
ISO 37000:2021, Governance of organizations — Guidance, First Edition



AD ID

0003485

AD STATUS

ISO 37000:2021, Governance of organizations — Guidance, First Edition

ORIGINATOR

International Organization for Standardization

TYPE

International or National Standard

AVAILABILITY

For Purchase

SYNONYMS

ISO 37000:2021

ISO 37000:2021, Governance of organizations — Guidance

EFFECTIVE

2021-09-01

ADDED

The document as a whole was last reviewed and released on 2022-06-29T00:00:00-0700.



Important Notice

This Authority Document In Depth Report is copyrighted - © 2024 - Network Frontiers LLC. All rights reserved. Copyright in the Authority Document analyzed herein is held by its authors. Network Frontiers makes no claims of copyright in this Authority Document.

This Authority Document In Depth Report is provided for informational purposes only and does not constitute, and should not be construed as, legal advice. The reader is encouraged to consult with an attorney experienced in these areas for further explanation and advice.

This Authority Document In Depth Report provides analysis and guidance for use and implementation of the Authority Document but it is not a substitute for the original authority document itself. Readers should refer to the original authority document as the definitive resource on obligations and compliance requirements.

The process we used to tag and map this document

This document has been mapped into the Unified Compliance Framework using a patented methodology and patented tools (you can research our patents HERE). The mapping team has taken every effort to ensure the quality of mapping is of the highest degree. To learn more about the process we use to map Authority Documents, or to become involved in that process, click HERE.

Controls and associated Citations breakdown

When the UCF Mapping Teams tag Citations and their associated mandates within an Authority Document, those Citations and Mandates are tied to Common Controls. In addition, by virtue of those Citations and mandates being tied to Common Controls, three sets of metadata are associated with each Citation: Controls by Impact Zone, Controls by Type, and Controls by Classification.

The online version of the mapping analysis you see here is just a fraction of the work the UCF Mapping Team has done. The downloadable version of this document, available within the Common Controls Hub (available HERE) contains the following:

Document implementation analysis – statistics about the document’s alignment with Common Controls as compared to other Authority Documents and statistics on usage of key terms and non-standard terms.

Citation and Mandate Tagging and Mapping – A complete listing of each and every Citation we found within ISO 37000:2021, Governance of organizations — Guidance, First Edition that has been tagged with its primary and secondary nouns and primary and secondary verbs, in three column format. The first column shows the Citation (the marker within the Authority Document that points to where we found the guidance). The second column shows the Citation guidance per se, along with the tagging for the mandate we found within the Citation. The third column shows the Common Control ID that the mandate is linked to, and the final column gives us the Common Control itself.

Dictionary Terms – The dictionary terms listed for ISO 37000:2021, Governance of organizations — Guidance, First Edition are based upon terms found within the Authority Document's defined terms section (which most legal documents have), its glossary, and, for the most part, as tagged within each mandate. The terms with links are the standardized version of the term.



Common Controls and mandates by Impact Zone

226 Mandated Controls - bold
70 Implied Controls - italic
2044 Implementation Controls - regular

An Impact Zone is a hierarchical way of organizing our suite of Common Controls — it is a taxonomy. The top levels of the UCF hierarchy are called Impact Zones. Common Controls are mapped within the UCF’s Impact Zones and are maintained in a legal hierarchy within that Impact Zone. Each Impact Zone deals with a separate area of policies, standards, and procedures: technology acquisition, physical security, continuity, records management, etc.


The UCF created its taxonomy by looking at the corpus of standards and regulations through the lens of unification and a view toward how the controls impact the organization. Thus, we created a hierarchical structure for each impact zone that takes into account regulatory and standards bodies, doctrines, and language.

