose. Table 1 Column 4 Row 4 Having defined the organizational values, the governing body should ensure that these organizational values are being demonstrated and are an active part of decision-making. The governing body should use these organizational values to determine the manner in which the organizational purpose is to be pursued and the value generation objectives are to be achieved (see 6.2). The governing body remains responsible for ensuring that the organizational values are monitored and reviewed, and should assess whether the organizational values remain aligned to, and support, the organizational purpose. The effectiveness of the organizational values will be evident in the culture of the organization. § 6.1.3.3 ¶ 2 Having defined the organizational values, the governing body should ensure that these organizational values are being demonstrated and are an active part of decision-making. The governing body should use these organizational values to determine the manner in which the organizational purpose is to be pursued and the value generation objectives are to be achieved (see 6.2). The governing body remains responsible for ensuring that the organizational values are monitored and reviewed, and should assess whether the organizational values remain aligned to, and support, the organizational purpose. The effectiveness of the organizational values will be evident in the culture of the organization. § 6.1.3.3 ¶ 2 The governing body should direct and engage with the organizational strategy, in accordance with the value generation model, to fulfil the organizational purpose. § 6.3.1 ¶ 1 {individual} The governing body should engage with strategic planning by: reviewing, assessing and approving the plans developed by those to whom they have delegated; § 6.3.3.2.1 ¶ 1 c) The governing body should engage with strategic planning by: overseeing (see 6.4) the implementation of these plans and ensuring that they meet the agreed strategic outcomes. § 6.3.3.2.1 ¶ 1 d) The governing body should actively and dynamically steer the implementation of the organizational strategy, within the defined governance policies, including organizational values, and changing risk context, to fulfil the organizational purpose. The governing body should also steer the strategy so that the generation of value in the present context is balanced with the innovation required to generate value in the future. § 6.3.3.2.2 ¶ 1 The governing body should steer the organizational strategy by means of: § 6.3.3.2.2 ¶ 2 Ethical leadership results in an organizational context and culture that: provides competitive differentiation for stakeholders by providing clarity against which evaluators can assess the organization's behaviour, decisions and activities; § 6.7.3.3 ¶ 3 Bullet 4 The governing body should steer the organizational strategy by means of: monitoring and responding to the behaviour, decisions and activities of the organization, e.g. values-driven behaviours pertaining to sustainability; § 6.3.3.2.2 ¶ 2 b)] | Leadership and high level objectives | Establish/Maintain Documentation | |
Determine progress toward the objectives of the strategic plan. CC ID 12944 [The governing body should: develop, and competently use, appropriate criteria for measurement that will indicate progress towards the fulfilment of the organizational purpose, within the set parameters, via the organizational strategy; § 4.3.2 ¶ 2 b) Ethical and effective leadership is demonstrated when the governing body: ensures that the organization is, and is seen to be, following the expectations as set. § 6.7.3.1 ¶ 3 Bullet 3 The outcomes, whether positive or negative, are determined by the expectations which have been set. Leadership determines whether these expectations are fulfilled. § 6.7.3.2 ¶ 2 The governing body should oversee organizational performance by assessing and taking corrective action based on: the organization's management of plans, organizational changes and other substantial transformations as well as responses to unplanned events and incidents. § 6.4.3.2 ¶ 1 j) {internal context} When setting the strategic outcomes and guiding the organizational strategy, the governing body should consider the organization's internal and external context, including: the envisaged time scales of the strategic outcomes and of the organizational strategy; § 6.3.3.1.1 ¶ 2 b)] | Leadership and high level objectives | Process or Activity | |
Include acting with integrity in the strategic plan. CC ID 12870 [At all times, the governing body should act collectively, performing many interrelated activities in order to exercise its authority and fulfil its accountability. Members of the governing body should act with probity and in the best interests of the organization while applying the principles in this document. § 4.3.1 ¶ 3] | Leadership and high level objectives | Establish/Maintain Documentation | |
Disseminate and communicate the strategic plan to all interested personnel and affected parties. CC ID 15592 [To demonstrate accountability, the governing body should ensure that the organization's reports and disclosures: describe the organizational purpose, organizational values, value generation model, organizational strategy and associated governance policies; § 6.5.3.2 ¶ 1 a)] | Leadership and high level objectives | Communicate | |
Include the outsource partners in the strategic plan, as necessary. CC ID 13960 | Leadership and high level objectives | Establish/Maintain Documentation | |
Align the cybersecurity program strategy with the organization's strategic plan. CC ID 14322 | Leadership and high level objectives | Establish/Maintain Documentation | |
Establish, implement, and maintain a planning policy. CC ID 14673 | Leadership and high level objectives | Establish/Maintain Documentation | |
Establish, implement, and maintain planning procedures. CC ID 14698 | Leadership and high level objectives | Establish/Maintain Documentation | |
Disseminate and communicate the planning procedures to interested personnel and affected parties. CC ID 14704 | Leadership and high level objectives | Communicate | |
Disseminate and communicate the planning policy to interested personnel and affected parties. CC ID 14691 | Leadership and high level objectives | Communicate | |
Include compliance requirements in the planning policy. CC ID 14688 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include coordination amongst entities in the planning policy. CC ID 14687 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include management commitment in the planning policy. CC ID 14686 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include roles and responsibilities in the planning policy. CC ID 14685 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include the scope in the planning policy. CC ID 14684 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include the purpose in the planning policy. CC ID 14683 | Leadership and high level objectives | Establish/Maintain Documentation | |
Establish, implement, and maintain a security planning policy. CC ID 14027 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include compliance requirements in the security planning policy. CC ID 14131 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include coordination amongst entities in the security planning policy. CC ID 14130 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include management commitment in the security planning policy. CC ID 14129 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include roles and responsibilities in the security planning policy. CC ID 14128 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include the scope in the security planning policy. CC ID 14127 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include the purpose in the security planning policy. CC ID 14126 | Leadership and high level objectives | Establish/Maintain Documentation | |
Disseminate and communicate the security planning policy to interested personnel and affected parties. CC ID 14125 | Leadership and high level objectives | Communicate | |
Establish, implement, and maintain security planning procedures. CC ID 14060 | Leadership and high level objectives | Establish/Maintain Documentation | |
Disseminate and communicate the security planning procedures to interested personnel and affected parties. CC ID 14135 | Leadership and high level objectives | Communicate | |
Establish, implement, and maintain a decision management strategy. CC ID 06913 [The governing body should ensure that the organization's stakeholders are identified, prioritized, appropriately engaged, consulted and their expectations understood. The governing body should do this to ensure that stakeholder relationships are effective and appropriate decisions about expectations are made to achieve the intended value generation objectives. § 6.6.3 ¶ 1 The governing body should make decisions of requisite quality and ensure that its decision-making is appropriately informed. The governing body should: § 6.8.3.2.1 ¶ 1 The governing body should make decisions of requisite quality and ensure that its decision-making is appropriately informed. The governing body should: ensure that there is commitment to support the collective decision, to clearly record it and to act on it; § 6.8.3.2.1 ¶ 1 b) The governing body should ensure that decisions are transparent and aligned with broader societal expectations. Table 1 Column 4 Row 11 Ethical behaviour — The organization behaves in accordance with accepted principles of right or good conduct in the context of a particular situation and in a manner consistent with international norms of behaviour, including demonstrating: competence and probity in the manner in which it makes decisions. § 5 ¶ 2 c) 5) The governing body should make decisions of requisite quality and ensure that its decision-making is appropriately informed. The governing body should: maintain an appropriate balance between guiding discussions to a decision and ensuring that every member has the opportunity to express their independent assessment; § 6.8.3.2.1 ¶ 1 a) Act with due care, skill, diligence and loyalty, and take reasonable steps to become informed about particular matters for decision-making. Table 2 Column 2 Row 3 Bullet 2 The governing body should ensure that decisions are transparent and aligned with broader societal expectations. § 6.10.1 ¶ 1 The governing body should ensure that the organization's value generation model (see 6.2): identifies the key resources (e.g. capitals such as human, social and relational, intellectual, the natural environmental, financial and manufactured), structures, processes, relationships, information, decision-making, reporting and other aspects of the organization that allow it to create sustained value for relevant stakeholders; § 6.11.3.2 ¶ 1 a) The governing body should steer the organizational strategy by means of: reserving some decisions for the governing body (those which materially or fundamentally impact the organization as a whole) and delegating others; § 6.3.3.2.2 ¶ 2 e) The governing body should steer the organizational strategy by means of: decision-making, specifically, the strategic deployment of resources. § 6.3.3.2.2 ¶ 2 j) A process of reconciliation between seemingly opposed dimensions leads to more informed and robust decisions. Reconciling dilemmas requires a deliberate approach that includes: reconciling the perspectives, considering how each position can support the other; § 6.7.3.4 ¶ 2 d) {hold accountable} {individual} The governing body should hold to account those to whom it has delegated (see 4.2.2). The governing body should ask questions, exercise its judgement, implement consequences, affect improvements and ensure that is equipped to do so. When doing so, the governing body should practise integrity, fairness and transparency. § 6.5.3.3 ¶ 1 Ethical leadership results in an organizational context and culture that: provides competitive differentiation for stakeholders by providing clarity against which evaluators can assess the organization's behaviour, decisions and activities; § 6.7.3.3 ¶ 3 Bullet 4 The governing body should steer the organizational strategy by means of: monitoring and responding to the behaviour, decisions and activities of the organization, e.g. values-driven behaviours pertaining to sustainability; § 6.3.3.2.2 ¶ 2 b)] | Leadership and high level objectives | Establish/Maintain Documentation | |
Align the reporting methodology with the decision management strategy. CC ID 15659 | Leadership and high level objectives | Business Processes | |
Include an economic impact analysis in the decision management strategy. CC ID 14015 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include cost benefit analysis in the decision management strategy. CC ID 14014 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include criteria for compliance in the decision-making criteria. CC ID 12951 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include criteria for risk tolerance in the decision-making criteria. CC ID 12950 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include criteria for selecting objectives and strategies in the decision-making criteria. CC ID 12949 [The governing body should make decisions of requisite quality and ensure that its decision-making is appropriately informed. The governing body should: ensure that diverse inputs are provided to a rigorous, open and transparent decision-making process and that the results that can be achieved, options for achieving them and their implications are understood. § 6.8.3.2.1 ¶ 1 h)] | Leadership and high level objectives | Establish/Maintain Documentation | |
Include criteria for setting priorities in the decision-making criteria. CC ID 12938 [A process of reconciliation between seemingly opposed dimensions leads to more informed and robust decisions. Reconciling dilemmas requires a deliberate approach that includes: identifying the advantages and disadvantages of each; § 6.7.3.4 ¶ 2 c)] | Leadership and high level objectives | Establish/Maintain Documentation | |
Align organizational objectives with compliance objectives in the decision-making criteria. CC ID 12847 [To ensure that the organization is acting in a socially responsible way, the governing body should: steer the organization such that its decision-making and activities are consistent with the organizational purpose, organizational values and governance policies, including considering how stakeholders can report a breach in behaviour (e.g. via whistleblowing); § 6.10.3 ¶ 1 f) When applying the governance principles and deciding how to appropriately implement the practices, the governing body should take into consideration the unique and dynamic nature of the organization and its context, including the following: functional requirements of the organizational governance framework. § 5 ¶ 5 Bullet 7 The governing body should ensure that: the organizational purpose is core to its governance practices, deliberations and decision-making; § 6.1.3.2 ¶ 2 Bullet 3 Having defined the organizational values, the governing body should ensure that these organizational values are being demonstrated and are an active part of decision-making. The governing body should use these organizational values to determine the manner in which the organizational purpose is to be pursued and the value generation objectives are to be achieved (see 6.2). The governing body remains responsible for ensuring that the organizational values are monitored and reviewed, and should assess whether the organizational values remain aligned to, and support, the organizational purpose. The effectiveness of the organizational values will be evident in the culture of the organization. § 6.1.3.3 ¶ 2 Ensure that diversity and inclusion are understood and incorporated into all organizational decision-making by including factors such as gender, age, ethnicity, sexual orientation, education, perspectives, nationality, disability and beliefs. Table 2 Column 2 Row 5 Bullet 1 The governing body should oversee the organization's management of risk (see 6.4), ensuring that: decision-making behaviours are informed by risk assessment outcomes and are consistent with governance policies; § 6.9.3.4 ¶ 1 g)] | Leadership and high level objectives | Process or Activity | |
Align organizational objectives with performance targets in the decision-making criteria. CC ID 12843 [Ethical and effective leadership is demonstrated when the governing body: sets expectations for the organization using robust decision-making processes (see 6.8.3); § 6.7.3.1 ¶ 3 Bullet 1 Furthermore, the governing body, and its members, should demonstrate commitment to the organizational purpose and values by leading the organization to fulfil its organizational purpose and behaving in accordance with the organizational values. § 6.1.3.4 ¶ 3] | Leadership and high level objectives | Process or Activity | |
Align organizational objectives with the acceptable residual risk in the decision-making criteria. CC ID 12841 | Leadership and high level objectives | Process or Activity | |
Create additional decision-making criteria to achieve organizational objectives, as necessary. CC ID 12948 | Leadership and high level objectives | Process or Activity | |
Involve knowledgeable and experienced individuals in the decision-making process. CC ID 06915 [The governing body should make decisions of requisite quality and ensure that its decision-making is appropriately informed. The governing body should: § 6.8.3.2.1 ¶ 1 The governing body should make decisions of requisite quality and ensure that its decision-making is appropriately informed. The governing body should: ensure that diverse inputs are provided to a rigorous, open and transparent decision-making process and that the results that can be achieved, options for achieving them and their implications are understood. § 6.8.3.2.1 ¶ 1 h) The governing body should steer the organizational strategy by means of: reserving some decisions for the governing body (those which materially or fundamentally impact the organization as a whole) and delegating others; § 6.3.3.2.2 ¶ 2 e)] | Leadership and high level objectives | Behavior | |
Take actions in accordance with the decision-making criteria. CC ID 12909 [The governing body should make decisions of requisite quality and ensure that its decision-making is appropriately informed. The governing body should: ensure that there is commitment to support the collective decision, to clearly record it and to act on it; § 6.8.3.2.1 ¶ 1 b) The governing body should make decisions of requisite quality and ensure that its decision-making is appropriately informed. The governing body should: ensure that diverse inputs are provided to a rigorous, open and transparent decision-making process and that the results that can be achieved, options for achieving them and their implications are understood. § 6.8.3.2.1 ¶ 1 h) A process of reconciliation between seemingly opposed dimensions leads to more informed and robust decisions. Reconciling dilemmas requires a deliberate approach that includes: mapping an associated action plan. § 6.7.3.4 ¶ 2 e)] | Leadership and high level objectives | Process or Activity | |
Document and evaluate the decision outcomes from the decision-making process. CC ID 06918 [The governing body should make decisions of requisite quality and ensure that its decision-making is appropriately informed. The governing body should: ensure that there is commitment to support the collective decision, to clearly record it and to act on it; § 6.8.3.2.1 ¶ 1 b) When delegating, the governing body should delegate in a manner which increases trust and transparency. For delegation and accountability (see 6.5) to be effective, the governing body should ensure that the following conditions are fulfilled: expected outcomes are negotiated, specified and agreed; § 4.2.2 ¶ 2 a)] | Leadership and high level objectives | Establish/Maintain Documentation | |
Disseminate and communicate the decision management strategy to all interested personnel and affected parties. CC ID 13991 [Be open about decisions and activities that affect the natural environment, society and the economy, and be willing to communicate these in a clear, accurate, timely, honest and complete manner. Table 2 Column 2 Row 4 Bullet 1] | Leadership and high level objectives | Communicate | |
Establish, implement, and maintain an information technology process framework. CC ID 13648 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include maturity models in the Information Technology process framework. CC ID 13652 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include relationships between Information Technology process structures in the Information Technology process framework. CC ID 13651 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include Information Technology process structures in the Information Technology process framework. CC ID 13650 | Leadership and high level objectives | Establish/Maintain Documentation | |
Establish, implement, and maintain a tactical plan. CC ID 12785 [The governing body should provide the organization with an understanding of its intentions by setting clear strategic outcomes and guidance on the organizational strategy to achieve these outcomes, which it has determined will fulfil the organizational purpose and value generation objectives. § 6.3.3.1.1 ¶ 1] | Leadership and high level objectives | Establish/Maintain Documentation | |
Include acting with integrity in the tactical plan. CC ID 12871 | Leadership and high level objectives | Establish/Maintain Documentation | |
Establish, implement, and maintain a Strategic Information Technology Plan. CC ID 00628 [The governing body should provide direction for, and have sufficient oversight of, the use of data and its supporting information technology to ensure the organization remains within its established risk appetite and organizational risk framework. This can include: § 6.8.3.4 ¶ 2 The governing body should provide direction for, and have sufficient oversight of, the use of data and its supporting information technology to ensure the organization remains within its established risk appetite and organizational risk framework. This can include: ensuring that human behaviour is considered when applying information technology, including safety, fit for purpose and alignment with the organizational purpose; § 6.8.3.4 ¶ 2 e) The governing body should provide direction for, and have sufficient oversight of, the use of data and its supporting information technology to ensure the organization remains within its established risk appetite and organizational risk framework. This can include: innovation processes to ensure that changes in information technology can quickly be assessed and, if necessary and appropriate, governance policies can be updated to leverage new opportunities; § 6.8.3.4 ¶ 2 d)] | Leadership and high level objectives | Establish/Maintain Documentation | |
Include the Information Governance Plan in the Strategic Information Technology Plan. CC ID 10053 [The recognition that data can be a strategic asset (or liability) means that the governing body should: acknowledge the complexities and growing importance of data and establish governance policies and direction that aligns with the organization's needs and the degree of change required; § 6.8.3.3 ¶ 1 c) The recognition that data can be a strategic asset (or liability) means that the governing body should: ensure that the information requirements of the organization are sufficiently supported by its current and future technology capabilities; § 6.8.3.3 ¶ 1 d)] | Leadership and high level objectives | Establish/Maintain Documentation | |
Engage information governance subject matter experts in the development of the Information Governance Plan. CC ID 10055 | Leadership and high level objectives | Human Resources Management | |
Include the transparency goals in the Information Governance Plan. CC ID 10056 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include the information integrity goals in the Information Governance Plan. CC ID 10057 [To demonstrate accountability, the governing body should ensure that the organization's reports and disclosures: give confidence in the integrity of the information used, e.g. describing assurance processes applied (see 6.4); § 6.5.3.2 ¶ 1 e)] | Leadership and high level objectives | Establish/Maintain Documentation | |
Include business continuity objectives in the Strategic Information Technology Plan. CC ID 06496 | Leadership and high level objectives | Establish/Maintain Documentation | |
Align business continuity objectives with the business continuity policy. CC ID 12408 | Leadership and high level objectives | Establish/Maintain Documentation | |
Mirror the organization's business strategy during Information Technology planning in the Strategic Information Technology Plan. CC ID 00630 [The governing body should provide direction for, and have sufficient oversight of, the use of data and its supporting information technology to ensure the organization remains within its established risk appetite and organizational risk framework. This can include: ensuring that human behaviour is considered when applying information technology, including safety, fit for purpose and alignment with the organizational purpose; § 6.8.3.4 ¶ 2 e)] | Leadership and high level objectives | Business Processes | |
Incorporate protecting restricted information from unauthorized information flow or unauthorized disclosure into the Strategic Information Technology Plan. CC ID 06491 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include the references to the organization's Information Technology systems in the Strategic Information Technology Plan, as necessary. CC ID 13959 | Leadership and high level objectives | Establish/Maintain Documentation | |
Establish, implement, and maintain tactical Information Technology plans in support of the Strategic Information Technology Plan. CC ID 00632 | Leadership and high level objectives | Establish/Maintain Documentation | |
Establish, implement, and maintain tactical Information Technology plans derived from the Strategic Information Technology Plan. CC ID 01609 | Leadership and high level objectives | Establish/Maintain Documentation | |
Document how each Information Technology project plan directly or indirectly supports the Strategic Information Technology Plan. CC ID 06497 | Leadership and high level objectives | Establish/Maintain Documentation | |
Document the business case and return on investment in each Information Technology project plan. CC ID 06846 | Leadership and high level objectives | Establish/Maintain Documentation | |
Escalate for management authorization any proposed projects where effective use of existing resources is overlooked. CC ID 06848 | Leadership and high level objectives | Business Processes | |
Document all desired outcomes for a proposed project in the Information Technology project plan. CC ID 06916 | Leadership and high level objectives | Establish/Maintain Documentation | |
Document the success criteria for the proposed project in the Information Technology project plan. CC ID 06917 | Leadership and high level objectives | Establish/Maintain Documentation | |
Assign senior management to approve business cases. CC ID 13068 | Leadership and high level objectives | Human Resources Management | |
Include milestones for each project phase in the Information Technology project plan. CC ID 12621 | Leadership and high level objectives | Establish/Maintain Documentation | |
Establish, implement, and maintain a counterterror protective security plan. CC ID 06862 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include communications and awareness activities in the counterterror protective security plan. CC ID 06863 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include the protective security measures to implement after a change in the government response level in the counterterror protective security plan. CC ID 06864 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include a search plan in the counterterror protective security plan. CC ID 06865 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include an evacuation plan in the counterterror protective security plan. CC ID 06940 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include a continuity plan in the counterterror protective security plan. CC ID 07031 | Leadership and high level objectives | Establish/Maintain Documentation | |
Establish, implement, and maintain Information Technology projects in support of the Strategic Information Technology Plan. CC ID 13673 | Leadership and high level objectives | Establish/Maintain Documentation | |
Disseminate and communicate the Information Technology Plans to all interested personnel and affected parties. CC ID 00633 | Leadership and high level objectives | Establish/Maintain Documentation | |
Establish and maintain an Information Technology plan status report that covers both Strategic Information Technology Plans and tactical Information Technology plans. CC ID 06839 | Leadership and high level objectives | Actionable Reports or Measurements | |
Include key personnel status changes in the Information Technology Plan status reports. CC ID 06840 | Leadership and high level objectives | Actionable Reports or Measurements | |
Include significant security risks in the Information Technology Plan status reports. CC ID 06939 | Leadership and high level objectives | Actionable Reports or Measurements | |
Include significant risk mitigations in the Information Technology Plan status reports. CC ID 06841 | Leadership and high level objectives | Actionable Reports or Measurements | |
Review and approve the Strategic Information Technology Plan at the level of senior management or the Board of Directors. CC ID 13094 | Leadership and high level objectives | Human Resources Management | |
Establish, implement, and maintain a Governance, Risk, and Compliance awareness and training program. CC ID 06492 [Governing body members should continuously improve their competency regarding the organization's activities, legal requirements and, more broadly, the organization's context. This improving capability, together with regular reviews of governance practices, should ensure a continually improving governance environment. § 4.3.2 ¶ 1 {individual} The governing body should steer the organizational strategy by means of: monitoring, evaluating and developing the capacities and competencies of those to whom the governing body has delegated; § 6.3.3.2.2 ¶ 2 g)] | Leadership and high level objectives | Business Processes | |
Establish and maintain a rapport with business and technical communities throughout the organization to promote the value and importance of Information Security. CC ID 06493 | Leadership and high level objectives | Behavior | |
Establish, implement, and maintain a financial management program. CC ID 13228 [To exercise effective oversight, the governing body should: ensure that an internal control system is implemented, including a risk management system, a compliance management system and a system of financial controls; § 6.4.3.1 ¶ 1 b) {be financially sound} The governing body should oversee organizational performance by assessing and taking corrective action based on: the organization's financial results and financial resources, ensuring that the organization remains financially sound; § 6.4.3.2 ¶ 1 f)] | Leadership and high level objectives | Establish/Maintain Documentation | |
Establish, implement, and maintain funds transfer procedures. CC ID 16754 | Leadership and high level objectives | Establish/Maintain Documentation | |
Provide required information that is missing from a funds transfer to the responsible party. CC ID 16761 | Leadership and high level objectives | Communicate | |
Return the funds from a funds transfer when required information is not received or discrepancies resolved. CC ID 16760 | Leadership and high level objectives | Business Processes | |
Delay the funds transfer until all required information has been received or discrepancies resolved. CC ID 16759 | Leadership and high level objectives | Business Processes | |
Refrain from making funds from a funds transfer available to the interested personnel until all required information is received. CC ID 16758 | Leadership and high level objectives | Business Processes | |
Attach the required information to each funds transfer. CC ID 16756 | Leadership and high level objectives | Business Processes | |
Establish, implement, and maintain protective measures for customers from a bank's insolvency or default. CC ID 16738 | Leadership and high level objectives | Business Processes | |
Test the protective measures for effectiveness to prevent financial impact to responsible parties. CC ID 16750 | Leadership and high level objectives | Testing | |
Include communication protocols in the financial management program. CC ID 16763 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include ongoing monitoring in the financial management program. CC ID 16762 | Leadership and high level objectives | Process or Activity | |
Employ tools to manage settlement and funding flows. CC ID 16743 | Leadership and high level objectives | Process or Activity | |
Refrain from setting up anonymous financial accounts. CC ID 16721 | Leadership and high level objectives | Business Processes | |
Identify and maintain positions in financial accounts. CC ID 16751 | Leadership and high level objectives | Business Processes | |
Establish, implement, and maintain a financial products and services disclosure policy. CC ID 16717 | Leadership and high level objectives | Establish/Maintain Documentation | |
Require acknowledgment of receipt from the customer in the financial products and services disclosure policy. CC ID 16725 | Leadership and high level objectives | Establish/Maintain Documentation | |
Establish, implement, and maintain a subsidiary compliance program. CC ID 16694 | Leadership and high level objectives | Process or Activity | |
Establish, implement, and maintain financial resource management procedures. CC ID 16642 | Leadership and high level objectives | Establish/Maintain Documentation | |
Document the rationale for the amount of financial resources being held. CC ID 16688 | Leadership and high level objectives | Establish/Maintain Documentation | |
Supplement financial resources, as necessary. CC ID 16685 | Leadership and high level objectives | Business Processes | |
Establish, implement, and maintain collateral procedures. CC ID 16653 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include the use of appropriate models in the collateral procedures. CC ID 16687 | Leadership and high level objectives | Establish/Maintain Documentation | |
Define the collateral requirements in the collateral procedures. CC ID 16686 | Leadership and high level objectives | Establish/Maintain Documentation | |
Test the collateral requirements for appropriateness. CC ID 16681 | Leadership and high level objectives | Testing | |
Limit the types of assets accepted as collateral. CC ID 16602 | Leadership and high level objectives | Business Processes | |
Avoid the use of concentrated holdings of assets. CC ID 16651 | Leadership and high level objectives | Business Processes | |
Establish, implement, and maintain stress test plans for financial resources. CC ID 16644 | Leadership and high level objectives | Testing | |
Include stress scenarios in the stress test plan. CC ID 16659 | Leadership and high level objectives | Testing | |
Perform stress testing in accordance with the stress test plan. CC ID 16652 | Leadership and high level objectives | Testing | |
Disseminate and communicate the results of stress testing to interested personnel and affected parties. CC ID 16630 | Leadership and high level objectives | Communicate | |
Identify and document the financial resources available for use. CC ID 16643 | Leadership and high level objectives | Establish/Maintain Documentation | |
Establish, implement, and maintain credit loss procedures. CC ID 16683 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include the allocation of credit losses in the credit loss procedures. CC ID 16684 | Leadership and high level objectives | Establish/Maintain Documentation | |
Establish, implement, and maintain a securities trading program. CC ID 16626 | Leadership and high level objectives | Business Processes | |
Include fairness and equitability standards in the securities trading program. CC ID 16690 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include roles and responsibilities in the securities trading program. CC ID 16689 | Leadership and high level objectives | Establish/Maintain Documentation | |
Establish, implement, and maintain a capital restoration plan. CC ID 16613 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include performance guarantees in the capital restoration plan. CC ID 16616 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include corrective actions taken in the capital restoration plan. CC ID 16612 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include required information in the capital restoration plan. CC ID 16609 | Leadership and high level objectives | Establish/Maintain Documentation | |
Establish, implement, and maintain valuation procedures. CC ID 16634 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include investment information in approval requests for investments. CC ID 16590 | Leadership and high level objectives | Business Processes | |
Establish, implement, and maintain capital withdrawal requirements. CC ID 16576 | Leadership and high level objectives | Establish/Maintain Documentation | |
Establish, implement, and maintain lending policies. CC ID 16608 | Leadership and high level objectives | Establish/Maintain Documentation | |
Align the lending policy with the organization's risk acceptance level. CC ID 16716 | Leadership and high level objectives | Process or Activity | |
Include the requirements for risk assessments in the lending policy. CC ID 16730 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include the requirements for sensitivity analyses in the lending policy. CC ID 16728 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include the requirements for feasibility studies in the lending policy. CC ID 16726 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include pricing structures in the lending policy. CC ID 16724 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include monitoring requirements in the lending policy. CC ID 16710 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include loan origination procedures in the lending policy. CC ID 16709 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include review procedures and approval procedures for exception loans in the lending policy. CC ID 16708 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include loan requirements in the lending policy. CC ID 16706 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include appraisals and evaluations in the lending policy. CC ID 16705 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include terms and conditions in the lending policy. CC ID 16695 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include the scope and distribution of loans in the lending policy. CC ID 16693 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include geographic areas in the lending policy. CC ID 16691 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include underwriting guidelines in the lending policy. CC ID 16619 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include credit review in the underwriting guidelines. CC ID 16765 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include loan-to-value ratio limits in the lending policy. CC ID 16618 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include documentation requirements in the lending policy. CC ID 16617 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include the purpose of the loan in the loan documentation. CC ID 16747 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include the source of repayment in the loan documentation. CC ID 16746 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include approval requirements in the lending policy. CC ID 16615 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include reporting requirements in the lending policy. CC ID 16614 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include loan portfolio diversification standards in the lending policy. CC ID 16611 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include loan administration procedures in the lending policy. CC ID 16610 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include loan participation agreements in the loan administration procedures. CC ID 16745 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include termination procedures in the loan participation agreement. CC ID 16753 | Leadership and high level objectives | Establish/Maintain Documentation | |
Justify the safety and efficiency of the participation requirements in the loan participation agreement. CC ID 16752 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include servicing agreements in the loan administration procedures. CC ID 16744 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include claims processing in the loan administration procedures. CC ID 16742 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include forbearance management in the loan administration procedures. CC ID 16741 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include foreclosure management in the loan administration procedures. CC ID 16740 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include delinquency management in the loan administration procedures. CC ID 16739 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include customer due diligence in the loan administration procedures. CC ID 16736 | Leadership and high level objectives | Process or Activity | |
Include the requirements for financial statements in the loan administration procedures. CC ID 16735 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include loan closing in the loan administration procedures. CC ID 16734 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include payoff statements in the loan administration procedures. CC ID 16733 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include payment processing in the loan administration procedures. CC ID 16732 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include loan reviews in the loan administration procedures. CC ID 16703 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include collections in the loan administration procedures. CC ID 16701 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include collateral inspections in the loan administration procedures. CC ID 16699 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include disbursements in the loan administration procedures. CC ID 16697 | Leadership and high level objectives | Establish/Maintain Documentation | |
Review and approve lending policies. CC ID 16607 | Leadership and high level objectives | Business Processes | |
Establish, implement, and maintain a dividend policy. CC ID 16569 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include compliance requirements in the dividend policy. CC ID 16570 | Leadership and high level objectives | Establish/Maintain Documentation | |
Establish, implement, and maintain margin systems. CC ID 16601 | Leadership and high level objectives | Business Processes | |
Include valuation models in the margin system. CC ID 16663 | Leadership and high level objectives | Data and Information Management | |
Include procedures for collecting price data in the margin system. CC ID 16662 | Leadership and high level objectives | Data and Information Management | |
Include reliable sources for price data in the margin system. CC ID 16661 | Leadership and high level objectives | Data and Information Management | |
Establish, implement, and maintain capital adequacy measures. CC ID 16568 | Leadership and high level objectives | Business Processes | |
Establish, implement, and maintain escrow procedures for financial transactions. CC ID 16564 | Leadership and high level objectives | Establish/Maintain Documentation | |
Disseminate and communicate the escrow procedures to interested personnel and affected parties. CC ID 16565 | Leadership and high level objectives | Communicate | |
Establish, implement, and maintain a Capital Planning and Investment Control policy. CC ID 06279 [The governing body should oversee organizational performance by assessing and taking corrective action based on: the organization's responsible (which includes ethical) use of, and adequate investment in, technology including, for example, artificial intelligence and cyber security; § 6.4.3.2 ¶ 1 i)] | Leadership and high level objectives | Establish/Maintain Documentation | |
Include risk management in the Capital Planning and Investment Control policy. CC ID 16764 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include debt rating requirements in the Capital Planning and Investment Control policy. CC ID 16692 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include divestiture requirements in the Capital Planning and Investment Control policy. CC ID 16591 | Leadership and high level objectives | Establish/Maintain Documentation | |
Establish, implement, and maintain a recordkeeping system for securities transactions. CC ID 16631 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include order tickets in the recordkeeping system for securities transactions. CC ID 16640 | Leadership and high level objectives | Data and Information Management | |
Include receipts and deliveries of securities in the recordkeeping system for securities transactions. CC ID 16650 | Leadership and high level objectives | Data and Information Management | |
Include debits and credits in the recordkeeping system for securities transactions. CC ID 16639 | Leadership and high level objectives | Data and Information Management | |
Include a description of the transaction in the recordkeeping system for securities transactions. CC ID 16645 | Leadership and high level objectives | Data and Information Management | |
Include chronological records of transactions in the recordkeeping system for securities transactions. CC ID 16638 | Leadership and high level objectives | Data and Information Management | |
Include the name of the dealer in the recordkeeping system for securities transactions. CC ID 16637 | Leadership and high level objectives | Data and Information Management | |
Include the execution price in the recordkeeping system for securities transactions. CC ID 16636 | Leadership and high level objectives | Data and Information Management | |
Include the date and time of the transaction in the recordkeeping system for securities transactions. CC ID 16635 | Leadership and high level objectives | Data and Information Management | |
Include the type of transaction in the recordkeeping system for securities transactions. CC ID 16633 | Leadership and high level objectives | Data and Information Management | |
Include account information in the recordkeeping system for securities transactions. CC ID 16632 | Leadership and high level objectives | Data and Information Management | |
Establish, implement, and maintain securities transaction notifications. CC ID 16600 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include the call date in the securities transaction notification. CC ID 16680 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include service charges and commissions in the securities transaction notification. CC ID 16702 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include the funds and securities in the possession of the organization in the securities transaction notification. CC ID 16679 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include the call price in the securities transaction notification. CC ID 16678 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include debits and credits in the securities transaction notification. CC ID 16677 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include transactions in the securities transaction notification. CC ID 16676 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include the credit rating of securities in the securities transaction notification. CC ID 16674 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include yield information in the securities transaction notification. CC ID 16673 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include redemption information in the securities transaction notification. CC ID 16672 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include the price calculated from the yield in the securities transaction notification. CC ID 16669 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include the type of call in the securities transaction notification. CC ID 16668 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include an account statement in the securities transaction notification. CC ID 16666 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include the yield to maturity in the securities transaction notification. CC ID 16665 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include the execution price in the securities transaction notification. CC ID 16664 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include the organization's role in the securities transaction notification. CC ID 16646 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include the name of the broker in the securities transaction notification. CC ID 16647 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include the name of the customer in the securities transaction notification. CC ID 16625 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include the organization's name in the securities transaction notification. CC ID 16624 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include confirmations in the securities transaction notification. CC ID 16623 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include remunerations in the securities transaction notification. CC ID 16622 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include requested information in the securities transaction notification. CC ID 16641 | Leadership and high level objectives | Establish/Maintain Documentation | |
Disseminate and communicate securities transaction notifications to interested personnel and affected parties. CC ID 16621 | Leadership and high level objectives | Communicate | |
Include the execution date in the securities transaction notification. CC ID 16620 | Leadership and high level objectives | Establish/Maintain Documentation | |
Establish, implement, and maintain financial reports. CC ID 14770 [The governing body should demonstrate accountability by retaining and distributing value in a transparent manner and reporting on the associated processes, decisions and results, including on the extent of the organization's impacts over time. This includes disclosing to relevant stakeholders where the organization has destroyed or compromised value, providing a justification for such where appropriate, and describing how it will redress or reinstate that value. § 6.2.3.5 ¶ 2] | Leadership and high level objectives | Establish/Maintain Documentation | |
Structure financial reports in accordance with external requirements, as necessary. CC ID 14776 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include the report of independent Certified Public Accountants in the financial report. CC ID 14779 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include the business need justification for lost value in the financial report. CC ID 15588 [The governing body should demonstrate accountability by retaining and distributing value in a transparent manner and reporting on the associated processes, decisions and results, including on the extent of the organization's impacts over time. This includes disclosing to relevant stakeholders where the organization has destroyed or compromised value, providing a justification for such where appropriate, and describing how it will redress or reinstate that value. § 6.2.3.5 ¶ 2] | Leadership and high level objectives | Establish/Maintain Documentation | |
Disseminate and communicate the financial report to interested personnel and affected parties. CC ID 16342 | Leadership and high level objectives | Communicate | |
Include financial statements in the financial report, as necessary. CC ID 14775 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include capital deductions and adjustments in the financial statement. CC ID 16667 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include earnings per share or loss per share in the financial statement. CC ID 16597 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include material contingencies in the financial statement. CC ID 16596 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include notes to financial statements in the financial report, as necessary. CC ID 14780 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include information on loans to small businesses and small farms in the call report. CC ID 16731 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include assets and liabilities in the call report. CC ID 16729 | Leadership and high level objectives | Establish/Maintain Documentation | |
Disseminate and communicate the call report to interested personnel and affected parties. CC ID 16727 | Leadership and high level objectives | Communicate | |
Monitor all outbound traffic from all systems. CC ID 12970 | Monitoring and measurement | Monitor and Evaluate Occurrences | |
Establish, implement, and maintain intrusion management operations. CC ID 00580 | Monitoring and measurement | Monitor and Evaluate Occurrences | |
Monitor systems for unauthorized data transfers. CC ID 12971 | Monitoring and measurement | Monitor and Evaluate Occurrences | |
Address operational anomalies within the incident management system. CC ID 11633 | Monitoring and measurement | Audits and Risk Management | |
Incorporate an Identity Theft Prevention Program into the organization's incident management system. CC ID 11634 | Monitoring and measurement | Audits and Risk Management | |
Monitor systems for unauthorized mobile code. CC ID 10034 | Monitoring and measurement | Monitor and Evaluate Occurrences | |
Establish, implement, and maintain a risk monitoring program. CC ID 00658 [The governing body should ensure that the value generation objectives are delivered by the organization as a whole, by applying all other principles in this document. This includes ensuring that: the impacts of the organization's changing context are identified, understood, monitored and appropriate action is taken; § 6.2.3.4 ¶ 1 b) To ensure that the organization fulfils the organizational purpose and achieves the intended strategic outcomes, the governing body should: ensure that when the governing body makes decisions, it assesses, treats, monitors, and communicates the nature and extent of the risks faced; § 6.9.3.1 ¶ 2 b) The governing body should oversee the organization's management of risk (see 6.4), ensuring that: the organization assesses, treats, monitors and reviews risk in accordance with the established organizational risk framework; § 6.9.3.4 ¶ 1 d) The governing body should ensure that the value generation objectives are delivered by the organization as a whole, by applying all other principles in this document. This includes ensuring that: unintended outcomes are adequately identified, understood, monitored and appropriate action taken; § 6.2.3.4 ¶ 1 a)] | Monitoring and measurement | Establish/Maintain Documentation | |
Monitor the organization's exposure to threats, as necessary. CC ID 06494 | Monitoring and measurement | Monitor and Evaluate Occurrences | |
Implement a fraud detection system. CC ID 13081 | Monitoring and measurement | Business Processes | |
Monitor for new vulnerabilities. CC ID 06843 | Monitoring and measurement | Monitor and Evaluate Occurrences | |
Establish, implement, and maintain a compliance testing strategy. CC ID 00659 | Monitoring and measurement | Establish/Maintain Documentation | |
Establish, implement, and maintain a self-assessment approach as part of the compliance testing strategy. CC ID 12833 | Monitoring and measurement | Testing | |
Establish, implement, and maintain a system security plan. CC ID 01922 [{environmental system}{social system} The governing body should ensure that the organization protects and restores those systems on which it depends. In this regard, the governing body should consider and manage risk associated with those decisions it makes that can impact the natural environmental, social and economic systems (see 6.9). While doing so, the governing body should ensure that relevant stakeholders are consulted and engaged (see 6.6). This should provide clarity regarding the impact the governing body's decisions have, over time, on those aspects on which the organization is: § 6.11.3.4 ¶ 1] | Monitoring and measurement | Testing | |
Include a system description in the system security plan. CC ID 16467 | Monitoring and measurement | Establish/Maintain Documentation | |
Include a description of the operational context in the system security plan. CC ID 14301 | Monitoring and measurement | Establish/Maintain Documentation | |
Include the results of the security categorization in the system security plan. CC ID 14281 | Monitoring and measurement | Establish/Maintain Documentation | |
Include the information types in the system security plan. CC ID 14696 | Monitoring and measurement | Establish/Maintain Documentation | |
Include the security requirements in the system security plan. CC ID 14274 | Monitoring and measurement | Establish/Maintain Documentation | |
Include threats in the system security plan. CC ID 14693 | Monitoring and measurement | Establish/Maintain Documentation | |
Include network diagrams in the system security plan. CC ID 14273 | Monitoring and measurement | Establish/Maintain Documentation | |
Include roles and responsibilities in the system security plan. CC ID 14682 | Monitoring and measurement | Establish/Maintain Documentation | |
Include the results of the privacy risk assessment in the system security plan. CC ID 14676 | Monitoring and measurement | Establish/Maintain Documentation | |
Include remote access methods in the system security plan. CC ID 16441 | Monitoring and measurement | Establish/Maintain Documentation | |
Disseminate and communicate the system security plan to interested personnel and affected parties. CC ID 14275 | Monitoring and measurement | Communicate | |
Include a description of the operational environment in the system security plan. CC ID 14272 | Monitoring and measurement | Establish/Maintain Documentation | |
Include the security categorizations and rationale in the system security plan. CC ID 14270 | Monitoring and measurement | Establish/Maintain Documentation | |
Include the authorization boundary in the system security plan. CC ID 14257 | Monitoring and measurement | Establish/Maintain Documentation | |
Align the enterprise architecture with the system security plan. CC ID 14255 | Monitoring and measurement | Process or Activity | |
Include security controls in the system security plan. CC ID 14239 | Monitoring and measurement | Establish/Maintain Documentation | |
Create specific test plans to test each system component. CC ID 00661 | Monitoring and measurement | Establish/Maintain Documentation | |
Include the roles and responsibilities in the test plan. CC ID 14299 | Monitoring and measurement | Establish/Maintain Documentation | |
Include the assessment team in the test plan. CC ID 14297 | Monitoring and measurement | Establish/Maintain Documentation | |
Include the scope in the test plans. CC ID 14293 | Monitoring and measurement | Establish/Maintain Documentation | |
Include the assessment environment in the test plan. CC ID 14271 | Monitoring and measurement | Establish/Maintain Documentation | |
Approve the system security plan. CC ID 14241 | Monitoring and measurement | Business Processes | |
Review the test plans for each system component. CC ID 00662 | Monitoring and measurement | Establish/Maintain Documentation | |
Document validated testing processes in the testing procedures. CC ID 06200 | Monitoring and measurement | Establish/Maintain Documentation | |
Include error details, identifying the root causes, and mitigation actions in the testing procedures. CC ID 11827 | Monitoring and measurement | Establish/Maintain Documentation | |
Determine the appropriate assessment method for each testing process in the test plan. CC ID 00665 | Monitoring and measurement | Testing | |
Implement automated audit tools. CC ID 04882 | Monitoring and measurement | Acquisition/Sale of Assets or Services | |
Assign senior management to approve test plans. CC ID 13071 | Monitoring and measurement | Human Resources Management | |
Establish, implement, and maintain a compliance monitoring policy. CC ID 00671 [Governance of organizations is a human-based system by which an organization is directed, overseen and held accountable for achieving its defined organizational purpose. At its core this includes: overseeing that the organization performs and behaves according to the expectations set by the governing body; § 4.1 ¶ 3 d)] | Monitoring and measurement | Establish/Maintain Documentation | |
Establish, implement, and maintain a metrics policy. CC ID 01654 [The governing body should: set an expectation of the appropriate quality and quantity of measurement and timeliness of delivery when establishing objectives; § 4.3.2 ¶ 2 c)] | Monitoring and measurement | Establish/Maintain Documentation | |
Establish, implement, and maintain an approach for compliance monitoring. CC ID 01653 [Decision-making throughout the organization should be supported by appropriate delegation (see 4.2.2). This delegation should be formalized together with appropriate assurance processes. Additionally, the governing body should ensure that: information structures, including access to information, monitoring and potential mitigation of incorrect decisions are sufficient to ensure compliance with organizational requirements. § 6.8.3.2.2 ¶ 1 c)] | Monitoring and measurement | Establish/Maintain Documentation | |
Establish, implement, and maintain risk management metrics. CC ID 01656 | Monitoring and measurement | Establish/Maintain Documentation | |
Identify information being used to support the performance of the governance, risk, and compliance capability. CC ID 12866 | Monitoring and measurement | Business Processes | |
Identify information being used to support performance reviews for risk optimization. CC ID 12865 | Monitoring and measurement | Audits and Risk Management | |
Identify and document instances of non-compliance with the compliance framework. CC ID 06499 [Recognize failures and mistakes and take appropriate action. Table 2 Column 2 Row 2 Bullet 5] | Monitoring and measurement | Establish/Maintain Documentation | |
Identify and document events surrounding non-compliance with the organizational compliance framework. CC ID 12935 | Monitoring and measurement | Establish/Maintain Documentation | |
Align disciplinary actions with the level of compliance violation. CC ID 12404 | Monitoring and measurement | Human Resources Management | |
Establish, implement, and maintain disciplinary action notices. CC ID 16577 | Monitoring and measurement | Establish/Maintain Documentation | |
Include a copy of the order in the disciplinary action notice. CC ID 16606 | Monitoring and measurement | Establish/Maintain Documentation | |
Include the sanctions imposed in the disciplinary action notice. CC ID 16599 | Monitoring and measurement | Establish/Maintain Documentation | |
Include the effective date of the sanctions in the disciplinary action notice. CC ID 16589 | Monitoring and measurement | Establish/Maintain Documentation | |
Include the requirements that were violated in the disciplinary action notice. CC ID 16588 | Monitoring and measurement | Establish/Maintain Documentation | |
Include responses to charges from interested personnel and affected parties in the disciplinary action notice. CC ID 16587 | Monitoring and measurement | Establish/Maintain Documentation | |
Include the reasons for imposing sanctions in the disciplinary action notice. CC ID 16586 | Monitoring and measurement | Establish/Maintain Documentation | |
Disseminate and communicate the disciplinary action notice to interested personnel and affected parties. CC ID 16585 | Monitoring and measurement | Communicate | |
Include required information in the disciplinary action notice. CC ID 16584 | Monitoring and measurement | Establish/Maintain Documentation | |
Include a justification for actions taken in the disciplinary action notice. CC ID 16583 | Monitoring and measurement | Establish/Maintain Documentation | |
Include a statement on the conclusions of the investigation in the disciplinary action notice. CC ID 16582 | Monitoring and measurement | Establish/Maintain Documentation | |
Include the investigation results in the disciplinary action notice. CC ID 16581 | Monitoring and measurement | Establish/Maintain Documentation | |
Include a description of the causes of the actions taken in the disciplinary action notice. CC ID 16580 | Monitoring and measurement | Establish/Maintain Documentation | |
Include the name of the person responsible for the charges in the disciplinary action notice. CC ID 16579 | Monitoring and measurement | Establish/Maintain Documentation | |
Include contact information in the disciplinary action notice. CC ID 16578 | Monitoring and measurement | Establish/Maintain Documentation | |
Establish, implement, and maintain compliance program metrics. CC ID 11625 | Monitoring and measurement | Monitor and Evaluate Occurrences | |
Establish, implement, and maintain a security program metrics program. CC ID 01660 | Monitoring and measurement | Establish/Maintain Documentation | |
Establish, implement, and maintain a key management roles metrics standard. CC ID 11631 [To demonstrate accountability, the governing body should ensure that the organization's reports and disclosures: provide information about the governing body itself, including: decisions, actions, performance and improvements; § 6.5.3.2 ¶ 1 b) 1)] | Monitoring and measurement | Establish/Maintain Documentation | |
Establish, implement, and maintain a key stakeholder metrics program. CC ID 01661 [{individual}To demonstrate accountability, the governing body should ensure that the organization's reports and disclosures: provide information about the organization, including: those who can influence the decisions of the governing body (such as member stakeholders, reference stakeholders and other stakeholders who can exert a controlling influence) and the nature and level of influence; § 6.5.3.2 ¶ 1 c) 4) The governing body should oversee organizational performance by assessing and taking corrective action based on: managerial reporting and performance, ensuring that it appraises results against applicable measurement criteria and its intentions and expectations (see 6.3.3); § 6.4.3.2 ¶ 1 b)] | Monitoring and measurement | Establish/Maintain Documentation | |
Establish, implement, and maintain a supply chain member metrics program. CC ID 01662 | Monitoring and measurement | Establish/Maintain Documentation | |
Report on the Service Level Agreement performance of supply chain members. CC ID 06838 | Monitoring and measurement | Actionable Reports or Measurements | |
Establish, implement, and maintain a Business Continuity metrics program. CC ID 01663 | Monitoring and measurement | Establish/Maintain Documentation | |
Establish, implement, and maintain an audit metrics program. CC ID 01664 | Monitoring and measurement | Establish/Maintain Documentation | |
Establish, implement, and maintain an Information Security metrics program. CC ID 01665 | Monitoring and measurement | Establish/Maintain Documentation | |
Establish, implement, and maintain a metrics standard and template. CC ID 02157 [The governing body should ensure that it sets parameters, within which the value generation objectives are to be achieved. These parameters should ensure that the organization: § 6.2.3.3 ¶ 1 The governing body should steer the organizational strategy by means of: targets, key performance indicators (KPIs) and associated incentives, including financial remuneration (see 6.4.3); § 6.3.3.2.2 ¶ 2 i) Within the governing body: The governing body should set expectations for itself and the organization, including parameters within which these expectations are to be fulfilled. The governing body should fulfil these expectations (internal alignment). § 6.7.3.2 ¶ 1 a)] | Monitoring and measurement | Establish/Maintain Documentation | |
Monitor compliance with the Quality Control system. CC ID 01023 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of complaints received about products or delivered services. CC ID 07199 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of Quality Assurance attained by Quality Improvement practices. CC ID 07202 | Monitoring and measurement | Actionable Reports or Measurements | |
Establish, implement, and maintain an occupational health and safety management metrics program. CC ID 15915 | Monitoring and measurement | Establish/Maintain Documentation | |
Establish, implement, and maintain a policies and controls metrics program. CC ID 01666 | Monitoring and measurement | Establish/Maintain Documentation | |
Establish, implement, and maintain a security roles and responsibilities metrics program. CC ID 01667 | Monitoring and measurement | Establish/Maintain Documentation | |
Establish, implement, and maintain a role-based information access metrics program. CC ID 01668 | Monitoring and measurement | Establish/Maintain Documentation | |
Establish, implement, and maintain an information risk threshold metrics program. CC ID 01694 | Monitoring and measurement | Establish/Maintain Documentation | |
Monitor the supply chain for Information Assurance effectiveness. CC ID 02043 | Monitoring and measurement | Establish/Maintain Documentation | |
Establish, implement, and maintain an identification and classification of information assets metrics program. CC ID 02052 | Monitoring and measurement | Business Processes | |
Establish, implement, and maintain an Information Systems architecture metrics program. CC ID 02059 | Monitoring and measurement | Business Processes | |
Establish, implement, and maintain a physical environment metrics program. CC ID 02063 | Monitoring and measurement | Business Processes | |
Establish, implement, and maintain a privacy metrics program. CC ID 15494 | Monitoring and measurement | Establish/Maintain Documentation | |
Establish, implement, and maintain environmental management system performance metrics. CC ID 15191 | Monitoring and measurement | Actionable Reports or Measurements | |
Establish, implement, and maintain waste management metrics. CC ID 16152 | Monitoring and measurement | Actionable Reports or Measurements | |
Establish, implement, and maintain emissions management metrics. CC ID 16145 | Monitoring and measurement | Actionable Reports or Measurements | |
Establish, implement, and maintain financial management metrics. CC ID 16749 | Monitoring and measurement | Actionable Reports or Measurements | |
Establish, implement, and maintain a technical measurement metrics policy. CC ID 01655 | Monitoring and measurement | Establish/Maintain Documentation | |
Establish, implement, and maintain a user identification and authentication metrics program. CC ID 02073 | Monitoring and measurement | Business Processes | |
Establish, implement, and maintain a user account management metrics program. CC ID 02075 | Monitoring and measurement | Business Processes | |
Establish, implement, and maintain a user and administrator privilege management metrics program. CC ID 02076 | Monitoring and measurement | Actionable Reports or Measurements | |
Establish, implement, and maintain a Configuration Management metrics program. CC ID 02077 | Monitoring and measurement | Business Processes | |
Establish, implement, and maintain a Security Information and Event Management metrics program. CC ID 02078 | Monitoring and measurement | Log Management | |
Establish, implement, and maintain a communications, e-mail, and remote access security management metrics program. CC ID 02079 | Monitoring and measurement | Business Processes | |
Establish, implement, and maintain a malicious code protection management metrics program. CC ID 02080 | Monitoring and measurement | Business Processes | |
Establish, implement, and maintain a software change management metrics program. CC ID 02081 | Monitoring and measurement | Business Processes | |
Establish, implement, and maintain a network management and firewall management metrics program. CC ID 02082 | Monitoring and measurement | Business Processes | |
Establish, implement, and maintain a data encryption management metrics program. CC ID 02083 | Monitoring and measurement | Business Processes | |
Establish, implement, and maintain a backup management and recovery management metrics program. CC ID 02084 | Monitoring and measurement | Business Processes | |
Establish, implement, and maintain an incident management and vulnerability management metrics program. CC ID 02085 | Monitoring and measurement | Business Processes | |
Delay the reporting of incident management metrics, as necessary. CC ID 15501 | Monitoring and measurement | Communicate | |
Establish, implement, and maintain an Electronic Health Records measurement metrics program. CC ID 06221 | Monitoring and measurement | Establish/Maintain Documentation | |
Report on the percentage of unique patients who had at least one medication entered using the Computerized Provider Order Entry system. CC ID 06222 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of unique patients who have diagnoses recorded as structured data into the current and active diagnoses problem list. CC ID 06223 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of permissible prescriptions that are transmitted electronically. CC ID 06224 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of unique patients who have at least one entry recorded as structured data into the active medication list. CC ID 06225 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of unique patients who have at least one entry recorded as structured data into the active medication allergy list. CC ID 06226 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of unique patients who have demographics recorded as structured data. CC ID 06227 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of unique patients over the age of 2 who have their height, weight, and blood pressure recorded as structured data. CC ID 06228 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of unique patients over the age of 13 who have their smoking status recorded as structured data. CC ID 06229 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of patients who are given an electronic copy of their Individually Identifiable Health Information not later than three business days after Individually Identifiable Health Information is requested. CC ID 06230 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of patients who are given clinical summaries not later than three business days after a physician office visit. CC ID 06231 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of lab test results that are incorporated into the Electronic Health Records as structured data. CC ID 06232 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of patients sixty-five years of age or older or five years of age or younger who were sent a reminder. CC ID 06233 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of unique patients who are given electronic access to their Individually Identifiable Health Information not later than four business days after their Individually Identifiable Health Information is updated. CC ID 06234 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of unique patients who are given patient-specific education resources. CC ID 06235 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of medication reconciliations that are performed if a patient is received from another setting or healthcare provider. CC ID 06236 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of summary of care records that are provided for transitions of care or referrals for patients who are transitioned or referred to another setting or healthcare provider. CC ID 06237 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of patients who receive their discharge instructions if discharge instructions are requested. CC ID 06238 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of patients 65 years of age or older who have an indication of advance directive status recorded as structured data. CC ID 06239 | Monitoring and measurement | Actionable Reports or Measurements | |
Establish, implement, and maintain a log management program. CC ID 00673 | Monitoring and measurement | Establish/Maintain Documentation | |
Deploy log normalization tools, as necessary. CC ID 12141 | Monitoring and measurement | Technical Security | |
Restrict access to logs to authorized individuals. CC ID 01342 | Monitoring and measurement | Log Management | |
Restrict access to audit trails to a need-to-know basis. CC ID 11641 | Monitoring and measurement | Technical Security | |
Refrain from recording unnecessary restricted data in logs. CC ID 06318 | Monitoring and measurement | Log Management | |
Back up audit trails according to backup procedures. CC ID 11642 | Monitoring and measurement | Systems Continuity | |
Back up logs according to backup procedures. CC ID 01344 | Monitoring and measurement | Log Management | |
Copy logs from all predefined hosts onto a log management infrastructure. CC ID 01346 | Monitoring and measurement | Log Management | |
Identify hosts with logs that are not being stored. CC ID 06314 | Monitoring and measurement | Log Management | |
Identify hosts with logs that are being stored at the system level only. CC ID 06315 | Monitoring and measurement | Log Management | |
Identify hosts with logs that should be stored at both the system level and the infrastructure level. CC ID 06316 | Monitoring and measurement | Log Management | |
Identify hosts with logs that are being stored at the infrastructure level only. CC ID 06317 | Monitoring and measurement | Log Management | |
Protect logs from unauthorized activity. CC ID 01345 | Monitoring and measurement | Log Management | |
Perform testing and validating activities on all logs. CC ID 06322 | Monitoring and measurement | Log Management | |
Archive the audit trail in accordance with compliance requirements. CC ID 00674 | Monitoring and measurement | Log Management | |
Enforce dual authorization as a part of information flow control for logs. CC ID 10098 | Monitoring and measurement | Configuration | |
Preserve the identity of individuals in audit trails. CC ID 10594 | Monitoring and measurement | Log Management | |
Establish, implement, and maintain a cross-organizational audit sharing agreement. CC ID 10595 | Monitoring and measurement | Establish/Maintain Documentation | |
Provide cross-organizational audit information based on the cross-organizational audit sharing agreement. CC ID 10596 | Monitoring and measurement | Audits and Risk Management | |
Monitor the performance of the governance, risk, and compliance capability. CC ID 12857 [To exercise effective oversight, the governing body should: assure itself of the accuracy of reports and evidence it receives, and the effectiveness of the internal control system. § 6.4.3.1 ¶ 1 d) The governing body should oversee organizational performance by assessing and taking corrective action based on: whether the organizational values and governance policies are effectively guiding the organization, its culture and its ethical behaviour; § 6.4.3.2 ¶ 1 a) The governing body should oversee organizational performance by assessing and taking corrective action based on: compliance (e.g. information received directly from the compliance function) regarding the organization's compliance culture and the meeting of its compliance obligations; § 6.4.3.2 ¶ 1 d) Assurance processes that inform the governing body independently and accurately include: direct reports by, and private sessions with, internal audit as an independent provider of assurance, including insight and advice, on the effectiveness and performance of governance processes and the internal control system, in particular risk management and compliance management; § 6.4.3.3 ¶ 2 Bullet 3 To ensure that the organization is acting in a socially responsible way, the governing body should: measure performance against objectives related to socially responsible behaviour; § 6.10.3 ¶ 1 g) The governing body should steer the organizational strategy by means of: monitoring and responding to the behaviour, decisions and activities of the organization, e.g. values-driven behaviours pertaining to sustainability; § 6.3.3.2.2 ¶ 2 b)] | Monitoring and measurement | Monitor and Evaluate Occurrences | |
Monitor the organizational culture. CC ID 12782 [The governing body should consider the expectations of relevant stakeholder groups whether the organization is obliged to do so (e.g. member stakeholders, regulators) or whether it chooses to do so (e.g. reference stakeholders). The governing body should ensure that: the organizational culture is responsive to relevant stakeholders' views; § 6.6.3 ¶ 3 b) The governing body should steer the organizational strategy by means of: the organizational culture, including the cultural tone the governing body sets through its ethos; § 6.3.3.2.2 ¶ 2 a)] | Monitoring and measurement | Monitor and Evaluate Occurrences | |
Monitor for changes to the organizational culture that have a cumulative effect on organizational objectives. CC ID 12886 | Monitoring and measurement | Monitor and Evaluate Occurrences | |
Monitor for changes to the organizational culture that have a cumulative effect on strategies. CC ID 12885 | Monitoring and measurement | Monitor and Evaluate Occurrences | |
Monitor for changes to the organizational culture that have an indirect effect on strategies. CC ID 12884 | Monitoring and measurement | Monitor and Evaluate Occurrences | |
Monitor for changes to the organizational culture that have an indirect effect on organizational objectives. CC ID 12883 | Monitoring and measurement | Monitor and Evaluate Occurrences | |
Monitor for changes to the organizational culture that have a direct effect on strategies. CC ID 12882 | Monitoring and measurement | Monitor and Evaluate Occurrences | |
Align corrective actions with the level of environmental impact. CC ID 15193 | Monitoring and measurement | Business Processes | |
Include risks and opportunities in the corrective action plan. CC ID 15178 | Monitoring and measurement | Establish/Maintain Documentation | |
Include environmental aspects in the corrective action plan. CC ID 15177 | Monitoring and measurement | Establish/Maintain Documentation | |
Include the completion date in the corrective action plan. CC ID 13272 | Monitoring and measurement | Establish/Maintain Documentation | |
Define the roles and responsibilities for personnel assigned to tasks in the Audit function. CC ID 00678 [{individual}To provide effective oversight of the organization, in addition to the reports it receives from those to whom they have delegated, the governing body should assure itself that the governance system is appropriately designed and operating as intended. If the governing body cannot assure itself directly, then it should utilize additional means of independent assurance. The governing body should: carefully scrutinize the reporting lines of those who provide assurance internally, to safeguard their independence and authority (see NOTE 1); § 6.4.3.3 ¶ 1 d)] | Audits and risk management | Establish Roles | |
Manage supply chain audits. CC ID 01203 | Audits and risk management | Audits and Risk Management | |
Review the external auditors' involvement in assessing Information Technology controls. CC ID 01204 | Audits and risk management | Audits and Risk Management | |
Rotate auditors, as necessary. CC ID 15589 [Where external auditors are appointed, there should be a rotation of audit firms or auditors and careful consideration and transparency of the non-audit services they provide, to ensure continued independent assurance. § 6.4.3.3 ¶ 3] | Audits and risk management | Audits and Risk Management | |
Assign the roles and responsibilities for the Board of Directors and senior management in the Audit function. CC ID 00679 [To provide effective oversight of the organization, in addition to the reports it receives from those to whom they have delegated, the governing body should assure itself that the governance system is appropriately designed and operating as intended. If the governing body cannot assure itself directly, then it should utilize additional means of independent assurance. The governing body should: demonstrate its commitment to assurance and communicate appropriately and clearly, throughout the organization, about its assurance system. § 6.4.3.3 ¶ 1 g)] | Audits and risk management | Establish Roles | |
Assign the internal audit staff to be independent from business units reporting to the Board of Directors. CC ID 01184 | Audits and risk management | Establish Roles | |
Define and assign the internal audit manager's roles and responsibilities. CC ID 00680 | Audits and risk management | Establish Roles | |
Assign the internal audit manager's compensation and performance review to the Board of Directors or audit committee. CC ID 01186 | Audits and risk management | Establish Roles | |
Define and assign the internal audit staff's roles and responsibilities. CC ID 00681 | Audits and risk management | Establish Roles | |
Assign the responsibility for operating an internal control system to the internal audit staff. CC ID 01187 | Audits and risk management | Establish Roles | |
Define and assign the external auditor's roles and responsibilities. CC ID 00683 | Audits and risk management | Establish Roles | |
Engage auditors who have adequate knowledge of the subject matter. CC ID 07102 | Audits and risk management | Audits and Risk Management | |
Retain copies of external auditor outsourcing contracts and engagement letters. CC ID 01188 | Audits and risk management | Establish/Maintain Documentation | |
Review external auditor outsourcing contracts and engagement letters. CC ID 01189 | Audits and risk management | Establish/Maintain Documentation | |
Include roles and responsibilities in external auditor outsourcing contracts. CC ID 16523 | Audits and risk management | Establish/Maintain Documentation | |
Include a change control clause in external auditor outsourcing contracts. CC ID 01192 | Audits and risk management | Establish/Maintain Documentation | |
Include procedures for resolving problems in external auditor outsourcing contracts. CC ID 01196 | Audits and risk management | Establish/Maintain Documentation | |
Include procedures for controlling the use of restricted information in external auditor outsourcing contracts. CC ID 01194 | Audits and risk management | Establish/Maintain Documentation | |
Include reports and work paper Records Management practices in external auditor outsourcing contracts. CC ID 01195 | Audits and risk management | Establish/Maintain Documentation | |
Include communication protocols in external auditor outsourcing contracts. CC ID 01201 | Audits and risk management | Establish/Maintain Documentation | |
Review the external audit scope, as necessary. CC ID 01202 | Audits and risk management | Audits and Risk Management | |
Include the scope and work to be performed in external auditor outsourcing contracts. CC ID 01190 | Audits and risk management | Establish/Maintain Documentation | |
Include work status reporting requirements in the external auditor outsourcing contracts. CC ID 01191 | Audits and risk management | Establish/Maintain Documentation | |
Include access to work papers in external auditor outsourcing contracts. CC ID 01193 | Audits and risk management | Establish/Maintain Documentation | |
Review the external auditor's qualifications. CC ID 01197 | Audits and risk management | Audits and Risk Management | |
Conduct a performance review of the external auditor's performance during the audit process. CC ID 01198 | Audits and risk management | Audits and Risk Management | |
Review the adequacy of the external auditor's work papers and audit reports. CC ID 01199 | Audits and risk management | Establish/Maintain Documentation | |
Review the conclusions of the external auditor's work papers and audit reports. CC ID 01200 | Audits and risk management | Establish/Maintain Documentation | |
Question external auditors about how audits were conducted and what is in the audit reports. CC ID 04587 | Audits and risk management | Behavior | |
Disseminate and communicate with the organization about any missing audit documentation. CC ID 06992 | Audits and risk management | Behavior | |
Evaluate any refusal by the organization to provide missing audit documentation. CC ID 06993 | Audits and risk management | Establish/Maintain Documentation | |
Take appropriate action if missing audit documentation compromises the audit. CC ID 06994 | Audits and risk management | Establish/Maintain Documentation | |
Establish, implement, and maintain an audit program. CC ID 00684 [To provide effective oversight of the organization, in addition to the reports it receives from those to whom they have delegated, the governing body should assure itself that the governance system is appropriately designed and operating as intended. If the governing body cannot assure itself directly, then it should utilize additional means of independent assurance. The governing body should: ensure that assurance services provided to the governing body are integrated and optimized so that, taken as a whole, they support and enable an effective internal control system and address the organization's significant risks and material matters; § 6.4.3.3 ¶ 1 f) Assurance processes that inform the governing body independently and accurately include: external audit and associated reporting to stakeholders and the governing body; § 6.4.3.3 ¶ 2 Bullet 4] | Audits and risk management | Establish/Maintain Documentation | |
Establish, implement, and maintain audit policies. CC ID 13166 | Audits and risk management | Establish/Maintain Documentation | |
Assign the audit to impartial auditors. CC ID 07118 [The governing body should: assess its own competence, structures and processes, including drawing on the support of experienced, independent professionals, with respect to, for example, the adequacy of its effectiveness, efficiency, composition and its member succession plans; § 4.3.2 ¶ 2 d) To provide effective oversight of the organization, in addition to the reports it receives from those to whom they have delegated, the governing body should assure itself that the governance system is appropriately designed and operating as intended. If the governing body cannot assure itself directly, then it should utilize additional means of independent assurance. The governing body should: § 6.4.3.3 ¶ 1] | Audits and risk management | Establish Roles | |
Define what constitutes a threat to independence. CC ID 16824 | Audits and risk management | Audits and Risk Management | |
Exercise due professional care during the planning and performance of the audit. CC ID 07119 | Audits and risk management | Behavior | |
Include resource requirements in the audit program. CC ID 15237 | Audits and risk management | Establish/Maintain Documentation | |
Include risks and opportunities in the audit program. CC ID 15236 [To provide effective oversight of the organization, in addition to the reports it receives from those to whom they have delegated, the governing body should assure itself that the governance system is appropriately designed and operating as intended. If the governing body cannot assure itself directly, then it should utilize additional means of independent assurance. The governing body should: ensure that assurance services provided to the governing body are integrated and optimized so that, taken as a whole, they support and enable an effective internal control system and address the organization's significant risks and material matters; § 6.4.3.3 ¶ 1 f)] | Audits and risk management | Establish/Maintain Documentation | |
Include provisions for legislative plurality and legislative domain in the audit program. CC ID 06959 | Audits and risk management | Audits and Risk Management | |
Establish and maintain audit terms. CC ID 13880 | Audits and risk management | Establish/Maintain Documentation | |
Refrain from approving changes to the audit terms absent reasonable justification. CC ID 13973 | Audits and risk management | Process or Activity | |
Include a statement about the inherent limitations of the audit in the audit terms. CC ID 13883 | Audits and risk management | Establish/Maintain Documentation | |
Include a statement that the audit will be conducted in accordance with attestation standards in the audit terms. CC ID 13882 | Audits and risk management | Establish/Maintain Documentation | |
Establish, implement, and maintain agreed upon procedures that are in scope for the audit. CC ID 13893 | Audits and risk management | Establish/Maintain Documentation | |
Establish, implement, and maintain an in scope system description. CC ID 14873 | Audits and risk management | Establish/Maintain Documentation | |
Include in scope procedures in the audit assertion's in scope system description. CC ID 16551 | Audits and risk management | Audits and Risk Management | |
Include roles and responsibilities in the audit assertion's in scope system description. CC ID 16558 | Audits and risk management | Audits and Risk Management | |
Include the audit criteria in the audit assertion's in scope system description. CC ID 16548 | Audits and risk management | Audits and Risk Management | |
Include third party data in the audit assertion's in scope system description. CC ID 16554 | Audits and risk management | Audits and Risk Management | |
Include third party personnel in the audit assertion's in scope system description. CC ID 16552 | Audits and risk management | Audits and Risk Management | |
Include compliance requirements in the audit assertion's in scope system description. CC ID 16506 | Audits and risk management | Audits and Risk Management | |
Include third party assets in the audit assertion's in scope system description. CC ID 16550 | Audits and risk management | Audits and Risk Management | |
Include third party services in the audit assertion's in scope system description. CC ID 16503 | Audits and risk management | Establish/Maintain Documentation | |
Include monitoring controls in the audit assertion's in scope system description. CC ID 16501 | Audits and risk management | Establish/Maintain Documentation | |
Include availability commitments in the audit assertion's in scope system description. CC ID 14914 | Audits and risk management | Establish/Maintain Documentation | |
Include deviations and the corrective actions taken in the audit assertion's in scope system description. CC ID 16549 | Audits and risk management | Audits and Risk Management | |
Include changes in the audit assertion's in scope system description. CC ID 14894 | Audits and risk management | Establish/Maintain Documentation | |
Include external communications in the audit assertion's in scope system description. CC ID 14913 | Audits and risk management | Establish/Maintain Documentation | |
Include a section regarding incidents related to the system in the audit assertion's in scope system description. CC ID 14878 | Audits and risk management | Establish/Maintain Documentation | |
Include the function performed by the in scope system in the audit assertion's in scope system description. CC ID 14911 | Audits and risk management | Establish/Maintain Documentation | |
Include the disposition of the incident in the audit assertion's in scope system description. CC ID 14896 | Audits and risk management | Establish/Maintain Documentation | |
Include the extent of the incident in the audit assertion's in scope system description. CC ID 14895 | Audits and risk management | Establish/Maintain Documentation | |
Include the timing of each incident in the audit assertion's in scope system description. CC ID 14891 | Audits and risk management | Establish/Maintain Documentation | |
Include the nature of each incident in the audit assertion's in scope system description. CC ID 14889 | Audits and risk management | Establish/Maintain Documentation | |
Include a section regarding in scope controls related to the system in the audit assertion's in scope system description. CC ID 14897 | Audits and risk management | Establish/Maintain Documentation | |
Include how the in scope system meets external requirements in the audit assertion's in scope system description. CC ID 16502 | Audits and risk management | Establish/Maintain Documentation | |
Include the timing of each control in the audit assertion's in scope system description. CC ID 14916 | Audits and risk management | Establish/Maintain Documentation | |
Include the nature of the control in the audit assertion's in scope system description. CC ID 14910 | Audits and risk management | Establish/Maintain Documentation | |
Include the information sources used in performing the control in the audit assertion's in scope system description. CC ID 14909 | Audits and risk management | Establish/Maintain Documentation | |
Include the responsible party for performing the control in the audit assertion's in scope system description. CC ID 14907 | Audits and risk management | Establish/Maintain Documentation | |
Include the subject matter to which the control is applied in the audit assertion's in scope system description. CC ID 14904 | Audits and risk management | Establish/Maintain Documentation | |
Refrain from omitting or distorting information in the audit assertion's in scope system description. CC ID 14893 | Audits and risk management | Establish/Maintain Documentation | |
Include the timing of each change in the audit assertion's in scope system description. CC ID 14892 | Audits and risk management | Establish/Maintain Documentation | |
Include the system boundaries in the audit assertion's in scope system description. CC ID 14887 | Audits and risk management | Establish/Maintain Documentation | |
Include the time frame covered by the description in the audit assertion's in scope system description. CC ID 14884 | Audits and risk management | Establish/Maintain Documentation | |
Include commitments to third parties in the audit assertion. CC ID 14899 | Audits and risk management | Establish/Maintain Documentation | |
Determine the completeness of the audit assertion's in scope system description. CC ID 14883 | Audits and risk management | Establish/Maintain Documentation | |
Include system requirements in the audit assertion's in scope system description. CC ID 14881 | Audits and risk management | Establish/Maintain Documentation | |
Include third party controls in the audit assertion's in scope system description. CC ID 14880 | Audits and risk management | Establish/Maintain Documentation | |
Hold an opening meeting with interested personnel and affected parties prior to an audit. CC ID 15256 | Audits and risk management | Audits and Risk Management | |
Identify personnel who should attend the closing meeting. CC ID 15261 | Audits and risk management | Business Processes | |
Include discussions about how particular situations will be handled in the opening meeting. CC ID 15254 | Audits and risk management | Audits and Risk Management | |
Include agreement to the audit scope and audit terms in the audit program. CC ID 06965 | Audits and risk management | Establish/Maintain Documentation | |
Establish and maintain a bespoke audit scope for each audit being performed. CC ID 13077 | Audits and risk management | Establish/Maintain Documentation | |
Include third party assets in the audit scope. CC ID 16504 | Audits and risk management | Audits and Risk Management | |
Include audit subject matter in the audit program. CC ID 07103 | Audits and risk management | Establish/Maintain Documentation | |
Examine the availability of the audit criteria in the audit program. CC ID 16520 | Audits and risk management | Investigate | |
Examine the objectivity of the audit criteria in the audit program. CC ID 07104 | Audits and risk management | Establish/Maintain Documentation | |
Examine the measurability of the audit criteria in the audit program. CC ID 07105 | Audits and risk management | Establish/Maintain Documentation | |
Examine the completeness of the audit criteria in the audit program. CC ID 07106 | Audits and risk management | Establish/Maintain Documentation | |
Examine the relevance of the audit criteria in the audit program. CC ID 07107 | Audits and risk management | Establish/Maintain Documentation | |
Determine the appropriateness of the audit subject matter. CC ID 16505 | Audits and risk management | Audits and Risk Management | |
Disseminate and communicate the audit program with the audit subject matter and audit criteria to all interested personnel and affected parties. CC ID 07116 | Audits and risk management | Establish/Maintain Documentation | |
Include the in scope material or in scope products in the audit program. CC ID 08961 | Audits and risk management | Audits and Risk Management | |
Include in scope information in the audit program. CC ID 16198 | Audits and risk management | Establish/Maintain Documentation | |
Include the out of scope material or out of scope products in the audit program. CC ID 08962 | Audits and risk management | Establish/Maintain Documentation | |
Provide a representation letter in support of the audit assertion. CC ID 07158 | Audits and risk management | Establish/Maintain Documentation | |
Include the date of the audit in the representation letter. CC ID 16517 | Audits and risk management | Audits and Risk Management | |
Include a statement that management has evaluated compliance with external requirements in the representation letter. CC ID 13942 | Audits and risk management | Establish/Maintain Documentation | |
Include a statement that the assumptions used for estimates are reasonable in the representation letter. CC ID 13934 | Audits and risk management | Establish/Maintain Documentation | |
Include a statement that uncorrected misstatements are believed to be immaterial in the representation letter. CC ID 13884 | Audits and risk management | Establish/Maintain Documentation | |
Include a statement that system incidents have been disclosed to the auditor in the representation letter. CC ID 16772 | Audits and risk management | Establish/Maintain Documentation | |
Include a statement that incidents of fraud and non-compliance have been disclosed to the auditor in the representation letter. CC ID 16769 | Audits and risk management | Establish/Maintain Documentation | |
Include a statement of responsibility for the subject matter in the representation letter. CC ID 07159 | Audits and risk management | Establish/Maintain Documentation | |
Include a statement of responsibility for selecting the audit criteria in the representation letter. CC ID 07160 | Audits and risk management | Establish/Maintain Documentation | |
Include a statement of responsibility regarding the appropriateness of the audit criteria in the representation letter. CC ID 07161 | Audits and risk management | Establish/Maintain Documentation | |
Include an assertion about the subject matter based on the selected audit criteria in the representation letter. CC ID 07162 | Audits and risk management | Establish/Maintain Documentation | |
Include a statement that all known matters contradicting the audit assertion have been disclosed to the auditor in the representation letter. CC ID 07163 | Audits and risk management | Establish/Maintain Documentation | |
Include the availability of all in scope records relevant to the subject matter in the representation letter. CC ID 07164 | Audits and risk management | Establish/Maintain Documentation | |
Include a statement that any known subsequent events have been disclosed to the auditor in the representation letter. CC ID 07165 | Audits and risk management | Establish/Maintain Documentation | |
Include a statement that deficiencies in internal controls have been disclosed to the auditor in the representation letter. CC ID 13899 | Audits and risk management | Establish/Maintain Documentation | |
Include an in scope system description in the audit assertion. CC ID 14872 | Audits and risk management | Establish/Maintain Documentation | |
Include any assumptions that are improbable in the audit assertion. CC ID 13950 | Audits and risk management | Establish/Maintain Documentation | |
Include how the audit scope matches in scope controls in the audit assertion. CC ID 06969 | Audits and risk management | Establish/Maintain Documentation | |
Include why specific criteria are ignored by in scope controls in the audit assertion. CC ID 07027 | Audits and risk management | Establish/Maintain Documentation | |
Include how the in scope system is designed and implemented in the audit assertion. CC ID 06970 | Audits and risk management | Establish/Maintain Documentation | |
Include the responsible party's opinion of the quality of the evidence in the audit assertion. CC ID 13949 | Audits and risk management | Establish/Maintain Documentation | |
Include the end users and affected parties of the in scope system in the audit assertion. CC ID 07028 | Audits and risk management | Establish/Maintain Documentation | |
Include the in scope services offered or in scope transactions processed in the audit assertion. CC ID 06971 | Audits and risk management | Establish/Maintain Documentation | |
Include the in scope procedures in the audit assertion. CC ID 06972 | Audits and risk management | Establish/Maintain Documentation | |
Include the in scope records produced in the audit assertion. CC ID 06968 | Audits and risk management | Establish/Maintain Documentation | |
Include how in scope material events are monitored and logged in the audit assertion. CC ID 06973 | Audits and risk management | Establish/Maintain Documentation | |
Include any in scope material events that might affect the assertion in the audit assertion. CC ID 06991 | Audits and risk management | Establish/Maintain Documentation | |
Include the in scope controls and compliance documents in the audit assertion. CC ID 06974 | Audits and risk management | Establish/Maintain Documentation | |
Include the in scope risk assessment processes in the audit assertion. CC ID 06975 | Audits and risk management | Establish/Maintain Documentation | |
Include in scope change controls in the audit assertion. CC ID 06976 | Audits and risk management | Establish/Maintain Documentation | |
Include any in scope uncorrected errors or non-compliance issues in the audit assertion. CC ID 06989 | Audits and risk management | Establish/Maintain Documentation | |
Disseminate and communicate a written audit assertion of the audit scope and audit terms to interested personnel and affected parties. CC ID 06967 | Audits and risk management | Establish/Maintain Documentation | |
Include the scope for the desired level of assurance in the audit program. CC ID 12793 | Audits and risk management | Communicate | |
Include conditions that might require modification of the audit program in the audit terms. CC ID 07149 | Audits and risk management | Establish/Maintain Documentation | |
Include how access to in scope systems, personnel, and in scope records is provided to the auditor in the audit terms. CC ID 06988 | Audits and risk management | Establish/Maintain Documentation | |
Include the criteria for determining the desired level of assurance in the audit program. CC ID 12795 | Audits and risk management | Audits and Risk Management | |
Establish, implement, and maintain procedures for determining the desired level of assurance in the audit program. CC ID 12794 [To provide effective oversight of the organization, in addition to the reports it receives from those to whom they have delegated, the governing body should assure itself that the governance system is appropriately designed and operating as intended. If the governing body cannot assure itself directly, then it should utilize additional means of independent assurance. The governing body should: determine the level of assurance scrutiny it requires, depending on the assessed risk; § 6.4.3.3 ¶ 1 a)] | Audits and risk management | Establish/Maintain Documentation | |
Include the expectations for the audit report in the audit terms. CC ID 07148 | Audits and risk management | Establish/Maintain Documentation | |
Establish and maintain a practitioner’s report on management’s assertions, as necessary. CC ID 13888 | Audits and risk management | Establish/Maintain Documentation | |
Hold a closing meeting following an audit to present audit findings and conclusions. CC ID 15248 | Audits and risk management | Communicate | |
Include materiality levels in the audit terms. CC ID 01238 | Audits and risk management | Establish/Maintain Documentation | |
Include material changes in information processes, Information Systems, and assets that could affect audits in the audit terms. CC ID 01239 | Audits and risk management | Establish/Maintain Documentation | |
Include material weaknesses, material failures, and material errors in information processes, Information Systems, and assets that could affect audits in the audit terms. CC ID 01240 | Audits and risk management | Establish/Maintain Documentation | |
Schedule attestation engagement meetings with interested personnel and affected parties, as necessary. CC ID 15263 | Audits and risk management | Business Processes | |
Refrain from accepting an attestation engagement when the engaging party refuses to sign the engagement letter. CC ID 14912 | Audits and risk management | Business Processes | |
Refrain from accepting an attestation engagement unless the prospective financial information includes a summary of significant assumptions. CC ID 13954 | Audits and risk management | Behavior | |
Refrain from accepting an attestation engagement when all parties disagree on the procedures. CC ID 13951 | Audits and risk management | Audits and Risk Management | |
Accept the attestation engagement when all preconditions are met. CC ID 13933 | Audits and risk management | Business Processes | |
Audit in scope audit items and compliance documents. CC ID 06730 | Audits and risk management | Audits and Risk Management | |
Collect all work papers for the audit and audit report into an engagement file. CC ID 07001 | Audits and risk management | Actionable Reports or Measurements | |
Document any after the fact changes to the engagement file. CC ID 07002 | Audits and risk management | Establish/Maintain Documentation | |
Protect access to the engagement file and all associated audit documentation in compliance with Authority Documents the organization must follow. CC ID 07179 | Audits and risk management | Establish/Maintain Documentation | |
Disclose work papers in the engagement file in compliance with legal requirements. CC ID 07180 | Audits and risk management | Establish/Maintain Documentation | |
Archive the engagement file and all work papers for the period prescribed by law or contract. CC ID 10038 | Audits and risk management | Records Management | |
Conduct onsite inspections, as necessary. CC ID 16199 | Audits and risk management | Testing | |
Audit policies, standards, and procedures. CC ID 12927 | Audits and risk management | Audits and Risk Management | |
Edit the audit assertion for accuracy. CC ID 07030 | Audits and risk management | Establish/Maintain Documentation | |
Determine if the audit assertion's in scope procedures are accurately documented. CC ID 06982 | Audits and risk management | Establish/Maintain Documentation | |
Review documentation to determine the effectiveness of in scope controls. CC ID 16522 | Audits and risk management | Process or Activity | |
Include the process of using evidential matter to test in scope controls in the test plan. CC ID 06996 | Audits and risk management | Establish/Maintain Documentation | |
Audit the in scope system according to the test plan using relevant evidence. CC ID 07112 | Audits and risk management | Testing | |
Implement procedures that collect sufficient audit evidence. CC ID 07153 | Audits and risk management | Audits and Risk Management | |
Collect evidence about the in scope audit items of the audit assertion. CC ID 07154 | Audits and risk management | Audits and Risk Management | |
Collect audit evidence sufficient to avoid misstatements. CC ID 07155 | Audits and risk management | Audits and Risk Management | |
Collect audit evidence at the level of the organization's competence in the subject matter. CC ID 07156 | Audits and risk management | Audits and Risk Management | |
Collect audit evidence sufficient to overcome inadequacies in the organization's attestation. CC ID 07157 | Audits and risk management | Audits and Risk Management | |
Provide transactional walkthrough procedures for external auditors. CC ID 00672 | Audits and risk management | Testing | |
Establish, implement, and maintain interview procedures. CC ID 16282 | Audits and risk management | Establish/Maintain Documentation | |
Include roles and responsibilities in the interview procedures. CC ID 16297 | Audits and risk management | Human Resources Management | |
Coordinate the scheduling of interviews. CC ID 16293 | Audits and risk management | Process or Activity | |
Create a schedule for the interviews. CC ID 16292 | Audits and risk management | Process or Activity | |
Identify interviewees. CC ID 16290 | Audits and risk management | Process or Activity | |
Explain the testing results to the interviewee. CC ID 16291 | Audits and risk management | Process or Activity | |
Establish and maintain work papers, as necessary. CC ID 13891 | Audits and risk management | Establish/Maintain Documentation | |
Include the auditor's conclusions on work performed by individuals assigned to the audit in the work papers. CC ID 16775 | Audits and risk management | Establish/Maintain Documentation | |
Include audit irregularities in the work papers. CC ID 16774 | Audits and risk management | Establish/Maintain Documentation | |
Include corrective actions in the work papers. CC ID 16771 | Audits and risk management | Establish/Maintain Documentation | |
Include information about the organization being audited and the auditor performing the audit in the work papers. CC ID 16770 | Audits and risk management | Establish/Maintain Documentation | |
Include discussions with interested personnel and affected parties in the work papers. CC ID 16768 | Audits and risk management | Establish/Maintain Documentation | |
Include justification for departing from mandatory requirements in the work papers. CC ID 13935 | Audits and risk management | Establish/Maintain Documentation | |
Include audit evidence obtained from previous engagements in the work papers. CC ID 16518 | Audits and risk management | Audits and Risk Management | |
Include the reviewer, and dates, for using evidential matter to test in scope controls in the work papers. CC ID 06998 | Audits and risk management | Establish/Maintain Documentation | |
Include the tests, examinations, interviews and observations performed during the audit in the work papers. CC ID 07190 | Audits and risk management | Establish/Maintain Documentation | |
Include if any subject matter experts or additional research had to be undertaken to test in scope controls in the work papers. CC ID 07026 | Audits and risk management | Establish/Maintain Documentation | |
Include the tester, and dates, for using evidential matter to test in scope controls in the work papers. CC ID 06997 | Audits and risk management | Establish/Maintain Documentation | |
Include any subsequent events related to the audit assertion or audit subject matter in the work papers. CC ID 07177 | Audits and risk management | Audits and Risk Management | |
Include the causes of identified in scope control deficiencies in the work papers. CC ID 07000 | Audits and risk management | Establish/Maintain Documentation | |
Include discussions regarding the causes of identified in scope control deficiencies in the work papers. CC ID 06999 | Audits and risk management | Establish/Maintain Documentation | |
Supervise interested personnel and affected parties participating in the audit. CC ID 07150 | Audits and risk management | Monitor and Evaluate Occurrences | |
Notify interested personnel and affected parties participating in the audit of their roles and responsibilities during the audit. CC ID 07151 | Audits and risk management | Establish Roles | |
Respond to questions or clarification requests regarding the audit. CC ID 08902 | Audits and risk management | Business Processes | |
Track and measure the implementation of the organizational compliance framework. CC ID 06445 | Audits and risk management | Monitor and Evaluate Occurrences | |
Review the need for organizational efficiency as balanced against the needs of compliance and security. CC ID 07111 | Audits and risk management | Business Processes | |
Engage subject matter experts when the auditor requires additional expertise during an attestation engagement, as necessary. CC ID 13971 | Audits and risk management | Process or Activity | |
Establish, implement, and maintain a practitioner’s report on agreed-upon procedures. CC ID 13894 | Audits and risk management | Establish/Maintain Documentation | |
Provide auditors access to all in scope records, in scope assets, personnel and in scope procedures. CC ID 06966 | Audits and risk management | Audits and Risk Management | |
Provide auditors access to affected parties during the audit, as necessary. CC ID 07187 | Audits and risk management | Business Processes | |
Notify interested personnel and affected parties when an auditee refuses to provide access or participate in the audit. CC ID 08960 | Audits and risk management | Audits and Risk Management | |
Establish and maintain a practitioner's examination report on pro forma financial information. CC ID 13968 | Audits and risk management | Establish/Maintain Documentation | |
Include references to where financial information was derived in the practitioner's review report on pro forma financial information. CC ID 13982 | Audits and risk management | Establish/Maintain Documentation | |
Include a statement that the financial statements used were audited by other practitioners in the practitioner's examination report on pro forma financial information, as necessary. CC ID 13981 | Audits and risk management | Establish/Maintain Documentation | |
Establish and maintain organizational audit reports. CC ID 06731 | Audits and risk management | Establish/Maintain Documentation | |
Include the justification for not following the applicable requirements in the audit report. CC ID 16822 | Audits and risk management | Audits and Risk Management | |
Include a statement that the applicable requirements were not followed in the audit report. CC ID 16821 | Audits and risk management | Audits and Risk Management | |
Include audit subject matter in the audit report. CC ID 14882 | Audits and risk management | Establish/Maintain Documentation | |
Include an other-matter paragraph in the audit report. CC ID 14901 | Audits and risk management | Establish/Maintain Documentation | |
Write the audit report using clear and conspicuous language. CC ID 13948 | Audits and risk management | Establish/Maintain Documentation | |
Include a statement that the sufficiency of the agreed upon procedures is the responsibility of the specified parties in the audit report. CC ID 13936 | Audits and risk management | Establish/Maintain Documentation | |
Include a statement that the financial statements were audited in the audit report. CC ID 13963 | Audits and risk management | Establish/Maintain Documentation | |
Include the criteria that financial information was measured against in the audit report. CC ID 13966 | Audits and risk management | Establish/Maintain Documentation | |
Include a description of the financial information being reported on in the audit report. CC ID 13965 | Audits and risk management | Establish/Maintain Documentation | |
Include references to any adjustments of financial information in the audit report. CC ID 13964 | Audits and risk management | Establish/Maintain Documentation | |
Include in the audit report that audit opinions are not dependent on references to subject matter experts, as necessary. CC ID 13953 | Audits and risk management | Establish/Maintain Documentation | |
Include references to historical financial information used in the audit report. CC ID 13961 | Audits and risk management | Establish/Maintain Documentation | |
Include a statement about the inherent limitations of the audit in the audit report. CC ID 14900 | Audits and risk management | Establish/Maintain Documentation | |
Include a description of the limitations on the usefulness of hypothetical assumptions in the audit report. CC ID 13958 | Audits and risk management | Establish/Maintain Documentation | |
Include the word independent in the title of audit reports. CC ID 07003 | Audits and risk management | Actionable Reports or Measurements | |
Include the date of the audit in the audit report. CC ID 07024 | Audits and risk management | Actionable Reports or Measurements | |
Structure the audit report to be in the form of procedures and findings. CC ID 13940 | Audits and risk management | Establish/Maintain Documentation | |
Include information about the organization being audited and the auditor performing the audit in the audit report. CC ID 07004 | Audits and risk management | Actionable Reports or Measurements | |
Include any discussions of significant findings in the audit report. CC ID 13955 | Audits and risk management | Establish/Maintain Documentation | |
Include the date and with whom discussions about significant findings took place in the audit report. CC ID 13962 | Audits and risk management | Establish/Maintain Documentation | |
Include the audit criteria in the audit report. CC ID 13945 | Audits and risk management | Establish/Maintain Documentation | |
Include a statement in the audit report that the agreed upon procedures were potentially insufficient in identifying material risks, as necessary. CC ID 13957 | Audits and risk management | Establish/Maintain Documentation | |
Include all hypothetical assumptions in the audit report. CC ID 13947 | Audits and risk management | Establish/Maintain Documentation | |
Include a statement that access to the report is restricted based on least privilege in the audit report. CC ID 07023 | Audits and risk management | Actionable Reports or Measurements | |
Include a statement that identifies the distribution list for the report in the audit report. CC ID 07172 | Audits and risk management | Establish/Maintain Documentation | |
Include a statement that identifies the use restrictions for the report in the audit report. CC ID 07173 | Audits and risk management | Establish/Maintain Documentation | |
Include a statement that the agreed upon procedures involve collecting evidence in the audit report. CC ID 13956 | Audits and risk management | Establish/Maintain Documentation | |
Include all of the facts and demonstrated plausibility in the audit report. CC ID 08929 | Audits and risk management | Establish/Maintain Documentation | |
Include a statement that the agreed upon procedures were performed by all parties in the audit report. CC ID 13931 | Audits and risk management | Establish/Maintain Documentation | |
Include references to subject matter experts in the audit report when citing qualified opinions. CC ID 13929 | Audits and risk management | Establish/Maintain Documentation | |
Include a description of the assistance provided by Subject Matter Experts in the audit report. CC ID 13939 | Audits and risk management | Establish/Maintain Documentation | |
Include a review of the subject matter expert's findings in the audit report. CC ID 13972 | Audits and risk management | Establish/Maintain Documentation | |
Include a statement of the character of the engagement in the audit report. CC ID 07166 | Audits and risk management | Establish/Maintain Documentation | |
Include the nature and scope of the audit performed in the statement of the character of the engagement in the audit report. CC ID 07167 | Audits and risk management | Establish/Maintain Documentation | |
Include the professional standards governing the audit in the statement of the character of the engagement in the audit report. CC ID 07168 | Audits and risk management | Establish/Maintain Documentation | |
Include all restrictions on the audit in the audit report. CC ID 13930 | Audits and risk management | Establish/Maintain Documentation | |
Include a statement that the auditor has no responsibility to update the audit report after its submission. CC ID 13943 | Audits and risk management | Establish/Maintain Documentation | |
Include a statement on the auditor's ethical requirements in the audit report. CC ID 16767 | Audits and risk management | Establish/Maintain Documentation | |
Include a statement that the responsible party refused to provide a written assertion in the audit report. CC ID 13887 | Audits and risk management | Establish/Maintain Documentation | |
Include a statement that the examination involves procedures for collecting evidence in the audit report. CC ID 13941 | Audits and risk management | Establish/Maintain Documentation | |
Express an adverse opinion in the audit report when significant assumptions are not suitably supported. CC ID 13944 | Audits and risk management | Establish/Maintain Documentation | |
Include a statement that modifications to historical evidence accurately reflect current evidence in the audit report. CC ID 13938 | Audits and risk management | Establish/Maintain Documentation | |
Refrain from referencing previous engagements in the audit report. CC ID 16516 | Audits and risk management | Audits and Risk Management | |
Refrain from referencing other auditors' work in the audit report. CC ID 13881 | Audits and risk management | Establish/Maintain Documentation | |
Include that the audit findings are not a predictive analysis of future compliance in the audit report. CC ID 07018 | Audits and risk management | Establish/Maintain Documentation | |
Include how in scope controls meet external requirements in the audit report. CC ID 16450 | Audits and risk management | Establish/Maintain Documentation | |
Include the in scope records used to obtain audit evidence in the description of tests of controls and results in the audit report. CC ID 14915 | Audits and risk management | Establish/Maintain Documentation | |
Include recommended corrective actions in the audit report. CC ID 16197 | Audits and risk management | Establish/Maintain Documentation | |
Include risks and opportunities in the audit report. CC ID 16196 | Audits and risk management | Establish/Maintain Documentation | |
Include the description of tests of controls and results in the audit report. CC ID 14898 | Audits and risk management | Establish/Maintain Documentation | |
Include the nature of the tests performed in the description of tests of controls and results in the audit report. CC ID 14908 | Audits and risk management | Establish/Maintain Documentation | |
Include the test scope in the description of tests of controls and results in the audit report. CC ID 14906 | Audits and risk management | Establish/Maintain Documentation | |
Identify the stakeholders interviewed to obtain audit evidence in the description of tests of controls and results in the audit report. CC ID 14905 | Audits and risk management | Establish/Maintain Documentation | |
Include the timing of controls in the description of tests of controls and results in the audit report. CC ID 16553 | Audits and risk management | Audits and Risk Management | |
Include the controls that were tested in the description of tests of controls and results in the audit report. CC ID 14902 | Audits and risk management | Establish/Maintain Documentation | |
Include subsequent events related to the audit assertion or audit subject matter in the audit report. CC ID 16773 | Audits and risk management | Establish/Maintain Documentation | |
Include the organization's audit assertion of the in scope system in the audit report. CC ID 07005 | Audits and risk management | Actionable Reports or Measurements | |
Include that the organization is the responsible party for the content of its audit assertion and in scope system description in the audit report. CC ID 07010 | Audits and risk management | Establish/Maintain Documentation | |
Include that the organization is the responsible party for providing in scope services in the audit report. CC ID 14903 | Audits and risk management | Establish/Maintain Documentation | |
Include that the organization is the responsible party for specifying in scope controls not defined by law or contractual obligation in the audit report. CC ID 07011 | Audits and risk management | Establish/Maintain Documentation | |
Include that the organization is the responsible party for designing and implementing the in scope controls it identified in the audit scope in the audit report. CC ID 07014 | Audits and risk management | Establish/Maintain Documentation | |
Include the audit opinion regarding the accurateness of the in scope system description in the audit report. CC ID 07019 | Audits and risk management | Establish/Maintain Documentation | |
Include the attestation standards the auditor follows in the audit report. CC ID 07015 | Audits and risk management | Establish/Maintain Documentation | |
Include the audit opinion about the audit assertion in relation to the audit criteria used for evaluation in the audit report. CC ID 07169 | Audits and risk management | Establish/Maintain Documentation | |
Include the auditor's significant reservations about the engagement, the audit assertion, or the audit subject matter in the audit report. CC ID 07170 | Audits and risk management | Establish/Maintain Documentation | |
Include an emphasis-of-matter paragraph in the audit report. CC ID 14890 | Audits and risk management | Establish/Maintain Documentation | |
Include the organization's in scope system description in the audit report. CC ID 11626 | Audits and risk management | Audits and Risk Management | |
Include any out of scope components of in scope systems in the audit report. CC ID 07006 | Audits and risk management | Establish/Maintain Documentation | |
Include that the organization is the responsible party for identifying material risks in the audit report. CC ID 07012 | Audits and risk management | Establish/Maintain Documentation | |
Include that the organization is the responsible party for selecting the audit criteria in the audit report. CC ID 07013 | Audits and risk management | Establish/Maintain Documentation | |
Include the scope and work performed in the audit report. CC ID 11621 | Audits and risk management | Audits and Risk Management | |
Resolve disputes before creating the audit summary. CC ID 08964 | Audits and risk management | Behavior | |
Refrain from including the description of the audit in the audit report when the auditor is disclaiming an audit opinion. CC ID 13975 | Audits and risk management | Establish/Maintain Documentation | |
Refrain from including scope limitations from changed attestation engagements in the audit report. CC ID 13983 | Audits and risk management | Establish/Maintain Documentation | |
Refrain from including in the audit report any procedures that were performed that the auditor is disclaiming in an audit opinion. CC ID 13974 | Audits and risk management | Establish/Maintain Documentation | |
Include an audit opinion in the audit report. CC ID 07017 | Audits and risk management | Establish/Maintain Documentation | |
Include qualified opinions in the audit report. CC ID 13928 | Audits and risk management | Establish/Maintain Documentation | |
Include that the auditor is the responsible party to express an opinion on the audit subject matter based on examination of evidence in the audit report. CC ID 07174 | Audits and risk management | Establish/Maintain Documentation | |
Include that the auditor did not express an opinion in the audit report, as necessary. CC ID 13886 | Audits and risk management | Establish/Maintain Documentation | |
Include items that were excluded from the audit report in the audit report. CC ID 07007 | Audits and risk management | Establish/Maintain Documentation | |
Include the organization's privacy practices in the audit report. CC ID 07029 | Audits and risk management | Establish/Maintain Documentation | |
Include items that pertain to third parties in the audit report. CC ID 07008 | Audits and risk management | Establish/Maintain Documentation | |
Refrain from including reference to procedures performed in previous attestation engagements in the audit report. CC ID 13970 | Audits and risk management | Establish/Maintain Documentation | |
Include a statement in the audit report that no procedures were performed subsequent to the date of the practitioner's review report on pro forma financial information, as necessary. CC ID 13969 | Audits and risk management | Establish/Maintain Documentation | |
Include any of the organization's use of compensating controls that were not audited in the audit report. CC ID 07009 | Audits and risk management | Establish/Maintain Documentation | |
Include whether the use of compensating controls is necessary in the audit report. CC ID 07020 | Audits and risk management | Establish/Maintain Documentation | |
Include the pass or fail test status of all in scope controls in the audit report. CC ID 07016 | Audits and risk management | Establish/Maintain Documentation | |
Include the process of using evidential matter to test in scope controls in the audit report. CC ID 07021 | Audits and risk management | Establish/Maintain Documentation | |
Include the nature and causes of identified in scope control deviations in the audit report. CC ID 07022 | Audits and risk management | Establish/Maintain Documentation | |
Disclose any audit irregularities in the audit report. CC ID 06995 | Audits and risk management | Actionable Reports or Measurements | |
Include the written signature of the auditor's organization in the audit report. CC ID 13897 | Audits and risk management | Establish/Maintain Documentation | |
Disseminate and communicate the audit report to all interested personnel and affected parties identified in the distribution list. CC ID 07117 [Assurance processes that inform the governing body independently and accurately include: external audit and associated reporting to stakeholders and the governing body; § 6.4.3.3 ¶ 2 Bullet 4] | Audits and risk management | Establish/Maintain Documentation | |
Disseminate and communicate the reasons the audit report was delayed to interested personnel and affected parties. CC ID 15257 | Audits and risk management | Communicate | |
Notify auditees if disclosure of audit documentation is required by law. CC ID 15249 | Audits and risk management | Communicate | |
Disseminate and communicate to the organization that access and use of audit reports are based on least privilege. CC ID 07171 | Audits and risk management | Behavior | |
Disseminate and communicate documents that contain information in support of the audit report. CC ID 07175 | Audits and risk management | Establish/Maintain Documentation | |
Correct any material misstatements in documents that contain information in support of the audit report. CC ID 07176 | Audits and risk management | Establish/Maintain Documentation | |
Notify interested personnel and affected parties after bribes are offered during the audit. CC ID 08872 | Audits and risk management | Business Processes | |
Accept the audit report. CC ID 07025 | Audits and risk management | Establish/Maintain Documentation | |
Assign responsibility for remediation actions. CC ID 13622 | Audits and risk management | Human Resources Management | |
Define penalties for uncorrected audit findings or remaining non-compliant with the audit report. CC ID 08963 | Audits and risk management | Establish/Maintain Documentation | |
Assess the quality of the audit program in regards to its documentation. CC ID 11622 | Audits and risk management | Audits and Risk Management | |
Include the audit criteria in the audit plan. CC ID 15262 | Audits and risk management | Establish/Maintain Documentation | |
Include a list of reference documents in the audit plan. CC ID 15260 | Audits and risk management | Establish/Maintain Documentation | |
Include the languages to be used for the audit in the audit plan. CC ID 15252 | Audits and risk management | Establish/Maintain Documentation | |
Include the allocation of resources in the audit plan. CC ID 15251 [{individual}To provide effective oversight of the organization, in addition to the reports it receives from those to whom they have delegated, the governing body should assure itself that the governance system is appropriately designed and operating as intended. If the governing body cannot assure itself directly, then it should utilize additional means of independent assurance. The governing body should: ensure that those providing assurance have appropriate authority and adequate resources to provide the governing body with accurate assessments; § 6.4.3.3 ¶ 1 b)] | Audits and risk management | Establish/Maintain Documentation | |
Include communication protocols in the audit plan. CC ID 15247 | Audits and risk management | Establish/Maintain Documentation | |
Include the level of audit sampling necessary to collect sufficient audit evidence in the audit plan. CC ID 15246 | Audits and risk management | Establish/Maintain Documentation | |
Include meeting schedules in the audit plan. CC ID 15245 | Audits and risk management | Establish/Maintain Documentation | |
Include the time frames for the audit in the audit plan. CC ID 15244 | Audits and risk management | Establish/Maintain Documentation | |
Include the time frames for conducting the audit in the audit plan. CC ID 15243 | Audits and risk management | Establish/Maintain Documentation | |
Include the locations to be audited in the audit plan. CC ID 15242 | Audits and risk management | Establish/Maintain Documentation | |
Include the processes to be audited in the audit plan. CC ID 15241 | Audits and risk management | Establish/Maintain Documentation | |
Include audit objectives in the audit plan. CC ID 15240 | Audits and risk management | Establish/Maintain Documentation | |
Include the risks associated with audit activities in the audit plan. CC ID 15239 | Audits and risk management | Establish/Maintain Documentation | |
Disseminate and communicate the audit plan to interested personnel and affected parties. CC ID 15238 | Audits and risk management | Communicate | |
Establish, implement, and maintain an audit schedule for the audit program. CC ID 13158 | Audits and risk management | Establish/Maintain Documentation | |
Establish, implement, and maintain a risk management program. CC ID 12051 [To exercise effective oversight, the governing body should: ensure that an internal control system is implemented, including a risk management system, a compliance management system and a system of financial controls; § 6.4.3.1 ¶ 1 b) The governing body should establish an organizational risk framework that ensures a formal, proactive and anticipative approach to the management of risk across the organization, including by the governing body. The governing body should ensure that this framework integrates risk management into all organizational activities. § 6.9.3.2 ¶ 1 The governing body should oversee the organization's management of risk (see 6.4), ensuring that: the intended risk management performance is achieved. § 6.9.3.4 ¶ 1 i) {environmental system}{social system} The governing body should ensure that the organization protects and restores those systems on which it depends. In this regard, the governing body should consider and manage risk associated with those decisions it makes that can impact the natural environmental, social and economic systems (see 6.9). While doing so, the governing body should ensure that relevant stakeholders are consulted and engaged (see 6.6). This should provide clarity regarding the impact the governing body's decisions have, over time, on those aspects on which the organization is: § 6.11.3.4 ¶ 1] | Audits and risk management | Establish/Maintain Documentation | |
Include the scope of risk management activities in the risk management program. CC ID 13658 | Audits and risk management | Establish/Maintain Documentation | |
Integrate the risk management program with the organization's business activities. CC ID 13661 [The governing body should establish an organizational risk framework that ensures a formal, proactive and anticipative approach to the management of risk across the organization, including by the governing body. The governing body should ensure that this framework integrates risk management into all organizational activities. § 6.9.3.2 ¶ 1 In overseeing risk management, the governing body should specifically assure itself that risk management is integrated into all organizational activities by seeking evidence that, for example: § 6.9.3.4 ¶ 2] | Audits and risk management | Business Processes | |
Integrate the risk management program into daily business decision-making. CC ID 13659 [The governing body should oversee the organization's management of risk (see 6.4), ensuring that: decision-making behaviours are informed by risk assessment outcomes and are consistent with governance policies; § 6.9.3.4 ¶ 1 g) The governing body should ensure that the organizational risk framework, in respect to the management of risk: guides decision-making behaviours and the impact of leadership actions, inactions or omissions on those behaviours; § 6.9.3.2 ¶ 2 b)] | Audits and risk management | Business Processes | |
Include managing mobile risks in the risk management program. CC ID 13535 | Audits and risk management | Establish/Maintain Documentation | |
Take into account if the system will be accessed by or have an impact on children in the risk management program. CC ID 14992 | Audits and risk management | Audits and Risk Management | |
Include regular updating in the risk management system. CC ID 14990 | Audits and risk management | Business Processes | |
Establish, implement, and maintain risk management strategies. CC ID 13209 [The governing body should oversee the organization's management of risk (see 6.4), ensuring that: strategies to manage risk are deployed within agreed risk limits and associated risk tolerance; § 6.9.3.4 ¶ 1 b)] | Audits and risk management | Establish/Maintain Documentation | |
Include off-site storage of supplies in the risk management strategies. CC ID 13221 | Audits and risk management | Establish/Maintain Documentation | |
Include data quality in the risk management strategies. CC ID 15308 | Audits and risk management | Data and Information Management | |
Include the use of alternate service providers in the risk management strategies. CC ID 13217 | Audits and risk management | Establish/Maintain Documentation | |
Include minimizing service interruptions in the risk management strategies. CC ID 13215 | Audits and risk management | Establish/Maintain Documentation | |
Include off-site storage in the risk mitigation strategies. CC ID 13213 | Audits and risk management | Establish/Maintain Documentation | |
Establish, implement, and maintain the risk assessment framework. CC ID 00685 | Audits and risk management | Establish/Maintain Documentation | |
Define and assign the roles and responsibilities for the risk assessment framework, as necessary. CC ID 06456 [The governing body should ensure that the organizational risk framework, in respect to the management of risk: defines the responsibilities of the governing body and associated delegation across the organization; § 6.9.3.2 ¶ 2 e)] | Audits and risk management | Establish Roles | |
Establish, implement, and maintain a risk assessment program. CC ID 00687 [The governing body should consider and manage risk associated with its own activities in accordance with the organizational risk framework. For example, the governing body should: § 6.9.3.3 ¶ 1] | Audits and risk management | Establish/Maintain Documentation | |
Address past incidents in the risk assessment program. CC ID 12743 | Audits and risk management | Audits and Risk Management | |
Include the need for risk assessments in the risk assessment program. CC ID 06447 | Audits and risk management | Establish/Maintain Documentation | |
Include the information flow of restricted data in the risk assessment program. CC ID 12339 | Audits and risk management | Establish/Maintain Documentation | |
Establish and maintain the factors and context for risk to the organization. CC ID 12230 [The governing body should ensure that it considers the effect of uncertainty on the organizational purpose and associated strategic outcomes. § 6.9.1 ¶ 1 The governing body should ensure that it considers the effect of uncertainty on the organizational purpose and associated strategic outcomes. Table 1 Column 4 Row 10 The governing body should oversee the organization's management of risk (see 6.4), ensuring that: a holistic view is taken by the organization, including consideration of all relevant types of risk; § 6.9.3.4 ¶ 1 a) {internal context}When setting the strategic outcomes and guiding the organizational strategy, the governing body should consider the organization's internal and external context, including: the organization's risk landscape; § 6.3.3.1.1 ¶ 2 c)] | Audits and risk management | Audits and Risk Management | |
Establish, implement, and maintain a financial plan to support the risk management strategy. CC ID 12786 | Audits and risk management | Establish/Maintain Documentation | |
Establish, implement, and maintain insurance requirements. CC ID 16562 | Audits and risk management | Establish/Maintain Documentation | |
Disseminate and communicate insurance options to interested personnel and affected parties. CC ID 16572 | Audits and risk management | Communicate | |
Disseminate and communicate insurance requirements to interested personnel and affected parties. CC ID 16567 | Audits and risk management | Communicate | |
Design a portfolio of insurance options in accordance with risk decision-making criteria. CC ID 12878 | Audits and risk management | Business Processes | |
Design a portfolio of loans in accordance with risk decision-making criteria. CC ID 12877 | Audits and risk management | Business Processes | |
Design a portfolio of risk limiting and mitigating approaches in organizational contracts in accordance with risk decision-making criteria. CC ID 12903 | Audits and risk management | Business Processes | |
Address cybersecurity risks in the risk assessment program. CC ID 13193 | Audits and risk management | Establish/Maintain Documentation | |
Establish, implement, and maintain Data Protection Impact Assessments. CC ID 14830 | Audits and risk management | Process or Activity | |
Include a Data Protection Impact Assessment in the risk assessment program. CC ID 12630 | Audits and risk management | Establish/Maintain Documentation | |
Include an assessment of the necessity and proportionality of the processing operations in relation to the purposes in the Data Protection Impact Assessment. CC ID 12681 | Audits and risk management | Establish/Maintain Documentation | |
Include an assessment of the relationship between the data subject and the parties processing the data in the Data Protection Impact Assessment. CC ID 16371 | Audits and risk management | Establish/Maintain Documentation | |
Include a risk assessment of data subject's rights in the Data Protection Impact Assessment. CC ID 12674 | Audits and risk management | Establish/Maintain Documentation | |
Include the description and purpose of processing restricted data in the Data Protection Impact Assessment. CC ID 12673 | Audits and risk management | Establish/Maintain Documentation | |
Disseminate and communicate the Data Protection Impact Assessment to interested personnel and affected parties. CC ID 15313 | Audits and risk management | Communicate | |
Include consideration of the data subject's expectations in the Data Protection Impact Assessment. CC ID 16370 | Audits and risk management | Establish/Maintain Documentation | |
Include monitoring unsecured areas in the Data Protection Impact Assessment. CC ID 12671 | Audits and risk management | Establish/Maintain Documentation | |
Include security measures for protecting restricted data in the Data Protection Impact Assessment. CC ID 12635 | Audits and risk management | Establish/Maintain Documentation | |
Use the risk taxonomy when managing risk. CC ID 12280 | Audits and risk management | Behavior | |
Establish, implement, and maintain a risk assessment policy. CC ID 14026 | Audits and risk management | Establish/Maintain Documentation | |
Include compliance requirements in the risk assessment policy. CC ID 14121 | Audits and risk management | Establish/Maintain Documentation | |
Include coordination amongst entities in the risk assessment policy. CC ID 14120 | Audits and risk management | Establish/Maintain Documentation | |
Include management commitment in the risk assessment policy. CC ID 14119 | Audits and risk management | Establish/Maintain Documentation | |
Include roles and responsibilities in the risk assessment policy. CC ID 14118 | Audits and risk management | Establish/Maintain Documentation | |
Include the scope in the risk assessment policy. CC ID 14117 | Audits and risk management | Establish/Maintain Documentation | |
Include the purpose in the risk assessment policy. CC ID 14116 | Audits and risk management | Establish/Maintain Documentation | |
Disseminate and communicate the risk assessment policy to interested personnel and affected parties. CC ID 14115 | Audits and risk management | Communicate | |
Establish, implement, and maintain risk assessment procedures. CC ID 06446 [The governing body should oversee the organization's management of risk (see 6.4), ensuring that: the process for assessing risk is consistent throughout the organization, enabling effective comparison and prioritization of risk; § 6.9.3.4 ¶ 1 e) The governing body should ensure that the value generation objectives are delivered by the organization as a whole, by applying all other principles in this document. This includes ensuring that: unintended outcomes are adequately identified, understood, monitored and appropriate action taken; § 6.2.3.4 ¶ 1 a)] | Audits and risk management | Establish/Maintain Documentation | |
Employ risk assessment procedures that follow legal requirements and contractual obligations when risk profiling. CC ID 06472 | Audits and risk management | Establish/Maintain Documentation | |
Analyze the organization's information security environment. CC ID 13122 | Audits and risk management | Technical Security | |
Document cybersecurity risks. CC ID 12281 | Audits and risk management | Establish/Maintain Documentation | |
Employ risk assessment procedures that follow standards and best practices, as necessary. CC ID 06473 | Audits and risk management | Establish/Maintain Documentation | |
Employ risk assessment procedures that take into account both electronic records and printed records. CC ID 06476 | Audits and risk management | Establish/Maintain Documentation | |
Employ risk assessment procedures that take into account information classification. CC ID 06477 | Audits and risk management | Establish/Maintain Documentation | |
Engage appropriate parties to assist with risk assessments, as necessary. CC ID 12153 | Audits and risk management | Human Resources Management | |
Employ risk assessment procedures that align with strategic objectives. CC ID 06474 | Audits and risk management | Establish/Maintain Documentation | |
Employ risk assessment procedures that take into account prior risk assessment findings of the same scope. CC ID 06478 | Audits and risk management | Establish/Maintain Documentation | |
Employ risk assessment procedures that take into account the target environment. CC ID 06479 [The governing body should consider and manage risk associated with its own activities in accordance with the organizational risk framework. For example, the governing body should: § 6.9.3.3 ¶ 1] | Audits and risk management | Establish/Maintain Documentation | |
Employ risk assessment procedures that take into account incidents associated with the target environment. CC ID 06480 | Audits and risk management | Establish/Maintain Documentation | |
Employ risk assessment procedures that take into account risk factors. CC ID 16560 | Audits and risk management | Audits and Risk Management | |
Include compliance with disposition requirements in the risk assessment procedures. CC ID 12342 | Audits and risk management | Establish/Maintain Documentation | |
Include compliance with retention requirements in the risk assessment procedures. CC ID 12341 | Audits and risk management | Establish/Maintain Documentation | |
Employ risk assessment procedures that include appropriate risk treatment options for each identified risk. CC ID 06484 | Audits and risk management | Establish/Maintain Documentation | |
Establish, implement, and maintain a threat and risk classification scheme. CC ID 07183 | Audits and risk management | Establish/Maintain Documentation | |
Document organizational risk criteria. CC ID 12277 [The governing body should ensure that the organizational risk framework, in respect to the management of risk: establishes the risk appetite, which involves setting risk criteria and associated limits; § 6.9.3.2 ¶ 2 g)] | Audits and risk management | Establish/Maintain Documentation | |
Include security threats and vulnerabilities in the threat and risk classification scheme. CC ID 00699 | Audits and risk management | Technical Security | |
Categorize the systems, information, and data by risk profile in the threat and risk classification scheme. CC ID 01443 | Audits and risk management | Audits and Risk Management | |
Include risks to critical personnel and assets in the threat and risk classification scheme. CC ID 00698 | Audits and risk management | Audits and Risk Management | |
Include the traceability of malicious code in the threat and risk classification scheme. CC ID 06600 | Audits and risk management | Establish/Maintain Documentation | |
Assign a probability of occurrence to all types of threats in the threat and risk classification scheme. CC ID 01173 | Audits and risk management | Audits and Risk Management | |
Approve the threat and risk classification scheme. CC ID 15693 | Audits and risk management | Business Processes | |
Establish, implement, and maintain risk profiling procedures for internal risk assessments. CC ID 01157 | Audits and risk management | Audits and Risk Management | |
Include language that is easy to understand in the risk assessment report. CC ID 06461 | Audits and risk management | Establish/Maintain Documentation | |
Include the environments that call for risk assessments in the risk assessment program. CC ID 06448 | Audits and risk management | Establish/Maintain Documentation | |
Include the process for defining the scope of each risk assessment in the risk assessment program. CC ID 06462 | Audits and risk management | Establish/Maintain Documentation | |
Include the circumstances that call for risk assessments in the risk assessment program. CC ID 06449 | Audits and risk management | Establish/Maintain Documentation | |
Include the roles and responsibilities involved in risk assessments in the risk assessment program. CC ID 06450 | Audits and risk management | Establish/Maintain Documentation | |
Include the methods of managing and responding to the risk assessment report in the risk assessment program. CC ID 06451 | Audits and risk management | Establish/Maintain Documentation | |
Automate as much of the risk assessment program, as necessary. CC ID 06459 | Audits and risk management | Audits and Risk Management | |
Disseminate and communicate the risk assessment procedures to interested personnel and affected parties. CC ID 14136 | Audits and risk management | Communicate | |
Approve the risk assessment program and associated risk assessment procedures at the senior management level. CC ID 06458 | Audits and risk management | Establish/Maintain Documentation | |
Perform risk assessments for all target environments, as necessary. CC ID 06452 [To ensure that the organization fulfils the organizational purpose and achieves the intended strategic outcomes, the governing body should: ensure that when the governing body makes decisions, it assesses, treats, monitors, and communicates the nature and extent of the risks faced; § 6.9.3.1 ¶ 2 b) The governing body should oversee the organization's management of risk (see 6.4), ensuring that: the organization assesses, treats, monitors and reviews risk in accordance with the established organizational risk framework; § 6.9.3.4 ¶ 1 d) {environmental system}{social system} The governing body should ensure that the organization protects and restores those systems on which it depends. In this regard, the governing body should consider and manage risk associated with those decisions it makes that can impact the natural environmental, social and economic systems (see 6.9). While doing so, the governing body should ensure that relevant stakeholders are consulted and engaged (see 6.6). This should provide clarity regarding the impact the governing body's decisions have, over time, on those aspects on which the organization is: § 6.11.3.4 ¶ 1] | Audits and risk management | Testing | |
Include the probability and potential impact of pandemics in the scope of the risk assessment. CC ID 13241 | Audits and risk management | Establish/Maintain Documentation | |
Include physical assets in the scope of the risk assessment. CC ID 13075 | Audits and risk management | Establish/Maintain Documentation | |
Include the results of the risk assessment in the risk assessment report. CC ID 06481 | Audits and risk management | Establish/Maintain Documentation | |
Approve the results of the risk assessment as documented in the risk assessment report. CC ID 07109 | Audits and risk management | Audits and Risk Management | |
Review risks to the organization's audit function when changes in the supply chain occur. CC ID 01154 | Audits and risk management | Audits and Risk Management | |
Review the risk to the audit function when the audit personnel status changes. CC ID 01153 | Audits and risk management | Audits and Risk Management | |
Document any reasons for modifying or refraining from modifying the organization's risk assessment when the risk assessment has been reviewed. CC ID 13312 | Audits and risk management | Establish/Maintain Documentation | |
Create a risk assessment report based on the risk assessment results. CC ID 15695 | Audits and risk management | Establish/Maintain Documentation | |
Disseminate and communicate the approved risk assessment report to interested personnel and affected parties. CC ID 10633 [Assurance processes that inform the governing body independently and accurately include: direct reports by, and private sessions with, risk management and compliance management as independent control functions; § 6.4.3.3 ¶ 2 Bullet 2] | Audits and risk management | Communicate | |
Notify the organization upon completion of the external audits of the organization's risk assessment. CC ID 13313 | Audits and risk management | Communicate | |
Establish, implement, and maintain a risk assessment awareness and training program. CC ID 06453 | Audits and risk management | Business Processes | |
Disseminate and communicate information about risks to all interested personnel and affected parties. CC ID 06718 [To demonstrate accountability, the governing body should ensure that the organization's reports and disclosures: explain and justify the organization's actions, inactions, omissions, risk and dependencies, including those of the governing body; § 6.5.3.2 ¶ 1 g) To ensure that the organization fulfils the organizational purpose and achieves the intended strategic outcomes, the governing body should: ensure that when the governing body makes decisions, it assesses, treats, monitors, and communicates the nature and extent of the risks faced; § 6.9.3.1 ¶ 2 b) The governing body should oversee the organization's management of risk (see 6.4), ensuring that: effective risk reporting and communication of risk are practised and promoted throughout the organization; § 6.9.3.4 ¶ 1 h) Assurance processes that inform the governing body independently and accurately include: direct reports by, and private sessions with, internal audit as an independent provider of assurance, including insight and advice, on the effectiveness and performance of governance processes and the internal control system, in particular risk management and compliance management; § 6.4.3.3 ¶ 2 Bullet 3 {environmental system}{social system}The governing body should ensure that when the organization reports and discloses its value generation model (see 6.2 and 6.5) these include: the risks posed to the organization, and the organization's value generation model, by the natural environmental, social and economic systems within which it operates and by the governing body's decisions; § 6.11.3.4 ¶ 2 b) {environmental system}{social system}The governing body should ensure that when the organization reports and discloses its value generation model (see 6.2 and 6.5) these include: the risks posed to the natural environmental, social and economic systems by the organization, by the organization's value generation model and by the governing body's decisions. § 6.11.3.4 ¶ 2 c)] | Audits and risk management | Behavior | |
Correlate the business impact of identified risks in the risk assessment report. CC ID 00686 | Audits and risk management | Audits and Risk Management | |
Include recovery of the critical path in the Business Impact Analysis. CC ID 13224 | Audits and risk management | Establish/Maintain Documentation | |
Include acceptable levels of data loss in the Business Impact Analysis. CC ID 13264 | Audits and risk management | Establish/Maintain Documentation | |
Include Recovery Point Objectives in the Business Impact Analysis. CC ID 13223 | Audits and risk management | Establish/Maintain Documentation | |
Include the Recovery Time Objectives in the Business Impact Analysis. CC ID 13222 | Audits and risk management | Establish/Maintain Documentation | |
Include pandemic risks in the Business Impact Analysis. CC ID 13219 | Audits and risk management | Establish/Maintain Documentation | |
Include tolerance to downtime in the Business Impact Analysis report. CC ID 01172 | Audits and risk management | Establish/Maintain Documentation | |
Disseminate and communicate the Business Impact Analysis to interested personnel and affected parties. CC ID 15300 [{social context}To demonstrate accountability, the governing body should ensure that the organization's reports and disclosures: provide information about the organization, including: the impact the organization has had, and anticipates having, on the resources it uses and the natural environment, social and economic context within which it operates; § 6.5.3.2 ¶ 1 c) 3) The value generation model requires an integrated approach to understanding and using resources (e.g. human, social and relational, intellectual, the natural environment, financial and manufactured). This approach includes: reporting on the extent of the organization's impact on these resources and the impact of these resources on one another. § 6.2.3.1 ¶ 4 c) The governing body should demonstrate accountability by retaining and distributing value in a transparent manner and reporting on the associated processes, decisions and results, including on the extent of the organization's impacts over time. This includes disclosing to relevant stakeholders where the organization has destroyed or compromised value, providing a justification for such where appropriate, and describing how it will redress or reinstate that value. § 6.2.3.5 ¶ 2] | Audits and risk management | Communicate | |
Establish, implement, and maintain a risk register. CC ID 14828 | Audits and risk management | Establish/Maintain Documentation | |
Document organizational risk tolerance in a risk register. CC ID 09961 | Audits and risk management | Establish/Maintain Documentation | |
Align organizational risk tolerance to that of industry peers in the risk register. CC ID 09962 | Audits and risk management | Business Processes | |
Review the Business Impact Analysis, as necessary. CC ID 12774 | Audits and risk management | Business Processes | |
Analyze and quantify the risks to in scope systems and information. CC ID 00701 | Audits and risk management | Audits and Risk Management | |
Establish and maintain a Risk Scoping and Measurement Definitions Document. CC ID 00703 | Audits and risk management | Audits and Risk Management | |
Identify the material risks in the risk assessment report. CC ID 06482 | Audits and risk management | Audits and Risk Management | |
Establish a risk acceptance level that is appropriate to the organization's risk appetite. CC ID 00706 [{positive impact}Responsible stewardship — The organization: effectively balances positive and negative impacts; § 5 ¶ 2 b) 2) The governing body should ensure that the organizational risk framework, in respect to the management of risk: establishes the risk appetite, which involves setting risk criteria and associated limits; § 6.9.3.2 ¶ 2 g) The governing body should ensure that it sets parameters, within which the value generation objectives are to be achieved. These parameters should ensure that the organization: balances the achievement of the value generation objectives against potential impacts; § 6.2.3.3 ¶ 1 a)] | Audits and risk management | Establish/Maintain Documentation | |
Investigate alternative risk control strategies appropriate to the organization's risk appetite. CC ID 12887 | Audits and risk management | Investigate | |
Select the appropriate risk treatment option for each identified risk in the risk register. CC ID 06483 [The governing body should oversee the organization's management of risk (see 6.4), ensuring that: the choice of risk treatments is consistent with governance policies; § 6.9.3.4 ¶ 1 c)] | Audits and risk management | Establish/Maintain Documentation | |
Disseminate and communicate the risk acceptance level in the risk treatment plan to all interested personnel and affected parties. CC ID 06849 | Audits and risk management | Behavior | |
Document the results of the gap analysis. CC ID 16271 | Audits and risk management | Establish/Maintain Documentation | |
Prioritize and select controls based on the risk assessment findings. CC ID 00707 | Audits and risk management | Audits and Risk Management | |
Prioritize and categorize the effects of opportunities, threats and requirements on control activities. CC ID 12822 | Audits and risk management | Audits and Risk Management | |
Develop key indicators to inform management on the effectiveness of risk control measures. CC ID 12946 | Audits and risk management | Audits and Risk Management | |
Establish, implement, and maintain a risk treatment plan. CC ID 11983 [To ensure that the organization fulfils the organizational purpose and achieves the intended strategic outcomes, the governing body should: ensure that when the governing body makes decisions, it assesses, treats, monitors, and communicates the nature and extent of the risks faced; § 6.9.3.1 ¶ 2 b) The governing body should oversee the organization's management of risk (see 6.4), ensuring that: the organization assesses, treats, monitors and reviews risk in accordance with the established organizational risk framework; § 6.9.3.4 ¶ 1 d) The governing body should oversee organizational performance by assessing and taking corrective action based on: risk information (e.g. information received directly from the risk function) regarding the organization's assessment and treatment of its key threats and opportunities in consideration of the organizational risk framework (see 6.9); § 6.4.3.2 ¶ 1 c)] | Audits and risk management | Establish/Maintain Documentation | |
Include the date of the risk assessment in the risk treatment plan. CC ID 16321 | Audits and risk management | Establish/Maintain Documentation | |
Include the release status of the risk assessment in the risk treatment plan. CC ID 16320 | Audits and risk management | Audits and Risk Management | |
Identify the planned actions and controls that address high risk in the risk treatment plan. CC ID 12835 | Audits and risk management | Audits and Risk Management | |
Identify the current actions and controls that address high risk in the risk treatment plan. CC ID 12834 | Audits and risk management | Audits and Risk Management | |
Include the risk treatment strategy in the risk treatment plan. CC ID 12159 | Audits and risk management | Establish/Maintain Documentation | |
Include an overview of the migration project plan in the risk treatment plan. CC ID 11982 | Audits and risk management | Establish/Maintain Documentation | |
Include change control processes in the risk treatment plan. CC ID 11981 | Audits and risk management | Establish/Maintain Documentation | |
Include a description of the processes to check for new vulnerabilities in the risk treatment plan. CC ID 11980 | Audits and risk management | Establish/Maintain Documentation | |
Include the implemented risk management controls in the risk treatment plan. CC ID 11979 | Audits and risk management | Establish/Maintain Documentation | |
Include requirements for monitoring and reporting in the risk treatment plan, as necessary. CC ID 13620 | Audits and risk management | Establish/Maintain Documentation | |
Include risk assessment results in the risk treatment plan. CC ID 11978 | Audits and risk management | Establish/Maintain Documentation | |
Include a description of usage in the risk treatment plan. CC ID 11977 | Audits and risk management | Establish/Maintain Documentation | |
Document all constraints applied to the risk treatment plan, as necessary. CC ID 13619 | Audits and risk management | Establish/Maintain Documentation | |
Disseminate and communicate the risk treatment plan to interested personnel and affected parties. CC ID 15694 | Audits and risk management | Communicate | |
Approve the risk treatment plan. CC ID 13495 | Audits and risk management | Audits and Risk Management | |
Integrate the corrective action plan based on the risk assessment findings with other risk management activities. CC ID 06457 | Audits and risk management | Establish/Maintain Documentation | |
Review and approve the risk assessment findings. CC ID 06485 [The governing body should oversee organizational performance by assessing and taking corrective action based on: risk information (e.g. information received directly from the risk function) regarding the organization's assessment and treatment of its key threats and opportunities in consideration of the organizational risk framework (see 6.9); § 6.4.3.2 ¶ 1 c)] | Audits and risk management | Establish/Maintain Documentation | |
Include risk responses in the risk management program. CC ID 13195 | Audits and risk management | Establish/Maintain Documentation | |
Review and approve material risks documented in the residual risk report, as necessary. CC ID 13672 | Audits and risk management | Business Processes | |
Establish, implement, and maintain an artificial intelligence risk management program. CC ID 16220 | Audits and risk management | Establish/Maintain Documentation | |
Include diversity and equal opportunity in the artificial intelligence risk management program. CC ID 16255 | Audits and risk management | Establish/Maintain Documentation | |
Analyze the impact of artificial intelligence systems on business operations. CC ID 16356 | Audits and risk management | Business Processes | |
Establish, implement, and maintain a cybersecurity risk management program. CC ID 16827 | Audits and risk management | Audits and Risk Management | |
Include a commitment to continuous improvement in the cybersecurity risk management program. CC ID 16839 | Audits and risk management | Establish/Maintain Documentation | |
Monitor the effectiveness of the cybersecurity risk management program. CC ID 16831 | Audits and risk management | Monitor and Evaluate Occurrences | |
Establish, implement, and maintain a cybersecurity risk management policy. CC ID 16834 | Audits and risk management | Establish/Maintain Documentation | |
Disseminate and communicate the cybersecurity risk management policy to interested personnel and affected parties. CC ID 16832 | Audits and risk management | Communicate | |
Disseminate and communicate the cybersecurity risk management program to interested personnel and affected parties. CC ID 16829 | Audits and risk management | Communicate | |
Establish, implement, and maintain a cybersecurity risk management strategy. CC ID 11991 | Audits and risk management | Establish/Maintain Documentation | |
Include a risk prioritization approach in the Cybersecurity Risk Management Strategy. CC ID 12276 | Audits and risk management | Establish/Maintain Documentation | |
Include defense in depth strategies in the cybersecurity risk management strategy. CC ID 15582 | Audits and risk management | Establish/Maintain Documentation | |
Disseminate and communicate the cybersecurity risk management strategy to interested personnel and affected parties. CC ID 16825 | Audits and risk management | Communicate | |
Evaluate the cyber insurance market. CC ID 12695 | Audits and risk management | Business Processes | |
Evaluate the usefulness of cyber insurance to the organization. CC ID 12694 | Audits and risk management | Business Processes | |
Acquire cyber insurance, as necessary. CC ID 12693 | Audits and risk management | Business Processes | |
Establish, implement, and maintain a cybersecurity supply chain risk management program. CC ID 16826 | Audits and risk management | Establish/Maintain Documentation | |
Establish, implement, and maintain cybersecurity supply chain risk management procedures. CC ID 16830 | Audits and risk management | Establish/Maintain Documentation | |
Monitor the effectiveness of the cybersecurity supply chain risk management program. CC ID 16828 | Audits and risk management | Monitor and Evaluate Occurrences | |
Establish, implement, and maintain a supply chain risk management policy. CC ID 14663 | Audits and risk management | Establish/Maintain Documentation | |
Include compliance requirements in the supply chain risk management policy. CC ID 14711 | Audits and risk management | Establish/Maintain Documentation | |
Include coordination amongst entities in the supply chain risk management policy. CC ID 14710 | Audits and risk management | Establish/Maintain Documentation | |
Include management commitment in the supply chain risk management policy. CC ID 14709 | Audits and risk management | Establish/Maintain Documentation | |
Include roles and responsibilities in the supply chain risk management policy. CC ID 14708 | Audits and risk management | Establish/Maintain Documentation | |
Include the scope in the supply chain risk management policy. CC ID 14707 | Audits and risk management | Establish/Maintain Documentation | |
Include the purpose in the supply chain risk management policy. CC ID 14706 | Audits and risk management | Establish/Maintain Documentation | |
Disseminate and communicate the supply chain risk management policy to all interested personnel and affected parties. CC ID 14662 | Audits and risk management | Communicate | |
Establish, implement, and maintain a supply chain risk management plan. CC ID 14713 | Audits and risk management | Establish/Maintain Documentation | |
Include processes for monitoring and reporting in the supply chain risk management plan. CC ID 15619 | Audits and risk management | Establish/Maintain Documentation | |
Include dates in the supply chain risk management plan. CC ID 15617 | Audits and risk management | Establish/Maintain Documentation | |
Include implementation milestones in the supply chain risk management plan. CC ID 15615 | Audits and risk management | Establish/Maintain Documentation | |
Include roles and responsibilities in the supply chain risk management plan. CC ID 15613 | Audits and risk management | Establish/Maintain Documentation | |
Include supply chain risk management procedures in the risk management program. CC ID 13190 | Audits and risk management | Establish/Maintain Documentation | |
Disseminate and communicate the supply chain risk management procedures to all interested personnel and affected parties. CC ID 14712 | Audits and risk management | Communicate | |
Assign key stakeholders to review and approve supply chain risk management procedures. CC ID 13199 | Audits and risk management | Human Resources Management | |
Disseminate and communicate the risk management policy to interested personnel and affected parties. CC ID 13792 | Audits and risk management | Communicate | |
Establish, implement, and maintain an access control program. CC ID 11702 | Technical security | Establish/Maintain Documentation | |
Establish, implement, and maintain an access rights management plan. CC ID 00513 | Technical security | Establish/Maintain Documentation | |
Control access rights to organizational assets. CC ID 00004 [{procedure}The governing body should ensure that it sets parameters, within which the value generation objectives are to be achieved. These parameters should ensure that the organization: defines what resources are required to deliver the value generation objectives and how they should be accessed and allocated; § 6.2.3.3 ¶ 1 b)] | Technical security | Technical Security | |
Configure access control lists in accordance with organizational standards. CC ID 16465 | Technical security | Configuration | |
Add all devices requiring access control to the Access Control List. CC ID 06264 | Technical security | Establish/Maintain Documentation | |
Generate but refrain from storing authenticators or Personal Identification Numbers for systems involved in high risk activities. CC ID 06835 | Technical security | Technical Security | |
Define roles for information systems. CC ID 12454 | Technical security | Human Resources Management | |
Define access needs for each role assigned to an information system. CC ID 12455 | Technical security | Human Resources Management | |
Define access needs for each system component of an information system. CC ID 12456 | Technical security | Technical Security | |
Define the level of privilege required for each system component of an information system. CC ID 12457 | Technical security | Technical Security | |
Establish access rights based on least privilege. CC ID 01411 | Technical security | Technical Security | |
Assign user permissions based on job responsibilities. CC ID 00538 | Technical security | Technical Security | |
Assign user privileges after they have management sign off. CC ID 00542 | Technical security | Technical Security | |
Separate processing domains to segregate user privileges and enhance information flow control. CC ID 06767 | Technical security | Configuration | |
Establish, implement, and maintain lockout procedures or lockout mechanisms to be triggered after a predetermined number of consecutive logon attempts. CC ID 01412 | Technical security | Technical Security | |
Configure the lockout procedure to disregard failed logon attempts after the user is authenticated. CC ID 13822 | Technical security | Configuration | |
Disallow unlocking user accounts absent system administrator approval. CC ID 01413 | Technical security | Technical Security | |
Establish, implement, and maintain session lock capabilities. CC ID 01417 | Technical security | Configuration | |
Limit concurrent sessions according to account type. CC ID 01416 | Technical security | Configuration | |
Establish session authenticity through Transport Layer Security. CC ID 01627 | Technical security | Technical Security | |
Configure the "tlsverify" argument to organizational standards. CC ID 14460 | Technical security | Configuration | |
Configure the "tlscacert" argument to organizational standards. CC ID 14521 | Technical security | Configuration | |
Configure the "tlscert" argument to organizational standards. CC ID 14520 | Technical security | Configuration | |
Configure the "tlskey" argument to organizational standards. CC ID 14519 | Technical security | Configuration | |
Enable access control for objects and users on each system. CC ID 04553 | Technical security | Configuration | |
Include all system components in the access control system. CC ID 11939 | Technical security | Technical Security | |
Set access control for objects and users to "deny all" unless explicitly authorized. CC ID 06301 | Technical security | Process or Activity | |
Enable access control for objects and users to match restrictions set by the system's security classification. CC ID 04850 | Technical security | Technical Security | |
Enable attribute-based access control for objects and users on information systems. CC ID 16351 | Technical security | Technical Security | |
Enable role-based access control for objects and users on information systems. CC ID 12458 | Technical security | Technical Security | |
Include the objects and users subject to access control in the security policy. CC ID 11836 | Technical security | Establish/Maintain Documentation | |
Assign Information System access authorizations if implementing segregation of duties. CC ID 06323 | Technical security | Establish Roles | |
Enforce access restrictions for change control. CC ID 01428 | Technical security | Technical Security | |
Enforce access restrictions for restricted data. CC ID 01921 | Technical security | Data and Information Management | |
Permit a limited set of user actions absent identification and authentication. CC ID 04849 | Technical security | Technical Security | |
Activate third party maintenance accounts and user identifiers, as necessary. CC ID 04262 | Technical security | Technical Security | |
Establish, implement, and maintain a system use agreement for each information system. CC ID 06500 | Technical security | Establish/Maintain Documentation | |
Accept and sign the system use agreement before data or system access is enabled. CC ID 06501 | Technical security | Establish/Maintain Documentation | |
Display a logon banner and appropriate logon message before granting access to the system. CC ID 06770 | Technical security | Technical Security | |
Display previous logon information in the logon banner. CC ID 01415 | Technical security | Configuration | |
Document actions that can be performed on an information system absent identification and authentication of the user. CC ID 06771 | Technical security | Establish/Maintain Documentation | |
Use automatic equipment identification as a method of connection authentication absent an individual's identification and authentication. CC ID 06964 | Technical security | Technical Security | |
Establish, implement, and maintain a business continuity program. CC ID 13210 | Operational and Systems Continuity | Establish/Maintain Documentation | |
Establish, implement, and maintain a continuity framework. CC ID 00732 | Operational and Systems Continuity | Establish/Maintain Documentation | |
Assess risks related to fault tolerance and redundancy of critical assets. CC ID 13053 | Operational and Systems Continuity | Systems Continuity | |
Establish, implement, and maintain a continuity plan. CC ID 00752 | Operational and Systems Continuity | Establish/Maintain Documentation | |
Include restoration procedures in the continuity plan. CC ID 01169 [The organization's viability and performance over time depends on the resilience of natural environmental, social and economic systems in which the organization operates. The resilience of these systems benefits from governing body decisions when such decisions consider: actively contribute to conserving and restoring these systems. § 6.11.3.1 ¶ 1 Bullet 2] | Operational and Systems Continuity | Establish Roles | |
Include risk prioritized recovery procedures for each business unit in the recovery plan. CC ID 01166 | Operational and Systems Continuity | Establish/Maintain Documentation | |
Include the recovery plan in the continuity plan. CC ID 01377 | Operational and Systems Continuity | Establish/Maintain Documentation | |
Disseminate and communicate the recovery status of the contingency plan to interested personnel and affected parties. CC ID 12758 | Operational and Systems Continuity | Communicate | |
Establish, implement, and maintain system continuity plan strategies. CC ID 00735 | Operational and Systems Continuity | Establish/Maintain Documentation | |
Establish, implement, and maintain a critical third party list. CC ID 06815 | Operational and Systems Continuity | Establish/Maintain Documentation | |
Disseminate and communicate critical third party dependencies to interested personnel and affected parties. CC ID 06816 [To demonstrate accountability, the governing body should ensure that the organization's reports and disclosures: explain and justify the organization's actions, inactions, omissions, risk and dependencies, including those of the governing body; § 6.5.3.2 ¶ 1 g)] | Operational and Systems Continuity | Behavior | |
Establish, implement, and maintain high level operational roles and responsibilities. CC ID 00806 [{be effective} Depending on the size of the organization, governing bodies can create committees to help them fulfil their obligations. These committees can be statutory or voluntary. In either case, they should provide the governing body with additional capacity, skills, independence, diversity and/or stakeholder representation. If a governing body makes use of supporting committees, the governing body should ensure that it effectively delegates the necessary responsibilities and authority to such committees. § 4.3.1 ¶ 2] | Human Resources management | Establish Roles | |
Define and assign the head of Information Security's roles and responsibilities. CC ID 06091 | Human Resources management | Establish Roles | |
Establish, implement, and maintain a security operations center. CC ID 14762 | Human Resources management | Human Resources Management | |
Define the scope for the security operations center. CC ID 15713 | Human Resources management | Establish/Maintain Documentation | |
Designate an alternate for each organizational leader. CC ID 12053 | Human Resources management | Human Resources Management | |
Limit the activities performed as a proxy to an organizational leader. CC ID 12054 | Human Resources management | Behavior | |
Assign the roles and responsibilities of management in establishing, implementing, and maintaining the information security program. CC ID 13112 | Human Resources management | Human Resources Management | |
Define and assign the Board of Directors roles and responsibilities and senior management roles and responsibilities, including signing off on key policies and procedures. CC ID 00807 [The governing body can delegate but still remains accountable for what it has delegated and always remains responsible for the organization as a whole. § 4.2.2 ¶ 1 The governing body should establish governance policies and ensure that these: clarify the manner in which the governing body itself is to operate and govern the organization; § 6.3.3.1.2 ¶ 1 f) {individual}{hold accountable} The governing body should demonstrate its willingness to answer for the fulfilment of its responsibilities, even where these have been delegated. The governing body should also report on the manner in which it holds to account those to whom it has delegated. § 6.5.3.1 ¶ 1 Governance is exercised throughout the organization by governing groups, including: the governing body; § 4.2.1 ¶ 1 Bullet 2 At all times, the governing body should act collectively, performing many interrelated activities in order to exercise its authority and fulfil its accountability. Members of the governing body should act with probity and in the best interests of the organization while applying the principles in this document. § 4.3.1 ¶ 3 {individual}{hold accountable} The governing body should demonstrate its accountability to the organization as a whole and hold to account those to whom it has delegated. Table 1 Column 4 Row 6 The governing body should engage with strategic planning by: establishing clarity about its role in the strategic planning process; § 6.3.3.2.1 ¶ 1 a) The governing body is accountable for ensuring that the organization fulfils the defined organizational purpose and should ensure that the organization does so in a manner which demonstrates the defined organizational values. § 6.1.3.4 ¶ 1 {individual}{hold accountable} The governing body should demonstrate its accountability to the organization as a whole and hold to account those to whom it has delegated. § 6.5.1 ¶ 1 Within the governing body: The governing body should set expectations for itself and the organization, including parameters within which these expectations are to be fulfilled. The governing body should fulfil these expectations (internal alignment). § 6.7.3.2 ¶ 1 a)] | Human Resources management | Establish Roles | |
Establish and maintain board committees, as necessary. CC ID 14789 [The governing body should steer the organizational strategy by means of: the composition and functioning of the governing body itself, and its committees, ensuring they are continually able to understand and meet the changing needs of the organization (see 4.3.2), including recommending ways for closing anticipated gaps; § 6.3.3.2.2 ¶ 2 c)] | Human Resources management | Human Resources Management | |
Define and assign the roles and responsibilities of the chairman of the board. CC ID 14786 | Human Resources management | Establish/Maintain Documentation | |
Assign oversight of C-level executives to the Board of Directors. CC ID 14784 | Human Resources management | Human Resources Management | |
Establish, implement, and maintain candidate selection procedures to the board of directors. CC ID 14782 [The composition and structure of the governing body will vary between organizations. However, the governing body, as a collective, should remain suitably equipped to fulfil its role. Appointments to the governing body should be transparent to stakeholders and consider: capacity; § 4.3.1 ¶ 1 Bullet 4 The composition and structure of the governing body will vary between organizations. However, the governing body, as a collective, should remain suitably equipped to fulfil its role. Appointments to the governing body should be transparent to stakeholders and consider: probity; § 4.3.1 ¶ 1 Bullet 5 The composition and structure of the governing body will vary between organizations. However, the governing body, as a collective, should remain suitably equipped to fulfil its role. Appointments to the governing body should be transparent to stakeholders and consider: commitment. § 4.3.1 ¶ 1 Bullet 6 The composition and structure of the governing body will vary between organizations. However, the governing body, as a collective, should remain suitably equipped to fulfil its role. Appointments to the governing body should be transparent to stakeholders and consider: § 4.3.1 ¶ 1] | Human Resources management | Establish/Maintain Documentation | |
Include the criteria of mixed experiences and skills in the candidate selection procedures. CC ID 14791 [The composition and structure of the governing body will vary between organizations. However, the governing body, as a collective, should remain suitably equipped to fulfil its role. Appointments to the governing body should be transparent to stakeholders and consider: diversity and inclusion; § 4.3.1 ¶ 1 Bullet 2] | Human Resources management | Establish/Maintain Documentation | |
Assign oversight of the financial management program to the board of directors. CC ID 14781 | Human Resources management | Human Resources Management | |
Assign senior management to the role of supporting Quality Management. CC ID 13692 | Human Resources management | Human Resources Management | |
Assign senior management to the role of authorizing official. CC ID 14238 | Human Resources management | Establish Roles | |
Assign members who are independent from management to the Board of Directors. CC ID 12395 [The composition and structure of the governing body will vary between organizations. However, the governing body, as a collective, should remain suitably equipped to fulfil its role. Appointments to the governing body should be transparent to stakeholders and consider: independence of thought and action; § 4.3.1 ¶ 1 Bullet 3] | Human Resources management | Human Resources Management | |
Assign ownership of risks to the Board of Directors or senior management. CC ID 13662 [The governing body should assume accountability for the organization's continual sensing of, and responding to, risk and communicating the chosen approach with relevant stakeholders as necessary (see 6.5.3). § 6.9.3.1 ¶ 1 To ensure that the organization fulfils the organizational purpose and achieves the intended strategic outcomes, the governing body should: oversee the organization's risk management activities. § 6.9.3.1 ¶ 2 c) The governing body should oversee the organization's management of risk (see 6.4), ensuring that: § 6.9.3.4 ¶ 1] | Human Resources management | Human Resources Management | |
Assign the organization's board and senior management to oversee the continuity planning process. CC ID 12991 | Human Resources management | Human Resources Management | |
Define and assign board committees, as necessary. CC ID 14787 | Human Resources management | Human Resources Management | |
Define and assign risk committees, as necessary. CC ID 14795 | Human Resources management | Human Resources Management | |
Establish, implement, and maintain a board committee charter, as necessary. CC ID 14802 | Human Resources management | Establish/Maintain Documentation | |
Define and assign audit committees, as necessary. CC ID 14788 | Human Resources management | Human Resources Management | |
Include members with experience in audit practices, financial reporting, and accounting in the audit committee. CC ID 14796 | Human Resources management | Human Resources Management | |
Define and assign compensation committees, as necessary. CC ID 14793 | Human Resources management | Human Resources Management | |
Define and assign the Chief Information Officer's roles and responsibilities. CC ID 00808 | Human Resources management | Establish Roles | |
Define and assign the network administrator's roles and responsibilities. CC ID 16363 | Human Resources management | Human Resources Management | |
Define and assign the Information Technology staff's roles and responsibilities. CC ID 00809 | Human Resources management | Establish Roles | |
Define and assign the Data Protection Officer's roles and responsibilities. CC ID 16525 | Human Resources management | Human Resources Management | |
Define and assign the business unit manager's roles and responsibilities. CC ID 00810 | Human Resources management | Establish Roles | |
Define and assign the Facility Security Officer's roles and responsibilities. CC ID 01887 | Human Resources management | Establish Roles | |
Define and assign the Chief Risk Officer's roles and responsibilities. CC ID 14333 | Human Resources management | Human Resources Management | |
Define and assign roles and responsibilities for network management. CC ID 13128 | Human Resources management | Human Resources Management | |
Define and assign the technology security leader's roles and responsibilities. CC ID 01897 | Human Resources management | Establish Roles | |
Define and assign the security staff roles and responsibilities. CC ID 11750 | Human Resources management | Establish/Maintain Documentation | |
Define and assign the authorized representatives' roles and responsibilities. CC ID 15033 | Human Resources management | Human Resources Management | |
Define and assign the property management leader's roles and responsibilities. CC ID 00669 | Human Resources management | Establish Roles | |
Define and assign the Archives and Records Management oversight's roles and responsibilities. CC ID 00697 | Human Resources management | Establish Roles | |
Define and assign the Privacy Officer's roles and responsibilities. CC ID 00714 | Human Resources management | Establish Roles | |
Define and assign critical facility management personnel's roles and responsibilities. CC ID 06381 | Human Resources management | Establish Roles | |
Define the objectives and extent of outsourcing operational roles and responsibilities. CC ID 06383 | Human Resources management | Establish/Maintain Documentation | |
Define and assign the Chief Security Officer's roles and responsibilities. CC ID 06431 | Human Resources management | Establish Roles | |
Establish and maintain an Information Technology steering committee. CC ID 12706 | Human Resources management | Human Resources Management | |
Assign the Information Technology steering committee to report to senior management. CC ID 12731 | Human Resources management | Human Resources Management | |
Convene the Information Technology steering committee, as necessary. CC ID 12730 | Human Resources management | Human Resources Management | |
Assign reviewing investments to the Information Technology steering committee, as necessary. CC ID 13625 | Human Resources management | Human Resources Management | |
Assign a contact person to all business units. CC ID 07144 | Human Resources management | Establish Roles | |
Define and assign the assessment team's roles and responsibilities. CC ID 08890 | Human Resources management | Business Processes | |
Assign the role of Risk Assessment Manager to applicable controls. CC ID 12143 | Human Resources management | Human Resources Management | |
Assign the Risk Assessment manager the duty of reporting risk assessment results to organizational management. CC ID 12152 | Human Resources management | Human Resources Management | |
Refrain from allocating temporary staff to perform sensitive jobs absent the presence and control of authorized permanent staff. CC ID 12299 | Human Resources management | Human Resources Management | |
Define and assign workforce roles and responsibilities. CC ID 13267 ["Governance" and "management" are distinct, necessary and complementary activities that interact and influence one another. Governance involves setting and being accountable for the organization's fulfilment of its purpose within the parameters set for the organization, whereas management is about fulfilling the associated objectives by making choices within those parameters. The governing body should ensure the clarity of roles and responsibilities of all involved and hold accountable those to whom they delegate. § 4.2.3 ¶ 1] | Human Resources management | Human Resources Management | |
Establish, implement, and maintain cybersecurity roles and responsibilities. CC ID 13201 | Human Resources management | Human Resources Management | |
Assign roles and responsibilities for physical security, as necessary. CC ID 13113 | Human Resources management | Establish Roles | |
Document the use of external experts. CC ID 16263 | Human Resources management | Human Resources Management | |
Define and assign roles and responsibilities for those involved in risk management. CC ID 13660 [The governing body should ensure that the organizational risk framework, in respect to the management of risk: establishes the desired risk culture across the organization that encourages the reporting and communication of new and emerging risks, and ensures that every person in the organization understands their risk management responsibility; § 6.9.3.2 ¶ 2 a)] | Human Resources management | Human Resources Management | |
Include the management structure in the duties and responsibilities for risk management. CC ID 13665 | Human Resources management | Human Resources Management | |
Assign the roles and responsibilities for the change control program. CC ID 13118 | Human Resources management | Human Resources Management | |
Identify and define all critical roles. CC ID 00777 | Human Resources management | Establish Roles | |
Assign cybersecurity reporting responsibilities to qualified personnel. CC ID 12739 | Human Resources management | Establish Roles | |
Assign responsibility for cyber threat intelligence. CC ID 12746 | Human Resources management | Human Resources Management | |
Assign the role of security management to applicable controls. CC ID 06444 | Human Resources management | Establish Roles | |
Assign the role of security leader to keep up to date on the latest threats. CC ID 12112 | Human Resources management | Human Resources Management | |
Define and assign the data processor's roles and responsibilities. CC ID 12607 | Human Resources management | Human Resources Management | |
Assign the data processor to assist the data controller in implementing security controls. CC ID 12677 | Human Resources management | Human Resources Management | |
Assign the data processor to notify the data controller when personal data processing could infringe on regulations. CC ID 12617 | Human Resources management | Communicate | |
Define and assign the data controller's roles and responsibilities. CC ID 00471 | Human Resources management | Establish Roles | |
Assign the role of data controller to be the Point of Contact for the supervisory authority. CC ID 12616 | Human Resources management | Human Resources Management | |
Assign the role of the Data Controller to cooperate with the supervisory authority. CC ID 12615 | Human Resources management | Human Resources Management | |
Assign the data controller to facilitate the exercise of the data subject's rights. CC ID 12666 | Human Resources management | Human Resources Management | |
Assign the role of data controller to applicable controls. CC ID 00354 | Human Resources management | Establish Roles | |
Assign the role of data controller to provide advice, when requested. CC ID 12611 | Human Resources management | Human Resources Management | |
Assign the role of data controller to additional personnel, as necessary. CC ID 00473 | Human Resources management | Establish Roles | |
Assign the role of Information Technology operations to applicable controls. CC ID 00682 | Human Resources management | Establish Roles | |
Assign the role of logical access control to applicable controls. CC ID 00772 | Human Resources management | Establish Roles | |
Assign the role of asset physical security to applicable controls. CC ID 00770 | Human Resources management | Establish Roles | |
Assign the role of data custodian to applicable controls. CC ID 04789 | Human Resources management | Establish Roles | |
Assign the role of the Quality Management committee to applicable controls. CC ID 00769 | Human Resources management | Establish Roles | |
Assign interested personnel to the Quality Management committee. CC ID 07193 | Human Resources management | Establish Roles | |
Assign the roles and responsibilities for the asset management system. CC ID 14368 | Human Resources management | Establish/Maintain Documentation | |
Assign personnel to a crime prevention unit and announce the members of the unit. CC ID 06348 | Human Resources management | Establish Roles | |
Assign the role of fire protection management to applicable controls. CC ID 04891 | Human Resources management | Establish Roles | |
Assign the role of Information Technology Service Continuity Management to applicable controls. CC ID 04894 | Human Resources management | Establish Roles | |
Assign the role of the Computer Emergency Response Team to applicable controls. CC ID 04895 | Human Resources management | Establish Roles | |
Assign the role of CRYPTO custodian to applicable controls. CC ID 06723 | Human Resources management | Establish Roles | |
Define and assign the roles and responsibilities of security guards. CC ID 12543 | Human Resources management | Human Resources Management | |
Define and assign roles and responsibilities for dispute resolution. CC ID 13626 | Human Resources management | Human Resources Management | |
Define and assign the roles for Legal Support Workers. CC ID 13711 | Human Resources management | Human Resources Management | |
Establish, implement, and maintain a personnel management program. CC ID 14018 | Human Resources management | Establish/Maintain Documentation | |
Establish, implement, and maintain a succession plan for organizational leaders and support personnel. CC ID 11822 [The governing body should steer the organizational strategy by means of: succession planning for the critical roles in the organization, including emergency succession arrangements; § 6.3.3.2.2 ¶ 2 f)] | Human Resources management | Human Resources Management | |
Establish, implement, and maintain a personnel security program. CC ID 10628 | Human Resources management | Establish/Maintain Documentation | |
Assign security clearance procedures to qualified personnel. CC ID 06812 | Human Resources management | Establish Roles | |
Assign personnel screening procedures to qualified personnel. CC ID 11699 | Human Resources management | Establish Roles | |
Establish, implement, and maintain personnel screening procedures. CC ID 11700 | Human Resources management | Establish/Maintain Documentation | |
Perform a personal identification check during personnel screening. CC ID 06721 | Human Resources management | Human Resources Management | |
Perform a criminal records check during personnel screening. CC ID 06643 | Human Resources management | Establish/Maintain Documentation | |
Include all residences in the criminal records check. CC ID 13306 | Human Resources management | Process or Activity | |
Document any reasons a full criminal records check could not be performed. CC ID 13305 | Human Resources management | Establish/Maintain Documentation | |
Perform a personal references check during personnel screening. CC ID 06645 | Human Resources management | Human Resources Management | |
Perform a credit check during personnel screening. CC ID 06646 | Human Resources management | Human Resources Management | |
Perform an academic records check during personnel screening. CC ID 06647 | Human Resources management | Establish/Maintain Documentation | |
Perform a drug test during personnel screening. CC ID 06648 | Human Resources management | Testing | |
Perform a resume check during personnel screening. CC ID 06659 | Human Resources management | Human Resources Management | |
Perform a curriculum vitae check during personnel screening. CC ID 06660 | Human Resources management | Human Resources Management | |
Allow personnel being screened to appeal findings and appeal decisions. CC ID 06720 | Human Resources management | Human Resources Management | |
Disseminate and communicate screening results to interested personnel and affected parties. CC ID 16445 | Human Resources management | Communicate | |
Perform personnel screening procedures, as necessary. CC ID 11763 | Human Resources management | Human Resources Management | |
Establish, implement, and maintain security clearance procedures. CC ID 00783 | Human Resources management | Establish/Maintain Documentation | |
Perform security clearance procedures, as necessary. CC ID 06644 | Human Resources management | Human Resources Management | |
Establish and maintain security clearances. CC ID 01634 | Human Resources management | Human Resources Management | |
Establish and maintain the staff structure in line with the strategic plan. CC ID 00764 [When delegating, the governing body should delegate in a manner which increases trust and transparency. For delegation and accountability (see 6.5) to be effective, the governing body should ensure that the following conditions are fulfilled: authority matches the level of responsibility, which includes the autonomy to make and fulfil plans to achieve the agreed outcomes within the established parameters; § 4.2.2 ¶ 2 c) Decision-making throughout the organization should be supported by appropriate delegation (see 4.2.2). This delegation should be formalized together with appropriate assurance processes. Additionally, the governing body should ensure that: the authority matches the level of responsibility associated with the decisions being made; § 6.8.3.2.2 ¶ 1 a) Delegation should be formalized together with the appropriate assurance processes. Limits of decision-making authority should be applied in response to assessed risk. § 4.2.2 ¶ 5 Decision-making throughout the organization should be supported by appropriate delegation (see 4.2.2). This delegation should be formalized together with appropriate assurance processes. Additionally, the governing body should ensure that: § 6.8.3.2.2 ¶ 1 {hold accountable}{individual} The governing body should hold to account those to whom it has delegated (see 4.2.2). The governing body should ask questions, exercise its judgement, implement consequences, affect improvements and ensure that is equipped to do so. When doing so, the governing body should practise integrity, fairness and transparency. § 6.5.3.3 ¶ 1] | Human Resources management | Establish Roles | |
Delegate authority for specific processes, as necessary. CC ID 06780 [When delegating, the governing body should delegate in a manner which increases trust and transparency. For delegation and accountability (see 6.5) to be effective, the governing body should ensure that the following conditions are fulfilled: § 4.2.2 ¶ 2 {be effective} Depending on the size of the organization, governing bodies can create committees to help them fulfil their obligations. These committees can be statutory or voluntary. In either case, they should provide the governing body with additional capacity, skills, independence, diversity and/or stakeholder representation. If a governing body makes use of supporting committees, the governing body should ensure that it effectively delegates the necessary responsibilities and authority to such committees. § 4.3.1 ¶ 2 The governing body should engage with strategic planning by: delegating as necessary; § 6.3.3.2.1 ¶ 1 b) The governing body should ensure that effective delegation is practised (see 4.2.2), as this is necessary for accountability. § 6.5.3.1 ¶ 2] | Human Resources management | Behavior | |
Implement a staff rotation plan. CC ID 12772 | Human Resources management | Human Resources Management | |
Rotate duties amongst the critical roles and positions. CC ID 06554 | Human Resources management | Establish Roles | |
Place Information Technology operations in a position to support the business model. CC ID 00766 | Human Resources management | Business Processes | |
Review organizational personnel successes. CC ID 00767 | Human Resources management | Business Processes | |
Implement personnel supervisory practices. CC ID 00773 | Human Resources management | Behavior | |
Establish, implement, and maintain segregation of duties compensating controls if segregation of duties is not practical. CC ID 06960 [{be different} The degree of separation of duties between the governing body and managers varies according to organizational needs and circumstances. In certain circumstances, such as an executive member of the governing body, an individual can be required to fulfil both governance and management responsibilities. In such cases, it is important for that person to be able to distinguish when they are fulfilling the different responsibilities and act and behave accordingly. § 4.2.3 ¶ 2] | Human Resources management | Technical Security | |
Establish and maintain relationships with critical stakeholders, business functions, and leadership outside the in scope staff. CC ID 00779 [The governing body should ensure that the organization's stakeholders are identified, prioritized, appropriately engaged, consulted and their expectations understood. The governing body should do this to ensure that stakeholder relationships are effective and appropriate decisions about expectations are made to achieve the intended value generation objectives. § 6.6.3 ¶ 1 The governing body should consider the expectations of relevant stakeholder groups whether the organization is obliged to do so (e.g. member stakeholders, regulators) or whether it chooses to do so (e.g. reference stakeholders). The governing body should ensure that: collaborative relationships with relevant stakeholders are maintained; § 6.6.3 ¶ 3 c) Ethical and effective leadership should be demonstrated in three areas: the manner in which the organization interacts with, and impacts, its stakeholders and the context within which it operates. § 6.7.3.1 ¶ 4 c) Within the organization's external context: The governing body should ensure that the organization treats stakeholders in a manner consistent with its organizational values. § 6.7.3.3 ¶ 1 c) In order to lead ethically and effectively, the governing body should lead by example to create a positive culture, set the tone for others, and engender trust and cooperation among the organization's stakeholders. § 6.7.3.1 ¶ 2 {internal context}When setting the strategic outcomes and guiding the organizational strategy, the governing body should consider the organization's internal and external context, including: the quality and nature of stakeholder relationships and effectiveness of stakeholder engagement; § 6.3.3.1.1 ¶ 2 g) When the governing body groups stakeholders, it should clarify its criteria for grouping, and for determining the relevance of, stakeholders. The governing body should also ensure that a stakeholder engagement process is devised on this basis. § 6.6.3 ¶ 2] | Human Resources management | Behavior | |
Establish job categorization criteria, job recruitment criteria, and promotion criteria. CC ID 00781 | Human Resources management | Establish/Maintain Documentation | |
Establish, implement, and maintain a compensation, reward, and recognition program. CC ID 12806 [{be fair}{be responsible}{be transparent}The governing body should steer the organizational strategy by means of: the organization's approach to compensation, ensuring that compensation is, and remains, fair, responsible and transparent; § 6.3.3.2.2 ¶ 2 h)] | Human Resources management | Human Resources Management | |
Establish and maintain an annual report on compensation. CC ID 14801 | Human Resources management | Establish/Maintain Documentation | |
Include the design characteristics of the remuneration system in the annual report on compensation. CC ID 14804 | Human Resources management | Establish/Maintain Documentation | |
Disseminate and communicate the compensation, reward, and recognition program to interested personnel and affected parties. CC ID 14800 | Human Resources management | Communicate | |
Establish, implement, and maintain roles and responsibilities in the compensation, reward, and recognition program. CC ID 14798 | Human Resources management | Establish/Maintain Documentation | |
Align the compensation, reward, and recognition program with the risk management program. CC ID 14797 | Human Resources management | Establish/Maintain Documentation | |
Establish, implement, and maintain remuneration standards, as necessary. CC ID 14794 [The governing body should steer the organizational strategy by means of: targets, key performance indicators (KPIs) and associated incentives, including financial remuneration (see 6.4.3); § 6.3.3.2.2 ¶ 2 i)] | Human Resources management | Establish/Maintain Documentation | |
Recognize personnel who reinforce desirable conduct with incentives. CC ID 12815 [The governing body should steer the organizational strategy by means of: targets, key performance indicators (KPIs) and associated incentives, including financial remuneration (see 6.4.3); § 6.3.3.2.2 ¶ 2 i)] | Human Resources management | Human Resources Management | |
Establish, implement, and maintain an occupational health and safety management system. CC ID 16201 | Human Resources management | Business Processes | |
Establish, implement, and maintain an occupational health and safety policy. CC ID 00716 [The governing body should provide direction for, and have sufficient oversight of, the use of data and its supporting information technology to ensure the organization remains within its established risk appetite and organizational risk framework. This can include: ensuring that human behaviour is considered when applying information technology, including safety, fit for purpose and alignment with the organizational purpose; § 6.8.3.4 ¶ 2 e)] | Human Resources management | Establish/Maintain Documentation | |
Involve interested personnel and affected parties in occupational health and safety management system processes. CC ID 16274 | Human Resources management | Business Processes | |
Disseminate and communicate the occupational health and safety policy to interested personnel and affected parties. CC ID 16270 | Human Resources management | Communicate | |
Include a commitment to continuous improvement in the occupational health and safety policy. CC ID 16267 | Human Resources management | Establish/Maintain Documentation | |
Include risks and opportunities in the occupational health and safety policy. CC ID 16287 | Human Resources management | Establish/Maintain Documentation | |
Include management commitment in the occupational health and safety policy. CC ID 16264 | Human Resources management | Behavior | |
Include occupational health and safety objectives in the occupational health and safety policy. CC ID 16262 | Human Resources management | Establish/Maintain Documentation | |
Post evacuation plans and evacuation procedures throughout facilities. CC ID 06073 | Human Resources management | Establish/Maintain Documentation | |
Maintain a 1 to 2 day supply of water and nonperishable food at the facility in case public utilities are interrupted. CC ID 06074 | Human Resources management | Physical and Environmental Protection | |
Install duress alarms in susceptible public areas. CC ID 06075 | Human Resources management | Physical and Environmental Protection | |
Require regular vacations for personnel using restricted information or sensitive information. CC ID 06550 | Human Resources management | Human Resources Management | |
Establish, implement, and maintain health and safety personnel disinfecting procedures. CC ID 06802 | Human Resources management | Establish/Maintain Documentation | |
Provide protective face masks for critical personnel, as necessary. CC ID 06803 | Human Resources management | Human Resources Management | |
Establish, implement, and maintain food preparation procedures. CC ID 06804 | Human Resources management | Establish/Maintain Documentation | |
Establish, implement, and maintain food handling procedures. CC ID 11765 | Human Resources management | Establish/Maintain Documentation | |
Vaccinate critical employees, as necessary. CC ID 06805 | Human Resources management | Human Resources Management | |
Protect personnel from work-related intimidation. CC ID 07046 | Human Resources management | Behavior | |
Establish, implement, and maintain a travel program for all personnel. CC ID 10597 | Human Resources management | Human Resources Management | |
Establish, implement, and maintain a process to identify any potential health hazards, environmental hazards, or safety hazards, that could affect personnel while traveling internationally. CC ID 06076 | Human Resources management | Human Resources Management | |
Refrain from using gifted mobile devices. CC ID 16460 | Human Resources management | Acquisition/Sale of Assets or Services | |
Refrain from loaning mobile devices to unauthorized personnel. CC ID 15218 | Human Resources management | Business Processes | |
Issue devices with secure configurations to individuals traveling to locations deemed to be of risk. CC ID 10598 | Human Resources management | Configuration | |
Establish, implement, and maintain a conflict of interest policy. CC ID 14785 [The governing body should make decisions of requisite quality and ensure that its decision-making is appropriately informed. The governing body should: consider its level of independence and the effect this level has on its decision-making, including financial interests, position, associations, relationships, bias and alliances; § 6.8.3.2.1 ¶ 1 c) The governing body should make decisions of requisite quality and ensure that its decision-making is appropriately informed. The governing body should: carefully address conflicts of interest when making decisions; § 6.8.3.2.1 ¶ 1 d) Disclose actual, potential or perceived conflicts of interest at the earliest opportunity and manage such conflicts appropriately. Table 2 Column 2 Row 2 Bullet 2] | Human Resources management | Establish/Maintain Documentation | |
Include definitions of conflicts of interest in the conflict of interest policy. CC ID 14792 | Human Resources management | Establish/Maintain Documentation | |
Submit a conflict of interest declaration to interested personnel and affected parties. CC ID 16194 | Human Resources management | Communicate | |
Include roles and responsibilities in the conflict of interest policy. CC ID 14790 | Human Resources management | Establish/Maintain Documentation | |
Establish, implement, and maintain a Code of Conduct. CC ID 04897 [Ethical leadership results in an organizational context and culture that: contributes to the prevention of misconduct; § 6.7.3.3 ¶ 3 Bullet 3 Act in good faith and in the best interest of the organization. Table 2 Column 2 Row 2 Bullet 1 {be ethical} Act ethically and in a compliant manner. Table 2 Column 2 Row 2 Bullet 3 Ethical behaviour — The organization behaves in accordance with accepted principles of right or good conduct in the context of a particular situation and in a manner consistent with international norms of behaviour, including demonstrating: § 5 ¶ 2 c) Ethical leadership results in an organizational context and culture that: provides competitive differentiation for stakeholders by providing clarity against which evaluators can assess the organization's behaviour, decisions and activities; § 6.7.3.3 ¶ 3 Bullet 4 The governing body should steer the organizational strategy by means of: monitoring and responding to the behaviour, decisions and activities of the organization, e.g. values-driven behaviours pertaining to sustainability; § 6.3.3.2.2 ¶ 2 b)] | Human Resources management | Establish/Maintain Documentation | |
Establish, implement, and maintain a code of conduct for financial recommendations. CC ID 16649 | Human Resources management | Establish/Maintain Documentation | |
Include anti-coercion requirements and anti-tying requirements in the Code of Conduct. CC ID 16720 | Human Resources management | Establish/Maintain Documentation | |
Include limitations on referrals for products and services in the Code of Conduct. CC ID 16719 | Human Resources management | Behavior | |
Include classifications of ethics violations in the Code of Conduct. CC ID 14769 | Human Resources management | Establish/Maintain Documentation | |
Include definitions of ethics violations in the Code of Conduct. CC ID 14768 | Human Resources management | Establish/Maintain Documentation | |
Include exercising due professional care in the Code of Conduct. CC ID 14210 [Act with due care, skill, diligence and loyalty, and take reasonable steps to become informed about particular matters for decision-making. Table 2 Column 2 Row 3 Bullet 2 {hold accountable}{individual} The governing body should hold to account those to whom it has delegated (see 4.2.2). The governing body should ask questions, exercise its judgement, implement consequences, affect improvements and ensure that is equipped to do so. When doing so, the governing body should practise integrity, fairness and transparency. § 6.5.3.3 ¶ 1] | Human Resources management | Establish/Maintain Documentation | |
Include health and safety provisions in the Code of Conduct. CC ID 16206 | Human Resources management | Establish/Maintain Documentation | |
Include organizational values in the Code of Conduct. CC ID 12919 [Within the organization: The governing body should ensure that the organization conducts itself in a manner consistent with its organizational values. § 6.7.3.3 ¶ 1 b) Laws and rules provide the minimum set of organizational values against which behaviour is assessed. Other organizational values (see 6.1) are provided in collectively agreed documents such as a code of conduct, code of ethics or standards of behaviour. The following are examples of the leadership values to which governing bodies, and the individuals comprising them, are held: § 6.7.3.3 ¶ 2 Having defined the organizational values, the governing body should ensure that these organizational values are being demonstrated and are an active part of decision-making. The governing body should use these organizational values to determine the manner in which the organizational purpose is to be pursued and the value generation objectives are to be achieved (see 6.2). The governing body remains responsible for ensuring that the organizational values are monitored and reviewed, and should assess whether the organizational values remain aligned to, and support, the organizational purpose. The effectiveness of the organizational values will be evident in the culture of the organization. § 6.1.3.3 ¶ 2 Furthermore, the governing body, and its members, should demonstrate commitment to the organizational purpose and values by leading the organization to fulfil its organizational purpose and behaving in accordance with the organizational values. § 6.1.3.4 ¶ 3] | Human Resources management | Process or Activity | |
Include key policies in the Code of Conduct. CC ID 12890 | Human Resources management | Establish/Maintain Documentation | |
Include responsibilities to the public trust in the Code of Conduct. CC ID 14209 | Human Resources management | Establish/Maintain Documentation | |
Include the vision statement in the Code of Conduct. CC ID 12889 | Human Resources management | Establish/Maintain Documentation | |
Include the organization's mission in the Code of Conduct. CC ID 12875 | Human Resources management | Establish/Maintain Documentation | |
Include classifications of desired conduct in the Code of Conduct. CC ID 12851 | Human Resources management | Establish/Maintain Documentation | |
Include the information security responsibilities of the organization and the individual in the Terms and Conditions of employment. CC ID 12029 | Human Resources management | Human Resources Management | |
Include environmental responsibility criteria in the Code of Conduct. CC ID 16209 | Human Resources management | Establish/Maintain Documentation | |
Include social responsibility criteria in the Code of Conduct. CC ID 16210 | Human Resources management | Establish/Maintain Documentation | |
Include that Information Security responsibilities extend outside normal business hours and organizational facilities in the Terms and Conditions of employment. CC ID 04580 | Human Resources management | Establish/Maintain Documentation | |
Include labor rights criteria in the Code of Conduct. CC ID 16208 | Human Resources management | Establish/Maintain Documentation | |
Include the employee's legal responsibilities and rights in the Terms and Conditions of employment. CC ID 15701 | Human Resources management | Establish/Maintain Documentation | |
Notify designated personnel when a formal personnel sanctions process is initiated. CC ID 10632 | Human Resources management | Communicate | |
Include definitions of desirable conduct in the Code of Conduct. CC ID 12846 | Human Resources management | Establish/Maintain Documentation | |
Include notification procedures for allegations of undesirable conduct in the Code of Conduct. CC ID 12855 | Human Resources management | Establish/Maintain Documentation | |
Include procedures to identify positive outcomes in the Code of Conduct. CC ID 12854 | Human Resources management | Establish/Maintain Documentation | |
Take disciplinary actions against individuals who violate the Code of Conduct. CC ID 06435 | Human Resources management | Behavior | |
Require personnel to sign the Code of Conduct as a part of the Terms and Conditions of employment. CC ID 06664 | Human Resources management | Establish/Maintain Documentation | |
Require all personnel to re-sign the Code of Conduct, as necessary. CC ID 06666 | Human Resources management | Establish/Maintain Documentation | |
Include the information security responsibilities of employees in their performance objectives. CC ID 15700 | Human Resources management | Human Resources Management | |
Include information security responsibilities in performance reviews. CC ID 15697 | Human Resources management | Establish/Maintain Documentation | |
Take appropriate actions after performance reviews of board members, as necessary. CC ID 14799 | Human Resources management | Human Resources Management | |
Establish, implement, and maintain an ethics program. CC ID 11496 [When defining the organizational values, the governing body should ensure that: it is clear what ethical behaviour is expected as a result of the organizational values; § 6.1.3.3 ¶ 1 b) Defining the organizational purpose involves identifying the issues and stakeholders for which the organization exists to serve and the negative impacts that are to be avoided. When identifying these, the governing body should ensure that the following are considered: the historic, current and aspirational core identity of the organization, including the organizational values and expected ethical behaviour; § 6.1.3.2 ¶ 1 b) The governing body should ensure ethical leadership across all areas. § 6.7.3.3 ¶ 1] | Human Resources management | Human Resources Management | |
Include communication protocols for interested personnel and affected parties in the ethics program. CC ID 12858 [Disclose actual, potential or perceived conflicts of interest at the earliest opportunity and manage such conflicts appropriately. Table 2 Column 2 Row 2 Bullet 2] | Human Resources management | Communicate | |
Establish, implement, and maintain ethical decision-making guidelines. CC ID 12908 [Ethical behaviour — The organization behaves in accordance with accepted principles of right or good conduct in the context of a particular situation and in a manner consistent with international norms of behaviour, including demonstrating: competence and probity in the manner in which it makes decisions. § 5 ¶ 2 c) 5)] | Human Resources management | Behavior | |
Establish, implement, and maintain investigation procedures addressing ethics complaints. CC ID 12900 | Human Resources management | Investigate | |
Establish, implement, and maintain an ethical culture. CC ID 12781 [Ethical behaviour — The organization behaves in accordance with accepted principles of right or good conduct in the context of a particular situation and in a manner consistent with international norms of behaviour, including demonstrating: an ethical culture; § 5 ¶ 2 c) 1) Ethical behaviour — The organization behaves in accordance with accepted principles of right or good conduct in the context of a particular situation and in a manner consistent with international norms of behaviour, including demonstrating: fairness in the treatment of, and engagement with, stakeholders; § 5 ¶ 2 c) 3)] | Human Resources management | Behavior | |
Analyze the organizational climate regarding support for expectation of responsible behavior and integrity. CC ID 12873 | Human Resources management | Monitor and Evaluate Occurrences | |
Analyze the organizational climate regarding the expectation of responsible behavior and integrity. CC ID 12872 [Ethical behaviour — The organization behaves in accordance with accepted principles of right or good conduct in the context of a particular situation and in a manner consistent with international norms of behaviour, including demonstrating: integrity and transparency in fulfilling its obligations, and commitments; § 5 ¶ 2 c) 4) When defining the organizational values, the governing body should ensure that: the expected ethical behaviour can be assessed; § 6.1.3.3 ¶ 1 c)] | Human Resources management | Monitor and Evaluate Occurrences | |
Refrain from practicing false advertising. CC ID 14253 | Human Resources management | Business Processes | |
Establish mechanisms for whistleblowers to report compliance violations. CC ID 06806 [To ensure that the organization is acting in a socially responsible way, the governing body should: steer the organization such that its decision-making and activities are consistent with the organizational purpose, organizational values and governance policies, including considering how stakeholders can report a breach in behaviour (e.g. via whistleblowing); § 6.10.3 ¶ 1 f) Assurance processes that inform the governing body independently and accurately include: whistleblowing processes and personnel and customer feedback mechanisms, both formal and informal (see NOTE 3). § 6.4.3.3 ¶ 2 Bullet 5] | Human Resources management | Business Processes | |
Establish mechanisms to maintain the anonymity of whistleblowers. CC ID 12859 | Human Resources management | Communicate | |
Establish, implement, and maintain a training program to report compliance violations. CC ID 11835 | Human Resources management | Establish/Maintain Documentation | |
Refrain from discriminating against employees who refuse or intend to refuse to do something that contravenes requirements. CC ID 13608 | Human Resources management | Behavior | |
Refrain from discriminating against employees who are whistleblowers. CC ID 13609 | Human Resources management | Behavior | |
Refrain from discriminating against employees who disclose that their employer or another person has or intends to contravene requirements. CC ID 13607 | Human Resources management | Behavior | |
Apply legal remedies to any person knowingly partaking in illegal actions. CC ID 11515 | Human Resources management | Human Resources Management | |
Include prohibiting counterfeiting in the ethics program. CC ID 11517 | Human Resources management | Human Resources Management | |
Refrain from assigning roles and responsibilities that breach segregation of duties. CC ID 12055 | Human Resources management | Human Resources Management | |
Refrain from assigning security compliance assessment responsibility for the day-to-day production activities an individual performs. CC ID 12061 | Human Resources management | Establish Roles | |
Refrain from approving previously performed activities when acting on behalf of the Chief Information Security Officer. CC ID 12060 | Human Resources management | Behavior | |
Refrain from performing activities with approval responsibility when acting on behalf of the Chief Information Security Officer. CC ID 12059 | Human Resources management | Behavior | |
Prohibit roles from performing activities that they are assigned the responsibility for approving. CC ID 12052 | Human Resources management | Behavior | |
Establish, implement, and maintain a Governance, Risk, and Compliance framework. CC ID 01406 [To exercise effective oversight, the governing body should: ensure that an internal control system is implemented, including a risk management system, a compliance management system and a system of financial controls; § 6.4.3.1 ¶ 1 b) {be adequate} The governing body is accountable for establishing and maintaining an integrated organizational governance framework across the organization that coordinates these governance activities such that the organization realizes effective performance, responsible stewardship and ethical behaviour. This organizational governance framework should ensure that decision-makers have appropriate authority, competence and resources for the responsibilities given to them. Effective delegation and transparent decision-making empower personnel to act appropriately, resulting in a more resilient and agile organization. Controls and subsequent improvement actions should be planned and implemented to ensure that the governance system remains adequate for the organization's purpose. § 4.2.1 ¶ 2 Therefore, the governing body should: govern for organizational viability over time. § 6.11.3.1 ¶ 2 c)] | Operational management | Establish/Maintain Documentation | |
Include enterprise architecture in the Governance, Risk, and Compliance framework. CC ID 13266 | Operational management | Establish/Maintain Documentation | |
Disseminate and communicate updates to the Governance, Risk, and Compliance framework to interested personnel and affected parties. CC ID 06955 [To demonstrate accountability, the governing body should ensure that the organization's reports and disclosures: provide information about the governing body itself, including: decisions, actions, performance and improvements; § 6.5.3.2 ¶ 1 b) 1)] | Operational management | Behavior | |
Establish, implement, and maintain security requirements based on applicable regulations. CC ID 16283 | Operational management | Establish/Maintain Documentation | |
Acquire resources necessary to support Governance, Risk, and Compliance. CC ID 12861 [The governing body should ensure that the organizational risk framework, in respect to the management of risk: establishes and maintains adequate resourcing; § 6.9.3.2 ¶ 2 f)] | Operational management | Acquisition/Sale of Assets or Services | |
Establish, implement, and maintain a prioritized plan for updating the Governance, Risk, and Compliance framework. CC ID 12853 [Governing body members should continuously improve their competency regarding the organization's activities, legal requirements and, more broadly, the organization's context. This improving capability, together with regular reviews of governance practices, should ensure a continually improving governance environment. § 4.3.2 ¶ 1 The governing body should ensure that the responsibilities for developing and approving all policies are clear and that governance policies are not open to change without the governing body's agreement. § 6.3.3.1.2 ¶ 4 {individual} The governing body should ensure that those to whom they delegate are empowered to create management policies, which are consistent with the governance policies, and are also empowered to provide proposals for changes to the governance policies. § 6.3.3.1.2 ¶ 3 The governing body should steer the organizational strategy by means of: the composition and functioning of the governing body itself, and its committees, ensuring they are continually able to understand and meet the changing needs of the organization (see 4.3.2), including recommending ways for closing anticipated gaps; § 6.3.3.2.2 ¶ 2 c)] | Operational management | Establish/Maintain Documentation | |
Integrate the use of technology in supporting the Governance, Risk, and Compliance capabilities. CC ID 12915 | Operational management | Process or Activity | |
Evaluate the use of technology in supporting Governance, Risk, and Compliance capabilities. CC ID 12895 [The governing body should oversee organizational performance by assessing and taking corrective action based on: the organization's responsible (which includes ethical) use of, and adequate investment in, technology including, for example, artificial intelligence and cyber security; § 6.4.3.2 ¶ 1 i)] | Operational management | Process or Activity | |
Analyze the effect of the Governance, Risk, and Compliance capability to achieve organizational objectives. CC ID 12809 | Operational management | Audits and Risk Management | |
Assign accountability for maintaining the Governance, Risk, and Compliance framework. CC ID 12523 ["Governance" and "management" are distinct, necessary and complementary activities that interact and influence one another. Governance involves setting and being accountable for the organization's fulfilment of its purpose within the parameters set for the organization, whereas management is about fulfilling the associated objectives by making choices within those parameters. The governing body should ensure the clarity of roles and responsibilities of all involved and hold accountable those to whom they delegate. § 4.2.3 ¶ 1 Governance is exercised throughout the organization by governing groups, including: § 4.2.1 ¶ 1 Governance is exercised throughout the organization by governing groups, including: member stakeholders; § 4.2.1 ¶ 1 Bullet 1 Governance is exercised throughout the organization by governing groups, including: managers; § 4.2.1 ¶ 1 Bullet 3 Governance is exercised throughout the organization by governing groups, including: other internal functions of the organization. § 4.2.1 ¶ 1 Bullet 4 {individual}{hold accountable} The governing body should demonstrate its accountability to the organization as a whole and hold to account those to whom it has delegated. Table 1 Column 4 Row 6 The governing body should ensure that the responsibilities for developing and approving all policies are clear and that governance policies are not open to change without the governing body's agreement. § 6.3.3.1.2 ¶ 4 {individual} The governing body should ensure that those to whom they delegate are empowered to create management policies, which are consistent with the governance policies, and are also empowered to provide proposals for changes to the governance policies. § 6.3.3.1.2 ¶ 3 Accountable people can delegate to others. However, it should be made clear that those who delegate remain accountable for their delegate's use of that authority. § 4.2.2 ¶ 4 {individual}{hold accountable} The governing body should demonstrate its accountability to the organization as a whole and hold to account those to whom it has delegated. § 6.5.1 ¶ 1 {hold accountable}{individual} The governing body should hold to account those to whom it has delegated (see 4.2.2). The governing body should ask questions, exercise its judgement, implement consequences, affect improvements and ensure that is equipped to do so. When doing so, the governing body should practise integrity, fairness and transparency. § 6.5.3.3 ¶ 1] | Operational management | Human Resources Management | |
Assign defining the program for disseminating and communicating the Governance, Risk, and Compliance framework. CC ID 12524 | Operational management | Human Resources Management | |
Establish, implement, and maintain a compliance policy. CC ID 14807 | Operational management | Establish/Maintain Documentation | |
Include the standard of conduct and accountability in the compliance policy. CC ID 14813 [{refrain from holding accountable}{do not}{individual} No one should be held accountable for matters over which they have no authority or for which expectations have not been stated or agreed. § 4.2.2 ¶ 3 Governance of organizations is a human-based system by which an organization is directed, overseen and held accountable for achieving its defined organizational purpose. At its core this includes: demonstrating accountability for this performance and behaviour. § 4.1 ¶ 3 e)] | Operational management | Establish/Maintain Documentation | |
Include the scope in the compliance policy. CC ID 14812 | Operational management | Establish/Maintain Documentation | |
Include roles and responsibilities in the compliance policy. CC ID 14811 | Operational management | Establish/Maintain Documentation | |
Include a commitment to continual improvement in the compliance policy. CC ID 14810 | Operational management | Establish/Maintain Documentation | |
Disseminate and communicate the compliance policy to interested personnel and affected parties. CC ID 14809 | Operational management | Communicate | |
Include management commitment in the compliance policy. CC ID 14808 | Operational management | Establish/Maintain Documentation | |
Establish, implement, and maintain a governance policy. CC ID 15587 [The governing body should establish governance policies and ensure that these: § 6.3.3.1.2 ¶ 1 The governing body should ensure that the governance policies are effectively applied across the organization and that they achieve the governing body's intentions. § 6.3.3.1.2 ¶ 2 The governing body should ensure that the organizational risk framework, in respect to the management of risk: positions risk as a key consideration in the setting of governance policies (see 6.3); § 6.9.3.2 ¶ 2 c) The governing body should establish governance policies and ensure that these: are regularly reviewed, and updated as necessary, to ensure that they remain aligned with the organization's constituting documents, and the organization's changing context, and are based on relevant guidance and best practices such as standards and codes. § 6.3.3.1.2 ¶ 1 h) The governing body should establish governance policies and ensure that these: clarify the governing body's intentions and expectations with respect to the organizational purpose, organizational values and the organization's value generation objectives; § 6.3.3.1.2 ¶ 1 a) {internal context} The governing body should steer the organizational strategy by means of: governance policies, to ensure that they remain aligned with the organization's changing internal and external context and are current with common or best practice; § 6.3.3.2.2 ¶ 2 d) The governing body should provide direction for, and have sufficient oversight of, the use of data and its supporting information technology to ensure the organization remains within its established risk appetite and organizational risk framework. This can include: innovation processes to ensure that changes in information technology can quickly be assessed and, if necessary and appropriate, governance policies can be updated to leverage new opportunities; § 6.8.3.4 ¶ 2 d)] | Operational management | Establish/Maintain Documentation | |
Disseminate and communicate the governance policy to all interested personnel and affected parties. CC ID 15625 [To demonstrate accountability, the governing body should ensure that the organization's reports and disclosures: describe the organizational purpose, organizational values, value generation model, organizational strategy and associated governance policies; § 6.5.3.2 ¶ 1 a)] | Operational management | Communicate | |
Include a commitment to continuous improvement in the governance policy. CC ID 15595 [The governing body should establish governance policies and ensure that these: address the governing body's own commitment to continual improvement; § 6.3.3.1.2 ¶ 1 g)] | Operational management | Establish/Maintain Documentation | |
Include roles and responsibilities in the governance policy. CC ID 15594 [The governing body should establish governance policies and ensure that these: provide guidance on what, rather than detailing how, responsibilities are to be fulfilled; § 6.3.3.1.2 ¶ 1 d) The governing body should establish governance policies and ensure that these: define the structures (e.g. committees) and roles involved in the governance of the organization, including their authority, responsibilities, performance and reporting requirements; § 6.3.3.1.2 ¶ 1 c) The governing body should establish governance policies and ensure that these: clarify delegations within the organization, including in relation to the strategy process; § 6.3.3.1.2 ¶ 1 b)] | Operational management | Establish/Maintain Documentation | |
Establish, implement, and maintain a positive information control environment. CC ID 00813 [The governing body should lead the organization ethically and effectively and ensure such leadership throughout the organization. § 6.7.1 ¶ 1 Ethical and effective leadership should be demonstrated in three areas: § 6.7.3.1 ¶ 4 The governing body should demonstrate effective leadership across all areas. § 6.7.3.2 ¶ 1 The governing body should lead the organization ethically and effectively and ensure such leadership throughout the organization. Table 1 Column 4 Row 8 In order to lead ethically and effectively, the governing body should lead by example to create a positive culture, set the tone for others, and engender trust and cooperation among the organization's stakeholders. § 6.7.3.1 ¶ 2 Ethical leadership results in an organizational context and culture that: provides increased certainty, which in turn, creates reputational value. § 6.7.3.3 ¶ 3 Bullet 5 {be responsible}{be ethical} The governing body should, in particular, ensure that the organization recognizes data as a strategic resource and ensure that the organization uses data responsibly and ethically. § 6.8.3.1 ¶ 2 {be ethical} New technology brings an increase in the volume and value of data, and a responsibility for governing bodies to ensure that: data are used ethically; § 6.8.3.4 ¶ 1 Bullet 1 The governing body should ensure that the organizational risk framework, in respect to the management of risk: establishes the desired risk culture across the organization that encourages the reporting and communication of new and emerging risks, and ensures that every person in the organization understands their risk management responsibility; § 6.9.3.2 ¶ 2 a) Ethical leadership results in an organizational context and culture that: assists in reconciling strategic dilemmas by creating organizational alignment through the integration of opposites; § 6.7.3.3 ¶ 3 Bullet 2 Ethical leadership results in an organizational context and culture that: provides the individuals of an organization with a collective sense of belonging; § 6.7.3.3 ¶ 3 Bullet 1] | Operational management | Business Processes | |
Make compliance and governance decisions in a timely manner. CC ID 06490 | Operational management | Behavior | |
Establish, implement, and maintain an internal control framework. CC ID 00820 [To exercise effective oversight, the governing body should: ensure that an internal control system is implemented, including a risk management system, a compliance management system and a system of financial controls; § 6.4.3.1 ¶ 1 b) {be adequate} The governing body is accountable for establishing and maintaining an integrated organizational governance framework across the organization that coordinates these governance activities such that the organization realizes effective performance, responsible stewardship and ethical behaviour. This organizational governance framework should ensure that decision-makers have appropriate authority, competence and resources for the responsibilities given to them. Effective delegation and transparent decision-making empower personnel to act appropriately, resulting in a more resilient and agile organization. Controls and subsequent improvement actions should be planned and implemented to ensure that the governance system remains adequate for the organization's purpose. § 4.2.1 ¶ 2] | Operational management | Establish/Maintain Documentation | |
Define the scope for the internal control framework. CC ID 16325 | Operational management | Business Processes | |
Assign ownership of the internal control framework to the appropriate organizational role. CC ID 06437 | Operational management | Establish Roles | |
Assign resources to implement the internal control framework. CC ID 00816 [When delegating, the governing body should delegate in a manner which increases trust and transparency. For delegation and accountability (see 6.5) to be effective, the governing body should ensure that the following conditions are fulfilled: required resources are available; § 4.2.2 ¶ 2 b) The governing body should steer the organizational strategy by means of: decision-making, specifically, the strategic deployment of resources. § 6.3.3.2.2 ¶ 2 j) {procedure} The governing body should ensure that it sets parameters, within which the value generation objectives are to be achieved. These parameters should ensure that the organization: defines what resources are required to deliver the value generation objectives and how they should be accessed and allocated; § 6.2.3.3 ¶ 1 b)] | Operational management | Business Processes | |
Define and assign the roles and responsibilities for interested personnel and affected parties when establishing, implementing, and maintaining the internal control framework. CC ID 07146 [Decision-making throughout the organization should be supported by appropriate delegation (see 4.2.2). This delegation should be formalized together with appropriate assurance processes. Additionally, the governing body should ensure that: § 6.8.3.2.2 ¶ 1] | Operational management | Establish Roles | |
Establish, implement, and maintain a baseline of internal controls. CC ID 12415 [The governing body should establish governance policies and ensure that these: set expectations for internal controls, compliance, risk management and risk taking; § 6.3.3.1.2 ¶ 1 e)] | Operational management | Business Processes | |
Include the business need justification for excluding controls in the baseline of internal controls. CC ID 16129 | Operational management | Establish/Maintain Documentation | |
Include the implementation status of controls in the baseline of internal controls. CC ID 16128 | Operational management | Establish/Maintain Documentation | |
Leverage actionable information to support internal controls. CC ID 12414 | Operational management | Business Processes | |
Include procedures for continuous quality improvement in the internal control framework. CC ID 00819 | Operational management | Establish/Maintain Documentation | |
Include continuous service account management procedures in the internal control framework. CC ID 13860 | Operational management | Establish/Maintain Documentation | |
Include threat assessment in the internal control framework. CC ID 01347 | Operational management | Establish/Maintain Documentation | |
Automate threat assessments, as necessary. CC ID 06877 | Operational management | Configuration | |
Include vulnerability management and risk assessment in the internal control framework. CC ID 13102 [The governing body should establish governance policies and ensure that these: set expectations for internal controls, compliance, risk management and risk taking; § 6.3.3.1.2 ¶ 1 e)] | Operational management | Establish/Maintain Documentation | |
Automate vulnerability management, as necessary. CC ID 11730 | Operational management | Configuration | |
Include personnel security procedures in the internal control framework. CC ID 01349 | Operational management | Establish/Maintain Documentation | |
Include continuous security warning monitoring procedures in the internal control framework. CC ID 01358 | Operational management | Establish/Maintain Documentation | |
Include incident alert thresholds in the continuous security warning monitoring procedures. CC ID 13205 | Operational management | Establish/Maintain Documentation | |
Include security information sharing procedures in the internal control framework. CC ID 06489 | Operational management | Establish/Maintain Documentation | |
Share security information with interested personnel and affected parties. CC ID 11732 | Operational management | Communicate | |
Evaluate information sharing partners, as necessary. CC ID 12749 | Operational management | Process or Activity | |
Include security incident response procedures in the internal control framework. CC ID 01359 | Operational management | Establish/Maintain Documentation | |
Include incident response escalation procedures in the internal control framework. CC ID 11745 | Operational management | Establish/Maintain Documentation | |
Include continuous user account management procedures in the internal control framework. CC ID 01360 | Operational management | Establish/Maintain Documentation | |
Authorize and document all exceptions to the internal control framework. CC ID 06781 | Operational management | Establish/Maintain Documentation | |
Disseminate and communicate the internal control framework to all interested personnel and affected parties. CC ID 15229 | Operational management | Communicate | |
Disseminate and communicate the cybersecurity policy to interested personnel and affected parties. CC ID 16835 | Operational management | Communicate | |
Establish, implement, and maintain a cybersecurity policy. CC ID 16833 | Operational management | Establish/Maintain Documentation | |
Establish, implement, and maintain an information security program. CC ID 00812 [The governing body should provide direction for, and have sufficient oversight of, the use of data and its supporting information technology to ensure the organization remains within its established risk appetite and organizational risk framework. This can include: the implementation of a risk-based information security management system (ISMS); § 6.8.3.4 ¶ 2 b)] | Operational management | Establish/Maintain Documentation | |
Include physical safeguards in the information security program. CC ID 12375 | Operational management | Establish/Maintain Documentation | |
Include technical safeguards in the information security program. CC ID 12374 | Operational management | Establish/Maintain Documentation | |
Include administrative safeguards in the information security program. CC ID 12373 | Operational management | Establish/Maintain Documentation | |
Include system development in the information security program. CC ID 12389 | Operational management | Establish/Maintain Documentation | |
Include system maintenance in the information security program. CC ID 12388 | Operational management | Establish/Maintain Documentation | |
Include system acquisition in the information security program. CC ID 12387 | Operational management | Establish/Maintain Documentation | |
Include access control in the information security program. CC ID 12386 | Operational management | Establish/Maintain Documentation | |
Include operations management in the information security program. CC ID 12385 | Operational management | Establish/Maintain Documentation | |
Include communication management in the information security program. CC ID 12384 | Operational management | Establish/Maintain Documentation | |
Include environmental security in the information security program. CC ID 12383 | Operational management | Establish/Maintain Documentation | |
Include physical security in the information security program. CC ID 12382 | Operational management | Establish/Maintain Documentation | |
Include human resources security in the information security program. CC ID 12381 | Operational management | Establish/Maintain Documentation | |
Include asset management in the information security program. CC ID 12380 | Operational management | Establish/Maintain Documentation | |
Include a continuous monitoring program in the information security program. CC ID 14323 | Operational management | Establish/Maintain Documentation | |
Include change management procedures in the continuous monitoring plan. CC ID 16227 | Operational management | Establish/Maintain Documentation | |
Include recovery procedures in the continuous monitoring plan. CC ID 16226 | Operational management | Establish/Maintain Documentation | |
Include mechanisms for decommissioning a system in the continuous monitoring plan. CC ID 16225 | Operational management | Establish/Maintain Documentation | |
Include mechanisms for appeal and override in the continuous monitoring plan. CC ID 16223 | Operational management | Establish/Maintain Documentation | |
Include how the information security department is organized in the information security program. CC ID 12379 | Operational management | Establish/Maintain Documentation | |
Include risk management in the information security program. CC ID 12378 | Operational management | Establish/Maintain Documentation | |
Include mitigating supply chain risks in the information security program. CC ID 13352 | Operational management | Establish/Maintain Documentation | |
Provide management direction and support for the information security program. CC ID 11999 | Operational management | Process or Activity | |
Monitor and review the effectiveness of the information security program. CC ID 12744 | Operational management | Monitor and Evaluate Occurrences | |
Establish, implement, and maintain an information security policy. CC ID 11740 | Operational management | Establish/Maintain Documentation | |
Align the information security policy with the organization's risk acceptance level. CC ID 13042 | Operational management | Business Processes | |
Include business processes in the information security policy. CC ID 16326 | Operational management | Establish/Maintain Documentation | |
Include the information security strategy in the information security policy. CC ID 16125 | Operational management | Establish/Maintain Documentation | |
Include a commitment to continuous improvement in the information security policy. CC ID 16123 | Operational management | Establish/Maintain Documentation | |
Include roles and responsibilities in the information security policy. CC ID 16120 | Operational management | Establish/Maintain Documentation | |
Include a commitment to the information security requirements in the information security policy. CC ID 13496 | Operational management | Establish/Maintain Documentation | |
Include information security objectives in the information security policy. CC ID 13493 | Operational management | Establish/Maintain Documentation | |
Include the use of Cloud Services in the information security policy. CC ID 13146 | Operational management | Establish/Maintain Documentation | |
Include notification procedures in the information security policy. CC ID 16842 | Operational management | Establish/Maintain Documentation | |
Approve the information security policy at the organization's management level or higher. CC ID 11737 | Operational management | Process or Activity | |
Establish, implement, and maintain information security procedures. CC ID 12006 | Operational management | Business Processes | |
Describe the group activities that protect restricted data in the information security procedures. CC ID 12294 | Operational management | Establish/Maintain Documentation | |
Disseminate and communicate the information security procedures to all interested personnel and affected parties. CC ID 16303 | Operational management | Communicate | |
Document the roles and responsibilities for all activities that protect restricted data in the information security procedures. CC ID 12304 | Operational management | Establish/Maintain Documentation | |
Define thresholds for approving information security activities in the information security program. CC ID 15702 | Operational management | Process or Activity | |
Assign ownership of the information security program to the appropriate role. CC ID 00814 | Operational management | Establish Roles | |
Assign the responsibility for establishing, implementing, and maintaining the information security program to the appropriate role. CC ID 11884 | Operational management | Human Resources Management | |
Assign information security responsibilities to interested personnel and affected parties in the information security program. CC ID 11885 | Operational management | Establish/Maintain Documentation | |
Assign the responsibility for distributing the information security program to the appropriate role. CC ID 11883 | Operational management | Human Resources Management | |
Disseminate and communicate the information security policy to interested personnel and affected parties. CC ID 11739 | Operational management | Communicate | |
Establish, implement, and maintain a social media governance program. CC ID 06536 | Operational management | Establish/Maintain Documentation | |
Refrain from requiring supervision when users are accessing social media applications. CC ID 14011 | Operational management | Business Processes | |
Refrain from requiring users to disclose social media account usernames or authenticators. CC ID 14009 | Operational management | Business Processes | |
Refrain from accepting instant messages from unknown senders. CC ID 12537 | Operational management | Behavior | |
Include instant messaging, texting, and tweeting in the social media acceptable use policy. CC ID 04578 | Operational management | Establish/Maintain Documentation | |
Include explicit restrictions in the social media acceptable use policy. CC ID 06655 | Operational management | Establish/Maintain Documentation | |
Include contributive content sites in the social media acceptable use policy. CC ID 06656 | Operational management | Establish/Maintain Documentation | |
Establish, implement, and maintain operational control procedures. CC ID 00831 | Operational management | Establish/Maintain Documentation | |
Include assigning and approving operations in operational control procedures. CC ID 06382 | Operational management | Establish/Maintain Documentation | |
Include startup processes in operational control procedures. CC ID 00833 | Operational management | Establish/Maintain Documentation | |
Include change control processes in the operational control procedures. CC ID 16793 | Operational management | Establish/Maintain Documentation | |
Establish and maintain a data processing run manual. CC ID 00832 | Operational management | Establish/Maintain Documentation | |
Establish, implement, and maintain a Standard Operating Procedures Manual. CC ID 00826 | Operational management | Establish/Maintain Documentation | |
Use systems in accordance with the standard operating procedures manual. CC ID 15049 | Operational management | Process or Activity | |
Include metrics in the standard operating procedures manual. CC ID 14988 | Operational management | Establish/Maintain Documentation | |
Include maintenance measures in the standard operating procedures manual. CC ID 14986 | Operational management | Establish/Maintain Documentation | |
Include the expected lifetime of the system in the standard operating procedures manual. CC ID 14984 | Operational management | Establish/Maintain Documentation | |
Include technical measures used to interpret output in the standard operating procedures manual. CC ID 14982 | Operational management | Establish/Maintain Documentation | |
Include predetermined changes in the standard operating procedures manual. CC ID 14977 | Operational management | Establish/Maintain Documentation | |
Include specifications for input data in the standard operating procedures manual. CC ID 14975 | Operational management | Establish/Maintain Documentation | |
Include risks to health and safety or fundamental rights in the standard operating procedures manual. CC ID 14973 | Operational management | Establish/Maintain Documentation | |
Include circumstances that may impact the system in the standard operating procedures manual. CC ID 14972 | Operational management | Establish/Maintain Documentation | |
Include what the system was tested and validated for in the standard operating procedures manual. CC ID 14969 | Operational management | Establish/Maintain Documentation | |
Include the intended purpose in the standard operating procedures manual. CC ID 14967 | Operational management | Establish/Maintain Documentation | |
Include information on system performance in the standard operating procedures manual. CC ID 14965 | Operational management | Establish/Maintain Documentation | |
Include contact details in the standard operating procedures manual. CC ID 14962 | Operational management | Establish/Maintain Documentation | |
Include information sharing procedures in standard operating procedures. CC ID 12974 | Operational management | Records Management | |
Establish, implement, and maintain information sharing agreements. CC ID 15645 | Operational management | Business Processes | |
Provide support for information sharing activities. CC ID 15644 | Operational management | Process or Activity | |
Adhere to operating procedures as defined in the Standard Operating Procedures Manual. CC ID 06328 | Operational management | Business Processes | |
Disseminate and communicate the Standard Operating Procedures Manual to all interested personnel and affected parties. CC ID 12026 | Operational management | Communicate | |
Establish, implement, and maintain a job scheduling methodology. CC ID 00834 | Operational management | Establish/Maintain Documentation | |
Establish and maintain a job schedule exceptions list. CC ID 00835 | Operational management | Establish/Maintain Documentation | |
Establish, implement, and maintain a data processing continuity plan. CC ID 00836 | Operational management | Establish/Maintain Documentation | |
Establish, implement, and maintain Voice over Internet Protocol operating procedures. CC ID 04583 | Operational management | Establish/Maintain Documentation | |
Establish, implement, and maintain the Acceptable Use Policy. CC ID 01350 | Operational management | Establish/Maintain Documentation | |
Include that explicit management authorization must be given for the use of all technologies and their documentation in the Acceptable Use Policy. CC ID 01351 | Operational management | Establish/Maintain Documentation | |
Include requiring users to protect restricted data in accordance with the Governance, Risk, and Compliance framework in the Acceptable Use Policy. CC ID 11894 [New technology brings an increase in the volume and value of data, and a responsibility for governing bodies to ensure that: sensitive data are protected and secured. § 6.8.3.4 ¶ 1 Bullet 3] | Operational management | Establish/Maintain Documentation | |
Include Bring Your Own Device agreements in the Acceptable Use Policy. CC ID 15703 | Operational management | Establish/Maintain Documentation | |
Include the obligations of users in the Bring Your Own Device agreement. CC ID 15708 | Operational management | Establish/Maintain Documentation | |
Include the rights of the organization in the Bring Your Own Device agreement. CC ID 15707 | Operational management | Establish/Maintain Documentation | |
Include the circumstances in which the organization may confiscate, audit, or inspect assets in the Bring Your Own Device agreement. CC ID 15706 | Operational management | Establish/Maintain Documentation | |
Include the circumstances in which the organization may manage assets in the Bring Your Own Device agreement. CC ID 15705 | Operational management | Establish/Maintain Documentation | |
Include Bring Your Own Device usage in the Acceptable Use Policy. CC ID 12293 | Operational management | Establish/Maintain Documentation | |
Include a web usage policy in the Acceptable Use Policy. CC ID 16496 | Operational management | Establish/Maintain Documentation | |
Include Bring Your Own Device security guidelines in the Acceptable Use Policy. CC ID 01352 | Operational management | Establish/Maintain Documentation | |
Include asset tags in the Acceptable Use Policy. CC ID 01354 | Operational management | Establish/Maintain Documentation | |
Specify the owner of applicable assets in the Acceptable Use Policy. CC ID 15699 | Operational management | Establish/Maintain Documentation | |
Include asset use policies in the Acceptable Use Policy. CC ID 01355 | Operational management | Establish/Maintain Documentation | |
Include authority for access authorization lists for assets in all relevant Acceptable Use Policies. CC ID 11872 | Operational management | Establish/Maintain Documentation | |
Include access control mechanisms in the Acceptable Use Policy. CC ID 01353 | Operational management | Establish/Maintain Documentation | |
Include temporary activation of remote access technologies for third parties in the Acceptable Use Policy. CC ID 11892 | Operational management | Technical Security | |
Include prohibiting the copying or moving of restricted data from its original source onto local hard drives or removable storage media in the Acceptable Use Policy. CC ID 11893 | Operational management | Establish/Maintain Documentation | |
Include a removable storage media use policy in the Acceptable Use Policy. CC ID 06772 | Operational management | Data and Information Management | |
Correlate the Acceptable Use Policy with the network security policy. CC ID 01356 | Operational management | Establish/Maintain Documentation | |
Include appropriate network locations for each technology in the Acceptable Use Policy. CC ID 11881 | Operational management | Establish/Maintain Documentation | |
Correlate the Acceptable Use Policy with the approved product list. CC ID 01357 | Operational management | Establish/Maintain Documentation | |
Include facility access and facility use in the Acceptable Use Policy. CC ID 06441 | Operational management | Establish/Maintain Documentation | |
Include the usage restrictions of mobile code technologies in the Acceptable Use Policy. CC ID 15311 | Operational management | Establish/Maintain Documentation | |
Include a software installation policy in the Acceptable Use Policy. CC ID 06749 | Operational management | Establish/Maintain Documentation | |
Document idle session termination and logout for remote access technologies in the Acceptable Use Policy. CC ID 12472 | Operational management | Establish/Maintain Documentation | |
Disseminate and communicate the Acceptable Use Policy to all interested personnel and affected parties. CC ID 12431 | Operational management | Communicate | |
Require interested personnel and affected parties to sign Acceptable Use Policies. CC ID 06661 | Operational management | Establish/Maintain Documentation | |
Require interested personnel and affected parties to re-sign Acceptable Use Policies, as necessary. CC ID 06663 | Operational management | Establish/Maintain Documentation | |
Establish, implement, and maintain an Intellectual Property Right program. CC ID 00821 | Operational management | Establish/Maintain Documentation | |
Establish, implement, and maintain domain name registration and renewal procedures. CC ID 07075 | Operational management | Business Processes | |
Establish, implement, and maintain Intellectual Property Rights protection procedures. CC ID 11512 | Operational management | Establish/Maintain Documentation | |
Protect against circumvention of the organization's Intellectual Property Rights. CC ID 11513 | Operational management | Establish/Maintain Documentation | |
Establish, implement, and maintain an e-mail policy. CC ID 06439 | Operational management | Establish/Maintain Documentation | |
Include business use of personal e-mail in the e-mail policy. CC ID 14381 | Operational management | Establish/Maintain Documentation | |
Identify the sender in all electronic messages. CC ID 13996 | Operational management | Data and Information Management | |
Protect policies, standards, and procedures from unauthorized modification or disclosure. CC ID 10603 | Operational management | Establish/Maintain Documentation | |
Establish, implement, and maintain nondisclosure agreements. CC ID 04536 | Operational management | Establish/Maintain Documentation | |
Disseminate and communicate nondisclosure agreements to interested personnel and affected parties. CC ID 16191 | Operational management | Communicate | |
Require interested personnel and affected parties to sign nondisclosure agreements. CC ID 06667 | Operational management | Establish/Maintain Documentation | |
Require interested personnel and affected parties to re-sign nondisclosure agreements, as necessary. CC ID 06669 | Operational management | Establish/Maintain Documentation | |
Establish, implement, and maintain a use of information agreement. CC ID 06215 | Operational management | Establish/Maintain Documentation | |
Include use limitations in the use of information agreement. CC ID 06244 | Operational management | Establish/Maintain Documentation | |
Include disclosure requirements in the use of information agreement. CC ID 11735 | Operational management | Establish/Maintain Documentation | |
Include information recipients in the use of information agreement. CC ID 06245 | Operational management | Establish/Maintain Documentation | |
Include reporting out of scope use of information in the use of information agreement. CC ID 06246 | Operational management | Establish/Maintain Documentation | |
Include disclosure of information in the use of information agreement. CC ID 11830 | Operational management | Establish/Maintain Documentation | |
Include information security procedures assigned to the information recipient in the use of information agreement. CC ID 07130 | Operational management | Establish/Maintain Documentation | |
Include information security procedures assigned to the originator in the use of information agreement. CC ID 14418 | Operational management | Establish/Maintain Documentation | |
Include a do not contact rule for the individuals identified in a data set in the use of information agreement. CC ID 07131 | Operational management | Establish/Maintain Documentation | |
Include the information recipient's third parties accepting the agreement in the use of information agreement. CC ID 07132 | Operational management | Establish/Maintain Documentation | |
Implement and comply with the Governance, Risk, and Compliance framework. CC ID 00818 [Table 1 describes the structure of the governance principles and lists the principles associated with each category. All principles should be applied, and applied concurrently. § 5 ¶ 3 Governing bodies should ensure that they realize the described governance outcomes through intentionally implementing the practices. § 5 ¶ 6] | Operational management | Business Processes | |
Analyze how policies used to create management boundaries relate to the Governance, Risk, and Compliance approach. CC ID 12821 [Decision-making throughout the organization should be supported by appropriate delegation (see 4.2.2). This delegation should be formalized together with appropriate assurance processes. Additionally, the governing body should ensure that: limits of the decision-making authority are applied based on the associated level of risk, in particular where automated decision-making is used; § 6.8.3.2.2 ¶ 1 b) Delegation should be formalized together with the appropriate assurance processes. Limits of decision-making authority should be applied in response to assessed risk. § 4.2.2 ¶ 5] | Operational management | Process or Activity | |
Analyze how the organization sets limits in policies relating to the Governance, Risk, and Compliance approach. CC ID 12819 | Operational management | Process or Activity | |
Analyze how the Board of Directors' and senior management's tone influences the Governance, Risk, and Compliance approach. CC ID 12818 [To ensure that the organization fulfils the organizational purpose and achieves the intended strategic outcomes, the governing body should: set the tone for the organization with respect to how the management of risk is to be approached; § 6.9.3.1 ¶ 2 a) To ensure that the organization is acting in a socially responsible way, the governing body should: assess how actions of individual members of the governing body influence social responsibility. § 6.10.3 ¶ 1 i) In order to lead ethically and effectively, the governing body should lead by example to create a positive culture, set the tone for others, and engender trust and cooperation among the organization's stakeholders. § 6.7.3.1 ¶ 2 Set the tone for the organization by behaving in the manner in which the organization and its personnel are expected to behave. Table 2 Column 2 Row 2 Bullet 4 The governing body should steer the organizational strategy by means of: the organizational culture, including the cultural tone the governing body sets through its ethos; § 6.3.3.2.2 ¶ 2 a)] | Operational management | Process or Activity | |
Analyze the degree to which the governing body is engaged in the Governance, Risk, and Compliance approach. CC ID 12817 [Ethical and effective leadership should be demonstrated in three areas: the functioning of the governing body; § 6.7.3.1 ¶ 4 a) The governing body should make decisions of requisite quality and ensure that its decision-making is appropriately informed. The governing body should: pay attention to the dynamics of the governing body, including, for example, undue reliance on any one member for decision-making; § 6.8.3.2.1 ¶ 1 e) The governing body should steer the organizational strategy by means of: the composition and functioning of the governing body itself, and its committees, ensuring they are continually able to understand and meet the changing needs of the organization (see 4.3.2), including recommending ways for closing anticipated gaps; § 6.3.3.2.2 ¶ 2 c)] | Operational management | Process or Activity | |
Analyze the Governance, Risk, and Compliance approach. CC ID 12816 [The governing body should: assess its own competence, structures and processes, including drawing on the support of experienced, independent professionals, with respect to, for example, the adequacy of its effectiveness, efficiency, composition and its member succession plans; § 4.3.2 ¶ 2 d)] | Operational management | Process or Activity | |
Analyze the organizational culture. CC ID 12899 | Operational management | Process or Activity | |
Include employee engagement in the analysis of the organizational culture. CC ID 12914 | Operational management | Behavior | |
Include contractual relationships with workforce members in the analysis of the organizational culture. CC ID 15674 | Operational management | Business Processes | |
Include the number of workforce members who are not employees in the analysis of the organizational culture. CC ID 15673 | Operational management | Business Processes | |
Include the type of work performed by workforce members in the analysis of the organizational culture. CC ID 15675 | Operational management | Business Processes | |
Include skill development in the analysis of the organizational culture. CC ID 12913 | Operational management | Behavior | |
Include employee turnover rates in the analysis of the organizational culture. CC ID 12912 | Operational management | Behavior | |
Include demographic characteristics of employees in the analysis of the organizational culture. CC ID 15671 | Operational management | Business Processes | |
Include employee loyalty in the analysis of the organizational culture. CC ID 12911 | Operational management | Behavior | |
Include employee satisfaction in the analysis of the organizational culture. CC ID 12910 | Operational management | Behavior | |
Comply with all implemented policies in the organization's compliance framework. CC ID 06384 [To demonstrate accountability, the governing body should ensure that the organization's reports and disclosures: meet compliance obligations; § 6.5.3.2 ¶ 1 d) Effective performance — The organization: remains in alignment with its policies and relevant stakeholder expectations. § 5 ¶ 2 a) 4)] | Operational management | Establish/Maintain Documentation | |
Provide assurance to interested personnel and affected parties that the Governance, Risk, and Compliance capability is reliable, effective, efficient, and responsive. CC ID 12788 [In doing so, the governing body provides indications of the organization's governance maturity, among other insights. § 5 ¶ 8 To provide effective oversight of the organization, in addition to the reports it receives from those to whom they have delegated, the governing body should assure itself that the governance system is appropriately designed and operating as intended. If the governing body cannot assure itself directly, then it should utilize additional means of independent assurance. The governing body should: § 6.4.3.3 ¶ 1 To provide effective oversight of the organization, in addition to the reports it receives from those to whom they have delegated, the governing body should assure itself that the governance system is appropriately designed and operating as intended. If the governing body cannot assure itself directly, then it should utilize additional means of independent assurance. The governing body should: demonstrate its commitment to assurance and communicate appropriately and clearly, throughout the organization, about its assurance system. § 6.4.3.3 ¶ 1 g)] | Operational management | Communicate | |
Review systems for compliance with organizational information security policies. CC ID 12004 | Operational management | Business Processes | |
Disseminate and communicate the Governance, Risk, and Compliance framework to all interested personnel and affected parties. CC ID 00815 [{individual}{hold accountable} The governing body should demonstrate its willingness to answer for the fulfilment of its responsibilities, even where these have been delegated. The governing body should also report on the manner in which it holds to account those to whom it has delegated. § 6.5.3.1 ¶ 1 To demonstrate accountability, the governing body should ensure that the organization's reports and disclosures: provide information about the governing body itself, including: § 6.5.3.2 ¶ 1 b) Finally, the governing body should report honestly and transparently to relevant stakeholders on the organizational governance framework. This includes reporting: § 5 ¶ 7] | Operational management | Behavior | |
Establish, implement, and maintain an Asset Management program. CC ID 06630 [Responsible stewardship — The organization: makes use of resources in a responsible manner; § 5 ¶ 2 b) 1) {procedure}The governing body should ensure that it sets parameters, within which the value generation objectives are to be achieved. These parameters should ensure that the organization: defines what resources are required to deliver the value generation objectives and how they should be accessed and allocated; § 6.2.3.3 ¶ 1 b)] | Operational management | Business Processes | |
Establish, implement, and maintain an asset management policy. CC ID 15219 | Operational management | Establish/Maintain Documentation | |
Include coordination amongst entities in the asset management policy. CC ID 16424 | Operational management | Business Processes | |
Establish, implement, and maintain asset management procedures. CC ID 16748 | Operational management | Establish/Maintain Documentation | |
Assign an information owner to organizational assets, as necessary. CC ID 12729 | Operational management | Human Resources Management | |
Define and prioritize the importance of each asset in the asset management program. CC ID 16837 | Operational management | Business Processes | |
Include life cycle requirements in the security management program. CC ID 16392 | Operational management | Establish/Maintain Documentation | |
Include program objectives in the asset management program. CC ID 14413 | Operational management | Establish/Maintain Documentation | |
Include a commitment to continual improvement in the asset management program. CC ID 14412 | Operational management | Establish/Maintain Documentation | |
Include compliance with applicable requirements in the asset management program. CC ID 14411 | Operational management | Establish/Maintain Documentation | |
Establish, implement, and maintain administrative controls over all assets. CC ID 16400 | Operational management | Business Processes | |
Establish, implement, and maintain classification schemes for all systems and assets. CC ID 01902 | Operational management | Establish/Maintain Documentation | |
Apply security controls to each level of the information classification standard. CC ID 01903 | Operational management | Systems Design, Build, and Implementation | |
Establish, implement, and maintain the systems' confidentiality level. CC ID 01904 | Operational management | Establish/Maintain Documentation | |
Define confidentiality controls. CC ID 01908 | Operational management | Establish/Maintain Documentation | |
Establish, implement, and maintain the systems' availability level. CC ID 01905 | Operational management | Establish/Maintain Documentation | |
Restrict unscheduled downtime in order to maintain high availability for critical systems. CC ID 12742 | Operational management | Process or Activity | |
Define integrity controls. CC ID 01909 | Operational management | Establish/Maintain Documentation | |
Establish, implement, and maintain the systems' integrity level. CC ID 01906 | Operational management | Establish/Maintain Documentation | |
Define availability controls. CC ID 01911 | Operational management | Establish/Maintain Documentation | |
Establish safety classifications for systems according to their potential harmful effects to operators or end users. CC ID 06603 | Operational management | Establish/Maintain Documentation | |
Establish, implement, and maintain an asset safety classification scheme. CC ID 06604 | Operational management | Establish/Maintain Documentation | |
Establish, implement, and maintain the Asset Classification Policy. CC ID 06642 | Operational management | Establish/Maintain Documentation | |
Disseminate and communicate the Asset Classification Policy to interested personnel and affected parties. CC ID 14851 | Operational management | Communicate | |
Classify assets according to the Asset Classification Policy. CC ID 07186 | Operational management | Establish Roles | |
Classify virtual systems by type and purpose. CC ID 16332 | Operational management | Business Processes | |
Document the decision for assigning an asset to a specific asset classification in the Asset Classification Policy. CC ID 07185 | Operational management | Establish/Maintain Documentation | |
Apply asset protection mechanisms for all assets according to their assigned Asset Classification Policy. CC ID 07184 | Operational management | Establish Roles | |
Disallow systems from processing information, disseminating and communicating information, or storing information that is above the system's assigned asset classification. CC ID 06606 | Operational management | Configuration | |
Assign decomposed system components the same asset classification as the originating system. CC ID 06605 | Operational management | Establish/Maintain Documentation | |
Establish, implement, and maintain an asset inventory. CC ID 06631 | Operational management | Business Processes | |
Establish, implement, and maintain an Information Technology inventory with asset discovery audit trails. CC ID 00689 | Operational management | Establish/Maintain Documentation | |
Include all account types in the Information Technology inventory. CC ID 13311 | Operational management | Establish/Maintain Documentation | |
Include each Information System's system boundaries in the Information Technology inventory. CC ID 00695 | Operational management | Systems Design, Build, and Implementation | |
Identify processes, Information Systems, and third parties that transmit, process, or store restricted data. CC ID 06289 | Operational management | Data and Information Management | |
Include each Information System's major applications in the Information Technology inventory. CC ID 01407 | Operational management | Establish/Maintain Documentation | |
Categorize all major applications according to the business information they process. CC ID 07182 | Operational management | Establish/Maintain Documentation | |
Document the resources, hazards, and Evaluation Assurance Levels for each major application. CC ID 01164 | Operational management | Establish/Maintain Documentation | |
Include the General Support Systems and security support structure in the Information Technology inventory. CC ID 01408 | Operational management | Establish/Maintain Documentation | |
Include each Information System's minor applications in the Information Technology inventory. CC ID 01409 | Operational management | Establish/Maintain Documentation | |
Conduct environmental surveys. CC ID 00690 | Operational management | Physical and Environmental Protection | |
Categorize facilities in the Information Technology inventory according to their environmental risks. CC ID 06729 | Operational management | Establish/Maintain Documentation | |
Establish, implement, and maintain a hardware asset inventory. CC ID 00691 | Operational management | Establish/Maintain Documentation | |
Include network equipment in the Information Technology inventory. CC ID 00693 | Operational management | Establish/Maintain Documentation | |
Include mobile devices that store restricted data or restricted information in the Information Technology inventory. CC ID 04719 | Operational management | Establish/Maintain Documentation | |
Include interconnected systems and Software as a Service in the Information Technology inventory. CC ID 04885 | Operational management | Process or Activity | |
Include software in the Information Technology inventory. CC ID 00692 | Operational management | Establish/Maintain Documentation | |
Establish and maintain a list of authorized software and versions required for each system. CC ID 12093 | Operational management | Establish/Maintain Documentation | |
Establish, implement, and maintain a storage media inventory. CC ID 00694 | Operational management | Establish/Maintain Documentation | |
Establish, implement, and maintain a records inventory and database inventory. CC ID 01260 | Operational management | Establish/Maintain Documentation | |
Add inventoried assets to the asset register database, as necessary. CC ID 07051 | Operational management | Establish/Maintain Documentation | |
Organize the asset register database by grouping objects according to an organizational information classification standard. CC ID 07181 | Operational management | Establish/Maintain Documentation | |
Use automated tools to collect Information Technology inventory information, as necessary. CC ID 07054 | Operational management | Technical Security | |
Link the authentication system to the asset inventory. CC ID 13718 | Operational management | Technical Security | |
Record a unique name for each asset in the asset inventory. CC ID 16305 | Operational management | Data and Information Management | |
Record the decommission date for applicable assets in the asset inventory. CC ID 14920 | Operational management | Establish/Maintain Documentation | |
Record the status of information systems in the asset inventory. CC ID 16304 | Operational management | Data and Information Management | |
Record the communication interfaces for applicable assets in the asset inventory. CC ID 16301 | Operational management | Data and Information Management | |
Record the Uniform Resource Locator for applicable assets in the asset inventory. CC ID 14918 | Operational management | Establish/Maintain Documentation | |
Include source code in the asset inventory. CC ID 14858 | Operational management | Records Management | |
Assign ownership of maintaining the asset inventory, as necessary. CC ID 12344 | Operational management | Human Resources Management | |
Record the review date for applicable assets in the asset inventory. CC ID 14919 | Operational management | Establish/Maintain Documentation | |
Record software license information for each asset in the asset inventory. CC ID 11736 | Operational management | Data and Information Management | |
Record services for applicable assets in the asset inventory. CC ID 13733 | Operational management | Establish/Maintain Documentation | |
Record protocols for applicable assets in the asset inventory. CC ID 13734 | Operational management | Establish/Maintain Documentation | |
Record the software version in the asset inventory. CC ID 12196 | Operational management | Establish/Maintain Documentation | |
Record the publisher for applicable assets in the asset inventory. CC ID 13725 | Operational management | Establish/Maintain Documentation | |
Record the authentication system in the asset inventory. CC ID 13724 | Operational management | Establish/Maintain Documentation | |
Tag unsupported assets in the asset inventory. CC ID 13723 | Operational management | Establish/Maintain Documentation | |
Record the install date for applicable assets in the asset inventory. CC ID 13720 | Operational management | Establish/Maintain Documentation | |
Record the make and model of the device for applicable assets in the asset inventory. CC ID 12465 | Operational management | Establish/Maintain Documentation | |
Record the asset tag for physical assets in the asset inventory. CC ID 06632 | Operational management | Establish/Maintain Documentation | |
Record the host name of applicable assets in the asset inventory. CC ID 13722 | Operational management | Establish/Maintain Documentation | |
Record network ports for applicable assets in the asset inventory. CC ID 13730 | Operational management | Establish/Maintain Documentation | |
Record the MAC address for applicable assets in the asset inventory. CC ID 13721 | Operational management | Establish/Maintain Documentation | |
Record the operating system version for applicable assets in the asset inventory. CC ID 11748 | Operational management | Data and Information Management | |
Record the operating system type for applicable assets in the asset inventory. CC ID 06633 | Operational management | Establish/Maintain Documentation | |
Record rooms at external locations in the asset inventory. CC ID 16302 | Operational management | Data and Information Management | |
Record the department associated with the asset in the asset inventory. CC ID 12084 | Operational management | Establish/Maintain Documentation | |
Record the physical location for applicable assets in the asset inventory. CC ID 06634 | Operational management | Establish/Maintain Documentation | |
Record the manufacturer's serial number for applicable assets in the asset inventory. CC ID 06635 | Operational management | Establish/Maintain Documentation | |
Record the firmware version for applicable assets in the asset inventory. CC ID 12195 | Operational management | Establish/Maintain Documentation | |
Record the related business function for applicable assets in the asset inventory. CC ID 06636 | Operational management | Establish/Maintain Documentation | |
Record the deployment environment for applicable assets in the asset inventory. CC ID 06637 | Operational management | Establish/Maintain Documentation | |
Record the Internet Protocol address for applicable assets in the asset inventory. CC ID 06638 | Operational management | Establish/Maintain Documentation | |
Record trusted keys and certificates in the asset inventory. CC ID 15486 | Operational management | Data and Information Management | |
Record cipher suites and protocols in the asset inventory. CC ID 15489 | Operational management | Data and Information Management | |
Link the software asset inventory to the hardware asset inventory. CC ID 12085 | Operational management | Establish/Maintain Documentation | |
Record the owner for applicable assets in the asset inventory. CC ID 06640 | Operational management | Establish/Maintain Documentation | |
Record all compliance requirements for applicable assets in the asset inventory. CC ID 15696 | Operational management | Establish/Maintain Documentation | |
Record all changes to assets in the asset inventory. CC ID 12190 | Operational management | Establish/Maintain Documentation | |
Record cloud service derived data in the asset inventory. CC ID 13007 | Operational management | Establish/Maintain Documentation | |
Include cloud service customer data in the asset inventory. CC ID 13006 | Operational management | Establish/Maintain Documentation | |
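The inventory fields listed above, together with the controls to link the software inventory to the hardware inventory and to tag unsupported assets, can be checked mechanically rather than by hand. The following Python is an added example and is not part of the UCF mapping or of ISO 37000: the record layout, field names, sample hosts, software rows and support-end dates are constructed for illustration, and the validation rules (RFC 1123 host labels, colon-separated MAC addresses, parseable IP addresses) are this example's own choices.

```python
"""Asset-inventory record checks: validate the identifying fields of each
hardware record, join the software inventory to the hardware inventory by
host name, and tag software whose vendor support has ended.

All sample data below is constructed for this example; the field names are
this example's own and are not a UCF or ISO 37000 schema."""
import ipaddress
import re
from datetime import date

# Colon-separated hexadecimal MAC address, e.g. 00:1a:2b:3c:4d:5e.
MAC_RE = re.compile(r"^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$")
# RFC 1123 host labels: letters, digits and hyphens, no leading or trailing hyphen.
HOSTNAME_RE = re.compile(
    r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)(\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*$")

# Date the report is run against (constructed).
AS_OF = date(2024, 6, 1)

# Constructed sample hardware inventory, one row per device.
HARDWARE = [
    {"host_name": "db-prod-01", "ip": "10.20.30.41", "mac": "00:1a:2b:3c:4d:5e",
     "owner": "dba-team", "environment": "production", "install_date": "2019-04-02"},
    # Deliberately malformed row: underscore in host name, out-of-range IP,
    # hyphen-separated MAC and no owner.
    {"host_name": "jump_box", "ip": "10.20.30.999", "mac": "00-1A-2B-3C-4D-5F",
     "owner": "", "environment": "production", "install_date": "2021-01-15"},
]

# Constructed sample software inventory, linked to hardware by host_name.
SOFTWARE = [
    {"host_name": "db-prod-01", "publisher": "PostgreSQL Global Development Group",
     "product": "PostgreSQL", "version": "11.22", "support_ends": "2023-11-09"},
    {"host_name": "db-prod-01", "publisher": "OpenSSL Project",
     "product": "openssl", "version": "3.0.13", "support_ends": "2026-09-07"},
    # Software row whose host is not in the hardware inventory.
    {"host_name": "ghost-host", "publisher": "F5",
     "product": "nginx", "version": "1.24.0", "support_ends": "2025-04-23"},
]

REQUIRED_HW = ("host_name", "ip", "mac", "owner", "environment", "install_date")


def validate_hardware(rec):
    """Return a list of problems with one hardware record (empty list means ok)."""
    problems = [f"missing {f}" for f in REQUIRED_HW if not rec.get(f)]
    if rec.get("host_name") and not HOSTNAME_RE.match(rec["host_name"]):
        problems.append("host_name not RFC 1123 compliant")
    try:
        ipaddress.ip_address(rec.get("ip", ""))
    except ValueError:
        problems.append("ip is not a valid address")
    if rec.get("mac") and not MAC_RE.match(rec["mac"]):
        problems.append("mac not in colon-separated hex form")
    return problems


def link_and_tag(hardware, software, today):
    """Join software rows to hardware rows by host_name.

    Returns (linked, orphans): linked maps host_name to its software rows, each
    tagged with unsupported=True when support_ends is before today; orphans are
    software rows whose host does not exist in the hardware inventory."""
    hosts = {h["host_name"] for h in hardware}
    linked = {h: [] for h in hosts}
    orphans = []
    for sw in software:
        row = dict(sw)
        row["unsupported"] = date.fromisoformat(sw["support_ends"]) < today
        if sw["host_name"] in hosts:
            linked[sw["host_name"]].append(row)
        else:
            orphans.append(row)
    return linked, orphans


def inventory_report(hardware, software, today):
    """Summarise validation failures, unsupported software and orphan software rows."""
    failures = {h["host_name"]: validate_hardware(h) for h in hardware}
    failures = {host: probs for host, probs in failures.items() if probs}
    linked, orphans = link_and_tag(hardware, software, today)
    unsupported = [(host, r["product"], r["version"])
                   for host, rows in linked.items() for r in rows if r["unsupported"]]
    return {"failures": failures,
            "unsupported": unsupported,
            "orphans": [o["host_name"] for o in orphans]}


if __name__ == "__main__":
    import json
    print(json.dumps(inventory_report(HARDWARE, SOFTWARE, AS_OF), indent=2))
```

Orphan software rows are the interesting output for an auditor: a package recorded against a host that is absent from the hardware inventory means one of the two inventories is stale, which is exactly the gap the "link the software asset inventory to the hardware asset inventory" control is meant to close.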
Establish, implement, and maintain a software accountability policy. CC ID 00868 | Operational management | Establish/Maintain Documentation | |
Establish, implement, and maintain software asset management procedures. CC ID 00895 | Operational management | Establish/Maintain Documentation | |
Prevent users from disabling required software. CC ID 16417 | Operational management | Technical Security | |
Establish, implement, and maintain software archives procedures. CC ID 00866 | Operational management | Establish/Maintain Documentation | |
Establish, implement, and maintain software distribution procedures. CC ID 00894 | Operational management | Establish/Maintain Documentation | |
Establish, implement, and maintain software documentation management procedures. CC ID 06395 | Operational management | Establish/Maintain Documentation | |
Establish, implement, and maintain software license management procedures. CC ID 06639 | Operational management | Establish/Maintain Documentation | |
Automate software license monitoring, as necessary. CC ID 07057 | Operational management | Monitor and Evaluate Occurrences | |
Establish, implement, and maintain digital legacy procedures. CC ID 16524 | Operational management | Establish/Maintain Documentation | |
Establish, implement, and maintain a system redeployment program. CC ID 06276 | Operational management | Establish/Maintain Documentation | |
Notify interested personnel and affected parties before the system is redeployed or disposed of. CC ID 06400 | Operational management | Behavior | |
Wipe all data on systems before the system is redeployed or disposed of. CC ID 06401 | Operational management | Data and Information Management | |
Transfer legal ownership of assets when the system is redeployed to a third party. CC ID 06698 | Operational management | Acquisition/Sale of Assets or Services | |
Document the staff's operating knowledge of the system prior to a personnel status change. CC ID 06937 | Operational management | Establish/Maintain Documentation | |
Redeploy systems to other organizational units, as necessary. CC ID 11452 | Operational management | Establish/Maintain Documentation | |
Establish, implement, and maintain a system disposal program. CC ID 14431 | Operational management | Establish/Maintain Documentation | |
Establish, implement, and maintain disposal procedures. CC ID 16513 | Operational management | Establish/Maintain Documentation | |
Establish, implement, and maintain asset sanitization procedures. CC ID 16511 | Operational management | Establish/Maintain Documentation | |
Destroy systems in accordance with the system disposal program. CC ID 16457 | Operational management | Business Processes | |
Approve the release of systems and waste material into the public domain. CC ID 16461 | Operational management | Business Processes | |
Establish, implement, and maintain system destruction procedures. CC ID 16474 | Operational management | Establish/Maintain Documentation | |
Establish, implement, and maintain printer and multifunction device disposition procedures. CC ID 15216 | Operational management | Establish/Maintain Documentation | |
Establish, implement, and maintain a system preventive maintenance program. CC ID 00885 [The organization's viability and performance over time depends on the resilience of natural environmental, social and economic systems in which the organization operates. The resilience of these systems benefits from governing body decisions when such decisions consider: actively contribute to conserving and restoring these systems. § 6.11.3.1 ¶ 1 Bullet 2] | Operational management | Establish/Maintain Documentation | |
Establish and maintain maintenance reports. CC ID 11749 | Operational management | Establish/Maintain Documentation | |
Establish and maintain system inspection reports. CC ID 06346 | Operational management | Establish/Maintain Documentation | |
Establish, implement, and maintain a system maintenance policy. CC ID 14032 | Operational management | Establish/Maintain Documentation | |
Include compliance requirements in the system maintenance policy. CC ID 14217 | Operational management | Establish/Maintain Documentation | |
Include management commitment in the system maintenance policy. CC ID 14216 | Operational management | Establish/Maintain Documentation | |
Include roles and responsibilities in the system maintenance policy. CC ID 14215 | Operational management | Establish/Maintain Documentation | |
Include the scope in the system maintenance policy. CC ID 14214 | Operational management | Establish/Maintain Documentation | |
Disseminate and communicate the system maintenance policy to interested personnel and affected parties. CC ID 14213 | Operational management | Communicate | |
Include the purpose in the system maintenance policy. CC ID 14187 | Operational management | Establish/Maintain Documentation | |
Include coordination amongst entities in the system maintenance policy. CC ID 14181 | Operational management | Establish/Maintain Documentation | |
Establish, implement, and maintain system maintenance procedures. CC ID 14059 | Operational management | Establish/Maintain Documentation | |
Disseminate and communicate the system maintenance procedures to interested personnel and affected parties. CC ID 14194 | Operational management | Communicate | |
Establish, implement, and maintain a technology refresh plan. CC ID 13061 | Operational management | Establish/Maintain Documentation | |
Plan and conduct maintenance so that it does not interfere with scheduled operations. CC ID 06389 | Operational management | Physical and Environmental Protection | |
Maintain contact with the device manufacturer or component manufacturer for maintenance requests. CC ID 06388 | Operational management | Behavior | |
Use system components only when third party support is available. CC ID 10644 | Operational management | Maintenance | |
Obtain justification for the continued use of system components when third party support is no longer available. CC ID 10645 | Operational management | Maintenance | |
Obtain approval before removing maintenance tools from the facility. CC ID 14298 | Operational management | Business Processes | |
Control remote maintenance according to the system's asset classification. CC ID 01433 | Operational management | Technical Security | |
Separate remote maintenance sessions from other network sessions with a logically separate communications path based upon encryption. CC ID 10614 | Operational management | Configuration | |
Approve all remote maintenance sessions. CC ID 10615 | Operational management | Technical Security | |
Log the performance of all remote maintenance. CC ID 13202 | Operational management | Log Management | |
Terminate remote maintenance sessions when the remote maintenance is complete. CC ID 12083 | Operational management | Technical Security | |
Conduct offsite maintenance in authorized facilities. CC ID 16473 | Operational management | Maintenance | |
Disconnect non-volatile media from information systems prior to performing maintenance with uncleared personnel. CC ID 14295 | Operational management | Maintenance | |
Sanitize volatile media in information systems prior to performing maintenance with uncleared personnel. CC ID 14291 | Operational management | Maintenance | |
Respond to maintenance requests inside the organizationally established time frame. CC ID 04878 | Operational management | Behavior | |
Establish and maintain an archive of maintenance reports in a maintenance log. CC ID 06202 | Operational management | Establish/Maintain Documentation | |
Acquire spare parts prior to when maintenance requests are scheduled. CC ID 11833 | Operational management | Acquisition/Sale of Assets or Services | |
Perform periodic maintenance according to organizational standards. CC ID 01435 | Operational management | Behavior | |
Restart systems on a periodic basis. CC ID 16498 | Operational management | Maintenance | |
Remove components being serviced from the information system prior to performing maintenance. CC ID 14251 | Operational management | Maintenance | |
Employ dedicated systems during system maintenance. CC ID 12108 | Operational management | Technical Security | |
Isolate dedicated systems used for system maintenance from Internet access. CC ID 12114 | Operational management | Technical Security | |
Control granting access to appropriate parties performing maintenance on organizational assets. CC ID 11873 | Operational management | Human Resources Management | |
Identify and authenticate appropriate parties prior to granting access to maintain assets. CC ID 11874 | Operational management | Physical and Environmental Protection | |
Post calibration limits or calibration tolerances on or near assets requiring calibration. CC ID 06204 | Operational management | Establish/Maintain Documentation | |
Implement automated mechanisms to transfer predictive maintenance data to a maintenance management system. CC ID 10616 | Operational management | Process or Activity | |
Disassemble and shut down unnecessary systems or unused systems. CC ID 06280 | Operational management | Business Processes | |
Establish, implement, and maintain an end-of-life management process. CC ID 16540 | Operational management | Establish/Maintain Documentation | |
Dispose of hardware and software at their life cycle end. CC ID 06278 | Operational management | Business Processes | |
Refrain from placing assets being disposed into organizational dumpsters. CC ID 12200 | Operational management | Business Processes | |
Establish, implement, and maintain disposal contracts. CC ID 12199 | Operational management | Establish/Maintain Documentation | |
Include disposal procedures in disposal contracts. CC ID 13905 | Operational management | Establish/Maintain Documentation | |
Remove asset tags prior to disposal of an asset. CC ID 12198 | Operational management | Business Processes | |
Document the storage information for all systems that are stored instead of being disposed or redeployed. CC ID 06936 | Operational management | Establish/Maintain Documentation | |
Review each system's operational readiness. CC ID 06275 | Operational management | Systems Design, Build, and Implementation | |
Establish, implement, and maintain a data stewardship policy. CC ID 06657 | Operational management | Establish/Maintain Documentation | |
Establish and maintain an unauthorized software list. CC ID 10601 | Operational management | Establish/Maintain Documentation | |
Establish, implement, and maintain a customer service program. CC ID 00846 | Operational management | Establish/Maintain Documentation | |
Establish, implement, and maintain an Incident Management program. CC ID 00853 | Operational management | Business Processes | |
Include detection procedures in the Incident Management program. CC ID 00588 | Operational management | Establish/Maintain Documentation | |
Analyze security violations in Suspicious Activity Reports. CC ID 00591 | Operational management | Establish/Maintain Documentation | |
Update the incident response procedures using the lessons learned. CC ID 01233 [The governing body should oversee organizational performance by assessing and taking corrective action based on: the organization's management of plans, organizational changes and other substantial transformations as well as responses to unplanned events and incidents. § 6.4.3.2 ¶ 1 j)] | Operational management | Establish/Maintain Documentation | |
Establish, implement, and maintain a performance management standard. CC ID 01615 [The governing body should oversee the organization's performance to ensure that it meets the governing body's intentions for, and expectations of, the organization, its ethical behaviour and its compliance obligations. § 6.4.1 ¶ 1; Ethical and effective leadership should be demonstrated in three areas: the performance of the organization as a whole; § 6.7.3.1 ¶ 4 b); The governing body should oversee the organization's performance to ensure that it meets the governing body's intentions for, and expectations of, the organization, its ethical behaviour and its compliance obligations. Table 1 Column 4 Row 5; Effective performance — The organization: performs as required; § 5 ¶ 2 a) 2)] | Operational management | Establish/Maintain Documentation | |
Establish, implement, and maintain future system performance forecasting methods. CC ID 11775 | Operational management | Business Processes | |
Establish, implement, and maintain a remediation plan for deviations in the resource management process. CC ID 13679 | Operational management | Establish/Maintain Documentation | |
Follow the maintenance schedule. CC ID 11791 | Operational management | Maintenance | |
Establish, implement, and maintain rate limiting filters. CC ID 06883 | Operational management | Business Processes | |
Establish, implement, and maintain system capacity monitoring procedures. CC ID 01619 | Operational management | Establish/Maintain Documentation | |
Establish, implement, and maintain system performance monitoring procedures. CC ID 11752 | Operational management | Establish/Maintain Documentation | |
Establish, implement, and maintain a cost management program. CC ID 13638 | Operational management | Establish/Maintain Documentation | |
Establish, implement, and maintain a data profiling program. CC ID 13992 [The governing body should oversee the organization's management of risk (see 6.4), ensuring that: effective data analytics are employed to correctly assess risk and risk interactions; § 6.9.3.4 ¶ 1 f)] | Records management | Data and Information Management | |
Establish, implement, and maintain an information management program. CC ID 14315 [Decision-making throughout the organization should be supported by appropriate delegation (see 4.2.2). This delegation should be formalized together with appropriate assurance processes. Additionally, the governing body should ensure that: information structures, including access to information, monitoring and potential mitigation of incorrect decisions are sufficient to ensure compliance with organizational requirements. § 6.8.3.2.2 ¶ 1 c)] | Records management | Establish/Maintain Documentation | |
Establish, implement, and maintain records management procedures. CC ID 11619 | Records management | Establish/Maintain Documentation | |
Establish, implement, and maintain data completeness controls. CC ID 11649 [The governing body should make decisions of requisite quality and ensure that its decision-making is appropriately informed. The governing body should: ensure that assurance is provided over the integrity of the data and information received, and in particular its accuracy and completeness; § 6.8.3.2.1 ¶ 1 g)] | Records management | Process or Activity | |
Establish, implement, and maintain data processing integrity controls. CC ID 00923 [The governing body should make decisions of requisite quality and ensure that its decision-making is appropriately informed. The governing body should: ensure that assurance is provided over the integrity of the data and information received, and in particular its accuracy and completeness; § 6.8.3.2.1 ¶ 1 g)] | Records management | Establish Roles | |
Establish, implement, and maintain Automated Data Processing validation checks and editing checks. CC ID 00924 | Records management | Data and Information Management | |
Establish, implement, and maintain Automated Data Processing error handling procedures. CC ID 00925 | Records management | Establish/Maintain Documentation | |
Establish, implement, and maintain Automated Data Processing error handling reporting. CC ID 11659 | Records management | Establish/Maintain Documentation | |
Establish, implement, and maintain electronic storage media management procedures. CC ID 00931 | Records management | Establish/Maintain Documentation | |
Establish and maintain access controls for all records. CC ID 00371 [Decision-making throughout the organization should be supported by appropriate delegation (see 4.2.2). This delegation should be formalized together with appropriate assurance processes. Additionally, the governing body should ensure that: information structures, including access to information, monitoring and potential mitigation of incorrect decisions are sufficient to ensure compliance with organizational requirements. § 6.8.3.2.2 ¶ 1 c)] | Records management | Records Management | |
Establish, implement, and maintain a consumer complaint management program. CC ID 04570 [Assurance processes that inform the governing body independently and accurately include: whistleblowing processes and personnel and customer feedback mechanisms, both formal and informal (see NOTE 3). § 6.4.3.3 ¶ 2 Bullet 5] | Acquisition or sale of facilities, technology, and services | Business Processes | |
Document consumer complaints. CC ID 13903 | Acquisition or sale of facilities, technology, and services | Business Processes | |
Assess consumer complaints and litigation. CC ID 16521 | Acquisition or sale of facilities, technology, and services | Investigate | |
Notify the complainant about their rights after receiving a complaint. CC ID 16794 | Acquisition or sale of facilities, technology, and services | Communicate | |
Include how to access information from the dispute resolution body in the consumer complaint management program. CC ID 13816 | Acquisition or sale of facilities, technology, and services | Establish/Maintain Documentation | |
Include any requirements for using information from the dispute resolution body in the consumer complaint management program. CC ID 13815 | Acquisition or sale of facilities, technology, and services | Establish/Maintain Documentation | |
Post contact information in an easily seen location at facilities. CC ID 13812 | Acquisition or sale of facilities, technology, and services | Communicate | |
Provide users a list of the available dispute resolution bodies. CC ID 13814 | Acquisition or sale of facilities, technology, and services | Communicate | |
Post the dispute resolution body's contact information on the organization's website. CC ID 13811 | Acquisition or sale of facilities, technology, and services | Communicate | |
Establish, implement, and maintain consumer complaint escalation procedures. CC ID 07208 | Acquisition or sale of facilities, technology, and services | Establish/Maintain Documentation | |
Disseminate and communicate the consumer complaint management program to interested personnel and affected parties. CC ID 16795 | Acquisition or sale of facilities, technology, and services | Communicate | |
Report the analysis of consumer complaints to the Quality Management committee. CC ID 07209 | Acquisition or sale of facilities, technology, and services | Actionable Reports or Measurements | |
Establish, implement, and maintain notice and take-down procedures. CC ID 09963 | Acquisition or sale of facilities, technology, and services | Establish/Maintain Documentation | |
Check communications for take-down requests. CC ID 09964 | Acquisition or sale of facilities, technology, and services | Monitor and Evaluate Occurrences | |
Include a statement by the complainant that the information is true and correct in the take-down request. CC ID 09970 | Acquisition or sale of facilities, technology, and services | Business Processes | |
Notify the complainant regarding any missing information in the take-down request. CC ID 09973 | Acquisition or sale of facilities, technology, and services | Behavior | |
Document any unlawful material hosted or stored by the organization meeting the take-down request criteria. CC ID 09975 | Acquisition or sale of facilities, technology, and services | Establish/Maintain Documentation | |
Document any unlawful material hosted or stored by the organization meeting the take-down request criteria that has been removed prior to the take-down request. CC ID 09976 | Acquisition or sale of facilities, technology, and services | Establish/Maintain Documentation | |
Include whether it is technically feasible to follow the requested remedial action in the take-down request. CC ID 09977 | Acquisition or sale of facilities, technology, and services | Establish/Maintain Documentation | |
Remove all unlawful material associated with the take-down request that has not been removed and is feasible to remove. CC ID 09978 | Acquisition or sale of facilities, technology, and services | Business Processes | |
Notify the complainant when all unlawful material associated with the take-down notice that can be removed has been removed. CC ID 09979 | Acquisition or sale of facilities, technology, and services | Business Processes | |
Establish, implement, and maintain a privacy framework that protects restricted data. CC ID 11850 | Privacy protection for information and data | Establish/Maintain Documentation | |
Establish, implement, and maintain a personal data use limitation program. CC ID 13428 | Privacy protection for information and data | Establish/Maintain Documentation | |
Establish, implement, and maintain data access procedures. CC ID 00414 [The governing body should: ensure that all relevant stakeholders are able to access the reports and disclosures, as far as is reasonable, and are therefore suitably equipped with the information necessary to make informed assessments of the organization's past performance, current performance and performance over time. § 6.5.3.2 ¶ 2 Bullet 3] | Privacy protection for information and data | Establish/Maintain Documentation | |
Allow data subjects to submit data requests. CC ID 16545 | Privacy protection for information and data | Process or Activity | |
Provide individuals with information about where their personal data was processed. CC ID 00415 | Privacy protection for information and data | Data and Information Management | |
Provide individuals with information about the processing purpose of their personal data. CC ID 00416 | Privacy protection for information and data | Data and Information Management | |
Provide individuals with information about disclosure of their personal data. CC ID 00417 | Privacy protection for information and data | Data and Information Management | |
Allow guardians and legal representatives access to personal data about the individual for whom they are guardians or legal representatives. CC ID 00418 | Privacy protection for information and data | Data and Information Management | |
Provide assistance to requesters in preparing data access requests. CC ID 13588 | Privacy protection for information and data | Data and Information Management | |
Require data access requests to be in writing, unless the requester is unable. CC ID 00420 | Privacy protection for information and data | Establish/Maintain Documentation | |
Define what is to be included in a data access request. CC ID 08699 | Privacy protection for information and data | Establish/Maintain Documentation | |
Refrain from requiring data subjects to justify personal data access requests. CC ID 12394 | Privacy protection for information and data | Business Processes | |
Respond to data access requests in a timely manner. CC ID 00421 | Privacy protection for information and data | Behavior | |
Delay responding to data access requests, as necessary. CC ID 15504 | Privacy protection for information and data | Data and Information Management | |
Expedite the processing of data access requests, as necessary. CC ID 15496 | Privacy protection for information and data | Data and Information Management | |
Grant a waiver or reduction of fees for data access under defined conditions. CC ID 15502 | Privacy protection for information and data | Business Processes | |
Define what is included in a request for a waiver or reduction of fees. CC ID 15522 | Privacy protection for information and data | Process or Activity | |
Deliver the records described in the personal data access request, as necessary. CC ID 08701 | Privacy protection for information and data | Establish/Maintain Documentation | |
Provide individuals with an estimate of how much data was withheld from the data access request. CC ID 15503 | Privacy protection for information and data | Data and Information Management | |
Document the outcome of the personal data access request review procedure. CC ID 00455 | Privacy protection for information and data | Data and Information Management | |
Establish, implement, and maintain procedures for individuals to be able to modify their personal data, as necessary. CC ID 11811 | Privacy protection for information and data | Establish/Maintain Documentation | |
Submit personal data removal requests in writing. CC ID 11973 | Privacy protection for information and data | Records Management | |
Include a liability waiver for any harm caused by the exclusion of personal data in the personal data removal request. CC ID 11975 | Privacy protection for information and data | Establish/Maintain Documentation | |
Notify third parties of data access requests that relate to the third party. CC ID 08703 | Privacy protection for information and data | Establish/Maintain Documentation | |
Allow affected third parties to consent or object to a data access request. CC ID 08704 | Privacy protection for information and data | Process or Activity | |
Establish, implement, and maintain a personal data collection program. CC ID 06487 [The governing body should make decisions of requisite quality and ensure that its decision-making is appropriately informed. The governing body should: exercise its right and responsibility to determine and receive the information it requires, including determining the appropriate data collection methods, preparation and timely delivery of information; § 6.8.3.2.1 ¶ 1 f)] | Privacy protection for information and data | Establish/Maintain Documentation | |
Identify any adverse effects the collection of personal data will have on the data subject. CC ID 15279 | Privacy protection for information and data | Data and Information Management | |
Refrain from collecting personal data, as necessary. CC ID 15269 | Privacy protection for information and data | Data and Information Management | |
Establish, implement, and maintain personal data collection limitation boundaries. CC ID 00507 | Privacy protection for information and data | Establish/Maintain Documentation | |
Establish, implement, and maintain a personal data use policy. CC ID 00076 | Privacy protection for information and data | Establish/Maintain Documentation | |
Use personal data for specified purposes. CC ID 11831 | Privacy protection for information and data | Data and Information Management | |
Post the collection purpose. CC ID 00101 | Privacy protection for information and data | Establish/Maintain Documentation | |
Obtain the data subject's consent and acknowledgment before collecting data. CC ID 00012 | Privacy protection for information and data | Data and Information Management | |
Document each individual's personal data collection consent preferences. CC ID 06945 | Privacy protection for information and data | Establish/Maintain Documentation | |
Provide explicit consent that is clear and unambiguous. CC ID 00181 | Privacy protection for information and data | Data and Information Management | |
Allow individuals to change their personal data collection consent preferences. CC ID 06946 | Privacy protection for information and data | Data and Information Management | |
Adhere to each individual's personal data collection consent preferences. CC ID 06947 | Privacy protection for information and data | Data and Information Management | |
Notify the data subject of the source of collected personal data. CC ID 00083 | Privacy protection for information and data | Behavior | |
Furnish disclosure of information and usage of information to data subjects when oral consent is given. CC ID 04717 | Privacy protection for information and data | Data and Information Management | |
Disclose the direct marketing purpose before obtaining consent for collecting information. CC ID 04718 | Privacy protection for information and data | Data and Information Management | |
Establish and maintain a personal data definition. CC ID 00028 | Privacy protection for information and data | Establish/Maintain Documentation | |
Include an individual's name in the personal data definition. CC ID 04710 | Privacy protection for information and data | Data and Information Management | |
Include an individual's name combined with other personal data in the personal data definition. CC ID 04709 | Privacy protection for information and data | Data and Information Management | |
Include the legal surname of the parent or legal representative prior to marriage in the personal data definition. CC ID 04686 | Privacy protection for information and data | Data and Information Management | |
Include an individual's signature in the personal data definition. CC ID 04711 | Privacy protection for information and data | Data and Information Management | |
Include an individual's date of birth in the personal data definition. CC ID 04770 | Privacy protection for information and data | Data and Information Management | |
Include the number of children in the personal data definition. CC ID 13759 | Privacy protection for information and data | Establish/Maintain Documentation | |
Include the individual's religion in the personal data definition. CC ID 13765 | Privacy protection for information and data | Establish/Maintain Documentation | |
Include an individual's physical characteristics or description in the personal data definition. CC ID 04712 | Privacy protection for information and data | Data and Information Management | |
Include an individual's biometric data in the personal data definition. CC ID 04698 | Privacy protection for information and data | Data and Information Management | |
Include an individual's photographic image in the personal data definition. CC ID 04779 | Privacy protection for information and data | Data and Information Management | |
Include an individual's fingerprints in the personal data definition. CC ID 04689 | Privacy protection for information and data | Data and Information Management | |
Include an individual's address in the personal data definition. CC ID 04687 | Privacy protection for information and data | Data and Information Management | |
Include an individual's telephone number in the personal data definition. CC ID 04688 | Privacy protection for information and data | Data and Information Management | |
Include an individual's fax number in the personal data definition. CC ID 07120 | Privacy protection for information and data | Data and Information Management | |
Include an individual's political party affiliation in the personal data definition. CC ID 13764 | Privacy protection for information and data | Establish/Maintain Documentation | |
Include an individual's license plate number in the personal data definition. CC ID 13763 | Privacy protection for information and data | Establish/Maintain Documentation | |
Include an individual's financial account number in the personal data definition. CC ID 04692 | Privacy protection for information and data | Data and Information Management | |
Include an individual's account balances in the personal data definition. CC ID 13770 | Privacy protection for information and data | Establish/Maintain Documentation | |
Include stock numbers, bond numbers, and other security certificate numbers in the personal data definition. CC ID 04768 | Privacy protection for information and data | Data and Information Management | |
Include an individual's electronic identification name or number in the personal data definition. CC ID 04694 | Privacy protection for information and data | Data and Information Management | |
Include an individual's logon credentials in the personal data definition. CC ID 13771 | Privacy protection for information and data | Establish/Maintain Documentation | |
Include an individual's Alien Registration Number in the personal data definition. CC ID 04743 | Privacy protection for information and data | Data and Information Management | |
Include an individual's passport number in the personal data definition. CC ID 04713 | Privacy protection for information and data | Data and Information Management | |
Include an individual's driver's license number or an individual's state identification card number in the personal data definition. CC ID 04691 | Privacy protection for information and data | Data and Information Management | |
Include an individual's Social Security Number or Personal Identification Number in the personal data definition. CC ID 04690 | Privacy protection for information and data | Data and Information Management | |
Include an individual's military identification number in the personal data definition. CC ID 13083 | Privacy protection for information and data | Establish/Maintain Documentation | |
Include an individual's e-mail address in the personal data definition. CC ID 04696 | Privacy protection for information and data | Data and Information Management | |
Include electronic signatures in the personal data definition. CC ID 04697 | Privacy protection for information and data | Data and Information Management | |
Include an individual's payment card information in the personal data definition. CC ID 04751 | Privacy protection for information and data | Data and Information Management | |
Include an individual's credit card number or an individual's debit card number in the personal data definition. CC ID 04693 | Privacy protection for information and data | Data and Information Management | |
Include an individual's payment card service code in the personal data definition. CC ID 04753 | Privacy protection for information and data | Data and Information Management | |
Include an individual's payment card expiration date in the personal data definition. CC ID 04755 | Privacy protection for information and data | Data and Information Management | |
Include the payment transaction data and transaction authentication data in the personal data definition. CC ID 04825 | Privacy protection for information and data | Data and Information Management | |
Include an individual's Individually Identifiable Health Information in the personal data definition. CC ID 04700 | Privacy protection for information and data | Data and Information Management | |
Include an individual's medical history in the personal data definition. CC ID 04701 | Privacy protection for information and data | Data and Information Management | |
Include an individual's medical treatment in the personal data definition. CC ID 04702 | Privacy protection for information and data | Data and Information Management | |
Include an individual's medical diagnosis in the personal data definition. CC ID 04703 | Privacy protection for information and data | Data and Information Management | |
Include an individual's mental condition or an individual's physical condition in the personal data definition. CC ID 04704 | Privacy protection for information and data | Data and Information Management | |
Include an individual's medical record numbers in the personal data definition. CC ID 07121 | Privacy protection for information and data | Data and Information Management | |
Include an individual's health insurance information in the personal data definition. CC ID 04705 | Privacy protection for information and data | Data and Information Management | |
Include an individual's health insurance policy number in the personal data definition. CC ID 04706 | Privacy protection for information and data | Data and Information Management | |
Include an individual's health insurance application and health insurance claims history (including appeals) in the personal data definition. CC ID 04707 | Privacy protection for information and data | Data and Information Management | |
Include an individual's education information in the personal data definition. CC ID 04714 | Privacy protection for information and data | Data and Information Management | |
Include an individual's professional certification numbers or an individual's professional license numbers in the personal data definition. CC ID 07122 | Privacy protection for information and data | Data and Information Management | |
Include an individual's employment information in the personal data definition. CC ID 04715 | Privacy protection for information and data | Data and Information Management | |
Include an employer's Taxpayer Identification Number in the personal data definition. CC ID 04767 | Privacy protection for information and data | Data and Information Management | |
Include an individual's Taxpayer Identification Number in the personal data definition. CC ID 04763 | Privacy protection for information and data | Data and Information Management | |
Include an individual's employment history in the personal data definition. CC ID 04716 | Privacy protection for information and data | Data and Information Management | |
Include an individual's place of employment in the personal data definition. CC ID 04765 | Privacy protection for information and data | Data and Information Management | |
Include an individual's Employee Identification Number in the personal data definition. CC ID 04766 | Privacy protection for information and data | Data and Information Management | |
Include an individual's property information in the personal data definition. CC ID 04780 | Privacy protection for information and data | Data and Information Management | |
Include an individual's property title in the personal data definition. CC ID 04781 | Privacy protection for information and data | Data and Information Management | |
Include an individual's vehicle registration in the personal data definition. CC ID 04782 | Privacy protection for information and data | Data and Information Management | |
Include hardware asset identification information in the personal data definition. CC ID 07123 | Privacy protection for information and data | Data and Information Management | |
Include MAC addresses in the personal data definition. CC ID 04778 | Privacy protection for information and data | Data and Information Management | |
Include Internet Protocol addresses in the personal data definition. CC ID 04777 | Privacy protection for information and data | Data and Information Management | |
Include asset serial numbers in the personal data definition. CC ID 07124 | Privacy protection for information and data | Data and Information Management | |
Include Uniform Resource Locators in the personal data definition. CC ID 07125 | Privacy protection for information and data | Data and Information Management | |
Refrain from including publicly available information in the personal data definition. CC ID 13084 | Privacy protection for information and data | Establish/Maintain Documentation | |
Define specially restricted data. CC ID 00037 | Privacy protection for information and data | Data and Information Management | |
Protect an individual's civil rights during personal data collection and personal data processing. CC ID 00079 | Privacy protection for information and data | Data and Information Management | |
Refrain from compiling data that is likely to give rise to unlawful discrimination or arbitrary discrimination. CC ID 00075 | Privacy protection for information and data | Data and Information Management | |
Refrain from subjecting an individual to a solely automated decision process that produces legal effects based on the evaluation of certain characteristics. CC ID 00080 | Privacy protection for information and data | Data and Information Management | |
Implement a nondiscrimination principle. CC ID 00081 | Privacy protection for information and data | Data and Information Management | |
Include the collection and use of personal data in the nondiscrimination principle. CC ID 11799 | Privacy protection for information and data | Data and Information Management | |
Preserve each individual's right to human dignity. CC ID 00082 | Privacy protection for information and data | Data and Information Management | |
Manage Personal Identification Numbers and PIN verification code numbers. CC ID 00058 | Privacy protection for information and data | Data and Information Management | |
Employ a random number generator to create authenticators. CC ID 13782 | Privacy protection for information and data | Technical Security | |
Collect Personal Identification Numbers with the individual's consent. CC ID 00059 | Privacy protection for information and data | Data and Information Management | |
Collect Personal Identification Numbers absent consent when the law mandates. CC ID 00061 | Privacy protection for information and data | Data and Information Management | |
Collect Personal Identification Numbers absent consent for research purposes. CC ID 00065 | Privacy protection for information and data | Data and Information Management | |
Collect Personal Identification Numbers absent consent to realize the rights or duties of the data subject or data controller. CC ID 04792 | Privacy protection for information and data | Data and Information Management | |
Refrain from requiring a Personal Identification Number to purchase goods or services. CC ID 00069 | Privacy protection for information and data | Behavior | |
Manage health data collection. CC ID 00050 | Privacy protection for information and data | Data and Information Management | |
Collect Individually Identifiable Health Information to provide health care services. CC ID 00052 | Privacy protection for information and data | Data and Information Management | |
Collect Individually Identifiable Health Information when the law dictates. CC ID 00053 | Privacy protection for information and data | Data and Information Management | |
Collect Individually Identifiable Health Information for research. CC ID 00054 | Privacy protection for information and data | Data and Information Management | |
Remove personal data before disclosing health data. CC ID 00055 | Privacy protection for information and data | Data and Information Management | |
Give special attention to collecting children's data. CC ID 00038 | Privacy protection for information and data | Data and Information Management | |
Use simple understandable language to collect information from children. CC ID 00039 | Privacy protection for information and data | Behavior | |
Notify parents or legal representatives of what information is collected from children. CC ID 00040 | Privacy protection for information and data | Establish/Maintain Documentation | |
Obtain consent from a parent or legal representative before collecting information from children. CC ID 00041 | Privacy protection for information and data | Data and Information Management | |
Waive verifiable consent from a parent or legal representative for collecting information from children in order to collect online contact information for a one-time only response to a specific request. CC ID 00043 | Privacy protection for information and data | Data and Information Management | |
Waive verifiable consent from a parent or legal representative for collecting information from children in order to request the parent or legal representative's information to obtain consent. CC ID 00044 | Privacy protection for information and data | Data and Information Management | |
Waive verifiable consent from a parent or legal representative for collecting information from children in order to respond to additional requests which do not go beyond the scope of the request. CC ID 00045 | Privacy protection for information and data | Data and Information Management | |
Waive verifiable consent from a parent or legal representative for collecting information from children in order to protect the child's safety. CC ID 00046 | Privacy protection for information and data | Data and Information Management | |
Waive verifiable consent from a parent or legal representative for collecting information from children in order to take liability precautions. CC ID 00047 | Privacy protection for information and data | Data and Information Management | |
Waive verifiable consent from a parent or legal representative for collecting information from children in order to respond to a judicial process. CC ID 00048 | Privacy protection for information and data | Data and Information Management | |
Waive verifiable consent from a parent or legal representative for collecting information from children in order to respond to a request for law enforcement purposes. CC ID 00049 | Privacy protection for information and data | Data and Information Management | |
Waive verifiable consent from a parent or legal representative for collecting information from children in order to protect the website's security or integrity or the online service's security or integrity. CC ID 06199 | Privacy protection for information and data | Data and Information Management | |
Establish, implement, and maintain a personal data collection policy. CC ID 00029 | Privacy protection for information and data | Establish/Maintain Documentation | |
Collect personal data directly from the data subject. CC ID 00011 | Privacy protection for information and data | Data and Information Management | |
Create and manage user account aliases to maintain pseudonymity. CC ID 04549 | Privacy protection for information and data | Data and Information Management | |
Provide unlinkability for users and resources. CC ID 04550 | Privacy protection for information and data | Data and Information Management | |
Provide unobservability of users and resources. CC ID 04551 | Privacy protection for information and data | Technical Security | |
Collect restricted data in a fair and lawful manner. CC ID 00010 | Privacy protection for information and data | Data and Information Management | |
Collect restricted data absent consent for specific and well-documented circumstances. CC ID 00013 | Privacy protection for information and data | Data and Information Management | |
Collect restricted data absent consent when the data collection is in the individual's interests and consent can not be obtained in a timely manner. CC ID 00014 | Privacy protection for information and data | Data and Information Management | |
Collect restricted data absent consent when consent compromises data accuracy. CC ID 00015 | Privacy protection for information and data | Data and Information Management | |
Collect personal data absent consent in order to make a disclosure. CC ID 13550 | Privacy protection for information and data | Data and Information Management | |
Collect personal data absent consent for reasonable investigative purposes. CC ID 11801 | Privacy protection for information and data | Data and Information Management | |
Collect personal data absent consent if the collection is consistent with the intended purpose. CC ID 13548 | Privacy protection for information and data | Data and Information Management | |
Collect personal data absent consent when the personal data was produced by the data subject in the course of employment, business, or profession. CC ID 13544 | Privacy protection for information and data | Data and Information Management | |
Collect personal data absent consent for handling insurance claims. CC ID 13543 | Privacy protection for information and data | Data and Information Management | |
Collect personal data absent consent when the data subject has authorized the collection through another individual. CC ID 00016 | Privacy protection for information and data | Data and Information Management | |
Collect personal data absent consent if the disclosure is to the next of kin or authorized representative. CC ID 15295 | Privacy protection for information and data | Data and Information Management | |
Collect personal data absent consent in order to establish, manage, or terminate employment contracts. CC ID 13614 | Privacy protection for information and data | Data and Information Management | |
Collect personal data absent consent in order to protect the data subject's vital interests. CC ID 15277 | Privacy protection for information and data | Data and Information Management | |
Collect personal data for public interests absent consent in order to protect historical records or archival records. CC ID 15289 | Privacy protection for information and data | Data and Information Management | |
Collect personal data absent consent to administer a trust fund or benefit plan. CC ID 15292 | Privacy protection for information and data | Data and Information Management | |
Collect restricted data absent consent for journalistic purposes, artistic purposes, or literary purposes. CC ID 00017 | Privacy protection for information and data | Data and Information Management | |
Collect personal data absent consent in order to collect a debt owed by the data subject. CC ID 15293 | Privacy protection for information and data | Data and Information Management | |
Collect personal data absent consent for statistical purposes or research purposes and the data subject is not identified. CC ID 00018 | Privacy protection for information and data | Data and Information Management | |
Collect restricted data absent consent from publicly available information. CC ID 00019 | Privacy protection for information and data | Data and Information Management | |
Collect restricted data absent consent when needed by law. CC ID 00020 | Privacy protection for information and data | Data and Information Management | |
Collect personal data absent consent to create a credit report. CC ID 15287 | Privacy protection for information and data | Data and Information Management | |
Collect restricted data absent consent when no potential harm can come to the data subject. CC ID 00021 | Privacy protection for information and data | Data and Information Management | |
Collect personal data absent consent when collecting personal data from the data subject is impossible or the data collection involves a disproportionate effort. CC ID 00022 | Privacy protection for information and data | Data and Information Management | |
Collect the minimum amount of restricted data necessary. CC ID 00078 | Privacy protection for information and data | Data and Information Management | |
Collect restricted data in a proper information framework. CC ID 00009 | Privacy protection for information and data | Data and Information Management | |
Collect and record restricted data for specific, explicit, and legitimate purposes. CC ID 00027 | Privacy protection for information and data | Data and Information Management | |
Collect restricted data when required by law. CC ID 00031 | Privacy protection for information and data | Data and Information Management | |
Collect restricted data to prevent life-threatening emergencies. CC ID 00032 | Privacy protection for information and data | Data and Information Management | |
Collect restricted data relating solely to nonprofit organization members or individuals who are in regular contact during the nonprofit organization's activities. CC ID 00034 | Privacy protection for information and data | Data and Information Management | |
Collect restricted data for legal purposes. CC ID 00036 | Privacy protection for information and data | Data and Information Management | |
Provide the data subject with information about the data controller during the collection process. CC ID 00023 | Privacy protection for information and data | Establish/Maintain Documentation | |
Disseminate and communicate the data collector's name and contact information to all interested personnel. CC ID 13760 | Privacy protection for information and data | Communicate | |
Provide the data subject with the data collector's name and contact information. CC ID 00024 | Privacy protection for information and data | Establish/Maintain Documentation | |
Provide the data subject with the name of the data collector who will hold the collected restricted data. CC ID 00025 | Privacy protection for information and data | Establish/Maintain Documentation | |
Provide the data subject with the third party processor's contact information when the data controller is not processing the restricted data. CC ID 00026 | Privacy protection for information and data | Establish/Maintain Documentation | |
Establish, implement, and maintain a data handling program. CC ID 13427 | Privacy protection for information and data | Establish/Maintain Documentation | |
Establish, implement, and maintain data handling policies. CC ID 00353 | Privacy protection for information and data | Establish/Maintain Documentation | |
Establish, implement, and maintain data and information confidentiality policies. CC ID 00361 [{be within}To demonstrate accountability, the governing body should ensure that the organization's reports and disclosures: are transparent but also within the limits of confidentiality; § 6.5.3.2 ¶ 1 f)] | Privacy protection for information and data | Establish/Maintain Documentation | |
Prohibit personal data from being sent by e-mail or instant messaging. CC ID 00565 | Privacy protection for information and data | Data and Information Management | |
Protect electronic messaging information. CC ID 12022 | Privacy protection for information and data | Technical Security | |
Establish, implement, and maintain record structures to support information confidentiality. CC ID 00360 | Privacy protection for information and data | Data and Information Management | |
Include passwords, Personal Identification Numbers, and card security codes in the personal data definition. CC ID 04699 | Privacy protection for information and data | Configuration | |
Store payment card data in secure chips, if possible. CC ID 13065 | Privacy protection for information and data | Configuration | |
Refrain from storing data elements containing sensitive authentication data after authorization is approved. CC ID 04758 | Privacy protection for information and data | Configuration | |
Render unrecoverable sensitive authentication data after authorization is approved. CC ID 11952 | Privacy protection for information and data | Technical Security | |
Automate the disposition process for records that contain "do not store" data or "delete after transaction process" data. CC ID 06083 | Privacy protection for information and data | Data and Information Management | |
Log the disclosure of personal data. CC ID 06628 | Privacy protection for information and data | Log Management | |
Log the modification of personal data. CC ID 11844 | Privacy protection for information and data | Log Management | |
Encrypt, truncate, or tokenize data fields, as necessary. CC ID 06850 | Privacy protection for information and data | Technical Security | |
Implement security measures to protect personal data. CC ID 13606 | Privacy protection for information and data | Technical Security | |
Implement physical controls to protect personal data. CC ID 00355 | Privacy protection for information and data | Testing | |
Limit data leakage. CC ID 00356 | Privacy protection for information and data | Data and Information Management | |
Identify potential red flags to alert the organization before a data leakage has occurred. CC ID 04654 | Privacy protection for information and data | Monitor and Evaluate Occurrences | |
Establish, implement, and maintain Consumer Reporting Agency notification procedures. CC ID 04851 | Privacy protection for information and data | Business Processes | |
Acquire enough insurance to cover the liability for damages due to data leakage. CC ID 06408 | Privacy protection for information and data | Acquisition/Sale of Assets or Services | |
Alert appropriate personnel when data leakage is detected. CC ID 14715 | Privacy protection for information and data | Process or Activity | |
Disseminate and communicate the data handling policy to all interested personnel and affected parties. CC ID 15465 [The recognition that data can be a strategic asset (or liability) means that the governing body should: communicate the nature and extent of the organization's use of data as a demonstration of accountability for this resource. § 6.8.3.3 ¶ 1 e)] | Privacy protection for information and data | Communicate | |
Establish, implement, and maintain data handling procedures. CC ID 11756 | Privacy protection for information and data | Establish/Maintain Documentation | |
Disseminate and communicate the data handling procedures to all interested personnel and affected parties. CC ID 15466 [The governing body should ensure that the organization identifies, manages, monitors and communicates the nature and extent of its use of data (see 6.5.3). § 6.8.3.1 ¶ 1] | Privacy protection for information and data | Communicate | |
Establish, implement, and maintain a supply chain management program. CC ID 11742 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Document the organization's supply chain in the supply chain management program. CC ID 09958 | Third Party and supply chain oversight | Establish/Maintain Documentation |