Number of Controls: 2340 Total
  • Acquisition or sale of facilities, technology, and services
    32
    KEY:    Primary Verb     Primary Noun     Secondary Verb     Secondary Noun     Limiting Term
    Mandated - bold    Implied - italic    Implementation - regular TYPE CLASS
    Acquisition or sale of facilities, technology, and services CC ID 01123 IT Impact Zone IT Impact Zone
    Establish, implement, and maintain a consumer complaint management program. CC ID 04570
    [Assurance processes that inform the governing body independently and accurately include: whistleblowing processes and personnel and customer feedback mechanisms, both formal and informal (see NOTE 3). § 6.4.3.3 ¶ 2 Bullet 5]
    Business Processes Preventive
    Document consumer complaints. CC ID 13903 Business Processes Preventive
    Assess consumer complaints and litigation. CC ID 16521 Investigate Preventive
    Notify the complainant about their rights after receiving a complaint. CC ID 16794 Communicate Preventive
    Include how to access information from the dispute resolution body in the consumer complaint management program. CC ID 13816 Establish/Maintain Documentation Preventive
    Include any requirements for using information from the dispute resolution body in the consumer complaint management program. CC ID 13815 Establish/Maintain Documentation Preventive
    Post contact information in an easily seen location at facilities. CC ID 13812 Communicate Preventive
    Provide users a list of the available dispute resolution bodies. CC ID 13814 Communicate Preventive
    Post the dispute resolution body's contact information on the organization's website. CC ID 13811 Communicate Preventive
    Establish, implement, and maintain consumer complaint escalation procedures. CC ID 07208 Establish/Maintain Documentation Preventive
    Disseminate and communicate the consumer complaint management program to interested personnel and affected parties. CC ID 16795 Communicate Preventive
    Report the analysis of consumer complaints to the Quality Management committee. CC ID 07209 Actionable Reports or Measurements Preventive
    Establish, implement, and maintain notice and take-down procedures. CC ID 09963 Establish/Maintain Documentation Preventive
    Check communications for take-down requests. CC ID 09964 Monitor and Evaluate Occurrences Preventive
    Include complete information in the take-down request. CC ID 09965 Business Processes Detective
    Include the complainant's contact information in the take-down request. CC ID 09966 Business Processes Detective
    Include the identification of unlawful material or unlawful activities in the take-down request. CC ID 09967 Business Processes Detective
    Include the identification of the right that has allegedly been infringed in the take-down request. CC ID 09968 Business Processes Detective
    Include the remedial action required to be taken in respect of the complaint in the take-down request. CC ID 09969 Business Processes Detective
    Include a statement by the complainant that the information is true and correct in the take-down request. CC ID 09970 Business Processes Preventive
    Include a statement that the complainant is acting in good faith in the take-down request. CC ID 09971 Business Processes Detective
    Include the written signature or electronic signature of the complainant in the take-down request. CC ID 09972 Business Processes Detective
    Notify the complainant regarding any missing information in the take-down request. CC ID 09973 Behavior Preventive
    Analyze the digital content hosted by the organization for any electronic material associated with the take-down request. CC ID 09974 Business Processes Detective
    Document any unlawful material hosted or stored by the organization meeting the take-down request criteria. CC ID 09975 Establish/Maintain Documentation Preventive
    Document any unlawful material hosted or stored by the organization meeting the take-down request criteria that has been removed prior to the take-down request. CC ID 09976 Establish/Maintain Documentation Preventive
    Include whether it is technically feasible to follow the requested remedial action in the take-down request. CC ID 09977 Establish/Maintain Documentation Preventive
    Remove all unlawful material associated with the take-down request that has not been removed and is feasible to remove. CC ID 09978 Business Processes Preventive
    Notify the complainant when all unlawful material associated with the take-down notice that can be removed, has been removed. CC ID 09979 Business Processes Preventive
    Process product return requests. CC ID 11598 Acquisition/Sale of Assets or Services Corrective
    Refrain from returning products absent a return request authorization. CC ID 11599 Acquisition/Sale of Assets or Services Corrective
  • Audits and risk management
    596
    Audits and risk management CC ID 00677 IT Impact Zone IT Impact Zone
    Define the roles and responsibilities for personnel assigned to tasks in the Audit function. CC ID 00678
    [{individual}To provide effective oversight of the organization, in addition to the reports it receives from those to whom they have delegated, the governing body should assure itself that the governance system is appropriately designed and operating as intended. If the governing body cannot assure itself directly, then it should utilize additional means of independent assurance. The governing body should: carefully scrutinize the reporting lines of those who provide assurance internally, to safeguard their independence and authority (see NOTE 1); § 6.4.3.3 ¶ 1 d)]
    Establish Roles Preventive
    Manage supply chain audits. CC ID 01203 Audits and Risk Management Preventive
    Review the external auditors' involvement in assessing Information Technology controls. CC ID 01204 Audits and Risk Management Preventive
    Rotate auditors, as necessary. CC ID 15589
    [Where external auditors are appointed, there should be a rotation of audit firms or auditors and careful consideration and transparency of the non-audit services they provide, to ensure continued independent assurance. § 6.4.3.3 ¶ 3]
    Audits and Risk Management Preventive
    Assign the roles and responsibilities for the Board of Directors and senior management in the Audit function. CC ID 00679
    [To provide effective oversight of the organization, in addition to the reports it receives from those to whom they have delegated, the governing body should assure itself that the governance system is appropriately designed and operating as intended. If the governing body cannot assure itself directly, then it should utilize additional means of independent assurance. The governing body should: demonstrate its commitment to assurance and communicate appropriately and clearly, throughout the organization, about its assurance system. § 6.4.3.3 ¶ 1 g)]
    Establish Roles Preventive
    Assign the Board of Directors to address audit findings. CC ID 12396
    [Assurance processes that inform the governing body independently and accurately include: direct verifications by the governing body; § 6.4.3.3 ¶ 2 Bullet 1]
    Human Resources Management Corrective
    Assign the internal audit staff to be independent from business units reporting to the Board of Directors. CC ID 01184 Establish Roles Preventive
    Define and assign the internal audit manager's roles and responsibilities. CC ID 00680 Establish Roles Preventive
    Report audit findings by the internal audit manager directly to senior management. CC ID 01152
    [Assurance processes that inform the governing body independently and accurately include: direct reports by, and private sessions with, internal audit as an independent provider of assurance, including insight and advice, on the effectiveness and performance of governance processes and the internal control system, in particular risk management and compliance management; § 6.4.3.3 ¶ 2 Bullet 3
    Assurance processes that inform the governing body independently and accurately include: external audit and associated reporting to stakeholders and the governing body; § 6.4.3.3 ¶ 2 Bullet 4]
    Testing Detective
    Assign the internal audit manager's compensation and performance review to the Board of Directors or audit committee. CC ID 01186 Establish Roles Preventive
    Define and assign the internal audit staff's roles and responsibilities. CC ID 00681 Establish Roles Preventive
    Assign the responsibility for operating an internal control system to the internal audit staff. CC ID 01187 Establish Roles Preventive
    Define and assign the external auditor's roles and responsibilities. CC ID 00683 Establish Roles Preventive
    Engage auditors who have adequate knowledge of the subject matter. CC ID 07102 Audits and Risk Management Preventive
    Retain copies of external auditor outsourcing contracts and engagement letters. CC ID 01188 Establish/Maintain Documentation Preventive
    Review external auditor outsourcing contracts and engagement letters. CC ID 01189 Establish/Maintain Documentation Preventive
    Include roles and responsibilities in external auditor outsourcing contracts. CC ID 16523 Establish/Maintain Documentation Preventive
    Include a change control clause in external auditor outsourcing contracts. CC ID 01192 Establish/Maintain Documentation Preventive
    Include procedures for resolving problems in external auditor outsourcing contracts. CC ID 01196 Establish/Maintain Documentation Preventive
    Include procedures for controlling the use of restricted information in external auditor outsourcing contracts. CC ID 01194 Establish/Maintain Documentation Preventive
    Include reports and work paper Records Management practices in external auditor outsourcing contracts. CC ID 01195 Establish/Maintain Documentation Preventive
    Include communication protocols in external auditor outsourcing contracts. CC ID 01201 Establish/Maintain Documentation Preventive
    Review the external audit scope, as necessary. CC ID 01202 Audits and Risk Management Preventive
    Review the external audit assertion for accuracy. CC ID 06977 Testing Detective
    Review the risk assessments as compared to the in scope controls. CC ID 06978 Testing Detective
    Include nondisclosure agreements in external auditor outsourcing contracts. CC ID 10014 Audits and Risk Management Detective
    Include the scope and work to be performed in external auditor outsourcing contracts. CC ID 01190 Establish/Maintain Documentation Preventive
    Include work status reporting requirements in the external auditor outsourcing contracts. CC ID 01191 Establish/Maintain Documentation Preventive
    Include access to work papers in external auditor outsourcing contracts. CC ID 01193 Establish/Maintain Documentation Preventive
    Review the external auditor's qualifications. CC ID 01197 Audits and Risk Management Preventive
    Conduct a performance review of the external auditor's performance during the audit process. CC ID 01198 Audits and Risk Management Preventive
    Review the adequacy of the external auditor's work papers and audit reports. CC ID 01199 Establish/Maintain Documentation Preventive
    Review the conclusions of the external auditor's work papers and audit reports. CC ID 01200 Establish/Maintain Documentation Preventive
    Question external auditors about how audits were conducted and what is in the audit reports. CC ID 04587 Behavior Preventive
    Disseminate and communicate with the organization about any missing audit documentation. CC ID 06992 Behavior Preventive
    Evaluate any refusal by the organization to provide missing audit documentation. CC ID 06993 Establish/Maintain Documentation Preventive
    Take appropriate action if missing audit documentation compromises the audit. CC ID 06994 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain an audit program. CC ID 00684
    [To provide effective oversight of the organization, in addition to the reports it receives from those to whom they have delegated, the governing body should assure itself that the governance system is appropriately designed and operating as intended. If the governing body cannot assure itself directly, then it should utilize additional means of independent assurance. The governing body should: ensure that assurance services provided to the governing body are integrated and optimized so that, taken as a whole, they support and enable an effective internal control system and address the organization's significant risks and material matters; § 6.4.3.3 ¶ 1 f)
    Assurance processes that inform the governing body independently and accurately include: external audit and associated reporting to stakeholders and the governing body; § 6.4.3.3 ¶ 2 Bullet 4]
    Establish/Maintain Documentation Preventive
    Establish, implement, and maintain audit policies. CC ID 13166 Establish/Maintain Documentation Preventive
    Assign the audit to impartial auditors. CC ID 07118
    [The governing body should: assess its own competence, structures and processes, including drawing on the support of experienced, independent professionals, with respect to, for example, the adequacy of its effectiveness, efficiency, composition and its member succession plans; § 4.3.2 ¶ 2 d)
    To provide effective oversight of the organization, in addition to the reports it receives from those to whom they have delegated, the governing body should assure itself that the governance system is appropriately designed and operating as intended. If the governing body cannot assure itself directly, then it should utilize additional means of independent assurance. The governing body should: § 6.4.3.3 ¶ 1]
    Establish Roles Preventive
    Define what constitutes a threat to independence. CC ID 16824 Audits and Risk Management Preventive
    Determine if requested services create a threat to independence. CC ID 16823 Audits and Risk Management Detective
    Exercise due professional care during the planning and performance of the audit. CC ID 07119 Behavior Preventive
    Include resource requirements in the audit program. CC ID 15237 Establish/Maintain Documentation Preventive
    Include risks and opportunities in the audit program. CC ID 15236
    [To provide effective oversight of the organization, in addition to the reports it receives from those to whom they have delegated, the governing body should assure itself that the governance system is appropriately designed and operating as intended. If the governing body cannot assure itself directly, then it should utilize additional means of independent assurance. The governing body should: ensure that assurance services provided to the governing body are integrated and optimized so that, taken as a whole, they support and enable an effective internal control system and address the organization's significant risks and material matters; § 6.4.3.3 ¶ 1 f)]
    Establish/Maintain Documentation Preventive
    Include provisions for legislative plurality and legislative domain in the audit program. CC ID 06959 Audits and Risk Management Preventive
    Establish and maintain audit terms. CC ID 13880 Establish/Maintain Documentation Preventive
    Refrain from approving changes to the audit terms absent reasonable justification. CC ID 13973 Process or Activity Preventive
    Include a statement about the inherent limitations of the audit in the audit terms. CC ID 13883 Establish/Maintain Documentation Preventive
    Include a statement that the audit will be conducted in accordance with attestation standards in the audit terms. CC ID 13882 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain agreed upon procedures that are in scope for the audit. CC ID 13893 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain an in scope system description. CC ID 14873 Establish/Maintain Documentation Preventive
    Include in scope procedures in the audit assertion's in scope system description. CC ID 16551 Audits and Risk Management Preventive
    Include roles and responsibilities in the audit assertion's in scope system description. CC ID 16558 Audits and Risk Management Preventive
    Include the audit criteria in the audit assertion's in scope system description. CC ID 16548 Audits and Risk Management Preventive
    Include third party data in the audit assertion's in scope system description. CC ID 16554 Audits and Risk Management Preventive
    Include third party personnel in the audit assertion's in scope system description. CC ID 16552 Audits and Risk Management Preventive
    Include compliance requirements in the audit assertion's in scope system description. CC ID 16506 Audits and Risk Management Preventive
    Include third party assets in the audit assertion's in scope system description. CC ID 16550 Audits and Risk Management Preventive
    Include third party services in the audit assertion's in scope system description. CC ID 16503 Establish/Maintain Documentation Preventive
    Include monitoring controls in the audit assertion's in scope system description. CC ID 16501 Establish/Maintain Documentation Preventive
    Include availability commitments in the audit assertion's in scope system description. CC ID 14914 Establish/Maintain Documentation Preventive
    Include deviations and the corrective actions taken in the audit assertion's in scope system description. CC ID 16549 Audits and Risk Management Preventive
    Include changes in the audit assertion's in scope system description. CC ID 14894 Establish/Maintain Documentation Preventive
    Include external communications in the audit assertion's in scope system description. CC ID 14913 Establish/Maintain Documentation Preventive
    Include a section regarding incidents related to the system in the audit assertion's in scope system description. CC ID 14878 Establish/Maintain Documentation Preventive
    Include the function performed by the in scope system in the audit assertion's in scope system description. CC ID 14911 Establish/Maintain Documentation Preventive
    Include the disposition of the incident in the audit assertion's in scope system description. CC ID 14896 Establish/Maintain Documentation Preventive
    Include the extent of the incident in the audit assertion's in scope system description. CC ID 14895 Establish/Maintain Documentation Preventive
    Include the timing of each incident in the audit assertion's in scope system description. CC ID 14891 Establish/Maintain Documentation Preventive
    Include the nature of each incident in the audit assertion's in scope system description. CC ID 14889 Establish/Maintain Documentation Preventive
    Include a section regarding in scope controls related to the system in the audit assertion's in scope system description. CC ID 14897 Establish/Maintain Documentation Preventive
    Include how the in scope system meets external requirements in the audit assertion's in scope system description. CC ID 16502 Establish/Maintain Documentation Preventive
    Include the timing of each control in the audit assertion's in scope system description. CC ID 14916 Establish/Maintain Documentation Preventive
    Include the nature of the control in the audit assertion's in scope system description. CC ID 14910 Establish/Maintain Documentation Preventive
    Include the information sources used in performing the control in the audit assertion's in scope system description. CC ID 14909 Establish/Maintain Documentation Preventive
    Include the responsible party for performing the control in the audit assertion's in scope system description. CC ID 14907 Establish/Maintain Documentation Preventive
    Include the subject matter to which the control is applied in the audit assertion's in scope system description. CC ID 14904 Establish/Maintain Documentation Preventive
    Refrain from omitting or distorting information in the audit assertion's in scope system description. CC ID 14893 Establish/Maintain Documentation Preventive
    Include the timing of each change in the audit assertion's in scope system description. CC ID 14892 Establish/Maintain Documentation Preventive
    Include the system boundaries in the audit assertion's in scope system description. CC ID 14887 Establish/Maintain Documentation Preventive
    Determine the presentation method of the audit assertion's in scope system description. CC ID 14885 Establish/Maintain Documentation Detective
    Include the time frame covered by the description in the audit assertion's in scope system description. CC ID 14884 Establish/Maintain Documentation Preventive
    Include commitments to third parties in the audit assertion. CC ID 14899 Establish/Maintain Documentation Preventive
    Determine the completeness of the audit assertion's in scope system description. CC ID 14883 Establish/Maintain Documentation Preventive
    Determine the appropriateness of the audit assertion's in scope system description. CC ID 16449 Audits and Risk Management Detective
    Include system requirements in the audit assertion's in scope system description. CC ID 14881 Establish/Maintain Documentation Preventive
    Include third party controls in the audit assertion's in scope system description. CC ID 14880 Establish/Maintain Documentation Preventive
    Hold an opening meeting with interested personnel and affected parties prior to an audit. CC ID 15256 Audits and Risk Management Preventive
    Identify personnel who should attend the closing meeting. CC ID 15261 Business Processes Preventive
    Confirm audit requirements during the opening meeting. CC ID 15255 Audits and Risk Management Detective
    Include discussions about how particular situations will be handled in the opening meeting. CC ID 15254 Audits and Risk Management Preventive
    Include agreement to the audit scope and audit terms in the audit program. CC ID 06965 Establish/Maintain Documentation Preventive
    Establish and maintain a bespoke audit scope for each audit being performed. CC ID 13077 Establish/Maintain Documentation Preventive
    Include third party assets in the audit scope. CC ID 16504 Audits and Risk Management Preventive
    Include audit subject matter in the audit program. CC ID 07103 Establish/Maintain Documentation Preventive
    Examine the availability of the audit criteria in the audit program. CC ID 16520 Investigate Preventive
    Examine the objectivity of the audit criteria in the audit program. CC ID 07104 Establish/Maintain Documentation Preventive
    Examine the measurability of the audit criteria in the audit program. CC ID 07105 Establish/Maintain Documentation Preventive
    Examine the completeness of the audit criteria in the audit program. CC ID 07106 Establish/Maintain Documentation Preventive
    Examine the relevance of the audit criteria in the audit program. CC ID 07107 Establish/Maintain Documentation Preventive
    Determine the appropriateness of the audit subject matter. CC ID 16505 Audits and Risk Management Preventive
    Disseminate and communicate the audit program with the audit subject matter and audit criteria to all interested personnel and affected parties. CC ID 07116 Establish/Maintain Documentation Preventive
    Include the in scope material or in scope products in the audit program. CC ID 08961 Audits and Risk Management Preventive
    Include in scope information in the audit program. CC ID 16198 Establish/Maintain Documentation Preventive
    Include the out of scope material or out of scope products in the audit program. CC ID 08962 Establish/Maintain Documentation Preventive
    Provide a representation letter in support of the audit assertion. CC ID 07158 Establish/Maintain Documentation Preventive
    Include the date of the audit in the representation letter. CC ID 16517 Audits and Risk Management Preventive
    Include a statement that management has evaluated compliance with external requirements in the representation letter. CC ID 13942 Establish/Maintain Documentation Preventive
    Include a statement that the assumptions used for estimates are reasonable in the representation letter. CC ID 13934 Establish/Maintain Documentation Preventive
    Include a statement that uncorrected misstatements are believed to be immaterial in the representation letter. CC ID 13884 Establish/Maintain Documentation Preventive
    Include a statement that system incidents have been disclosed to the auditor in the representation letter. CC ID 16772 Establish/Maintain Documentation Preventive
    Include a statement that incidents of fraud and non-compliance have been disclosed to the auditor in the representation letter. CC ID 16769 Establish/Maintain Documentation Preventive
    Include a statement of responsibility for the subject matter in the representation letter. CC ID 07159 Establish/Maintain Documentation Preventive
    Include a statement of responsibility for selecting the audit criteria in the representation letter. CC ID 07160 Establish/Maintain Documentation Preventive
    Include a statement of responsibility regarding the appropriateness of the audit criteria in the representation letter. CC ID 07161 Establish/Maintain Documentation Preventive
    Include an assertion about the subject matter based on the selected audit criteria in the representation letter. CC ID 07162 Establish/Maintain Documentation Preventive
    Include a statement that all known matters contradicting the audit assertion have been disclosed to the auditor in the representation letter. CC ID 07163 Establish/Maintain Documentation Preventive
    Include the availability of all in scope records relevant to the subject matter in the representation letter. CC ID 07164 Establish/Maintain Documentation Preventive
    Include a statement that any known subsequent events have been disclosed to the auditor in the representation letter. CC ID 07165 Establish/Maintain Documentation Preventive
    Include a statement that deficiencies in internal controls have been disclosed to the auditor in the representation letter. CC ID 13899 Establish/Maintain Documentation Preventive
    Establish and maintain audit assertions, as necessary. CC ID 14871 Establish/Maintain Documentation Detective
    Include an in scope system description in the audit assertion. CC ID 14872 Establish/Maintain Documentation Preventive
    Include any assumptions that are improbable in the audit assertion. CC ID 13950 Establish/Maintain Documentation Preventive
    Include how the audit scope matches in scope controls in the audit assertion. CC ID 06969 Establish/Maintain Documentation Preventive
    Include why specific criteria are ignored by in scope controls in the audit assertion. CC ID 07027 Establish/Maintain Documentation Preventive
    Include how the in scope system is designed and implemented in the audit assertion. CC ID 06970 Establish/Maintain Documentation Preventive
    Include the responsible party's opinion of the quality of the evidence in the audit assertion. CC ID 13949 Establish/Maintain Documentation Preventive
    Include the end users and affected parties of the in scope system in the audit assertion. CC ID 07028 Establish/Maintain Documentation Preventive
    Include the in scope services offered or in scope transactions processed in the audit assertion. CC ID 06971 Establish/Maintain Documentation Preventive
    Include the in scope procedures in the audit assertion. CC ID 06972 Establish/Maintain Documentation Preventive
    Include the in scope records produced in the audit assertion. CC ID 06968 Establish/Maintain Documentation Preventive
    Include how in scope material events are monitored and logged in the audit assertion. CC ID 06973 Establish/Maintain Documentation Preventive
    Include any in scope material events that might affect the assertion in the audit assertion. CC ID 06991 Establish/Maintain Documentation Preventive
    Include the in scope controls and compliance documents in the audit assertion. CC ID 06974 Establish/Maintain Documentation Preventive
    Include the in scope risk assessment processes in the audit assertion. CC ID 06975 Establish/Maintain Documentation Preventive
    Include in scope change controls in the audit assertion. CC ID 06976 Establish/Maintain Documentation Preventive
    Include any in scope uncorrected errors or non-compliance issues in the audit assertion. CC ID 06989 Establish/Maintain Documentation Preventive
    Disseminate and communicate a written audit assertion of the audit scope and audit terms to interested personnel and affected parties. CC ID 06967 Establish/Maintain Documentation Preventive
    Include the scope for the desired level of assurance in the audit program. CC ID 12793 Communicate Preventive
    Include conditions that might require modification of the audit program in the audit terms. CC ID 07149 Establish/Maintain Documentation Preventive
    Include how access to in scope systems, personnel and in scope records is provided to the auditor in the audit terms. CC ID 06988 Establish/Maintain Documentation Preventive
    Include the criteria for determining the desired level of assurance in the audit program. CC ID 12795 Audits and Risk Management Preventive
    Establish, implement, and maintain procedures for determining the desired level of assurance in the audit program. CC ID 12794
    [To provide effective oversight of the organization, in addition to the reports it receives from those to whom they have delegated, the governing body should assure itself that the governance system is appropriately designed and operating as intended. If the governing body cannot assure itself directly, then it should utilize additional means of independent assurance. The governing body should: determine the level of assurance scrutiny it requires, depending on the assessed risk; § 6.4.3.3 ¶ 1 a)]
    Establish/Maintain Documentation Preventive
    Include the expectations for the audit report in the audit terms. CC ID 07148 Establish/Maintain Documentation Preventive
    Establish and maintain a practitioner’s report on management’s assertions, as necessary. CC ID 13888 Establish/Maintain Documentation Preventive
    Refrain from changing the date of the practitioner's report on agreed-upon procedures when reissuing it. CC ID 13896 Establish/Maintain Documentation Corrective
    Hold a closing meeting following an audit to present audit findings and conclusions. CC ID 15248 Communicate Preventive
    Include materiality levels in the audit terms. CC ID 01238 Establish/Maintain Documentation Preventive
    Include material changes in information processes, Information Systems, and assets that could affect audits in the audit terms. CC ID 01239 Establish/Maintain Documentation Preventive
    Include material weaknesses, material failures, and material errors in information processes, Information Systems, and assets that could affect audits in the audit terms. CC ID 01240 Establish/Maintain Documentation Preventive
    Schedule attestation engagement meetings with interested personnel and affected parties, as necessary. CC ID 15263 Business Processes Preventive
    Refrain from performing an attestation engagement under defined conditions. CC ID 13952 Audits and Risk Management Detective
    Refrain from accepting an attestation engagement when the engaging party refuses to sign the engagement letter. CC ID 14912 Business Processes Preventive
    Refrain from accepting an attestation engagement unless the prospective financial information includes a summary of significant assumptions. CC ID 13954 Behavior Preventive
    Refrain from accepting an attestation engagement when all parties disagree on the procedures. CC ID 13951 Audits and Risk Management Preventive
    Accept the attestation engagement when all preconditions are met. CC ID 13933 Business Processes Preventive
    Audit in scope audit items and compliance documents. CC ID 06730 Audits and Risk Management Preventive
    Collect all work papers for the audit and audit report into an engagement file. CC ID 07001 Actionable Reports or Measurements Preventive
    Document any after the fact changes to the engagement file. CC ID 07002 Establish/Maintain Documentation Preventive
    Protect access to the engagement file and all associated audit documentation in compliance with Authority Documents the organization must follow. CC ID 07179 Establish/Maintain Documentation Preventive
    Disclose work papers in the engagement file in compliance with legal requirements. CC ID 07180 Establish/Maintain Documentation Preventive
    Archive the engagement file and all work papers for the period prescribed by law or contract. CC ID 10038 Records Management Preventive
    Conduct onsite inspections, as necessary. CC ID 16199 Testing Preventive
    Identify hypothetical assumptions in forecasts and projections during an audit. CC ID 13946 Audits and Risk Management Detective
    Refrain from examining forecasts and projections that do not disclose their assumptions during an audit. CC ID 13932 Audits and Risk Management Detective
    Audit policies, standards, and procedures. CC ID 12927 Audits and Risk Management Preventive
    Audit cybersecurity risk management within the policies, standards, and procedures of the organization. CC ID 13011 Investigate Detective
    Audit information systems, as necessary. CC ID 13010
    [{be responsible}{be ethical}The governing body should provide direction for, and have sufficient oversight of, the use of data and its supporting information technology to ensure the organization remains within its established risk appetite and organizational risk framework. This can include: adequate auditing, and monitoring, of information technology to ensure its responsible, including ethical, use and that it meets the governing body's intentions and expectations as well as the organization's compliance obligations; § 6.8.3.4 ¶ 2 c)]
    Investigate Detective
    Audit the potential costs of compromise to information systems. CC ID 13012 Investigate Detective
    Determine the accurateness of the audit assertion's in scope system description. CC ID 06979 Testing Detective
    Determine if the in scope system has been implemented as described in the audit assertion. CC ID 06983 Testing Detective
    Investigate the nature and causes of misstatements in the audit assertion's in scope system description. CC ID 16557 Audits and Risk Management Detective
    Determine the effect of fraud and non-compliance on the description of the system in the audit assertion, as necessary. CC ID 13977 Process or Activity Detective
    Edit the audit assertion for accuracy. CC ID 07030 Establish/Maintain Documentation Preventive
    Determine if the audit assertion's in scope procedures are accurately documented. CC ID 06982 Establish/Maintain Documentation Preventive
    Determine if the audit assertion's in scope controls are reasonable. CC ID 06980 Testing Detective
    Determine the effect of fraud and non-compliance on the achievement of in scope controls in the audit assertion, as necessary. CC ID 13978 Process or Activity Detective
    Document test plans for auditing in scope controls. CC ID 06985 Testing Detective
    Determine the implementation status of the audit assertion's in scope controls. CC ID 06981 Testing Detective
    Determine the effectiveness of in scope controls. CC ID 06984 Testing Detective
    Review incident management audit logs to determine the effectiveness of in scope controls. CC ID 12157 Audits and Risk Management Detective
    Review audit reports to determine the effectiveness of in scope controls. CC ID 12156 Audits and Risk Management Detective
    Observe processes to determine the effectiveness of in scope controls. CC ID 12155 Audits and Risk Management Detective
    Interview stakeholders to determine the effectiveness of in scope controls. CC ID 12154 Audits and Risk Management Detective
    Review documentation to determine the effectiveness of in scope controls. CC ID 16522 Process or Activity Preventive
    Review policies and procedures to determine the effectiveness of in scope controls. CC ID 12144 Audits and Risk Management Detective
    Evaluate personnel status changes to determine the effectiveness of in scope controls. CC ID 16556 Audits and Risk Management Detective
    Determine whether individuals performing a control have the appropriate staff qualifications, staff clearances, and staff competencies. CC ID 16555 Audits and Risk Management Detective
    Determine any errors or material omissions in the audit assertion that affect in scope control implementations. CC ID 06990 Testing Detective
    Include the process of using evidential matter to test in scope controls in the test plan. CC ID 06996 Establish/Maintain Documentation Preventive
    Audit the in scope system according to the test plan using relevant evidence. CC ID 07112 Testing Preventive
    Implement procedures that collect sufficient audit evidence. CC ID 07153 Audits and Risk Management Preventive
    Collect evidence about the in scope audit items of the audit assertion. CC ID 07154 Audits and Risk Management Preventive
    Collect audit evidence sufficient to avoid misstatements. CC ID 07155 Audits and Risk Management Preventive
    Collect audit evidence at the level of the organization's competence in the subject matter. CC ID 07156 Audits and Risk Management Preventive
    Collect audit evidence sufficient to overcome inadequacies in the organization's attestation. CC ID 07157 Audits and Risk Management Preventive
    Provide transactional walkthrough procedures for external auditors. CC ID 00672 Testing Preventive
    Establish, implement, and maintain interview procedures. CC ID 16282 Establish/Maintain Documentation Preventive
    Include roles and responsibilities in the interview procedures. CC ID 16297 Human Resources Management Preventive
    Coordinate the scheduling of interviews. CC ID 16293 Process or Activity Preventive
    Create a schedule for the interviews. CC ID 16292 Process or Activity Preventive
    Identify interviewees. CC ID 16290 Process or Activity Preventive
    Conduct interviews, as necessary. CC ID 07188 Testing Detective
    Verify statements made by interviewees are correct. CC ID 16299 Behavior Detective
    Discuss unsolved questions with the interviewee. CC ID 16298 Process or Activity Detective
    Allow the interviewee to respond to explanations. CC ID 16296 Process or Activity Detective
    Explain the requirements being discussed to the interviewee. CC ID 16294 Process or Activity Detective
    Explain the goals of the interview to the interviewee. CC ID 07189 Behavior Detective
    Explain the testing results to the interviewee. CC ID 16291 Process or Activity Preventive
    Withdraw from the audit, when defined conditions exist. CC ID 13885 Process or Activity Corrective
    Establish and maintain work papers, as necessary. CC ID 13891 Establish/Maintain Documentation Preventive
    Include the auditor's conclusions on work performed by individuals assigned to the audit in the work papers. CC ID 16775 Establish/Maintain Documentation Preventive
    Include audit irregularities in the work papers. CC ID 16774 Establish/Maintain Documentation Preventive
    Include corrective actions in the work papers. CC ID 16771 Establish/Maintain Documentation Preventive
    Include information about the organization being audited and the auditor performing the audit in the work papers. CC ID 16770 Establish/Maintain Documentation Preventive
    Include discussions with interested personnel and affected parties in the work papers. CC ID 16768 Establish/Maintain Documentation Preventive
    Include justification for departing from mandatory requirements in the work papers. CC ID 13935 Establish/Maintain Documentation Preventive
    Include audit evidence obtained from previous engagements in the work papers. CC ID 16518 Audits and Risk Management Preventive
    Include the reviewer, and dates, for using evidential matter to test in scope controls in the work papers. CC ID 06998 Establish/Maintain Documentation Preventive
    Include the tests, examinations, interviews and observations performed during the audit in the work papers. CC ID 07190 Establish/Maintain Documentation Preventive
    Include if any subject matter experts or additional research had to be undertaken to test in scope controls in the work papers. CC ID 07026 Establish/Maintain Documentation Preventive
    Include the tester, and dates, for using evidential matter to test in scope controls in the work papers. CC ID 06997 Establish/Maintain Documentation Preventive
    Include if the audit evidence has identified in scope control deficiencies in the work papers. CC ID 07152 Audits and Risk Management Detective
    Include any subsequent events related to the audit assertion or audit subject matter in the work papers. CC ID 07177 Audits and Risk Management Preventive
    Include if in scope control deviations allow in scope controls to be performed acceptably in the work papers. CC ID 06987 Testing Detective
    Include the causes of identified in scope control deficiencies in the work papers. CC ID 07000 Establish/Maintain Documentation Preventive
    Include discussions regarding the causes of identified in scope control deficiencies in the work papers. CC ID 06999 Establish/Maintain Documentation Preventive
    Investigate the nature and causes of identified in scope control deviations. CC ID 06986 Testing Detective
    Supervise interested personnel and affected parties participating in the audit. CC ID 07150 Monitor and Evaluate Occurrences Preventive
    Notify interested personnel and affected parties participating in the audit of their roles and responsibilities during the audit. CC ID 07151 Establish Roles Preventive
    Respond to questions or clarification requests regarding the audit. CC ID 08902 Business Processes Preventive
    Track and measure the implementation of the organizational compliance framework. CC ID 06445 Monitor and Evaluate Occurrences Preventive
    Review the need for organizational efficiency as balanced against the needs of compliance and security. CC ID 07111 Business Processes Preventive
    Engage subject matter experts when the auditor requires additional expertise during an attestation engagement, as necessary. CC ID 13971 Process or Activity Preventive
    Review the subject matter expert's findings. CC ID 16559 Audits and Risk Management Detective
    Establish, implement, and maintain a practitioner’s report on agreed-upon procedures. CC ID 13894 Establish/Maintain Documentation Preventive
    Provide auditors access to all in scope records, in scope assets, personnel and in scope procedures. CC ID 06966 Audits and Risk Management Preventive
    Permit assessment teams to conduct audits, as necessary. CC ID 16430 Investigate Detective
    Provide auditors access to affected parties during the audit, as necessary. CC ID 07187 Business Processes Preventive
    Solve any access problems auditors encounter during the audit. CC ID 08959 Audits and Risk Management Corrective
    Notify interested personnel and affected parties when an auditee refuses to provide access or participate in the audit. CC ID 08960 Audits and Risk Management Preventive
    Establish and maintain a practitioner's examination report on pro forma financial information. CC ID 13968 Establish/Maintain Documentation Preventive
    Include references to where financial information was derived in the practitioner's review report on pro forma financial information. CC ID 13982 Establish/Maintain Documentation Preventive
    Include a statement that the financial statements used were audited by other practitioners in the practitioner's examination report on pro forma financial information, as necessary. CC ID 13981 Establish/Maintain Documentation Preventive
    Establish and maintain organizational audit reports. CC ID 06731 Establish/Maintain Documentation Preventive
    Determine what disclosures are required in the audit report. CC ID 14888 Establish/Maintain Documentation Detective
    Include the justification for not following the applicable requirements in the audit report. CC ID 16822 Audits and Risk Management Preventive
    Include a statement that the applicable requirements were not followed in the audit report. CC ID 16821 Audits and Risk Management Preventive
    Include audit subject matter in the audit report. CC ID 14882 Establish/Maintain Documentation Preventive
    Include an other-matter paragraph in the audit report. CC ID 14901 Establish/Maintain Documentation Preventive
    Identify the audit team members in the audit report. CC ID 15259 Human Resources Management Detective
    Write the audit report using clear and conspicuous language. CC ID 13948 Establish/Maintain Documentation Preventive
    Include a statement that the sufficiency of the agreed upon procedures is the responsibility of the specified parties in the audit report. CC ID 13936 Establish/Maintain Documentation Preventive
    Include a statement that the financial statements were audited in the audit report. CC ID 13963 Establish/Maintain Documentation Preventive
    Include the criteria that financial information was measured against in the audit report. CC ID 13966 Establish/Maintain Documentation Preventive
    Include a description of the financial information being reported on in the audit report. CC ID 13965 Establish/Maintain Documentation Preventive
    Include references to any adjustments of financial information in the audit report. CC ID 13964 Establish/Maintain Documentation Preventive
    Include in the audit report that audit opinions are not dependent on references to subject matter experts, as necessary. CC ID 13953 Establish/Maintain Documentation Preventive
    Include references to historical financial information used in the audit report. CC ID 13961 Establish/Maintain Documentation Preventive
    Include a statement about the inherent limitations of the audit in the audit report. CC ID 14900 Establish/Maintain Documentation Preventive
    Include a description of the limitations on the usefulness of hypothetical assumptions in the audit report. CC ID 13958 Establish/Maintain Documentation Preventive
    Include the word independent in the title of audit reports. CC ID 07003 Actionable Reports or Measurements Preventive
    Include the date of the audit in the audit report. CC ID 07024 Actionable Reports or Measurements Preventive
    Structure the audit report to be in the form of procedures and findings. CC ID 13940 Establish/Maintain Documentation Preventive
    Include information about the organization being audited and the auditor performing the audit in the audit report. CC ID 07004 Actionable Reports or Measurements Preventive
    Include any discussions of significant findings in the audit report. CC ID 13955 Establish/Maintain Documentation Preventive
    Include the date and with whom discussions about significant findings took place in the audit report. CC ID 13962 Establish/Maintain Documentation Preventive
    Include the audit criteria in the audit report. CC ID 13945 Establish/Maintain Documentation Preventive
    Include a statement in the audit report that the agreed upon procedures were potentially insufficient in identifying material risks, as necessary. CC ID 13957 Establish/Maintain Documentation Preventive
    Include all hypothetical assumptions in the audit report. CC ID 13947 Establish/Maintain Documentation Preventive
    Include a statement that access to the report is restricted based on least privilege in the audit report. CC ID 07023 Actionable Reports or Measurements Preventive
    Include a statement that identifies the distribution list for the report in the audit report. CC ID 07172 Establish/Maintain Documentation Preventive
    Include a statement that identifies the use restrictions for the report in the audit report. CC ID 07173 Establish/Maintain Documentation Preventive
    Include a statement that the agreed upon procedures involve collecting evidence in the audit report. CC ID 13956 Establish/Maintain Documentation Preventive
    Include all of the facts and demonstrated plausibility in the audit report. CC ID 08929 Establish/Maintain Documentation Preventive
    Include a statement that the agreed upon procedures were performed by all parties in the audit report. CC ID 13931 Establish/Maintain Documentation Preventive
    Include references to subject matter experts in the audit report when citing qualified opinions. CC ID 13929 Establish/Maintain Documentation Preventive
    Include a description of the assistance provided by Subject Matter Experts in the audit report. CC ID 13939 Establish/Maintain Documentation Preventive
    Include a review of the subject matter expert's findings in the audit report. CC ID 13972 Establish/Maintain Documentation Preventive
    Include a statement of the character of the engagement in the audit report. CC ID 07166 Establish/Maintain Documentation Preventive
    Include the nature and scope of the audit performed in the statement of the character of the engagement in the audit report. CC ID 07167 Establish/Maintain Documentation Preventive
    Include the professional standards governing the audit in the statement of the character of the engagement in the audit report. CC ID 07168 Establish/Maintain Documentation Preventive
    Include all restrictions on the audit in the audit report. CC ID 13930 Establish/Maintain Documentation Preventive
    Include a statement that the auditor has no responsibility to update the audit report after its submission. CC ID 13943 Establish/Maintain Documentation Preventive
    Include a statement on the auditor's ethical requirements in the audit report. CC ID 16767 Establish/Maintain Documentation Preventive
    Include a statement that the responsible party refused to provide a written assertion in the audit report. CC ID 13887 Establish/Maintain Documentation Preventive
    Include a statement that the examination involves procedures for collecting evidence in the audit report. CC ID 13941 Establish/Maintain Documentation Preventive
    Express an adverse opinion in the audit report when significant assumptions are not suitably supported. CC ID 13944 Establish/Maintain Documentation Preventive
    Include a statement that modifications to historical evidence accurately reflect current evidence in the audit report. CC ID 13938 Establish/Maintain Documentation Preventive
    Refrain from referencing previous engagements in the audit report. CC ID 16516 Audits and Risk Management Preventive
    Refrain from referencing other auditors' work in the audit report. CC ID 13881 Establish/Maintain Documentation Preventive
    Include that the audit findings are not a predictive analysis of future compliance in the audit report. CC ID 07018 Establish/Maintain Documentation Preventive
    Identify the participants from the organization being audited in the audit report. CC ID 15258 Audits and Risk Management Detective
    Include how in scope controls meet external requirements in the audit report. CC ID 16450 Establish/Maintain Documentation Preventive
    Include the in scope records used to obtain audit evidence in the description of tests of controls and results in the audit report. CC ID 14915 Establish/Maintain Documentation Preventive
    Include recommended corrective actions in the audit report. CC ID 16197 Establish/Maintain Documentation Preventive
    Include risks and opportunities in the audit report. CC ID 16196 Establish/Maintain Documentation Preventive
    Include the description of tests of controls and results in the audit report. CC ID 14898 Establish/Maintain Documentation Preventive
    Include the nature of the tests performed in the description of tests of controls and results in the audit report. CC ID 14908 Establish/Maintain Documentation Preventive
    Include the test scope in the description of tests of controls and results in the audit report. CC ID 14906 Establish/Maintain Documentation Preventive
    Identify the stakeholders interviewed to obtain audit evidence in the description of tests of controls and results in the audit report. CC ID 14905 Establish/Maintain Documentation Preventive
    Include the timing of controls in the description of tests of controls and results in the audit report. CC ID 16553 Audits and Risk Management Preventive
    Include the controls that were tested in the description of tests of controls and results in the audit report. CC ID 14902 Establish/Maintain Documentation Preventive
    Include subsequent events related to the audit assertion or audit subject matter in the audit report. CC ID 16773 Establish/Maintain Documentation Preventive
    Include the organization's audit assertion of the in scope system in the audit report. CC ID 07005 Actionable Reports or Measurements Preventive
    Include that the organization is the responsible party for the content of its audit assertion and in scope system description in the audit report. CC ID 07010 Establish/Maintain Documentation Preventive
    Include that the organization is the responsible party for providing in scope services in the audit report. CC ID 14903 Establish/Maintain Documentation Preventive
    Include that the organization is the responsible party for specifying in scope controls not defined by law or contractual obligation in the audit report. CC ID 07011 Establish/Maintain Documentation Preventive
    Include that the organization is the responsible party for designing and implementing the in scope controls it identified in the audit scope in the audit report. CC ID 07014 Establish/Maintain Documentation Preventive
    Include the audit opinion regarding the accurateness of the in scope system description in the audit report. CC ID 07019 Establish/Maintain Documentation Preventive
    Include the attestation standards the auditor follows in the audit report. CC ID 07015 Establish/Maintain Documentation Preventive
    Include the audit opinion about the audit assertion in relation to the audit criteria used for evaluation in the audit report. CC ID 07169 Establish/Maintain Documentation Preventive
    Include the auditor's significant reservations about the engagement, the audit assertion, or the audit subject matter in the audit report. CC ID 07170 Establish/Maintain Documentation Preventive
    Include an emphasis-of-matter paragraph in the audit report. CC ID 14890 Establish/Maintain Documentation Preventive
    Include the organization's in scope system description in the audit report. CC ID 11626 Audits and Risk Management Preventive
    Include any out of scope components of in scope systems in the audit report. CC ID 07006 Establish/Maintain Documentation Preventive
    Include that the organization is the responsible party for identifying material risks in the audit report. CC ID 07012 Establish/Maintain Documentation Preventive
    Include that the organization is the responsible party for selecting the audit criteria in the audit report. CC ID 07013 Establish/Maintain Documentation Preventive
    Include the scope and work performed in the audit report. CC ID 11621 Audits and Risk Management Preventive
    Review the adequacy of the internal auditor's work papers. CC ID 01146 Audits and Risk Management Detective
    Compare the evaluations completed by the internal auditors and the external auditors in past audit reports. CC ID 01158 Establish/Maintain Documentation Detective
    Review the adequacy of the internal auditor's audit reports. CC ID 11620 Audits and Risk Management Detective
    Review past audit reports. CC ID 01155 Establish/Maintain Documentation Detective
    Review past audit reports for specific process steps and calculations that were stated to support the audit report's conclusions. CC ID 01160 Establish/Maintain Documentation Detective
    Review the reporting of material weaknesses and risks in past audit reports. CC ID 01161 Establish/Maintain Documentation Detective
    Resolve disputes before creating the audit summary. CC ID 08964 Behavior Preventive
    Refrain from including the description of the audit in the audit report when the auditor is disclaiming an audit opinion. CC ID 13975 Establish/Maintain Documentation Preventive
    Refrain from including scope limitations from changed attestation engagements in the audit report. CC ID 13983 Establish/Maintain Documentation Preventive
    Refrain from including in the audit report any procedures that were performed that the auditor is disclaiming in an audit opinion. CC ID 13974 Establish/Maintain Documentation Preventive
    Include deficiencies and non-compliance in the audit report. CC ID 14879 Establish/Maintain Documentation Corrective
    Determine the effect of deficiencies on the audit report, as necessary. CC ID 14886 Investigate Detective
    Determine the effect of fraud and non-compliance on the audit report, as necessary. CC ID 13979 Process or Activity Detective
    Include an audit opinion in the audit report. CC ID 07017 Establish/Maintain Documentation Preventive
    Include qualified opinions in the audit report. CC ID 13928 Establish/Maintain Documentation Preventive
    Include that the auditor is the responsible party to express an opinion on the audit subject matter based on examination of evidence in the audit report. CC ID 07174 Establish/Maintain Documentation Preventive
    Include a description of the reasons for modifying the audit opinion in the audit report. CC ID 13898 Establish/Maintain Documentation Corrective
    Include that the auditor did not express an opinion in the audit report, as necessary. CC ID 13886 Establish/Maintain Documentation Preventive
    Disclaim the audit opinion in the audit report, as necessary. CC ID 13901 Business Processes Corrective
    Include items that were excluded from the audit report in the audit report. CC ID 07007 Establish/Maintain Documentation Preventive
    Include the organization's privacy practices in the audit report. CC ID 07029 Establish/Maintain Documentation Preventive
    Include items that pertain to third parties in the audit report. CC ID 07008 Establish/Maintain Documentation Preventive
    Refrain from including reference to procedures performed in previous attestation engagements in the audit report. CC ID 13970 Establish/Maintain Documentation Preventive
    Include a statement in the audit report that no procedures were performed subsequent to the date of the practitioner's review report on pro forma financial information, as necessary. CC ID 13969 Establish/Maintain Documentation Preventive
    Include any of the organization's use of compensating controls that were not audited in the audit report. CC ID 07009 Establish/Maintain Documentation Preventive
    Include whether the use of compensating controls is necessary in the audit report. CC ID 07020 Establish/Maintain Documentation Preventive
    Include the pass or fail test status of all in scope controls in the audit report. CC ID 07016 Establish/Maintain Documentation Preventive
    Include the process of using evidential matter to test in scope controls in the audit report. CC ID 07021 Establish/Maintain Documentation Preventive
    Include the nature and causes of identified in scope control deviations in the audit report. CC ID 07022 Establish/Maintain Documentation Preventive
    Modify the audit opinion in the audit report under defined conditions. CC ID 13937 Establish/Maintain Documentation Corrective
    Disclose any audit irregularities in the audit report. CC ID 06995 Actionable Reports or Measurements Preventive
    Include the written signature of the auditor's organization in the audit report. CC ID 13897 Establish/Maintain Documentation Preventive
    Disseminate and communicate the audit report to all interested personnel and affected parties identified in the distribution list. CC ID 07117
    [Assurance processes that inform the governing body independently and accurately include: external audit and associated reporting to stakeholders and the governing body; § 6.4.3.3 ¶ 2 Bullet 4]
    Establish/Maintain Documentation Preventive
    Disseminate and communicate the reviews of audit reports to organizational management. CC ID 00653 Log Management Detective
    Disseminate and communicate the reasons the audit report was delayed to interested personnel and affected parties. CC ID 15257 Communicate Preventive
    Notify auditees if disclosure of audit documentation is required by law. CC ID 15249 Communicate Preventive
    Disseminate and communicate to the organization that access and use of audit reports are based on least privilege. CC ID 07171 Behavior Preventive
    Disseminate and communicate documents that contain information in support of the audit report. CC ID 07175 Establish/Maintain Documentation Preventive
    Correct any material misstatements in documents that contain information in support of the audit report. CC ID 07176 Establish/Maintain Documentation Preventive
    Review the issues of non-compliance from past audit reports. CC ID 01148 Establish/Maintain Documentation Detective
    Notify interested personnel and affected parties after bribes are offered during the audit. CC ID 08872 Business Processes Preventive
    Submit an audit report that is complete. CC ID 01145 Testing Detective
    Accept the audit report. CC ID 07025 Establish/Maintain Documentation Preventive
    Implement a corrective action plan in response to the audit report. CC ID 06777 Establish/Maintain Documentation Corrective
    Assign responsibility for remediation actions. CC ID 13622 Human Resources Management Preventive
    Monitor and report on the status of mitigation actions in the corrective action plan. CC ID 15250 Actionable Reports or Measurements Corrective
    Review management's response to issues raised in past audit reports. CC ID 01149 Audits and Risk Management Detective
    Define penalties for uncorrected audit findings or remaining non-compliant with the audit report. CC ID 08963 Establish/Maintain Documentation Preventive
    Assess the quality of the audit program in regards to the staff and their qualifications. CC ID 01150
    [{individual}To provide effective oversight of the organization, in addition to the reports it receives from those to whom they have delegated, the governing body should assure itself that the governance system is appropriately designed and operating as intended. If the governing body cannot assure itself directly, then it should utilize additional means of independent assurance. The governing body should: ensure that those providing assurance have appropriate authority and adequate resources to provide the governing body with accurate assessments; § 6.4.3.3 ¶ 1 b)
    To provide effective oversight of the organization, in addition to the reports it receives from those to whom they have delegated, the governing body should assure itself that the governance system is appropriately designed and operating as intended. If the governing body cannot assure itself directly, then it should utilize additional means of independent assurance. The governing body should: ensure that assurance providers have the necessary competency and capacity and that their efforts are appropriately focused; § 6.4.3.3 ¶ 1 c)
    To provide effective oversight of the organization, in addition to the reports it receives from those to whom they have delegated, the governing body should assure itself that the governance system is appropriately designed and operating as intended. If the governing body cannot assure itself directly, then it should utilize additional means of independent assurance. The governing body should: carefully scrutinize the ability of any external assurance providers, to provide independent assurance (see NOTE 1); § 6.4.3.3 ¶ 1 e)
    Where external auditors are appointed, there should be a rotation of audit firms or auditors and careful consideration and transparency of the non-audit services they provide, to ensure continued independent assurance. § 6.4.3.3 ¶ 3]
    Testing Detective
    Evaluate the competency of auditors. CC ID 15253 Human Resources Management Detective
    Review the audit program scope as it relates to the organization's profile. CC ID 01159 Audits and Risk Management Detective
    Assess the quality of the audit program in regards to its documentation. CC ID 11622 Audits and Risk Management Preventive
    Establish, implement, and maintain the audit plan. CC ID 01156 Testing Detective
    Include the audit criteria in the audit plan. CC ID 15262 Establish/Maintain Documentation Preventive
    Include a list of reference documents in the audit plan. CC ID 15260 Establish/Maintain Documentation Preventive
    Include the languages to be used for the audit in the audit plan. CC ID 15252 Establish/Maintain Documentation Preventive
    Include the allocation of resources in the audit plan. CC ID 15251
    [{individual}To provide effective oversight of the organization, in addition to the reports it receives from those to whom they have delegated, the governing body should assure itself that the governance system is appropriately designed and operating as intended. If the governing body cannot assure itself directly, then it should utilize additional means of independent assurance. The governing body should: ensure that those providing assurance have appropriate authority and adequate resources to provide the governing body with accurate assessments; § 6.4.3.3 ¶ 1 b)]
    Establish/Maintain Documentation Preventive
    Include communication protocols in the audit plan. CC ID 15247 Establish/Maintain Documentation Preventive
    Include the level of audit sampling necessary to collect sufficient audit evidence in the audit plan. CC ID 15246 Establish/Maintain Documentation Preventive
    Include meeting schedules in the audit plan. CC ID 15245 Establish/Maintain Documentation Preventive
    Include the time frames for the audit in the audit plan. CC ID 15244 Establish/Maintain Documentation Preventive
    Include the time frames for conducting the audit in the audit plan. CC ID 15243 Establish/Maintain Documentation Preventive
    Include the locations to be audited in the audit plan. CC ID 15242 Establish/Maintain Documentation Preventive
    Include the processes to be audited in the audit plan. CC ID 15241 Establish/Maintain Documentation Preventive
    Include audit objectives in the audit plan. CC ID 15240 Establish/Maintain Documentation Preventive
    Include the risks associated with audit activities in the audit plan. CC ID 15239 Establish/Maintain Documentation Preventive
    Disseminate and communicate the audit plan to interested personnel and affected parties. CC ID 15238 Communicate Preventive
    Establish, implement, and maintain an audit schedule for the audit program. CC ID 13158 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain a risk management program. CC ID 12051
    [To exercise effective oversight, the governing body should: ensure that an internal control system is implemented, including a risk management system, a compliance management system and a system of financial controls; § 6.4.3.1 ¶ 1 b)
    The governing body should establish an organizational risk framework that ensures a formal, proactive and anticipative approach to the management of risk across the organization, including by the governing body. The governing body should ensure that this framework integrates risk management into all organizational activities. § 6.9.3.2 ¶ 1
    The governing body should oversee the organization's management of risk (see 6.4), ensuring that: the intended risk management performance is achieved. § 6.9.3.4 ¶ 1 i)
    {environmental system}{social system} The governing body should ensure that the organization protects and restores those systems on which it depends. In this regard, the governing body should consider and manage risk associated with those decisions it makes that can impact the natural environmental, social and economic systems (see 6.9). While doing so, the governing body should ensure that relevant stakeholders are consulted and engaged (see 6.6). This should provide clarity regarding the impact the governing body's decisions have, over time, on those aspects on which the organization is: § 6.11.3.4 ¶ 1]
    Establish/Maintain Documentation Preventive
    Include the scope of risk management activities in the risk management program. CC ID 13658 Establish/Maintain Documentation Preventive
    Document and justify any exclusions from the scope of the risk management activities in the risk management program. CC ID 15336 Business Processes Detective
    Integrate the risk management program with the organization's business activities. CC ID 13661
    [The governing body should establish an organizational risk framework that ensures a formal, proactive and anticipative approach to the management of risk across the organization, including by the governing body. The governing body should ensure that this framework integrates risk management into all organizational activities. § 6.9.3.2 ¶ 1
    In overseeing risk management, the governing body should specifically assure itself that risk management is integrated into all organizational activities by seeking evidence that, for example: § 6.9.3.4 ¶ 2]
    Business Processes Preventive
    Integrate the risk management program into daily business decision-making. CC ID 13659
    [The governing body should oversee the organization's management of risk (see 6.4), ensuring that: decision-making behaviours are informed by risk assessment outcomes and are consistent with governance policies; § 6.9.3.4 ¶ 1 g)
    The governing body should ensure that the organizational risk framework, in respect to the management of risk: guides decision-making behaviours and the impact of leadership actions, inactions or omissions on those behaviours; § 6.9.3.2 ¶ 2 b)]
    Business Processes Preventive
    Include managing mobile risks in the risk management program. CC ID 13535 Establish/Maintain Documentation Preventive
    Take into account if the system will be accessed by or have an impact on children in the risk management program. CC ID 14992 Audits and Risk Management Preventive
    Include regular updating in the risk management system. CC ID 14990 Business Processes Preventive
    Establish, implement, and maintain risk management strategies. CC ID 13209
    [The governing body should oversee the organization's management of risk (see 6.4), ensuring that: strategies to manage risk are deployed within agreed risk limits and associated risk tolerance; § 6.9.3.4 ¶ 1 b)]
    Establish/Maintain Documentation Preventive
    Include off-site storage of supplies in the risk management strategies. CC ID 13221 Establish/Maintain Documentation Preventive
    Include data quality in the risk management strategies. CC ID 15308 Data and Information Management Preventive
    Include the use of alternate service providers in the risk management strategies. CC ID 13217 Establish/Maintain Documentation Preventive
    Include minimizing service interruptions in the risk management strategies. CC ID 13215 Establish/Maintain Documentation Preventive
    Include off-site storage in the risk mitigation strategies. CC ID 13213 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain the risk assessment framework. CC ID 00685 Establish/Maintain Documentation Preventive
    Analyze the risk management strategy for addressing requirements. CC ID 12926 Audits and Risk Management Detective
    Analyze the risk management strategy for addressing threats. CC ID 12925 Audits and Risk Management Detective
    Analyze the risk management strategy for addressing opportunities. CC ID 12924 Audits and Risk Management Detective
    Define and assign the roles and responsibilities for the risk assessment framework, as necessary. CC ID 06456
    [The governing body should ensure that the organizational risk framework, in respect to the management of risk: defines the responsibilities of the governing body and associated delegation across the organization; § 6.9.3.2 ¶ 2 e)]
    Establish Roles Preventive
    Establish, implement, and maintain a risk assessment program. CC ID 00687
    [The governing body should consider and manage risk associated with its own activities in accordance with the organizational risk framework. For example, the governing body should: § 6.9.3.3 ¶ 1]
    Establish/Maintain Documentation Preventive
    Address past incidents in the risk assessment program. CC ID 12743 Audits and Risk Management Preventive
    Employ third parties when implementing a risk assessment, as necessary. CC ID 16306 Human Resources Management Detective
    Include the need for risk assessments in the risk assessment program. CC ID 06447 Establish/Maintain Documentation Preventive
    Include the information flow of restricted data in the risk assessment program. CC ID 12339 Establish/Maintain Documentation Preventive
    Establish and maintain the factors and context for risk to the organization. CC ID 12230
    [The governing body should ensure that it considers the effect of uncertainty on the organizational purpose and associated strategic outcomes. § 6.9.1 ¶ 1
    The governing body should ensure that it considers the effect of uncertainty on the organizational purpose and associated strategic outcomes. Table 1 Column 4 Row 10
    The governing body should oversee the organization's management of risk (see 6.4), ensuring that: a holistic view is taken by the organization, including consideration of all relevant types of risk; § 6.9.3.4 ¶ 1 a)
    {internal context}When setting the strategic outcomes and guiding the organizational strategy, the governing body should consider the organization's internal and external context, including: the organization's risk landscape; § 6.3.3.1.1 ¶ 2 c)]
    Audits and Risk Management Preventive
    Establish, implement, and maintain a financial plan to support the risk management strategy. CC ID 12786 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain insurance requirements. CC ID 16562 Establish/Maintain Documentation Preventive
    Disseminate and communicate insurance options to interested personnel and affected parties. CC ID 16572 Communicate Preventive
    Disseminate and communicate insurance requirements to interested personnel and affected parties. CC ID 16567 Communicate Preventive
    Purchase insurance on behalf of interested personnel and affected parties. CC ID 16571 Acquisition/Sale of Assets or Services Corrective
    Design a portfolio of insurance options in accordance with risk decision-making criteria. CC ID 12878 Business Processes Preventive
    Design a portfolio of loans in accordance with risk decision-making criteria. CC ID 12877 Business Processes Preventive
    Design a portfolio of risk limiting and mitigating approaches in organizational contracts in accordance with risk decision-making criteria. CC ID 12903 Business Processes Preventive
    Address cybersecurity risks in the risk assessment program. CC ID 13193 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain Data Protection Impact Assessments. CC ID 14830 Process or Activity Preventive
    Include a Data Protection Impact Assessment in the risk assessment program. CC ID 12630 Establish/Maintain Documentation Preventive
    Include an assessment of the necessity and proportionality of the processing operations in relation to the purposes in the Data Protection Impact Assessment. CC ID 12681 Establish/Maintain Documentation Preventive
    Include an assessment of the relationship between the data subject and the parties processing the data in the Data Protection Impact Assessment. CC ID 16371 Establish/Maintain Documentation Preventive
    Include a risk assessment of data subject's rights in the Data Protection Impact Assessment. CC ID 12674 Establish/Maintain Documentation Preventive
    Include the description and purpose of processing restricted data in the Data Protection Impact Assessment. CC ID 12673 Establish/Maintain Documentation Preventive
    Disseminate and communicate the Data Protection Impact Assessment to interested personnel and affected parties. CC ID 15313 Communicate Preventive
    Include consideration of the data subject's expectations in the Data Protection Impact Assessment. CC ID 16370 Establish/Maintain Documentation Preventive
    Include monitoring unsecured areas in the Data Protection Impact Assessment. CC ID 12671 Establish/Maintain Documentation Preventive
    Include security measures for protecting restricted data in the Data Protection Impact Assessment. CC ID 12635 Establish/Maintain Documentation Preventive
    Use the risk taxonomy when managing risk. CC ID 12280 Behavior Preventive
    Establish, implement, and maintain a risk assessment policy. CC ID 14026 Establish/Maintain Documentation Preventive
    Include compliance requirements in the risk assessment policy. CC ID 14121 Establish/Maintain Documentation Preventive
    Include coordination amongst entities in the risk assessment policy. CC ID 14120 Establish/Maintain Documentation Preventive
    Include management commitment in the risk assessment policy. CC ID 14119 Establish/Maintain Documentation Preventive
    Include roles and responsibilities in the risk assessment policy. CC ID 14118 Establish/Maintain Documentation Preventive
    Include the scope in the risk assessment policy. CC ID 14117 Establish/Maintain Documentation Preventive
    Include the purpose in the risk assessment policy. CC ID 14116 Establish/Maintain Documentation Preventive
    Disseminate and communicate the risk assessment policy to interested personnel and affected parties. CC ID 14115 Communicate Preventive
    Establish, implement, and maintain risk assessment procedures. CC ID 06446
    [The governing body should oversee the organization's management of risk (see 6.4), ensuring that: the process for assessing risk is consistent throughout the organization, enabling effective comparison and prioritization of risk; § 6.9.3.4 ¶ 1 e)
    The governing body should ensure that the value generation objectives are delivered by the organization as a whole, by applying all other principles in this document. This includes ensuring that: unintended outcomes are adequately identified, understood, monitored and appropriate action taken; § 6.2.3.4 ¶ 1 a)]
    Establish/Maintain Documentation Preventive
    Analyze the organization's information security environment. CC ID 13122 Technical Security Preventive
    Employ risk assessment procedures that follow legal requirements and contractual obligations when risk profiling. CC ID 06472 Establish/Maintain Documentation Preventive
    Employ risk assessment procedures that follow standards and best practices, as necessary. CC ID 06473 Establish/Maintain Documentation Preventive
    Document cybersecurity risks. CC ID 12281 Establish/Maintain Documentation Preventive
    Employ risk assessment procedures that take into account both electronic records and printed records. CC ID 06476 Establish/Maintain Documentation Preventive
    Employ risk assessment procedures that take into account information classification. CC ID 06477 Establish/Maintain Documentation Preventive
    Engage appropriate parties to assist with risk assessments, as necessary. CC ID 12153 Human Resources Management Preventive
    Employ risk assessment procedures that align with strategic objectives. CC ID 06474 Establish/Maintain Documentation Preventive
    Employ risk assessment procedures that take into account prior risk assessment findings of the same scope. CC ID 06478 Establish/Maintain Documentation Preventive
    Employ risk assessment procedures that take into account the target environment. CC ID 06479
    [The governing body should consider and manage risk associated with its own activities in accordance with the organizational risk framework. For example, the governing body should: § 6.9.3.3 ¶ 1]
    Establish/Maintain Documentation Preventive
    Employ risk assessment procedures that take into account incidents associated with the target environment. CC ID 06480 Establish/Maintain Documentation Preventive
    Employ risk assessment procedures that take into account risk factors. CC ID 16560 Audits and Risk Management Preventive
    Include compliance with disposition requirements in the risk assessment procedures. CC ID 12342 Establish/Maintain Documentation Preventive
    Include compliance with retention requirements in the risk assessment procedures. CC ID 12341 Establish/Maintain Documentation Preventive
    Employ risk assessment procedures that include appropriate risk treatment options for each identified risk. CC ID 06484 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain a threat and risk classification scheme. CC ID 07183 Establish/Maintain Documentation Preventive
    Document organizational risk criteria. CC ID 12277
    [The governing body should ensure that the organizational risk framework, in respect to the management of risk: establishes the risk appetite, which involves setting risk criteria and associated limits; § 6.9.3.2 ¶ 2 g)]
    Establish/Maintain Documentation Preventive
    Include security threats and vulnerabilities in the threat and risk classification scheme. CC ID 00699 Technical Security Preventive
    Include an analysis of system interdependencies in the threat and risk classification scheme. CC ID 13056 Investigate Detective
    Categorize the systems, information, and data by risk profile in the threat and risk classification scheme. CC ID 01443 Audits and Risk Management Preventive
    Review the risk profiles, as necessary. CC ID 16561 Audits and Risk Management Detective
    Include risks to critical personnel and assets in the threat and risk classification scheme. CC ID 00698 Audits and Risk Management Preventive
    Include the traceability of malicious code in the threat and risk classification scheme. CC ID 06600 Establish/Maintain Documentation Preventive
    Assign a probability of occurrence to all types of threats in the threat and risk classification scheme. CC ID 01173 Audits and Risk Management Preventive
    Approve the threat and risk classification scheme. CC ID 15693 Business Processes Preventive
    Establish, implement, and maintain risk profiling procedures for internal risk assessments. CC ID 01157 Audits and Risk Management Preventive
    Include language that is easy to understand in the risk assessment report. CC ID 06461 Establish/Maintain Documentation Preventive
    Include the environments that call for risk assessments in the risk assessment program. CC ID 06448 Establish/Maintain Documentation Preventive
    Include the process for defining the scope of each risk assessment in the risk assessment program. CC ID 06462 Establish/Maintain Documentation Preventive
    Include the circumstances that call for risk assessments in the risk assessment program. CC ID 06449 Establish/Maintain Documentation Preventive
    Include the roles and responsibilities involved in risk assessments in the risk assessment program. CC ID 06450 Establish/Maintain Documentation Preventive
    Include the methods of managing and responding to the risk assessment report in the risk assessment program. CC ID 06451 Establish/Maintain Documentation Preventive
    Automate as much of the risk assessment program, as necessary. CC ID 06459 Audits and Risk Management Preventive
    Disseminate and communicate the risk assessment procedures to interested personnel and affected parties. CC ID 14136 Communicate Preventive
    Approve the risk assessment program and associated risk assessment procedures at the senior management level. CC ID 06458 Establish/Maintain Documentation Preventive
    Perform risk assessments for all target environments, as necessary. CC ID 06452
    [To ensure that the organization fulfils the organizational purpose and achieves the intended strategic outcomes, the governing body should: ensure that when the governing body makes decisions, it assesses, treats, monitors, and communicates the nature and extent of the risks faced; § 6.9.3.1 ¶ 2 b)
    The governing body should oversee the organization's management of risk (see 6.4), ensuring that: the organization assesses, treats, monitors and reviews risk in accordance with the established organizational risk framework; § 6.9.3.4 ¶ 1 d)
    {environmental system}{social system} The governing body should ensure that the organization protects and restores those systems on which it depends. In this regard, the governing body should consider and manage risk associated with those decisions it makes that can impact the natural environmental, social and economic systems (see 6.9). While doing so, the governing body should ensure that relevant stakeholders are consulted and engaged (see 6.6). This should provide clarity regarding the impact the governing body's decisions have, over time, on those aspects on which the organization is: § 6.11.3.4 ¶ 1]
    Testing Preventive
    Include the probability and potential impact of pandemics in the scope of the risk assessment. CC ID 13241 Establish/Maintain Documentation Preventive
    Include physical assets in the scope of the risk assessment. CC ID 13075 Establish/Maintain Documentation Preventive
    Include the results of the risk assessment in the risk assessment report. CC ID 06481 Establish/Maintain Documentation Preventive
    Approve the results of the risk assessment as documented in the risk assessment report. CC ID 07109 Audits and Risk Management Preventive
    Update the risk assessment upon discovery of a new threat. CC ID 00708 Establish/Maintain Documentation Detective
    Review risks to the organization's audit function when changes in the supply chain occur. CC ID 01154 Audits and Risk Management Preventive
    Update the risk assessment upon changes to the risk profile. CC ID 11627 Establish/Maintain Documentation Detective
    Review the risk to the audit function when the audit personnel status changes. CC ID 01153 Audits and Risk Management Preventive
    Document any reasons for modifying or refraining from modifying the organization's risk assessment when the risk assessment has been reviewed. CC ID 13312 Establish/Maintain Documentation Preventive
    Create a risk assessment report based on the risk assessment results. CC ID 15695 Establish/Maintain Documentation Preventive
    Disseminate and communicate the approved risk assessment report to interested personnel and affected parties. CC ID 10633
    [Assurance processes that inform the governing body independently and accurately include: direct reports by, and private sessions with, risk management and compliance management as independent control functions; § 6.4.3.3 ¶ 2 Bullet 2]
    Communicate Preventive
    Conduct external audits of risk assessments, as necessary. CC ID 13308 Audits and Risk Management Detective
    Notify the organization upon completion of the external audits of the organization's risk assessment. CC ID 13313 Communicate Preventive
    Establish, implement, and maintain a risk assessment awareness and training program. CC ID 06453 Business Processes Preventive
    Disseminate and communicate information about risks to all interested personnel and affected parties. CC ID 06718
    [To demonstrate accountability, the governing body should ensure that the organization's reports and disclosures: explain and justify the organization's actions, inactions, omissions, risk and dependencies, including those of the governing body; § 6.5.3.2 ¶ 1 g)
    To ensure that the organization fulfils the organizational purpose and achieves the intended strategic outcomes, the governing body should: ensure that when the governing body makes decisions, it assesses, treats, monitors, and communicates the nature and extent of the risks faced; § 6.9.3.1 ¶ 2 b)
    The governing body should oversee the organization's management of risk (see 6.4), ensuring that: effective risk reporting and communication of risk are practised and promoted throughout the organization; § 6.9.3.4 ¶ 1 h)
    Assurance processes that inform the governing body independently and accurately include: direct reports by, and private sessions with, internal audit as an independent provider of assurance, including insight and advice, on the effectiveness and performance of governance processes and the internal control system, in particular risk management and compliance management; § 6.4.3.3 ¶ 2 Bullet 3
    {environmental system}{social system}The governing body should ensure that when the organization reports and discloses its value generation model (see 6.2 and 6.5) these include: the risks posed to the organization, and the organization's value generation model, by the natural environmental, social and economic systems within which it operates and by the governing body's decisions; § 6.11.3.4 ¶ 2 b)
    {environmental system}{social system}The governing body should ensure that when the organization reports and discloses its value generation model (see 6.2 and 6.5) these include: the risks posed to the natural environmental, social and economic systems by the organization, by the organization's value generation model and by the governing body's decisions. § 6.11.3.4 ¶ 2 c)]
    Behavior Preventive
    Evaluate the effectiveness of threat and vulnerability management procedures. CC ID 13491 Investigate Detective
    Correlate the business impact of identified risks in the risk assessment report. CC ID 00686 Audits and Risk Management Preventive
    Conduct a Business Impact Analysis, as necessary. CC ID 01147 Audits and Risk Management Detective
    Include recovery of the critical path in the Business Impact Analysis. CC ID 13224 Establish/Maintain Documentation Preventive
    Include acceptable levels of data loss in the Business Impact Analysis. CC ID 13264 Establish/Maintain Documentation Preventive
    Include Recovery Point Objectives in the Business Impact Analysis. CC ID 13223 Establish/Maintain Documentation Preventive
    Include the Recovery Time Objectives in the Business Impact Analysis. CC ID 13222 Establish/Maintain Documentation Preventive
    Include pandemic risks in the Business Impact Analysis. CC ID 13219 Establish/Maintain Documentation Preventive
    Include tolerance to downtime in the Business Impact Analysis report. CC ID 01172 Establish/Maintain Documentation Preventive
    Disseminate and communicate the Business Impact Analysis to interested personnel and affected parties. CC ID 15300
    [{social context}To demonstrate accountability, the governing body should ensure that the organization's reports and disclosures: provide information about the organization, including: the impact the organization has had, and anticipates having, on the resources it uses and the natural environment, social and economic context within which it operates; § 6.5.3.2 ¶ 1 c) 3)
    The value generation model requires an integrated approach to understanding and using resources (e.g. human, social and relational, intellectual, the natural environment, financial and manufactured). This approach includes: reporting on the extent of the organization's impact on these resources and the impact of these resources on one another. § 6.2.3.1 ¶ 4 c)
    The governing body should demonstrate accountability by retaining and distributing value in a transparent manner and reporting on the associated processes, decisions and results, including on the extent of the organization's impacts over time. This includes disclosing to relevant stakeholders where the organization has destroyed or compromised value, providing a justification for such where appropriate, and describing how it will redress or reinstate that value. § 6.2.3.5 ¶ 2]
    Communicate Preventive
    Establish, implement, and maintain a risk register. CC ID 14828 Establish/Maintain Documentation Preventive
    Document organizational risk tolerance in a risk register. CC ID 09961 Establish/Maintain Documentation Preventive
    Align organizational risk tolerance to that of industry peers in the risk register. CC ID 09962 Business Processes Preventive
    Review the Business Impact Analysis, as necessary. CC ID 12774 Business Processes Preventive
    Analyze and quantify the risks to in scope systems and information. CC ID 00701 Audits and Risk Management Preventive
    Establish and maintain a Risk Scoping and Measurement Definitions Document. CC ID 00703 Audits and Risk Management Preventive
    Identify the material risks in the risk assessment report. CC ID 06482 Audits and Risk Management Preventive
    Assess the potential level of business impact risk associated with each business process. CC ID 06463
    [{be dependent}{environmental system}{social system}The governing body should ensure that the organization protects and restores those systems on which it depends. In this regard, the governing body should consider and manage risk associated with those decisions it makes that can impact the natural environmental, social and economic systems (see 6.9). While doing so, the governing body should ensure that relevant stakeholders are consulted and engaged (see 6.6). This should provide clarity regarding the impact the governing body's decisions have, over time, on those aspects on which the organization is: directly dependent; § 6.11.3.4 ¶ 1 Bullet 1
    {be independent}{environmental system}{social system}The governing body should ensure that the organization protects and restores those systems on which it depends. In this regard, the governing body should consider and manage risk associated with those decisions it makes that can impact the natural environmental, social and economic systems (see 6.9). While doing so, the governing body should ensure that relevant stakeholders are consulted and engaged (see 6.6). This should provide clarity regarding the impact the governing body's decisions have, over time, on those aspects on which the organization is: not directly dependent but whose ability to be sustained will be affected by the governing body's decisions. § 6.11.3.4 ¶ 1 Bullet 2]
    Audits and Risk Management Detective
    Assess the potential level of business impact risk associated with the business environment. CC ID 06464
    [The governing body should ensure that the value generation objectives are delivered by the organization as a whole, by applying all other principles in this document. This includes ensuring that: the impacts of the organization's changing context are identified, understood, monitored and appropriate action is taken; § 6.2.3.4 ¶ 1 b)
    {be responsible}{be accurate}The governing body should ensure that the organizational risk framework, in respect to the management of risk: mandates that relevant stakeholders are engaged responsibly and accurately, and considers the organization's positive and negative risk impacts on them (see 6.6). § 6.9.3.2 ¶ 2 h)
    {positive impact}The governing body should ensure that the organization's value generation model identifies and assesses (see 6.2): the organization's positive and negative impacts on these systems. § 6.11.3.3 ¶ 1 c)
    {external context}The governing body should ensure that the organizational risk framework, in respect to the management of risk: considers the impact of, changes to and dependencies on the external and internal context of the organization, including: § 6.9.3.2 ¶ 2 d)
    {social context}{internal context}When setting the strategic outcomes and guiding the organizational strategy, the governing body should consider the organization's internal and external context, including: the interdependence between the natural environment, social and economic context – the organization's material impact on the context and its material impact on the organization; § 6.3.3.1.1 ¶ 2 e)
    {internal context}When setting the strategic outcomes and guiding the organizational strategy, the governing body should consider the organization's internal and external context, including: the organization's impact on stakeholders; § 6.3.3.1.1 ¶ 2 h)
    Defining the organizational purpose involves identifying the issues and stakeholders for which the organization exists to serve and the negative impacts that are to be avoided. When identifying these, the governing body should ensure that the following are considered: § 6.1.3.2 ¶ 1]
    Audits and Risk Management Detective
    Assess the potential level of business impact risk associated with business information of in scope systems. CC ID 06465 Audits and Risk Management Detective
    Identify changes to in scope systems that could threaten communication between business units. CC ID 13173 Investigate Detective
    Assess the potential business impact risk of in scope systems caused by deliberate threats to their confidentiality, integrity, and availability. CC ID 06466 Audits and Risk Management Detective
    Assess the potential level of business impact risk caused by accidental threats to the confidentiality, integrity and availability of critical systems. CC ID 06467 Audits and Risk Management Detective
    Assess the potential level of business impact risk associated with reputational damage. CC ID 15335 Audits and Risk Management Detective
    Assess the potential level of business impact risk associated with insider threats. CC ID 06468 Audits and Risk Management Detective
    Assess the potential level of business impact risk associated with external entities. CC ID 06469 Audits and Risk Management Detective
    Assess the potential level of business impact risk associated with natural disasters. CC ID 06470 Actionable Reports or Measurements Detective
    Assess the potential level of business impact risk associated with control weaknesses. CC ID 06471 Audits and Risk Management Detective
    Establish a risk acceptance level that is appropriate to the organization's risk appetite. CC ID 00706
    [{positive impact}Responsible stewardship — The organization: effectively balances positive and negative impacts; § 5 ¶ 2 b) 2)
    The governing body should ensure that the organizational risk framework, in respect to the management of risk: establishes the risk appetite, which involves setting risk criteria and associated limits; § 6.9.3.2 ¶ 2 g)
    The governing body should ensure that it sets parameters, within which the value generation objectives are to be achieved. These parameters should ensure that the organization: balances the achievement of the value generation objectives against potential impacts; § 6.2.3.3 ¶ 1 a)]
    Establish/Maintain Documentation Preventive
    Investigate alternative risk control strategies appropriate to the organization's risk appetite. CC ID 12887 Investigate Preventive
    Select the appropriate risk treatment option for each identified risk in the risk register. CC ID 06483
    [The governing body should oversee the organization's management of risk (see 6.4), ensuring that: the choice of risk treatments is consistent with governance policies; § 6.9.3.4 ¶ 1 c)]
    Establish/Maintain Documentation Preventive
    Disseminate and communicate the risk acceptance level in the risk treatment plan to all interested personnel and affected parties. CC ID 06849 Behavior Preventive
    Perform a gap analysis to review in scope controls for identified risks and implement new controls, as necessary. CC ID 00704 Establish/Maintain Documentation Detective
    Document the results of the gap analysis. CC ID 16271 Establish/Maintain Documentation Preventive
    Prioritize and select controls based on the risk assessment findings. CC ID 00707 Audits and Risk Management Preventive
    Analyze the effect of threats on organizational strategies and objectives. CC ID 12850 Process or Activity Detective
    Analyze the effect of opportunities on organizational strategies and objectives. CC ID 12849 Process or Activity Detective
    Prioritize and categorize the effects of opportunities, threats and requirements on control activities. CC ID 12822 Audits and Risk Management Preventive
    Determine the effectiveness of risk control measures. CC ID 06601 Testing Detective
    Develop key indicators to inform management on the effectiveness of risk control measures. CC ID 12946 Audits and Risk Management Preventive
    Establish, implement, and maintain a risk treatment plan. CC ID 11983
    [To ensure that the organization fulfils the organizational purpose and achieves the intended strategic outcomes, the governing body should: ensure that when the governing body makes decisions, it assesses, treats, monitors, and communicates the nature and extent of the risks faced; § 6.9.3.1 ¶ 2 b)
    The governing body should oversee the organization's management of risk (see 6.4), ensuring that: the organization assesses, treats, monitors and reviews risk in accordance with the established organizational risk framework; § 6.9.3.4 ¶ 1 d)
    The governing body should oversee organizational performance by assessing and taking corrective action based on: risk information (e.g. information received directly from the risk function) regarding the organization's assessment and treatment of its key threats and opportunities in consideration of the organizational risk framework (see 6.9); § 6.4.3.2 ¶ 1 c)]
    Establish/Maintain Documentation Preventive
    Include the date of the risk assessment in the risk treatment plan. CC ID 16321 Establish/Maintain Documentation Preventive
    Include the release status of the risk assessment in the risk treatment plan. CC ID 16320 Audits and Risk Management Preventive
    Identify the planned actions and controls that address high risk in the risk treatment plan. CC ID 12835 Audits and Risk Management Preventive
    Identify the current actions and controls that address high risk in the risk treatment plan. CC ID 12834 Audits and Risk Management Preventive
    Include the risk treatment strategy in the risk treatment plan. CC ID 12159 Establish/Maintain Documentation Preventive
    Revise the risk treatment strategies in the risk treatment plan, as necessary. CC ID 12552 Establish/Maintain Documentation Corrective
    Include an overview of the migration project plan in the risk treatment plan. CC ID 11982 Establish/Maintain Documentation Preventive
    Include change control processes in the risk treatment plan. CC ID 11981 Establish/Maintain Documentation Preventive
    Include a description of the processes to check for new vulnerabilities in the risk treatment plan. CC ID 11980 Establish/Maintain Documentation Preventive
    Include the implemented risk management controls in the risk treatment plan. CC ID 11979 Establish/Maintain Documentation Preventive
    Include requirements for monitoring and reporting in the risk treatment plan, as necessary. CC ID 13620 Establish/Maintain Documentation Preventive
    Include risk assessment results in the risk treatment plan. CC ID 11978 Establish/Maintain Documentation Preventive
    Include a description of usage in the risk treatment plan. CC ID 11977 Establish/Maintain Documentation Preventive
    Document all constraints applied to the risk treatment plan, as necessary. CC ID 13619 Establish/Maintain Documentation Preventive
    Disseminate and communicate the risk treatment plan to interested personnel and affected parties. CC ID 15694 Communicate Preventive
    Approve the risk treatment plan. CC ID 13495 Audits and Risk Management Preventive
    Integrate the corrective action plan based on the risk assessment findings with other risk management activities. CC ID 06457 Establish/Maintain Documentation Preventive
    Document and communicate a corrective action plan based on the risk assessment findings. CC ID 00705
    [The governing body should ensure that the value generation objectives are delivered by the organization as a whole, by applying all other principles in this document. This includes ensuring that: the impacts of the organization's changing context are identified, understood, monitored and appropriate action is taken; § 6.2.3.4 ¶ 1 b)
    The governing body should assume accountability for the organization's continual sensing of, and responding to, risk and communicating the chosen approach with relevant stakeholders as necessary (see 6.5.3). § 6.9.3.1 ¶ 1
    The governing body should ensure that the value generation objectives are delivered by the organization as a whole, by applying all other principles in this document. This includes ensuring that: unintended outcomes are adequately identified, understood, monitored and appropriate action taken; § 6.2.3.4 ¶ 1 a)
    The governing body should oversee organizational performance by assessing and taking corrective action based on: risk information (e.g. information received directly from the risk function) regarding the organization's assessment and treatment of its key threats and opportunities in consideration of the organizational risk framework (see 6.9); § 6.4.3.2 ¶ 1 c)]
    Establish/Maintain Documentation Corrective
    Review and approve the risk assessment findings. CC ID 06485
    [The governing body should oversee organizational performance by assessing and taking corrective action based on: risk information (e.g. information received directly from the risk function) regarding the organization's assessment and treatment of its key threats and opportunities in consideration of the organizational risk framework (see 6.9); § 6.4.3.2 ¶ 1 c)]
    Establish/Maintain Documentation Preventive
    Include risk responses in the risk management program. CC ID 13195 Establish/Maintain Documentation Preventive
    Document residual risk in a residual risk report. CC ID 13664 Establish/Maintain Documentation Corrective
    Review and approve material risks documented in the residual risk report, as necessary. CC ID 13672 Business Processes Preventive
    Establish, implement, and maintain an artificial intelligence risk management program. CC ID 16220 Establish/Maintain Documentation Preventive
    Include diversity and equal opportunity in the artificial intelligence risk management program. CC ID 16255 Establish/Maintain Documentation Preventive
    Analyze the impact of artificial intelligence systems on business operations. CC ID 16356 Business Processes Preventive
    Analyze the impact of artificial intelligence systems on society. CC ID 16317 Audits and Risk Management Detective
    Analyze the impact of artificial intelligence systems on individuals. CC ID 16316 Audits and Risk Management Detective
    Establish, implement, and maintain a cybersecurity risk management program. CC ID 16827 Audits and Risk Management Preventive
    Include a commitment to continuous improvement in the cybersecurity risk management program. CC ID 16839 Establish/Maintain Documentation Preventive
    Monitor the effectiveness of the cybersecurity risk management program. CC ID 16831 Monitor and Evaluate Occurrences Preventive
    Establish, implement, and maintain a cybersecurity risk management policy. CC ID 16834 Establish/Maintain Documentation Preventive
    Disseminate and communicate the cybersecurity risk management policy to interested personnel and affected parties. CC ID 16832 Communicate Preventive
    Disseminate and communicate the cybersecurity risk management program to interested personnel and affected parties. CC ID 16829 Communicate Preventive
    Establish, implement, and maintain a cybersecurity risk management strategy. CC ID 11991 Establish/Maintain Documentation Preventive
    Include a risk prioritization approach in the Cybersecurity Risk Management Strategy. CC ID 12276 Establish/Maintain Documentation Preventive
    Include defense in depth strategies in the cybersecurity risk management strategy. CC ID 15582 Establish/Maintain Documentation Preventive
    Disseminate and communicate the cybersecurity risk management strategy to interested personnel and affected parties. CC ID 16825 Communicate Preventive
    Evaluate the cyber insurance market. CC ID 12695 Business Processes Preventive
    Evaluate the usefulness of cyber insurance to the organization. CC ID 12694 Business Processes Preventive
    Acquire cyber insurance, as necessary. CC ID 12693 Business Processes Preventive
    Establish, implement, and maintain a cybersecurity supply chain risk management program. CC ID 16826 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain cybersecurity supply chain risk management procedures. CC ID 16830 Establish/Maintain Documentation Preventive
    Monitor the effectiveness of the cybersecurity supply chain risk management program. CC ID 16828 Monitor and Evaluate Occurrences Preventive
    Establish, implement, and maintain a supply chain risk management policy. CC ID 14663 Establish/Maintain Documentation Preventive
    Include compliance requirements in the supply chain risk management policy. CC ID 14711 Establish/Maintain Documentation Preventive
    Include coordination amongst entities in the supply chain risk management policy. CC ID 14710 Establish/Maintain Documentation Preventive
    Include management commitment in the supply chain risk management policy. CC ID 14709 Establish/Maintain Documentation Preventive
    Include roles and responsibilities in the supply chain risk management policy. CC ID 14708 Establish/Maintain Documentation Preventive
    Include the scope in the supply chain risk management policy. CC ID 14707 Establish/Maintain Documentation Preventive
    Include the purpose in the supply chain risk management policy. CC ID 14706 Establish/Maintain Documentation Preventive
    Disseminate and communicate the supply chain risk management policy to all interested personnel and affected parties. CC ID 14662 Communicate Preventive
    Establish, implement, and maintain a supply chain risk management plan. CC ID 14713 Establish/Maintain Documentation Preventive
    Include processes for monitoring and reporting in the supply chain risk management plan. CC ID 15619 Establish/Maintain Documentation Preventive
    Include dates in the supply chain risk management plan. CC ID 15617 Establish/Maintain Documentation Preventive
    Include implementation milestones in the supply chain risk management plan. CC ID 15615 Establish/Maintain Documentation Preventive
    Include roles and responsibilities in the supply chain risk management plan. CC ID 15613 Establish/Maintain Documentation Preventive
    Include supply chain risk management procedures in the risk management program. CC ID 13190 Establish/Maintain Documentation Preventive
    Disseminate and communicate the supply chain risk management procedures to all interested personnel and affected parties. CC ID 14712 Communicate Preventive
    Assign key stakeholders to review and approve supply chain risk management procedures. CC ID 13199 Human Resources Management Preventive
    Analyze supply chain risk management procedures, as necessary. CC ID 13198 Process or Activity Detective
    Disseminate and communicate the risk management policy to interested personnel and affected parties. CC ID 13792 Communicate Preventive
  • Human Resources management
    KEY:    Primary Verb     Primary Noun     Secondary Verb     Secondary Noun     Limiting Term
    Mandated - bold    Implied - italic    Implementation - regular
    TYPE    CLASS
    Human Resources management CC ID 00763 IT Impact Zone IT Impact Zone
    Establish, implement, and maintain high level operational roles and responsibilities. CC ID 00806
    [{be effective} Depending on the size of the organization, governing bodies can create committees to help them fulfil their obligations. These committees can be statutory or voluntary. In either case, they should provide the governing body with additional capacity, skills, independence, diversity and/or stakeholder representation. If a governing body makes use of supporting committees, the governing body should ensure that it effectively delegates the necessary responsibilities and authority to such committees. § 4.3.1 ¶ 2]
    Establish Roles Preventive
    Define and assign the head of Information Security's roles and responsibilities. CC ID 06091 Establish Roles Preventive
    Establish, implement, and maintain a security operations center. CC ID 14762 Human Resources Management Preventive
    Define the scope for the security operations center. CC ID 15713 Establish/Maintain Documentation Preventive
    Designate an alternate for each organizational leader. CC ID 12053 Human Resources Management Preventive
    Limit the activities performed as a proxy to an organizational leader. CC ID 12054 Behavior Preventive
    Assign the roles and responsibilities of management in establishing, implementing, and maintaining the information security program. CC ID 13112 Human Resources Management Preventive
    Define and assign the Board of Directors' roles and responsibilities and senior management's roles and responsibilities, including signing off on key policies and procedures. CC ID 00807
    [The governing body can delegate but still remains accountable for what it has delegated and always remains responsible for the organization as a whole. § 4.2.2 ¶ 1
    The governing body should establish governance policies and ensure that these: clarify the manner in which the governing body itself is to operate and govern the organization; § 6.3.3.1.2 ¶ 1 f)
    {individual}{hold accountable} The governing body should demonstrate its willingness to answer for the fulfilment of its responsibilities, even where these have been delegated. The governing body should also report on the manner in which it holds to account those to whom it has delegated. § 6.5.3.1 ¶ 1
    Governance is exercised throughout the organization by governing groups, including: the governing body; § 4.2.1 ¶ 1 Bullet 2
    At all times, the governing body should act collectively, performing many interrelated activities in order to exercise its authority and fulfil its accountability. Members of the governing body should act with probity and in the best interests of the organization while applying the principles in this document. § 4.3.1 ¶ 3
    {individual}{hold accountable} The governing body should demonstrate its accountability to the organization as a whole and hold to account those to whom it has delegated. Table 1 Column 4 Row 6
    The governing body should engage with strategic planning by: establishing clarity about its role in the strategic planning process; § 6.3.3.2.1 ¶ 1 a)
    The governing body is accountable for ensuring that the organization fulfils the defined organizational purpose and should ensure that the organization does so in a manner which demonstrates the defined organizational values. § 6.1.3.4 ¶ 1
    {individual}{hold accountable} The governing body should demonstrate its accountability to the organization as a whole and hold to account those to whom it has delegated. § 6.5.1 ¶ 1
    Within the governing body: The governing body should set expectations for itself and the organization, including parameters within which these expectations are to be fulfilled. The governing body should fulfil these expectations (internal alignment). § 6.7.3.2 ¶ 1 a)]
    Establish Roles Preventive
    Establish and maintain board committees, as necessary. CC ID 14789
    [The governing body should steer the organizational strategy by means of: the composition and functioning of the governing body itself, and its committees, ensuring they are continually able to understand and meet the changing needs of the organization (see 4.3.2), including recommending ways for closing anticipated gaps; § 6.3.3.2.2 ¶ 2 c)]
    Human Resources Management Preventive
    Define and assign the roles and responsibilities of the chairman of the board. CC ID 14786 Establish/Maintain Documentation Preventive
    Assign oversight of C-level executives to the Board of Directors. CC ID 14784 Human Resources Management Preventive
    Establish, implement, and maintain candidate selection procedures for the board of directors. CC ID 14782
    [The composition and structure of the governing body will vary between organizations. However, the governing body, as a collective, should remain suitably equipped to fulfil its role. Appointments to the governing body should be transparent to stakeholders and consider: capacity; § 4.3.1 ¶ 1 Bullet 4
    The composition and structure of the governing body will vary between organizations. However, the governing body, as a collective, should remain suitably equipped to fulfil its role. Appointments to the governing body should be transparent to stakeholders and consider: probity; § 4.3.1 ¶ 1 Bullet 5
    The composition and structure of the governing body will vary between organizations. However, the governing body, as a collective, should remain suitably equipped to fulfil its role. Appointments to the governing body should be transparent to stakeholders and consider: commitment. § 4.3.1 ¶ 1 Bullet 6
    The composition and structure of the governing body will vary between organizations. However, the governing body, as a collective, should remain suitably equipped to fulfil its role. Appointments to the governing body should be transparent to stakeholders and consider: § 4.3.1 ¶ 1]
    Establish/Maintain Documentation Preventive
    Include the criteria of mixed experiences and skills in the candidate selection procedures. CC ID 14791
    [The composition and structure of the governing body will vary between organizations. However, the governing body, as a collective, should remain suitably equipped to fulfil its role. Appointments to the governing body should be transparent to stakeholders and consider: diversity and inclusion; § 4.3.1 ¶ 1 Bullet 2]
    Establish/Maintain Documentation Preventive
    Assign oversight of the financial management program to the board of directors. CC ID 14781 Human Resources Management Preventive
    Assign senior management to the role of supporting Quality Management. CC ID 13692 Human Resources Management Preventive
    Assign senior management to the role of authorizing official. CC ID 14238 Establish Roles Preventive
    Assign members who are independent from management to the Board of Directors. CC ID 12395
    [The composition and structure of the governing body will vary between organizations. However, the governing body, as a collective, should remain suitably equipped to fulfil its role. Appointments to the governing body should be transparent to stakeholders and consider: independence of thought and action; § 4.3.1 ¶ 1 Bullet 3]
    Human Resources Management Preventive
    Assign ownership of risks to the Board of Directors or senior management. CC ID 13662
    [The governing body should assume accountability for the organization's continual sensing of, and responding to, risk and communicating the chosen approach with relevant stakeholders as necessary (see 6.5.3). § 6.9.3.1 ¶ 1
    To ensure that the organization fulfils the organizational purpose and achieves the intended strategic outcomes, the governing body should: oversee the organization's risk management activities. § 6.9.3.1 ¶ 2 c)
    The governing body should oversee the organization's management of risk (see 6.4), ensuring that: § 6.9.3.4 ¶ 1]
    Human Resources Management Preventive
    Assign the organization's board and senior management to oversee the continuity planning process. CC ID 12991 Human Resources Management Preventive
    Rotate members of the board of directors, as necessary. CC ID 14803 Human Resources Management Corrective
    Define and assign board committees, as necessary. CC ID 14787 Human Resources Management Preventive
    Define and assign risk committees, as necessary. CC ID 14795 Human Resources Management Preventive
    Establish, implement, and maintain a board committee charter, as necessary. CC ID 14802 Establish/Maintain Documentation Preventive
    Define and assign audit committees, as necessary. CC ID 14788 Human Resources Management Preventive
    Include members with experience in audit practices, financial reporting, and accounting in the audit committee. CC ID 14796 Human Resources Management Preventive
    Define and assign compensation committees, as necessary. CC ID 14793 Human Resources Management Preventive
    Define and assign the Chief Information Officer's roles and responsibilities. CC ID 00808 Establish Roles Preventive
    Define and assign the network administrator's roles and responsibilities. CC ID 16363 Human Resources Management Preventive
    Define and assign the Information Technology staff's roles and responsibilities. CC ID 00809 Establish Roles Preventive
    Define and assign the Data Protection Officer's roles and responsibilities. CC ID 16525 Human Resources Management Preventive
    Define and assign the business unit manager's roles and responsibilities. CC ID 00810 Establish Roles Preventive
    Define and assign the Facility Security Officer's roles and responsibilities. CC ID 01887 Establish Roles Preventive
    Define and assign the Chief Risk Officer's roles and responsibilities. CC ID 14333 Human Resources Management Preventive
    Define and assign roles and responsibilities for network management. CC ID 13128 Human Resources Management Preventive
    Define and assign the technology security leader's roles and responsibilities. CC ID 01897 Establish Roles Preventive
    Define and assign the security staff's roles and responsibilities. CC ID 11750 Establish/Maintain Documentation Preventive
    Define and assign the authorized representatives' roles and responsibilities. CC ID 15033 Human Resources Management Preventive
    Define and assign the property management leader's roles and responsibilities. CC ID 00669 Establish Roles Preventive
    Define and assign the Archives and Records Management oversight's roles and responsibilities. CC ID 00697 Establish Roles Preventive
    Define and assign the Privacy Officer's roles and responsibilities. CC ID 00714 Establish Roles Preventive
    Define and assign critical facility management personnel's roles and responsibilities. CC ID 06381 Establish Roles Preventive
    Define the objectives and extent of outsourcing operational roles and responsibilities. CC ID 06383 Establish/Maintain Documentation Preventive
    Define and assign the Chief Security Officer's roles and responsibilities. CC ID 06431 Establish Roles Preventive
    Establish and maintain an Information Technology steering committee. CC ID 12706 Human Resources Management Preventive
    Assign the Information Technology steering committee to report to senior management. CC ID 12731 Human Resources Management Preventive
    Convene the Information Technology steering committee, as necessary. CC ID 12730 Human Resources Management Preventive
    Assign reviewing investments to the Information Technology steering committee, as necessary. CC ID 13625 Human Resources Management Preventive
    Assign a contact person to all business units. CC ID 07144 Establish Roles Preventive
    Define and assign the assessment team's roles and responsibilities. CC ID 08890 Business Processes Preventive
    Assign the role of Risk Assessment Manager to applicable controls. CC ID 12143 Human Resources Management Preventive
    Assign the Risk Assessment manager the duty of reporting risk assessment results to organizational management. CC ID 12152 Human Resources Management Preventive
    Refrain from allocating temporary staff to perform sensitive jobs absent the presence and control of authorized permanent staff. CC ID 12299 Human Resources Management Preventive
    Define and assign workforce roles and responsibilities. CC ID 13267
    ["Governance" and "management" are distinct, necessary and complementary activities that interact and influence one another. Governance involves setting and being accountable for the organization's fulfilment of its purpose within the parameters set for the organization, whereas management is about fulfilling the associated objectives by making choices within those parameters. The governing body should ensure the clarity of roles and responsibilities of all involved and hold accountable those to whom they delegate. § 4.2.3 ¶ 1]
    Human Resources Management Preventive
    Establish, implement, and maintain cybersecurity roles and responsibilities. CC ID 13201 Human Resources Management Preventive
    Assign roles and responsibilities for physical security, as necessary. CC ID 13113 Establish Roles Preventive
    Document the use of external experts. CC ID 16263 Human Resources Management Preventive
    Define and assign roles and responsibilities for those involved in risk management. CC ID 13660
    [The governing body should ensure that the organizational risk framework, in respect to the management of risk: establishes the desired risk culture across the organization that encourages the reporting and communication of new and emerging risks, and ensures that every person in the organization understands their risk management responsibility; § 6.9.3.2 ¶ 2 a)]
    Human Resources Management Preventive
    Include the management structure in the duties and responsibilities for risk management. CC ID 13665 Human Resources Management Preventive
    Assign the roles and responsibilities for the change control program. CC ID 13118 Human Resources Management Preventive
    Identify and define all critical roles. CC ID 00777 Establish Roles Preventive
    Assign cybersecurity reporting responsibilities to qualified personnel. CC ID 12739 Establish Roles Preventive
    Assign responsibility for cyber threat intelligence. CC ID 12746 Human Resources Management Preventive
    Assign the role of security management to applicable controls. CC ID 06444 Establish Roles Preventive
    Assign the role of security leader to keep up to date on the latest threats. CC ID 12112 Human Resources Management Preventive
    Define and assign the data processor's roles and responsibilities. CC ID 12607 Human Resources Management Preventive
    Assign the data processor to assist the data controller in implementing security controls. CC ID 12677 Human Resources Management Preventive
    Assign the data processor to notify the data controller when personal data processing could infringe on regulations. CC ID 12617 Communicate Preventive
    Define and assign the data controller's roles and responsibilities. CC ID 00471 Establish Roles Preventive
    Assign the role of data controller to be the Point of Contact for the supervisory authority. CC ID 12616 Human Resources Management Preventive
    Assign the role of the Data Controller to cooperate with the supervisory authority. CC ID 12615 Human Resources Management Preventive
    Assign the data controller to facilitate the exercise of the data subject's rights. CC ID 12666 Human Resources Management Preventive
    Assign the role of data controller to applicable controls. CC ID 00354 Establish Roles Preventive
    Assign the role of data controller to provide advice, when requested. CC ID 12611 Human Resources Management Preventive
    Assign the role of data controller to additional personnel, as necessary. CC ID 00473 Establish Roles Preventive
    Assign the role of Information Technology operations to applicable controls. CC ID 00682 Establish Roles Preventive
    Assign the role of logical access control to applicable controls. CC ID 00772 Establish Roles Preventive
    Assign the role of asset physical security to applicable controls. CC ID 00770 Establish Roles Preventive
    Assign the role of data custodian to applicable controls. CC ID 04789 Establish Roles Preventive
    Assign the role of the Quality Management committee to applicable controls. CC ID 00769 Establish Roles Preventive
    Assign interested personnel to the Quality Management committee. CC ID 07193 Establish Roles Preventive
    Assign the roles and responsibilities for the asset management system. CC ID 14368 Establish/Maintain Documentation Preventive
    Assign personnel to a crime prevention unit and announce the members of the unit. CC ID 06348 Establish Roles Preventive
    Assign the role of fire protection management to applicable controls. CC ID 04891 Establish Roles Preventive
    Assign the role of Information Technology Service Continuity Management to applicable controls. CC ID 04894 Establish Roles Preventive
    Assign the role of the Computer Emergency Response Team to applicable controls. CC ID 04895 Establish Roles Preventive
    Assign the role of CRYPTO custodian to applicable controls. CC ID 06723 Establish Roles Preventive
    Define and assign the roles and responsibilities of security guards. CC ID 12543 Human Resources Management Preventive
    Define and assign roles and responsibilities for dispute resolution. CC ID 13626 Human Resources Management Preventive
    Define and assign the roles for Legal Support Workers. CC ID 13711 Human Resources Management Preventive
    Establish, implement, and maintain a personnel management program. CC ID 14018 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain a succession plan for organizational leaders and support personnel. CC ID 11822
    [The governing body should steer the organizational strategy by means of: succession planning for the critical roles in the organization, including emergency succession arrangements; § 6.3.3.2.2 ¶ 2 f)]
    Human Resources Management Preventive
    Establish, implement, and maintain a personnel security program. CC ID 10628 Establish/Maintain Documentation Preventive
    Employ individuals who have the appropriate staff qualifications, staff clearances, and staff competencies. CC ID 00782
    [The composition and structure of the governing body will vary between organizations. However, the governing body, as a collective, should remain suitably equipped to fulfil its role. Appointments to the governing body should be transparent to stakeholders and consider: competence (relevant knowledge and understanding, skills and experience); § 4.3.1 ¶ 1 Bullet 1
    The governing body should: ensure it has the right combination of knowledge, skills and experience to understand the operations of the organization and the markets in which it operates; § 4.3.2 ¶ 2 a)
    The composition and structure of the governing body will vary between organizations. However, the governing body, as a collective, should remain suitably equipped to fulfil its role. Appointments to the governing body should be transparent to stakeholders and consider: § 4.3.1 ¶ 1
    {be adequate} The governing body is accountable for establishing and maintaining an integrated organizational governance framework across the organization that coordinates these governance activities such that the organization realizes effective performance, responsible stewardship and ethical behaviour. This organizational governance framework should ensure that decision-makers have appropriate authority, competence and resources for the responsibilities given to them. Effective delegation and transparent decision-making empower personnel to act appropriately, resulting in a more resilient and agile organization. Controls and subsequent improvement actions should be planned and implemented to ensure that the governance system remains adequate for the organization's purpose. § 4.2.1 ¶ 2]
    Testing Detective
    Perform security skills assessments for all critical employees. CC ID 12102 Human Resources Management Detective
    Assign security clearance procedures to qualified personnel. CC ID 06812 Establish Roles Preventive
    Assign personnel screening procedures to qualified personnel. CC ID 11699 Establish Roles Preventive
    Establish, implement, and maintain personnel screening procedures. CC ID 11700 Establish/Maintain Documentation Preventive
    Perform a background check during personnel screening. CC ID 11758 Human Resources Management Detective
    Perform a personal identification check during personnel screening. CC ID 06721 Human Resources Management Preventive
    Perform a criminal records check during personnel screening. CC ID 06643 Establish/Maintain Documentation Preventive
    Include all residences in the criminal records check. CC ID 13306 Process or Activity Preventive
    Document any reasons a full criminal records check could not be performed. CC ID 13305 Establish/Maintain Documentation Preventive
    Perform a personal references check during personnel screening. CC ID 06645 Human Resources Management Preventive
    Perform a credit check during personnel screening. CC ID 06646 Human Resources Management Preventive
    Perform an academic records check during personnel screening. CC ID 06647 Establish/Maintain Documentation Preventive
    Perform a drug test during personnel screening. CC ID 06648 Testing Preventive
    Perform a resume check during personnel screening. CC ID 06659 Human Resources Management Preventive
    Perform a curriculum vitae check during personnel screening. CC ID 06660 Human Resources Management Preventive
    Allow personnel being screened to appeal findings and appeal decisions. CC ID 06720 Human Resources Management Preventive
    Disseminate and communicate screening results to interested personnel and affected parties. CC ID 16445 Communicate Preventive
    Perform personnel screening procedures, as necessary. CC ID 11763 Human Resources Management Preventive
    Document the personnel risk assessment results. CC ID 11764 Establish/Maintain Documentation Detective
    Establish, implement, and maintain security clearance procedures. CC ID 00783 Establish/Maintain Documentation Preventive
    Perform periodic background checks on designated roles, as necessary. CC ID 11759 Human Resources Management Detective
    Perform security clearance procedures, as necessary. CC ID 06644 Human Resources Management Preventive
    Establish and maintain security clearances. CC ID 01634 Human Resources Management Preventive
    Document the security clearance procedure results. CC ID 01635 Establish/Maintain Documentation Detective
    Establish and maintain the staff structure in line with the strategic plan. CC ID 00764
    [When delegating, the governing body should delegate in a manner which increases trust and transparency. For delegation and accountability (see 6.5) to be effective, the governing body should ensure that the following conditions are fulfilled: authority matches the level of responsibility, which includes the autonomy to make and fulfil plans to achieve the agreed outcomes within the established parameters; § 4.2.2 ¶ 2 c)
    Decision-making throughout the organization should be supported by appropriate delegation (see 4.2.2). This delegation should be formalized together with appropriate assurance processes. Additionally, the governing body should ensure that: the authority matches the level of responsibility associated with the decisions being made; § 6.8.3.2.2 ¶ 1 a)
    Delegation should be formalized together with the appropriate assurance processes. Limits of decision-making authority should be applied in response to assessed risk. § 4.2.2 ¶ 5
    Decision-making throughout the organization should be supported by appropriate delegation (see 4.2.2). This delegation should be formalized together with appropriate assurance processes. Additionally, the governing body should ensure that: § 6.8.3.2.2 ¶ 1
    {hold accountable}{individual} The governing body should hold to account those to whom it has delegated (see 4.2.2). The governing body should ask questions, exercise its judgement, implement consequences, affect improvements and ensure that is equipped to do so. When doing so, the governing body should practise integrity, fairness and transparency. § 6.5.3.3 ¶ 1]
    Establish Roles Preventive
    Document and communicate role descriptions to all applicable personnel. CC ID 00776 Establish Roles Detective
    Assign and staff all roles appropriately. CC ID 00784 Testing Detective
    Delegate authority for specific processes, as necessary. CC ID 06780
    [When delegating, the governing body should delegate in a manner which increases trust and transparency. For delegation and accountability (see 6.5) to be effective, the governing body should ensure that the following conditions are fulfilled: § 4.2.2 ¶ 2
    {be effective} Depending on the size of the organization, governing bodies can create committees to help them fulfil their obligations. These committees can be statutory or voluntary. In either case, they should provide the governing body with additional capacity, skills, independence, diversity and/or stakeholder representation. If a governing body makes use of supporting committees, the governing body should ensure that it effectively delegates the necessary responsibilities and authority to such committees. § 4.3.1 ¶ 2
    The governing body should engage with strategic planning by: delegating as necessary; § 6.3.3.2.1 ¶ 1 b)
    The governing body should ensure that effective delegation is practised (see 4.2.2), as this is necessary for accountability. § 6.5.3.1 ¶ 2]
    Behavior Preventive
    Implement a staff rotation plan. CC ID 12772 Human Resources Management Preventive
    Rotate duties amongst the critical roles and positions. CC ID 06554 Establish Roles Preventive
    Place Information Technology operations in a position to support the business model. CC ID 00766 Business Processes Preventive
    Review organizational personnel successes. CC ID 00767 Business Processes Preventive
    Implement personnel supervisory practices. CC ID 00773 Behavior Preventive
    Implement segregation of duties in roles and responsibilities. CC ID 00774 Testing Detective
    Establish, implement, and maintain segregation of duties compensating controls if segregation of duties is not practical. CC ID 06960
    [{be different} The degree of separation of duties between the governing body and managers varies according to organizational needs and circumstances. In certain circumstances, such as an executive member of the governing body, an individual can be required to fulfil both governance and management responsibilities. In such cases, it is important for that person to be able to distinguish when they are fulfilling the different responsibilities and act and behave accordingly. § 4.2.3 ¶ 2]
    Technical Security Preventive
    Evaluate the staffing requirements regularly. CC ID 00775 Business Processes Detective
    Establish and maintain relationships with critical stakeholders, business functions, and leadership outside the in scope staff. CC ID 00779
    [The governing body should ensure that the organization's stakeholders are identified, prioritized, appropriately engaged, consulted and their expectations understood. The governing body should do this to ensure that stakeholder relationships are effective and appropriate decisions about expectations are made to achieve the intended value generation objectives. § 6.6.3 ¶ 1
    The governing body should consider the expectations of relevant stakeholder groups whether the organization is obliged to do so (e.g. member stakeholders, regulators) or whether it chooses to do so (e.g. reference stakeholders). The governing body should ensure that: collaborative relationships with relevant stakeholders are maintained; § 6.6.3 ¶ 3 c)
    Ethical and effective leadership should be demonstrated in three areas: the manner in which the organization interacts with, and impacts, its stakeholders and the context within which it operates. § 6.7.3.1 ¶ 4 c)
    Within the organization's external context: The governing body should ensure that the organization treats stakeholders in a manner consistent with its organizational values. § 6.7.3.3 ¶ 1 c)
    In order to lead ethically and effectively, the governing body should lead by example to create a positive culture, set the tone for others, and engender trust and cooperation among the organization's stakeholders. § 6.7.3.1 ¶ 2
{internal context} When setting the strategic outcomes and guiding the organizational strategy, the governing body should consider the organization's internal and external context, including: the quality and nature of stakeholder relationships and effectiveness of stakeholder engagement; § 6.3.3.1.1 ¶ 2 g)
    When the governing body groups stakeholders, it should clarify its criteria for grouping, and for determining the relevance of, stakeholders. The governing body should also ensure that a stakeholder engagement process is devised on this basis. § 6.6.3 ¶ 2]
    Behavior Preventive
    Establish job categorization criteria, job recruitment criteria, and promotion criteria. CC ID 00781 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain a compensation, reward, and recognition program. CC ID 12806
[{be fair}{be responsible}{be transparent} The governing body should steer the organizational strategy by means of: the organization's approach to compensation, ensuring that compensation is, and remains, fair, responsible and transparent; § 6.3.3.2.2 ¶ 2 h)]
    Human Resources Management Preventive
    Establish and maintain an annual report on compensation. CC ID 14801 Establish/Maintain Documentation Preventive
    Include the design characteristics of the remuneration system in the annual report on compensation. CC ID 14804 Establish/Maintain Documentation Preventive
    Disseminate and communicate the compensation, reward, and recognition program to interested personnel and affected parties. CC ID 14800 Communicate Preventive
    Establish, implement, and maintain roles and responsibilities in the compensation, reward, and recognition program. CC ID 14798 Establish/Maintain Documentation Preventive
    Align the compensation, reward, and recognition program with the risk management program. CC ID 14797 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain remuneration standards, as necessary. CC ID 14794
    [The governing body should steer the organizational strategy by means of: targets, key performance indicators (KPIs) and associated incentives, including financial remuneration (see 6.4.3); § 6.3.3.2.2 ¶ 2 i)]
    Establish/Maintain Documentation Preventive
    Recognize personnel who reinforce desirable conduct with incentives. CC ID 12815
    [The governing body should steer the organizational strategy by means of: targets, key performance indicators (KPIs) and associated incentives, including financial remuneration (see 6.4.3); § 6.3.3.2.2 ¶ 2 i)]
    Human Resources Management Preventive
    Establish, implement, and maintain an occupational health and safety management system. CC ID 16201 Business Processes Preventive
    Establish, implement, and maintain an occupational health and safety policy. CC ID 00716
    [The governing body should provide direction for, and have sufficient oversight of, the use of data and its supporting information technology to ensure the organization remains within its established risk appetite and organizational risk framework. This can include: ensuring that human behaviour is considered when applying information technology, including safety, fit for purpose and alignment with the organizational purpose; § 6.8.3.4 ¶ 2 e)]
    Establish/Maintain Documentation Preventive
    Involve interested personnel and affected parties in occupational health and safety management system processes. CC ID 16274 Business Processes Preventive
    Disseminate and communicate the occupational health and safety policy to interested personnel and affected parties. CC ID 16270 Communicate Preventive
    Include a commitment to continuous improvement in the occupational health and safety policy. CC ID 16267 Establish/Maintain Documentation Preventive
    Include risks and opportunities in the occupational health and safety policy. CC ID 16287 Establish/Maintain Documentation Preventive
    Include management commitment in the occupational health and safety policy. CC ID 16264 Behavior Preventive
    Include occupational health and safety objectives in the occupational health and safety policy. CC ID 16262 Establish/Maintain Documentation Preventive
    Post evacuation plans and evacuation procedures throughout facilities. CC ID 06073 Establish/Maintain Documentation Preventive
    Maintain a 1 to 2 day supply of water and nonperishable food at the facility in case public utilities are interrupted. CC ID 06074 Physical and Environmental Protection Preventive
    Install duress alarms in susceptible public areas. CC ID 06075 Physical and Environmental Protection Preventive
    Require regular vacations for personnel using restricted information or sensitive information. CC ID 06550 Human Resources Management Preventive
    Establish, implement, and maintain health and safety personnel disinfecting procedures. CC ID 06802 Establish/Maintain Documentation Preventive
    Provide protective face masks for critical personnel, as necessary. CC ID 06803 Human Resources Management Preventive
    Establish, implement, and maintain food preparation procedures. CC ID 06804 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain food handling procedures. CC ID 11765 Establish/Maintain Documentation Preventive
    Vaccinate critical employees, as necessary. CC ID 06805 Human Resources Management Preventive
    Protect personnel from work-related intimidation. CC ID 07046 Behavior Preventive
    Establish, implement, and maintain a travel program for all personnel. CC ID 10597 Human Resources Management Preventive
    Establish, implement, and maintain a process to identify any potential health hazards, environmental hazards, or safety hazards, that could affect personnel while traveling internationally. CC ID 06076 Human Resources Management Preventive
    Refrain from using gifted mobile devices. CC ID 16460 Acquisition/Sale of Assets or Services Preventive
    Refrain from loaning mobile devices to unauthorized personnel. CC ID 15218 Business Processes Preventive
    Issue devices with secure configurations to individuals traveling to locations deemed to be of risk. CC ID 10598 Configuration Preventive
    Scan devices for malicious code when an individual returns from locations deemed to be of risk. CC ID 10599 Process or Activity Detective
    Establish, implement, and maintain a conflict of interest policy. CC ID 14785
    [The governing body should make decisions of requisite quality and ensure that its decision-making is appropriately informed. The governing body should: consider its level of independence and the effect this level has on its decision-making, including financial interests, position, associations, relationships, bias and alliances; § 6.8.3.2.1 ¶ 1 c)
    The governing body should make decisions of requisite quality and ensure that its decision-making is appropriately informed. The governing body should: carefully address conflicts of interest when making decisions; § 6.8.3.2.1 ¶ 1 d)
    Disclose actual, potential or perceived conflicts of interest at the earliest opportunity and manage such conflicts appropriately. Table 2 Column 2 Row 2 Bullet 2]
    Establish/Maintain Documentation Preventive
    Include definitions of conflicts of interest in the conflict of interest policy. CC ID 14792 Establish/Maintain Documentation Preventive
    Submit a conflict of interest declaration to interested personnel and affected parties. CC ID 16194 Communicate Preventive
    Include roles and responsibilities in the conflict of interest policy. CC ID 14790 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain a Code of Conduct. CC ID 04897
    [Ethical leadership results in an organizational context and culture that: contributes to the prevention of misconduct; § 6.7.3.3 ¶ 3 Bullet 3
    Act in good faith and in the best interest of the organization. Table 2 Column 2 Row 2 Bullet 1
    {be ethical} Act ethically and in a compliant manner. Table 2 Column 2 Row 2 Bullet 3
    Ethical behaviour — The organization behaves in accordance with accepted principles of right or good conduct in the context of a particular situation and in a manner consistent with international norms of behaviour, including demonstrating: § 5 ¶ 2 c)
    Ethical leadership results in an organizational context and culture that: provides competitive differentiation for stakeholders by providing clarity against which evaluators can assess the organization's behaviour, decisions and activities; § 6.7.3.3 ¶ 3 Bullet 4
    The governing body should steer the organizational strategy by means of: monitoring and responding to the behaviour, decisions and activities of the organization, e.g. values-driven behaviours pertaining to sustainability; § 6.3.3.2.2 ¶ 2 b)]
    Establish/Maintain Documentation Preventive
    Establish, implement, and maintain a code of conduct for financial recommendations. CC ID 16649 Establish/Maintain Documentation Preventive
    Include anti-coercion requirements and anti-tying requirements in the Code of Conduct. CC ID 16720 Establish/Maintain Documentation Preventive
    Include limitations on referrals for products and services in the Code of Conduct. CC ID 16719 Behavior Preventive
    Include classifications of ethics violations in the Code of Conduct. CC ID 14769 Establish/Maintain Documentation Preventive
    Include definitions of ethics violations in the Code of Conduct. CC ID 14768 Establish/Maintain Documentation Preventive
    Include exercising due professional care in the Code of Conduct. CC ID 14210
    [Act with due care, skill, diligence and loyalty, and take reasonable steps to become informed about particular matters for decision-making. Table 2 Column 2 Row 3 Bullet 2
    {hold accountable}{individual} The governing body should hold to account those to whom it has delegated (see 4.2.2). The governing body should ask questions, exercise its judgement, implement consequences, affect improvements and ensure that is equipped to do so. When doing so, the governing body should practise integrity, fairness and transparency. § 6.5.3.3 ¶ 1]
    Establish/Maintain Documentation Preventive
    Include health and safety provisions in the Code of Conduct. CC ID 16206 Establish/Maintain Documentation Preventive
    Include organizational values in the Code of Conduct. CC ID 12919
    [Within the organization: The governing body should ensure that the organization conducts itself in a manner consistent with its organizational values. § 6.7.3.3 ¶ 1 b)
    Laws and rules provide the minimum set of organizational values against which behaviour is assessed. Other organizational values (see 6.1) are provided in collectively agreed documents such as a code of conduct, code of ethics or standards of behaviour. The following are examples of the leadership values to which governing bodies, and the individuals comprising them, are held: § 6.7.3.3 ¶ 2
    Having defined the organizational values, the governing body should ensure that these organizational values are being demonstrated and are an active part of decision-making. The governing body should use these organizational values to determine the manner in which the organizational purpose is to be pursued and the value generation objectives are to be achieved (see 6.2). The governing body remains responsible for ensuring that the organizational values are monitored and reviewed, and should assess whether the organizational values remain aligned to, and support, the organizational purpose. The effectiveness of the organizational values will be evident in the culture of the organization. § 6.1.3.3 ¶ 2
    Furthermore, the governing body, and its members, should demonstrate commitment to the organizational purpose and values by leading the organization to fulfil its organizational purpose and behaving in accordance with the organizational values. § 6.1.3.4 ¶ 3]
    Process or Activity Preventive
    Include key policies in the Code of Conduct. CC ID 12890 Establish/Maintain Documentation Preventive
    Include responsibilities to the public trust in the Code of Conduct. CC ID 14209 Establish/Maintain Documentation Preventive
    Include the vision statement in the Code of Conduct. CC ID 12889 Establish/Maintain Documentation Preventive
    Include the organization's mission in the Code of Conduct. CC ID 12875 Establish/Maintain Documentation Preventive
    Include classifications of desired conduct in the Code of Conduct. CC ID 12851 Establish/Maintain Documentation Preventive
    Include the information security responsibilities of the organization and the individual in the Terms and Conditions of employment. CC ID 12029 Human Resources Management Preventive
    Include environmental responsibility criteria in the Code of Conduct. CC ID 16209 Establish/Maintain Documentation Preventive
    Include social responsibility criteria in the Code of Conduct. CC ID 16210 Establish/Maintain Documentation Preventive
    Include that Information Security responsibilities extend outside normal business hours and organizational facilities in the Terms and Conditions of employment. CC ID 04580 Establish/Maintain Documentation Preventive
    Include labor rights criteria in the Code of Conduct. CC ID 16208 Establish/Maintain Documentation Preventive
    Include the employee's legal responsibilities and rights in the Terms and Conditions of employment. CC ID 15701 Establish/Maintain Documentation Preventive
    Implement a sanctions process for personnel who fail to comply to the organizational compliance program. CC ID 01442
[{be ethical}{be effective} Where dilemmas turn into conflicts or disputes, alternative dispute resolution mechanisms should be considered over formal litigation where possible. Disputes should be resolved ethically and effectively. § 6.7.3.4 ¶ 3]
    Behavior Corrective
    Notify designated personnel when a formal personnel sanctions process is initiated. CC ID 10632 Communicate Preventive
    Include the legal intellectual property responsibilities in the Code of Conduct. CC ID 04898 Establish/Maintain Documentation Detective
    Include definitions of desirable conduct in the Code of Conduct. CC ID 12846 Establish/Maintain Documentation Preventive
    Include notification procedures for allegations of undesirable conduct in the Code of Conduct. CC ID 12855 Establish/Maintain Documentation Preventive
    Include procedures to identify positive outcomes in the Code of Conduct. CC ID 12854 Establish/Maintain Documentation Preventive
    Take disciplinary actions against individuals who violate the Code of Conduct. CC ID 06435 Behavior Preventive
    Require personnel to sign the Code of Conduct as a part of the Terms and Conditions of employment. CC ID 06664 Establish/Maintain Documentation Preventive
    Require all personnel to re-sign the Code of Conduct, as necessary. CC ID 06666 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain performance reviews. CC ID 14777
    [The governing body should oversee organizational performance by assessing and taking corrective action based on: managerial reporting and performance, ensuring that it appraises results against applicable measurement criteria and its intentions and expectations (see 6.3.3); § 6.4.3.2 ¶ 1 b)
    The governing body should oversee organizational performance by assessing and taking corrective action based on: resource allocations, capacity and capabilities (including people and their development) ensuring that the organization is enabled to meet its organizational purpose, value generation objectives and strategic outcomes; § 6.4.3.2 ¶ 1 g)]
    Business Processes Detective
    Include the information security responsibilities of employees in their performance objectives. CC ID 15700 Human Resources Management Preventive
    Include information security responsibilities in performance reviews. CC ID 15697 Establish/Maintain Documentation Preventive
    Conduct performance reviews for the board of directors and board committees, as necessary. CC ID 14783 Human Resources Management Detective
    Take appropriate actions after performance reviews of board members, as necessary. CC ID 14799 Human Resources Management Preventive
    Conduct staff performance reviews, as necessary. CC ID 07205
    [{individual}The governing body should steer the organizational strategy by means of: monitoring, evaluating and developing the capacities and competencies of those to whom the governing body has delegated; § 6.3.3.2.2 ¶ 2 g)]
    Business Processes Detective
    Analyze the documentation produced by staff during the performance review. CC ID 07207 Establish/Maintain Documentation Detective
    Establish, implement, and maintain an ethics program. CC ID 11496
    [When defining the organizational values, the governing body should ensure that: it is clear what ethical behaviour is expected as a result of the organizational values; § 6.1.3.3 ¶ 1 b)
    Defining the organizational purpose involves identifying the issues and stakeholders for which the organization exists to serve and the negative impacts that are to be avoided. When identifying these, the governing body should ensure that the following are considered: the historic, current and aspirational core identity of the organization, including the organizational values and expected ethical behaviour; § 6.1.3.2 ¶ 1 b)
    The governing body should ensure ethical leadership across all areas. § 6.7.3.3 ¶ 1]
    Human Resources Management Preventive
    Include communication protocols for interested personnel and affected parties in the ethics program. CC ID 12858
    [Disclose actual, potential or perceived conflicts of interest at the earliest opportunity and manage such conflicts appropriately. Table 2 Column 2 Row 2 Bullet 2]
    Communicate Preventive
    Establish, implement, and maintain ethical decision-making guidelines. CC ID 12908
    [Ethical behaviour — The organization behaves in accordance with accepted principles of right or good conduct in the context of a particular situation and in a manner consistent with international norms of behaviour, including demonstrating: competence and probity in the manner in which it makes decisions. § 5 ¶ 2 c) 5)]
    Behavior Preventive
    Establish, implement, and maintain investigation procedures addressing ethics complaints. CC ID 12900 Investigate Preventive
    Establish, implement, and maintain an ethical culture. CC ID 12781
    [Ethical behaviour — The organization behaves in accordance with accepted principles of right or good conduct in the context of a particular situation and in a manner consistent with international norms of behaviour, including demonstrating: an ethical culture; § 5 ¶ 2 c) 1)
    Ethical behaviour — The organization behaves in accordance with accepted principles of right or good conduct in the context of a particular situation and in a manner consistent with international norms of behaviour, including demonstrating: fairness in the treatment of, and engagement with, stakeholders; § 5 ¶ 2 c) 3)]
    Behavior Preventive
    Analyze the organizational climate regarding support for expectation of responsible behavior and integrity. CC ID 12873 Monitor and Evaluate Occurrences Preventive
    Analyze the organizational climate regarding the expectation of responsible behavior and integrity. CC ID 12872
    [Ethical behaviour — The organization behaves in accordance with accepted principles of right or good conduct in the context of a particular situation and in a manner consistent with international norms of behaviour, including demonstrating: integrity and transparency in fulfilling its obligations, and commitments; § 5 ¶ 2 c) 4)
    When defining the organizational values, the governing body should ensure that: the expected ethical behaviour can be assessed; § 6.1.3.3 ¶ 1 c)]
    Monitor and Evaluate Occurrences Preventive
    Refrain from practicing false advertising. CC ID 14253 Business Processes Preventive
    Establish mechanisms for whistleblowers to report compliance violations. CC ID 06806
    [To ensure that the organization is acting in a socially responsible way, the governing body should: steer the organization such that its decision-making and activities are consistent with the organizational purpose, organizational values and governance policies, including considering how stakeholders can report a breach in behaviour (e.g. via whistleblowing); § 6.10.3 ¶ 1 f)
    Assurance processes that inform the governing body independently and accurately include: whistleblowing processes and personnel and customer feedback mechanisms, both formal and informal (see NOTE 3). § 6.4.3.3 ¶ 2 Bullet 5]
    Business Processes Preventive
    Establish mechanisms to maintain the anonymity of whistleblowers. CC ID 12859 Communicate Preventive
    Establish, implement, and maintain a training program to report compliance violations. CC ID 11835 Establish/Maintain Documentation Preventive
    Refrain from discriminating against employees who refuse or intend to refuse to do something that contravenes requirements. CC ID 13608 Behavior Preventive
    Refrain from discriminating against employees who are whistleblowers. CC ID 13609 Behavior Preventive
    Respond to ethics complaints of ethics violations. CC ID 11497 Business Processes Corrective
    Refrain from discriminating against employees who disclose that their employer or another person has or intends to contravene requirements. CC ID 13607 Behavior Preventive
    Apply legal remedies to any person knowingly partaking in illegal actions. CC ID 11515 Human Resources Management Preventive
    Include prohibiting counterfeiting in the ethics program. CC ID 11517 Human Resources Management Preventive
    Refrain from assigning roles and responsibilities that breach segregation of duties. CC ID 12055 Human Resources Management Preventive
    Refrain from assigning security compliance assessment responsibility for the day-to-day production activities an individual performs. CC ID 12061 Establish Roles Preventive
    Refrain from approving previously performed activities when acting on behalf of the Chief Information Security Officer. CC ID 12060 Behavior Preventive
    Refrain from performing activities with approval responsibility when acting on behalf of the Chief Information Security Officer. CC ID 12059 Behavior Preventive
    Prohibit roles from performing activities that they are assigned the responsibility for approving. CC ID 12052 Behavior Preventive
  • Leadership and high level objectives
    KEY:    Primary Verb     Primary Noun     Secondary Verb     Secondary Noun     Limiting Term
    Mandated - bold    Implied - italic    Implementation - regular TYPE CLASS
    Leadership and high level objectives CC ID 00597 IT Impact Zone IT Impact Zone
    Establish, implement, and maintain a reporting methodology program. CC ID 02072
    [The governing body should: set an expectation of the appropriate quality and quantity of measurement and timeliness of delivery when establishing objectives; § 4.3.2 ¶ 2 c)
    The governing body should: determine the most appropriate reporting methodologies for the organization, given the expectations of its relevant stakeholders; § 6.5.3.2 ¶ 2 Bullet 1
    The governing body should consider the expectations of relevant stakeholder groups whether the organization is obliged to do so (e.g. member stakeholders, regulators) or whether it chooses to do so (e.g. reference stakeholders). The governing body should ensure that: reporting is coherent so that stakeholders can effectively assess the organization's governance arrangements (see 6.5.3). § 6.6.3 ¶ 3 f)
    To demonstrate accountability, the governing body should ensure that the organization's reports and disclosures: report on historic actions and outcomes, as well as future intentions. § 6.5.3.2 ¶ 1 h)
    {be complete}{be understandable}{be responsive}{be accurate}{be timely}The governing body should: ensure that reported information and disclosed information are material, complete, understandable, responsive, accurate, balanced and timely; § 6.5.3.2 ¶ 2 Bullet 2]
    Business Processes Preventive
    Establish, implement, and maintain communication protocols. CC ID 12245
    [The governing body should consider the expectations of relevant stakeholder groups whether the organization is obliged to do so (e.g. member stakeholders, regulators) or whether it chooses to do so (e.g. reference stakeholders). The governing body should ensure that: an open and transparent communication culture within the organization is created and maintained to help bridge the gap between diverse stakeholder groups and varying perspectives based on, for example, gender, age, belief systems or cognitive abilities; § 6.6.3 ¶ 3 e)
    The governing body should ensure that the organization's value generation model (see 6.2): identifies the key resources (e.g. capitals such as human, social and relational, intellectual, the natural environmental, financial and manufactured), structures, processes, relationships, information, decision-making, reporting and other aspects of the organization that allow it to create sustained value for relevant stakeholders; § 6.11.3.2 ¶ 1 a)
    Assurance processes that inform the governing body independently and accurately include: whistleblowing processes and personnel and customer feedback mechanisms, both formal and informal (see NOTE 3). § 6.4.3.3 ¶ 2 Bullet 5]
    Establish/Maintain Documentation Preventive
    Use secure communication protocols for telecommunications. CC ID 16458 Business Processes Preventive
    Align the information being disseminated and communicated with the communication requirements according to the organization's communication protocol. CC ID 12419
    [{be within}To demonstrate accountability, the governing body should ensure that the organization's reports and disclosures: are transparent but also within the limits of confidentiality; § 6.5.3.2 ¶ 1 f)
    The governing body should make decisions of requisite quality and ensure that its decision-making is appropriately informed. The governing body should: exercise its right and responsibility to determine and receive the information it requires, including determining the appropriate data collection methods, preparation and timely delivery of information; § 6.8.3.2.1 ¶ 1 f)]
    Establish/Maintain Documentation Preventive
    Assess the effectiveness of the communication methods used in the communication protocol. CC ID 12691 Process or Activity Detective
    Include external requirements in the organization's communication protocol. CC ID 12418 Establish/Maintain Documentation Preventive
    Include disseminating and communicating events surrounding instances of desirable conduct and undesirable conduct in the communication protocols. CC ID 12824 Communicate Preventive
    Include input from interested personnel and affected parties as a part of the organization’s communication protocol. CC ID 12417
    [When defining the organizational values, the governing body should ensure that: all relevant stakeholders are engaged; § 6.1.3.3 ¶ 1 a)
    For accountability to be effective, it relies on effective stakeholder engagement (see 6.6) as this is the basis for effective dialogue, value generation and improvement. The governing body should be available to answer to relevant stakeholders about decisions made and have responses evaluated. Improvements should be applied as the result of feedback from reporting, disclosure and dialogue activities. § 6.5.3.2 ¶ 3
    The governing body should ensure that the organization's stakeholders are appropriately engaged and their expectations considered. § 6.6.1 ¶ 1
    The governing body should ensure that the organization's stakeholders are identified, prioritized, appropriately engaged, consulted and their expectations understood. The governing body should do this to ensure that stakeholder relationships are effective and appropriate decisions about expectations are made to achieve the intended value generation objectives. § 6.6.3 ¶ 1
    {stakeholder engagement process}To ensure that the organization is acting in a socially responsible way, the governing body should: ensure that the expectations of stakeholders are clearly understood; this includes continually engaging relevant stakeholders through an engagement process and a highly developed approach to accountability (see 6.5); § 6.10.3 ¶ 1 a)
    To ensure that the organization is acting in a socially responsible way, the governing body should: engage with all relevant stakeholders when establishing and reviewing governance policies; § 6.10.3 ¶ 1 e)
    The governing body should ensure that the organization's stakeholders are appropriately engaged and their expectations considered. Table 1 Column 4 Row 7
    {be responsible}{be accurate}The governing body should ensure that the organizational risk framework, in respect to the management of risk: mandates that relevant stakeholders are engaged responsibly and accurately, and considers the organization's positive and negative risk impacts on them (see 6.6). § 6.9.3.2 ¶ 2 h)
    The governing body should consider the expectations of relevant stakeholder groups whether the organization is obliged to do so (e.g. member stakeholders, regulators) or whether it chooses to do so (e.g. reference stakeholders). The governing body should ensure that: relevant stakeholders are engaged in achieving the organizational purpose via its organizational strategy; § 6.6.3 ¶ 3 a)
    To ensure that the organization is acting in a socially responsible way, the governing body should: engage with all relevant stakeholders when determining and reviewing the organizational values and promote the organizational values to stakeholders; § 6.10.3 ¶ 1 d)
    {environmental system}{social system} The governing body should ensure that the organization protects and restores those systems on which it depends. In this regard, the governing body should consider and manage risk associated with those decisions it makes that can impact the natural environmental, social and economic systems (see 6.9). While doing so, the governing body should ensure that relevant stakeholders are consulted and engaged (see 6.6). This should provide clarity regarding the impact the governing body's decisions have, over time, on those aspects on which the organization is: § 6.11.3.4 ¶ 1]
    Establish/Maintain Documentation Preventive
    Establish, implement, and maintain a corrective action plan to address barriers to stakeholder engagement. CC ID 15677 Process or Activity Preventive
    Identify barriers to stakeholder engagement. CC ID 15676 Process or Activity Preventive
    Identify alternative measures for collecting stakeholder input, as necessary. CC ID 15672 Communicate Preventive
    Include disseminating and communicating conditions surrounding instances of desirable conduct and undesirable conduct in the communication protocols. CC ID 12804 Communicate Preventive
    Include methods to obtain information from interested personnel and affected parties about performance variances in the communication protocol. CC ID 12856 Process or Activity Preventive
    Include disseminating and communicating desirable conduct in the communication protocols. CC ID 12803 Communicate Preventive
    Include disseminating and communicating undesirable conduct in communication protocols. CC ID 12802 Communicate Preventive
    Route notifications, as necessary. CC ID 12832 Process or Activity Preventive
    Substantiate notifications, as necessary. CC ID 12831 Process or Activity Preventive
    Analyze the flow of information to ensure it is being received by the correct processes. CC ID 12860
    [The governing body should make decisions of requisite quality and ensure that its decision-making is appropriately informed. The governing body should: exercise its right and responsibility to determine and receive the information it requires, including determining the appropriate data collection methods, preparation and timely delivery of information; § 6.8.3.2.1 ¶ 1 f)]
    Business Processes Preventive
    Prioritize notifications, as necessary. CC ID 12830 Process or Activity Preventive
    Report to management and stakeholders on the findings and information gathered from all types of inquiries. CC ID 12797
    [{be appropriate}When delegating, the governing body should delegate in a manner which increases trust and transparency. For delegation and accountability (see 6.5) to be effective, the governing body should ensure that the following conditions are fulfilled: outputs, outcomes and the processes to achieve the responsibilities are periodically reported and presented with evidence that actions taken are reasonable and appropriate; § 4.2.2 ¶ 2 d)
    The governing body should: report on the process and outcomes of assessments to relevant stakeholders (see 6.5.3). § 4.3.2 ¶ 2 e)
    Ethical behaviour — The organization behaves in accordance with accepted principles of right or good conduct in the context of a particular situation and in a manner consistent with international norms of behaviour, including demonstrating: accountability through accurate and timely reporting on its performance and stewardship of resources; § 5 ¶ 2 c) 2)
    To demonstrate accountability, the governing body should ensure that the organization's reports and disclosures: provide information about the organization, including: § 6.5.3.2 ¶ 1 c)
    The governing body should demonstrate accountability by retaining and distributing value in a transparent manner and reporting on the associated processes, decisions and results, including on the extent of the organization's impacts over time. This includes disclosing to relevant stakeholders where the organization has destroyed or compromised value, providing a justification for such where appropriate, and describing how it will redress or reinstate that value. § 6.2.3.5 ¶ 2]
    Actionable Reports or Measurements Preventive
    Disseminate and communicate internal controls with supply chain members. CC ID 12416 Communicate Preventive
    Establish and maintain the organization's survey method. CC ID 12869 Process or Activity Preventive
    Document the findings from surveys. CC ID 16309 Establish/Maintain Documentation Preventive
    Provide a consolidated view of information in the organization's survey method. CC ID 12894 Process or Activity Preventive
    Establish, implement, and maintain warning procedures that follow the organization's communication protocol. CC ID 12407 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain alert procedures that follow the organization's communication protocol. CC ID 12406 Establish/Maintain Documentation Preventive
    Include the capturing and alerting of compliance violations in the notification system. CC ID 12962 Monitor and Evaluate Occurrences Preventive
    Include the capturing and alerting of unethical conduct in the notification system. CC ID 12932 Monitor and Evaluate Occurrences Preventive
    Include the capturing and alerting of performance variances in the notification system. CC ID 12929 Monitor and Evaluate Occurrences Preventive
    Include the capturing and alerting of weaknesses in the notification system. CC ID 12928 Monitor and Evaluate Occurrences Preventive
    Include the capturing and alerting of account activity in the notification system. CC ID 15314 Monitor and Evaluate Occurrences Preventive
    Establish, implement, and maintain an internal reporting program. CC ID 12409
    [{individual}To exercise effective oversight, the governing body should: require those to whom they have delegated to provide timely and accurate reports on all material aspects of the management of the organization; § 6.4.3.1 ¶ 1 a)
    The governing body should oversee organizational performance by assessing and taking corrective action based on: managerial reporting and performance, ensuring that it appraises results against applicable measurement criteria and its intentions and expectations (see 6.3.3); § 6.4.3.2 ¶ 1 b)
    The governing body should make decisions of requisite quality and ensure that its decision-making is appropriately informed. The governing body should: exercise its right and responsibility to determine and receive the information it requires, including determining the appropriate data collection methods, preparation and timely delivery of information; § 6.8.3.2.1 ¶ 1 f)]
    Business Processes Preventive
    Include transactions and events as a part of internal reporting. CC ID 12413 Business Processes Preventive
    Disseminate and communicate management's choices for managing the organization as a part of internal reporting. CC ID 12412
    [To demonstrate accountability, the governing body should ensure that the organization's reports and disclosures: provide information about the governing body itself, including: the fulfilment of its responsibilities, including the consequences of not fulfilling its obligations; § 6.5.3.2 ¶ 1 b) 2)
    To demonstrate accountability, the governing body should ensure that the organization's reports and disclosures: provide information about the organization, including: the way in which the organization's performance was achieved and whether this performance was reasonable given the organization's changing context governance policies, including organizational values; § 6.5.3.2 ¶ 1 c) 2)
    To demonstrate accountability, the governing body should ensure that the organization's reports and disclosures: explain and justify the organization's actions, inactions, omissions, risk and dependencies, including those of the governing body; § 6.5.3.2 ¶ 1 g)
    To demonstrate accountability, the governing body should ensure that the organization's reports and disclosures: provide information about the governing body itself, including: decisions, actions, performance and improvements; § 6.5.3.2 ¶ 1 b) 1)]
    Communicate Preventive
    Enforce a precision level for non-financial reporting based on user need and appropriate supply chain criteria. CC ID 12399 Establish/Maintain Documentation Preventive
    Define the thresholds for escalation in the internal reporting program. CC ID 14332 Establish/Maintain Documentation Preventive
    Define the thresholds for reporting in the internal reporting program. CC ID 14331 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain an external reporting program. CC ID 12876 Communicate Preventive
    Provide identifying information about the organization to the responsible party. CC ID 16715 Communicate Preventive
    Identify the material topics required to be reported on. CC ID 15654 Business Processes Preventive
    Check the list of material topics for completeness. CC ID 15692 Investigate Preventive
    Prioritize material topics used in reporting. CC ID 15678 Communicate Preventive
    Review and approve the material topics, as necessary. CC ID 15670 Process or Activity Preventive
    Define the thresholds for reporting in the external reporting program. CC ID 15679 Establish/Maintain Documentation Preventive
    Include time requirements in the external reporting program. CC ID 16566 Communicate Preventive
    Include information about the organizational culture in the external reporting program. CC ID 15610
    [To demonstrate accountability, the governing body should ensure that the organization's reports and disclosures: provide information about the organization, including: the organizational culture, including the organizational behaviour and perceptions of the organization's behaviour provided by relevant stakeholders; § 6.5.3.2 ¶ 1 c) 5)]
    Establish/Maintain Documentation Preventive
    Include reporting to governing bodies in the external reporting plan. CC ID 12923 Communicate Preventive
    Submit confidential treatment applications to interested personnel and affected parties. CC ID 16592 Communicate Preventive
    Include the reasons for objections to public disclosure in confidential treatment applications. CC ID 16594 Establish/Maintain Documentation Preventive
    Include contact information for the interested personnel and affected parties the report was filed with in the confidential treatment application. CC ID 16595 Establish/Maintain Documentation Preventive
    Include the information that was omitted in the confidential treatment application. CC ID 16593 Establish/Maintain Documentation Preventive
    Analyze organizational objectives, functions, and activities. CC ID 00598
    [When applying the governance principles and deciding how to appropriately implement the practices, the governing body should take into consideration the unique and dynamic nature of the organization and its context, including the following: characteristics of the organization such as organizational type, structure, size, interdependencies, complexity, culture and its expected future progression; § 5 ¶ 5 Bullet 4
    Defining the organizational purpose involves identifying the issues and stakeholders for which the organization exists to serve and the negative impacts that are to be avoided. When identifying these, the governing body should ensure that the following are considered: the historic, current and aspirational core identity of the organization, including the organizational values and expected ethical behaviour; § 6.1.3.2 ¶ 1 b)]
    Monitor and Evaluate Occurrences Preventive
    Develop instructions for setting organizational objectives and strategies. CC ID 12931 Establish/Maintain Documentation Preventive
    Analyze the business environment in which the organization operates. CC ID 12798
    [When applying the governance principles and deciding how to appropriately implement the practices, the governing body should take into consideration the unique and dynamic nature of the organization and its context, including the following: § 5 ¶ 5
    Defining the organizational purpose involves identifying the issues and stakeholders for which the organization exists to serve and the negative impacts that are to be avoided. When identifying these, the governing body should ensure that the following are considered: existing documentation relating to the organizational purpose and the scope of the organization's activities, such as constituting documents or other artefacts; § 6.1.3.2 ¶ 1 a)
    Take steps to become appropriately informed of all aspects of the organization and the context within which it operates (such as legal, natural environment, social, economic, technical and personnel). Table 2 Column 2 Row 3 Bullet 1]
    Business Processes Preventive
    Identify the internal factors that may affect organizational objectives. CC ID 12957 Process or Activity Preventive
    Include key processes in the analysis of the internal business environment. CC ID 12947 Process or Activity Preventive
    Include existing information in the analysis of the internal business environment. CC ID 12943 Process or Activity Preventive
    Include resources in the analysis of the internal business environment. CC ID 12942
    [{internal context}When setting the strategic outcomes and guiding the organizational strategy, the governing body should consider the organization's internal and external context, including: the organization's need for, and access to, resources, including financial resources; § 6.3.3.1.1 ¶ 2 f)]
    Process or Activity Preventive
    Include the operating plan in the analysis of the internal business environment. CC ID 12941 Process or Activity Preventive
    Include incentives in the analysis of the internal business environment. CC ID 12940 Process or Activity Preventive
    Include organizational structures in the analysis of the internal business environment. CC ID 12939 Process or Activity Preventive
    Include the strategic plan in the analysis of the internal business environment. CC ID 12937
    [When applying the governance principles and deciding how to appropriately implement the practices, the governing body should take into consideration the unique and dynamic nature of the organization and its context, including the following: value generation model and organizational strategy; § 5 ¶ 5 Bullet 5]
    Process or Activity Preventive
    Include strengths and weaknesses in the analysis of the internal business environment. CC ID 12936
    [Defining the organizational purpose involves identifying the issues and stakeholders for which the organization exists to serve and the negative impacts that are to be avoided. When identifying these, the governing body should ensure that the following are considered: organizational capabilities and opportunities. § 6.1.3.2 ¶ 1 e)
    {internal context}When setting the strategic outcomes and guiding the organizational strategy, the governing body should consider the organization's internal and external context, including: the organization's strengths, weaknesses, competitive positioning and operational resilience; § 6.3.3.1.1 ¶ 2 i)]
    Process or Activity Preventive
    Align assets with business functions and the business environment. CC ID 13681 Business Processes Preventive
    Disseminate and communicate the organization's business environment and place in its industry sector. CC ID 13200 Communicate Preventive
    Monitor for changes which affect organizational strategies in the internal business environment. CC ID 12863 Monitor and Evaluate Occurrences Preventive
    Monitor for changes which affect organizational objectives in the internal business environment. CC ID 12862
    [{external context}The governing body should ensure that the organizational risk framework, in respect to the management of risk: considers the impact of, changes to and dependencies on the external and internal context of the organization, including: § 6.9.3.2 ¶ 2 d)]
    Monitor and Evaluate Occurrences Preventive
    Analyze the external environment in which the organization operates. CC ID 12799
    [Responsible stewardship — The organization: considers the global context; § 5 ¶ 2 b) 3)
    {social context}{internal context}When setting the strategic outcomes and guiding the organizational strategy, the governing body should consider the organization's internal and external context, including: the interdependence between the natural environment, social and economic context – the organization's material impact on the context and its material impact on the organization; § 6.3.3.1.1 ¶ 2 e)]
    Business Processes Preventive
    Identify the external forces that may affect organizational objectives. CC ID 12960
    [The governing body should ensure that the organization's value generation model identifies and assesses (see 6.2): the relevant external systems on which the organization depends; § 6.11.3.3 ¶ 1 a)]
    Process or Activity Preventive
    Monitor for changes which affect organizational strategies in the external environment. CC ID 12880 Monitor and Evaluate Occurrences Preventive
    Include environmental requirements in the analysis of the external environment. CC ID 12965
    [While not defined as stakeholders, the natural environment and society as a whole should also be considered by the governing body in its decision-making because they affect or will be affected by the organization's activities. § 4.2.5 ¶ 2
    {legal and regulatory context}{social context}When applying the governance principles and deciding how to appropriately implement the practices, the governing body should take into consideration the unique and dynamic nature of the organization and its context, including the following: legal, regulatory, natural environment, social and economic context; § 5 ¶ 5 Bullet 2
    {social issue} In determining the value generation model, the governing body should understand the context in which the organization operates over time, including stakeholder expectations, regulatory frameworks, technological change, and the present and potential future natural environment, social and economic issues. The governing body should also ensure that the organization's value generation model continues to be viable and responds to changing conditions. § 6.2.3.1 ¶ 3]
    Business Processes Preventive
    Monitor for changes which affect organizational objectives in the external environment. CC ID 12879
    [{external context}The governing body should ensure that the organizational risk framework, in respect to the management of risk: considers the impact of, changes to and dependencies on the external and internal context of the organization, including: § 6.9.3.2 ¶ 2 d)]
    Monitor and Evaluate Occurrences Preventive
    Include regulatory requirements in the analysis of the external environment. CC ID 12964
    [{legal and regulatory context}{social context}When applying the governance principles and deciding how to appropriately implement the practices, the governing body should take into consideration the unique and dynamic nature of the organization and its context, including the following: legal, regulatory, natural environment, social and economic context; § 5 ¶ 5 Bullet 2
    {social issue} In determining the value generation model, the governing body should understand the context in which the organization operates over time, including stakeholder expectations, regulatory frameworks, technological change, and the present and potential future natural environment, social and economic issues. The governing body should also ensure that the organization's value generation model continues to be viable and responds to changing conditions. § 6.2.3.1 ¶ 3]
    Business Processes Preventive
    Include society in the analysis of the external environment. CC ID 12963
    [While not defined as stakeholders, the natural environment and society as a whole should also be considered by the governing body in its decision-making because they affect or will be affected by the organization's activities. § 4.2.5 ¶ 2
    {legal and regulatory context}{social context}When applying the governance principles and deciding how to appropriately implement the practices, the governing body should take into consideration the unique and dynamic nature of the organization and its context, including the following: legal, regulatory, natural environment, social and economic context; § 5 ¶ 5 Bullet 2
    {social issue} In determining the value generation model, the governing body should understand the context in which the organization operates over time, including stakeholder expectations, regulatory frameworks, technological change, and the present and potential future natural environment, social and economic issues. The governing body should also ensure that the organization's value generation model continues to be viable and responds to changing conditions. § 6.2.3.1 ¶ 3]
    Business Processes Preventive
    Include opportunities in the analysis of the external environment. CC ID 12954 Business Processes Preventive
    Include third party relationships in the analysis of the external environment. CC ID 12952 Business Processes Preventive
    Include industry forces in the analysis of the external environment. CC ID 12904
    [{internal context}When setting the strategic outcomes and guiding the organizational strategy, the governing body should consider the organization's internal and external context, including: the organization's strengths, weaknesses, competitive positioning and operational resilience; § 6.3.3.1.1 ¶ 2 i)]
    Business Processes Preventive
    Include threats in the analysis of the external environment. CC ID 12898
    [Defining the organizational purpose involves identifying the issues and stakeholders for which the organization exists to serve and the negative impacts that are to be avoided. When identifying these, the governing body should ensure that the following are considered: important issues including global threats that evolve over time (e.g. climate change); § 6.1.3.2 ¶ 1 c)]
    Business Processes Preventive
    Include geopolitics in the analysis of the external environment. CC ID 12897 Business Processes Preventive
    Include legal requirements in the analysis of the external environment. CC ID 12896 Business Processes Preventive
    Include technology in the analysis of the external environment. CC ID 12837
    [{social issue} In determining the value generation model, the governing body should understand the context in which the organization operates over time, including stakeholder expectations, regulatory frameworks, technological change, and the present and potential future natural environment, social and economic issues. The governing body should also ensure that the organization's value generation model continues to be viable and responds to changing conditions. § 6.2.3.1 ¶ 3]
    Business Processes Preventive
    Include analyzing the market in the analysis of the external environment. CC ID 12836
    [{legal and regulatory context}{social context}When applying the governance principles and deciding how to appropriately implement the practices, the governing body should take into consideration the unique and dynamic nature of the organization and its context, including the following: legal, regulatory, natural environment, social and economic context; § 5 ¶ 5 Bullet 2
    {social issue} In determining the value generation model, the governing body should understand the context in which the organization operates over time, including stakeholder expectations, regulatory frameworks, technological change, and the present and potential future natural environment, social and economic issues. The governing body should also ensure that the organization's value generation model continues to be viable and responds to changing conditions. § 6.2.3.1 ¶ 3]
    Business Processes Preventive
    Conduct a context analysis to define objectives and strategies. CC ID 12864
    [Leadership styles can differ, but they all involve the setting of expectations which others follow. Since the governing body is accountable for the whole organization, including its behaviour, decisions and activities, the governing body should set those expectations it requires the organization to follow, including the parameters within which the organization is to do so. These expectations should be set mindfully and intentionally, considering the context within which the organization operates. § 6.7.3.1 ¶ 1
    {internal context} When setting the strategic outcomes and guiding the organizational strategy, the governing body should consider the organization's internal and external context, including: § 6.3.3.1.1 ¶ 2
    {social issue} In determining the value generation model, the governing body should understand the context in which the organization operates over time, including stakeholder expectations, regulatory frameworks, technological change, and the present and potential future natural environment, social and economic issues. The governing body should also ensure that the organization's value generation model continues to be viable and responds to changing conditions. § 6.2.3.1 ¶ 3]
    Business Processes Preventive
    Establish, implement, and maintain organizational objectives. CC ID 09959
    [Leadership styles can differ, but they all involve the setting of expectations which others follow. Since the governing body is accountable for the whole organization, including its behaviour, decisions and activities, the governing body should set those expectations it requires the organization to follow, including the parameters within which the organization is to do so. These expectations should be set mindfully and intentionally, considering the context within which the organization operates. § 6.7.3.1 ¶ 1
    Within the organization: The organization should fulfil the expectations set by the governing body. § 6.7.3.2 ¶ 1 b)
    {social context} The governing body should define the organization's value generation objectives such that they fulfil the organizational purpose in accordance with the organizational values and the natural environment, social and economic context within which it operates. This should include iterations of identifying relevant stakeholder groups and determining, prioritizing and formulating objectives which meet the expectations of these groups. § 6.2.3.2 ¶ 1
    The governing body should provide the organization with an understanding of its intentions by setting clear strategic outcomes and guidance on the organizational strategy to achieve these outcomes, which it has determined will fulfil the organizational purpose and value generation objectives. § 6.3.3.1.1 ¶ 1
    Within the governing body: The governing body should set expectations for itself and the organization, including parameters within which these expectations are to be fulfilled. The governing body should fulfil these expectations (internal alignment). § 6.7.3.2 ¶ 1 a)]
    Establish/Maintain Documentation Preventive
    Evaluate organizational objectives to determine impact on other organizational objectives. CC ID 12814 Process or Activity Preventive
    Identify events that may affect organizational objectives. CC ID 12961 Process or Activity Preventive
    Identify conditions that may affect organizational objectives. CC ID 12958
    [{external context}The governing body should ensure that the organizational risk framework, in respect to the management of risk: considers the impact of, changes to and dependencies on the external and internal context of the organization, including: intended strategic outcomes; § 6.9.3.2 ¶ 2 d) 6)]
    Process or Activity Preventive
    Identify requirements that could affect achieving organizational objectives. CC ID 12828
    [When applying the governance principles and deciding how to appropriately implement the practices, the governing body should take into consideration the unique and dynamic nature of the organization and its context, including the following: commitments and obligations associated with organizational activities and value generation processes; § 5 ¶ 5 Bullet 6]
    Business Processes Preventive
    Identify opportunities that could affect achieving organizational objectives. CC ID 12826
    [New technology brings an increase in the volume and value of data, and a responsibility for governing bodies to ensure that: valuable opportunities are leveraged; § 6.8.3.4 ¶ 1 Bullet 2
    To ensure that the organization is acting in a socially responsible way, the governing body should: ensure that issues and opportunities affecting stakeholder expectations are identified and articulated (see 6.9); § 6.10.3 ¶ 1 b)
    Defining the organizational purpose involves identifying the issues and stakeholders for which the organization exists to serve and the negative impacts that are to be avoided. When identifying these, the governing body should ensure that the following are considered: organizational capabilities and opportunities. § 6.1.3.2 ¶ 1 e)
    {internal context}When setting the strategic outcomes and guiding the organizational strategy, the governing body should consider the organization's internal and external context, including: potential opportunities for innovation. § 6.3.3.1.1 ¶ 2 k)
    Defining the organizational purpose involves identifying the issues and stakeholders for which the organization exists to serve and the negative impacts that are to be avoided. When identifying these, the governing body should ensure that the following are considered: § 6.1.3.2 ¶ 1
    Defining the organizational purpose involves identifying the issues and stakeholders for which the organization exists to serve and the negative impacts that are to be avoided. When identifying these, the governing body should ensure that the following are considered: important issues including global threats that evolve over time (e.g. climate change); § 6.1.3.2 ¶ 1 c)]
    Business Processes Preventive
    Prioritize organizational objectives. CC ID 09960
    [{social context} The governing body should define the organization's value generation objectives such that they fulfil the organizational purpose in accordance with the organizational values and the natural environment, social and economic context within which it operates. This should include iterations of identifying relevant stakeholder groups and determining, prioritizing and formulating objectives which meet the expectations of these groups. § 6.2.3.2 ¶ 1]
    Business Processes Preventive
    Select financial reporting objectives consistent with accounting principles available to the organization. CC ID 12400 Business Processes Preventive
    Establish, implement, and maintain a value generation model. CC ID 15591
    [When applying the governance principles and deciding how to appropriately implement the practices, the governing body should take into consideration the unique and dynamic nature of the organization and its context, including the following: value generation model and organizational strategy; § 5 ¶ 5 Bullet 5
    {external context}The governing body should ensure that the organizational risk framework, in respect to the management of risk: considers the impact of, changes to and dependencies on the external and internal context of the organization, including: the value generation model; § 6.9.3.2 ¶ 2 d) 5)
    The governing body should ensure that an overarching value generation model is determined for the organization and is appropriately communicated. § 6.2.3.1 ¶ 1
    {internal context}When setting the strategic outcomes and guiding the organizational strategy, the governing body should consider the organization's internal and external context, including: the organizational purpose, the application of the organizational values and the organization's value generation model; § 6.3.3.1.1 ¶ 2 a)
    Therefore, the governing body should: ensure that interactions and dependencies within the organization's value generation model are articulated in an integrated manner; § 6.11.3.1 ¶ 2 a)
    {social issue} In determining the value generation model, the governing body should understand the context in which the organization operates over time, including stakeholder expectations, regulatory frameworks, technological change, and the present and potential future natural environment, social and economic issues. The governing body should also ensure that the organization's value generation model continues to be viable and responds to changing conditions. § 6.2.3.1 ¶ 3
    The governing body should ensure that the organization's value generation model (see 6.2): describes how the organization's key structures, processes, relationships, information, decision-making, reporting and other aspects inter-relate and are used to generate value over time. § 6.11.3.2 ¶ 1 b)]
    Establish/Maintain Documentation Preventive
    Disseminate and communicate the value generation model to all interested personnel and affected parties. CC ID 15607
    [The governing body should ensure that an overarching value generation model is determined for the organization and is appropriately communicated. § 6.2.3.1 ¶ 1
    To demonstrate accountability, the governing body should ensure that the organization's reports and disclosures: describe the organizational purpose, organizational values, value generation model, organizational strategy and associated governance policies; § 6.5.3.2 ¶ 1 a)]
    Communicate Preventive
    Include value distribution in the value generation model. CC ID 15603
    [{procedure}This value generation model should clarify: how the value generated is to be retained and distributed (sustain). § 6.2.3.1 ¶ 2 Bullet 4
    {be viable} The governing body should ensure that value is retained and distributed in a manner that ensures that the organization is agile, viable over time and achieves its value generation objectives. § 6.2.3.5 ¶ 1
    The governing body should demonstrate accountability by retaining and distributing value in a transparent manner and reporting on the associated processes, decisions and results, including on the extent of the organization's impacts over time. This includes disclosing to relevant stakeholders where the organization has destroyed or compromised value, providing a justification for such where appropriate, and describing how it will redress or reinstate that value. § 6.2.3.5 ¶ 2]
    Establish/Maintain Documentation Preventive
    Include value retention in the value generation model. CC ID 15600
    [{procedure}This value generation model should clarify: how the value generated is to be retained and distributed (sustain). § 6.2.3.1 ¶ 2 Bullet 4
    {be viable} The governing body should ensure that value is retained and distributed in a manner that ensures that the organization is agile, viable over time and achieves its value generation objectives. § 6.2.3.5 ¶ 1
    The governing body should demonstrate accountability by retaining and distributing value in a transparent manner and reporting on the associated processes, decisions and results, including on the extent of the organization's impacts over time. This includes disclosing to relevant stakeholders where the organization has destroyed or compromised value, providing a justification for such where appropriate, and describing how it will redress or reinstate that value. § 6.2.3.5 ¶ 2]
    Establish/Maintain Documentation Preventive
    Include value generation procedures in the value generation model. CC ID 15599
    [{procedure}This value generation model should clarify: how the organization should generate that value (create); § 6.2.3.1 ¶ 2 Bullet 2
    The governing body should ensure that the organization's value generation model (see 6.2): identifies the key resources (e.g. capitals such as human, social and relational, intellectual, the natural environmental, financial and manufactured), structures, processes, relationships, information, decision-making, reporting and other aspects of the organization that allow it to create sustained value for relevant stakeholders; § 6.11.3.2 ¶ 1 a)
    {procedure}This value generation model should clarify: how the generation of value will be assured (deliver); § 6.2.3.1 ¶ 2 Bullet 3]
    Establish/Maintain Documentation Preventive
    Establish, implement, and maintain value generation objectives. CC ID 15583
    [Effective performance — The organization: generates value for stakeholders; § 5 ¶ 2 a) 3)
    {member stakeholder}{reference stakeholder}{be fair} The governing body should treat, and ensure that the organization treats, all stakeholders fairly and should consider the expectations of relevant stakeholders. The governing body should ensure that the organizational purpose (see 6.1) and the intended value to be generated (see 6.2) are defined through engagement with member, reference and other relevant stakeholders. § 4.2.5 ¶ 1
    Governance of organizations is a human-based system by which an organization is directed, overseen and held accountable for achieving its defined organizational purpose. At its core this includes: determining the organization's approach to value generation; § 4.1 ¶ 3 b)
    {social context}{economic context} The governing body should define the organization's value generation objectives such that they fulfil the organizational purpose in accordance with the organizational values and the natural environment, social, and economic context within which it operates. Table 1 Column 4 Row 3
    {social context}{economic context} The governing body should define the organization's value generation objectives such that they fulfil the organizational purpose in accordance with the organizational values and the natural environment, social and economic context within which it operates. § 6.2.1 ¶ 1
    This value generation model should clarify: what value the organization is intending to generate (define); § 6.2.3.1 ¶ 2 Bullet 1
    {social context} The governing body should define the organization's value generation objectives such that they fulfil the organizational purpose in accordance with the organizational values and the natural environment, social and economic context within which it operates. This should include iterations of identifying relevant stakeholder groups and determining, prioritizing and formulating objectives which meet the expectations of these groups. § 6.2.3.2 ¶ 1
    The governing body should ensure that the value generation objectives are delivered by the organization as a whole, by applying all other principles in this document. This includes ensuring that: § 6.2.3.4 ¶ 1
    {internal context}When setting the strategic outcomes and guiding the organizational strategy, the governing body should consider the organization's internal and external context, including: the defined value generation objectives; § 6.3.3.1.1 ¶ 2 d)
    The governing body should actively and dynamically steer the implementation of the organizational strategy, within the defined governance policies, including organizational values, and changing risk context, to fulfil the organizational purpose. The governing body should also steer the strategy so that the generation of value in the present context is balanced with the innovation required to generate value in the future. § 6.3.3.2.2 ¶ 1
    The governing body should ensure that the value generation objectives are delivered by the organization as a whole, by applying all other principles in this document. This includes ensuring that: assurance is obtained on the realization of the value generation objectives. § 6.2.3.4 ¶ 1 c)]
    Establish/Maintain Documentation Preventive
    Establish, implement, and maintain social responsibility objectives. CC ID 15611
    [The governing body should ensure that the organization considers undertaking specific measures to contribute to the wellbeing of society. Philanthropy can have a positive impact on society. However, it should not be used by an organization as a substitute for integrating social responsibility into the organization (see ISO 26000:2010, 3.3.4). § 6.10.3 ¶ 3]
    Establish/Maintain Documentation Preventive
    Establish and maintain a Mission, Vision, and Values Statement. CC ID 12783
    [{be dynamic}{be sensitive}The governing body should ensure that: the organizational purpose remains dynamic and sensitive to the changing context within which the organization operates. § 6.1.3.2 ¶ 2 Bullet 4
    When applying the governance principles and deciding how to appropriately implement the practices, the governing body should take into consideration the unique and dynamic nature of the organization and its context, including the following: organizational purpose and organizational values; § 5 ¶ 5 Bullet 1
    {external context}The governing body should ensure that the organizational risk framework, in respect to the management of risk: considers the impact of, changes to and dependencies on the external and internal context of the organization, including: the organizational purpose; § 6.9.3.2 ¶ 2 d) 3)
    {external context}The governing body should ensure that the organizational risk framework, in respect to the management of risk: considers the impact of, changes to and dependencies on the external and internal context of the organization, including: the organizational values; § 6.9.3.2 ¶ 2 d) 4)
    Governance of organizations is a human-based system by which an organization is directed, overseen and held accountable for achieving its defined organizational purpose. At its core this includes: setting and committing to the organizational purpose and organizational values; § 4.1 ¶ 3 a)
    Having defined the organizational values, the governing body should ensure that these organizational values are being demonstrated and are an active part of decision-making. The governing body should use these organizational values to determine the manner in which the organizational purpose is to be pursued and the value generation objectives are to be achieved (see 6.2). The governing body remains responsible for ensuring that the organizational values are monitored and reviewed, and should assess whether the organizational values remain aligned to, and support, the organizational purpose. The effectiveness of the organizational values will be evident in the culture of the organization. § 6.1.3.3 ¶ 2
    Effective performance — The organization: is true to its purpose; § 5 ¶ 2 a) 1)]
    Establish/Maintain Documentation Preventive
    Include the vision statement in the Mission, Vision, and Values Statement. CC ID 12839 Establish/Maintain Documentation Preventive
    Include the mission statement in the Mission, Vision, and Values Statement. CC ID 12838
    [{member stakeholder}{reference stakeholder}{be fair} The governing body should treat, and ensure that the organization treats, all stakeholders fairly and should consider the expectations of relevant stakeholders. The governing body should ensure that the organizational purpose (see 6.1) and the intended value to be generated (see 6.2) are defined through engagement with member, reference and other relevant stakeholders. § 4.2.5 ¶ 1
    To ensure that the organization is acting in a socially responsible way, the governing body should: ensure that the organizational purpose expresses the organization's approach to stakeholders; § 6.10.3 ¶ 1 c)
    The governing body should ensure that: the essence of the organizational purpose is documented in a summary statement to promote effective communication and to assess and determine organization-wide actions and success; § 6.1.3.2 ¶ 2 Bullet 1
    The governing body should ensure that the organization's reason for existence is clearly defined as an organizational purpose. This organizational purpose should define the organization's intentions towards the natural environment, society and the organization's stakeholders. The governing body should also ensure that an associated set of organizational values is clearly defined. § 6.1.1 ¶ 1
    The governing body should ensure that the organizational purpose and organizational values are defined, communicated and embedded. § 6.1.3.1 ¶ 1
    Defining the organizational purpose involves identifying the issues and stakeholders for which the organization exists to serve and the negative impacts that are to be avoided. When identifying these, the governing body should ensure that the following are considered: existing documentation relating to the organizational purpose and the scope of the organization's activities, such as constituting documents or other artefacts; § 6.1.3.2 ¶ 1 a)
    {internal context}When setting the strategic outcomes and guiding the organizational strategy, the governing body should consider the organization's internal and external context, including: the organizational purpose, the application of the organizational values and the organization's value generation model; § 6.3.3.1.1 ¶ 2 a)
    The governing body should ensure that the organization's reason for existence is clearly defined as an organizational purpose. This organizational purpose should define the organization's intentions towards the natural environment, society and the organization's stakeholders. The governing body should also ensure that an associated set of organizational values is clearly defined. Table 1 Column 4 Row 2]
    Establish/Maintain Documentation Preventive
    Include management commitment in the Mission, Vision, and Values Statement. CC ID 12808 Establish/Maintain Documentation Preventive
    Include the value statement in the Mission, Vision, and Values Statement. CC ID 12807
    [Defining the organizational purpose involves identifying the issues and stakeholders for which the organization exists to serve and the negative impacts that are to be avoided. When identifying these, the governing body should ensure that the following are considered: the historic, current and aspirational core identity of the organization, including the organizational values and expected ethical behaviour; § 6.1.3.2 ¶ 1 b)
    The governing body should ensure that the organization's reason for existence is clearly defined as an organizational purpose. This organizational purpose should define the organization's intentions towards the natural environment, society and the organization's stakeholders. The governing body should also ensure that an associated set of organizational values is clearly defined. § 6.1.1 ¶ 1
    The governing body should ensure that the organizational purpose and organizational values are defined, communicated and embedded. § 6.1.3.1 ¶ 1
    The governing body should ensure that the organization's reason for existence is clearly defined as an organizational purpose. This organizational purpose should define the organization's intentions towards the natural environment, society and the organization's stakeholders. The governing body should also ensure that an associated set of organizational values is clearly defined. Table 1 Column 4 Row 2]
    Establish/Maintain Documentation Preventive
    Include environmental factors in the Mission, Vision, and Values Statement. CC ID 15590
    [The governing body should ensure that the organization's reason for existence is clearly defined as an organizational purpose. This organizational purpose should define the organization's intentions towards the natural environment, society and the organization's stakeholders. The governing body should also ensure that an associated set of organizational values is clearly defined. § 6.1.1 ¶ 1
    The governing body should ensure that the organization's reason for existence is clearly defined as an organizational purpose. This organizational purpose should define the organization's intentions towards the natural environment, society and the organization's stakeholders. The governing body should also ensure that an associated set of organizational values is clearly defined. Table 1 Column 4 Row 2]
    Establish/Maintain Documentation Preventive
    Include societal factors in the Mission, Vision, and Values Statement. CC ID 15605
    [The governing body should ensure that the organization's reason for existence is clearly defined as an organizational purpose. This organizational purpose should define the organization's intentions towards the natural environment, society and the organization's stakeholders. The governing body should also ensure that an associated set of organizational values is clearly defined. § 6.1.1 ¶ 1
    The governing body should ensure that the organization's reason for existence is clearly defined as an organizational purpose. This organizational purpose should define the organization's intentions towards the natural environment, society and the organization's stakeholders. The governing body should also ensure that an associated set of organizational values is clearly defined. Table 1 Column 4 Row 2]
    Establish/Maintain Documentation Preventive
    Include stakeholder requirements in the Mission, Vision, and Values Statement. CC ID 15586
    [The governing body should ensure that the organization's reason for existence is clearly defined as an organizational purpose. This organizational purpose should define the organization's intentions towards the natural environment, society and the organization's stakeholders. The governing body should also ensure that an associated set of organizational values is clearly defined. § 6.1.1 ¶ 1
    The governing body should ensure that the organization's reason for existence is clearly defined as an organizational purpose. This organizational purpose should define the organization's intentions towards the natural environment, society and the organization's stakeholders. The governing body should also ensure that an associated set of organizational values is clearly defined. Table 1 Column 4 Row 2]
    Establish/Maintain Documentation Preventive
    Disseminate and communicate the Mission, Vision, and Values Statement to all interested personnel and affected parties. CC ID 15585
    [The governing body should ensure that the organizational purpose and organizational values and their centrality are effectively communicated throughout the organization and are available to the organization's stakeholders. § 6.1.3.4 ¶ 2
    The governing body should ensure that: the organizational purpose is available to all stakeholders and reflected in the constituting documents where possible; § 6.1.3.2 ¶ 2 Bullet 2
    The governing body should ensure that the organizational purpose and organizational values are defined, communicated and embedded. § 6.1.3.1 ¶ 1
    To demonstrate accountability, the governing body should ensure that the organization's reports and disclosures: describe the organizational purpose, organizational values, value generation model, organizational strategy and associated governance policies; § 6.5.3.2 ¶ 1 a)
    To ensure that the organization is acting in a socially responsible way, the governing body should: engage with all relevant stakeholders when determining and reviewing the organizational values and promote the organizational values to stakeholders; § 6.10.3 ¶ 1 d)]
    Communicate Preventive
    Disseminate and communicate organizational objectives, functions, and activities to all interested personnel and affected parties. CC ID 13191
    [To ensure that the organization is acting in a socially responsible way, the governing body should: report the organization's social responsibility objectives clearly and transparently so that stakeholders can understand these objectives, how they are being met and what performance is being achieved against them, as well as provide the necessary evidence to support such claims; § 6.10.3 ¶ 1 h)]
    Communicate Preventive
    Document and communicate the linkage between organizational objectives, functions, activities, and general controls. CC ID 12398
    [To demonstrate accountability, the governing body should ensure that the organization's reports and disclosures: provide information about the organization, including: the organization's performance in fulfilling the organizational purpose; § 6.5.3.2 ¶ 1 c) 1)
    To ensure that the organization is acting in a socially responsible way, the governing body should: report the organization's social responsibility objectives clearly and transparently so that stakeholders can understand these objectives, how they are being met and what performance is being achieved against them, as well as provide the necessary evidence to support such claims; § 6.10.3 ¶ 1 h)
    The governing body should ensure that the organization's value generation model (see 6.2): identifies the key resources (e.g. capitals such as human, social and relational, intellectual, the natural environmental, financial and manufactured), structures, processes, relationships, information, decision-making, reporting and other aspects of the organization that allow it to create sustained value for relevant stakeholders; § 6.11.3.2 ¶ 1 a)
    The governing body should ensure that when the organization reports and discloses its value generation model (see 6.2 and 6.5) these include: the integrated view of the relationships between the organization's value generation model and the systems on which this depends (and which the organization also affects through its value generation); § 6.11.3.4 ¶ 2 a)
    The governing body is accountable for ensuring that the organization fulfils the defined organizational purpose and should ensure that the organization does so in a manner which demonstrates the defined organizational values. § 6.1.3.4 ¶ 1
    The governing body should ensure that the organization's value generation model (see 6.2): describes how the organization's key structures, processes, relationships, information, decision-making, reporting and other aspects inter-relate and are used to generate value over time. § 6.11.3.2 ¶ 1 b)
    Be open about decisions and activities that affect the natural environment, society and the economy, and be willing to communicate these in a clear, accurate, timely, honest and complete manner. Table 2 Column 2 Row 4 Bullet 1]
    Establish/Maintain Documentation Preventive
    Identify threats that could affect achieving organizational objectives. CC ID 12827 Business Processes Preventive
    Identify how opportunities, threats, and external requirements are trending. CC ID 12829 Process or Activity Preventive
    Identify relationships between opportunities, threats, and external requirements. CC ID 12805
[{social context}{internal context} When setting the strategic outcomes and guiding the organizational strategy, the governing body should consider the organization's internal and external context, including: the interdependence between the natural environment, social and economic context – the organization's material impact on the context and its material impact on the organization; § 6.3.3.1.1 ¶ 2 e)
    Therefore, the governing body should: ensure that the natural environmental, social and economic system relationships that underpin the organization's value generation model are identified and assessed; § 6.11.3.1 ¶ 2 b)]
    Process or Activity Preventive
    Review the organization's approach to managing information security, as necessary. CC ID 12005 Business Processes Preventive
    Identify all interested personnel and affected parties. CC ID 12845
    [The governing body should ensure that the organization's stakeholders are identified, prioritized, appropriately engaged, consulted and their expectations understood. The governing body should do this to ensure that stakeholder relationships are effective and appropriate decisions about expectations are made to achieve the intended value generation objectives. § 6.6.3 ¶ 1
    {social context} The governing body should define the organization's value generation objectives such that they fulfil the organizational purpose in accordance with the organizational values and the natural environment, social and economic context within which it operates. This should include iterations of identifying relevant stakeholder groups and determining, prioritizing and formulating objectives which meet the expectations of these groups. § 6.2.3.2 ¶ 1
    Defining the organizational purpose involves identifying the issues and stakeholders for which the organization exists to serve and the negative impacts that are to be avoided. When identifying these, the governing body should ensure that the following are considered: § 6.1.3.2 ¶ 1]
    Process or Activity Detective
    Establish, implement, and maintain criteria for grouping stakeholders. CC ID 15584
    [When the governing body groups stakeholders, it should clarify its criteria for grouping, and for determining the relevance of, stakeholders. The governing body should also ensure that a stakeholder engagement process is devised on this basis. § 6.6.3 ¶ 2]
    Process or Activity Preventive
    Analyze and prioritize the requirements of interested personnel and affected parties. CC ID 12796
[{member stakeholder} When applying the governance principles and deciding how to appropriately implement the practices, the governing body should take into consideration the unique and dynamic nature of the organization and its context, including the following: expectations of relevant stakeholders, particularly member and reference stakeholders; § 5 ¶ 5 Bullet 3
    {member stakeholder}{reference stakeholder}{be fair} The governing body should treat, and ensure that the organization treats, all stakeholders fairly and should consider the expectations of relevant stakeholders. The governing body should ensure that the organizational purpose (see 6.1) and the intended value to be generated (see 6.2) are defined through engagement with member, reference and other relevant stakeholders § 4.2.5 ¶ 1
    The governing body should oversee organizational performance by assessing and taking corrective action based on: the organization's identification of, and engagement with, relevant stakeholders (see 6.6); § 6.4.3.2 ¶ 1 e)
    The governing body should ensure that the organization's stakeholders are appropriately engaged and their expectations considered. § 6.6.1 ¶ 1
    The governing body should ensure that the organization's stakeholders are identified, prioritized, appropriately engaged, consulted and their expectations understood. The governing body should do this to ensure that stakeholder relationships are effective and appropriate decisions about expectations are made to achieve the intended value generation objectives. § 6.6.3 ¶ 1
    The governing body should consider the expectations of relevant stakeholder groups whether the organization is obliged to do so (e.g. member stakeholders, regulators) or whether it chooses to do so (e.g. reference stakeholders). The governing body should ensure that: § 6.6.3 ¶ 3
    The governing body should provide direction for, and have sufficient oversight of, the use of data and its supporting information technology to ensure the organization remains within its established risk appetite and organizational risk framework. This can include: ensuring that the wider organizational stakeholders are considered in the organization's use of information technology, particularly as it relates to human capital. § 6.8.3.4 ¶ 2 f)
{external context} The governing body should ensure that the organizational risk framework, in respect to the management of risk: considers the impact of, changes to and dependencies on the external and internal context of the organization, including: stakeholders; § 6.9.3.2 ¶ 2 d) 1)
{stakeholder engagement process} To ensure that the organization is acting in a socially responsible way, the governing body should: ensure that the expectations of stakeholders are clearly understood; this includes continually engaging relevant stakeholders through an engagement process and a highly developed approach to accountability (see 6.5); § 6.10.3 ¶ 1 a)
    The governing body should ensure that the organization's stakeholders are appropriately engaged and their expectations considered. Table 1 Column 4 Row 7
{member stakeholder}{reference stakeholder} Defining the organizational purpose involves identifying the issues and stakeholders for which the organization exists to serve and the negative impacts that are to be avoided. When identifying these, the governing body should ensure that the following are considered: member, reference and other relevant stakeholder expectations; § 6.1.3.2 ¶ 1 d)
    The organization's viability and performance over time depends on the resilience of natural environmental, social and economic systems in which the organization operates. The resilience of these systems benefits from governing body decisions when such decisions consider: relevant stakeholder expectations (see 6.6 and 6.10); § 6.11.3.1 ¶ 1 Bullet 1
{internal context} When setting the strategic outcomes and guiding the organizational strategy, the governing body should consider the organization's internal and external context, including: relevant stakeholder expectations; § 6.3.3.1.1 ¶ 2 j)
    Effective performance — The organization: remains in alignment with its policies and relevant stakeholder expectations. § 5 ¶ 2 a) 4)
    Responsible stewardship — The organization: engenders the trust and confidence of the communities within which it operates, and beyond. § 5 ¶ 2 b) 5)
    A process of reconciliation between seemingly opposed dimensions leads to more informed and robust decisions. Reconciling dilemmas requires a deliberate approach that includes: understanding and articulating the opposing perspectives; § 6.7.3.4 ¶ 2 b)
    {social issue} In determining the value generation model, the governing body should understand the context in which the organization operates over time, including stakeholder expectations, regulatory frameworks, technological change, and the present and potential future natural environment, social and economic issues. The governing body should also ensure that the organization's value generation model continues to be viable and responds to changing conditions. § 6.2.3.1 ¶ 3]
    Business Processes Preventive
    Establish, implement, and maintain data governance and management practices. CC ID 14998
    [The governing body should recognize data as a valuable resource for decision-making by the governing body, the organization and others. § 6.8.1 ¶ 1
    The governing body should ensure that the organization identifies, manages, monitors and communicates the nature and extent of its use of data (see 6.5.3). § 6.8.3.1 ¶ 1
    The recognition that data can be a strategic asset (or liability) means that the governing body should: acknowledge the complexities and growing importance of data and establish governance policies and direction that aligns with the organization's needs and the degree of change required; § 6.8.3.3 ¶ 1 c)
    The recognition that data can be a strategic asset (or liability) means that the governing body should: understand the use, and potential use, of data by the organization and others (e.g. suppliers, customers, regulators and other relevant stakeholders as well as competitors and those who can misuse the data); § 6.8.3.3 ¶ 1 b)
    The governing body should provide direction for, and have sufficient oversight of, the use of data and its supporting information technology to ensure the organization remains within its established risk appetite and organizational risk framework. This can include: § 6.8.3.4 ¶ 2
    The governing body should recognize data as a valuable resource for decision-making by the governing body, the organization and others. Table 1 Column 4 Row 9
    {be responsible}{be ethical} The governing body should, in particular, ensure that the organization recognizes data as a strategic resource and ensure that the organization uses data responsibly and ethically. § 6.8.3.1 ¶ 2
    The governing body should oversee organizational performance by assessing and taking corrective action based on: the organization's controlling and processing of data, ensuring that data are recognized as a valuable and strategic organizational resource (see 6.8); § 6.4.3.2 ¶ 1 h)
    The recognition that data can be a strategic asset (or liability) means that the governing body should: ensure that the organization establishes a formal approach to its management of data and, where necessary, assurance is provided (see 6.4.3); § 6.8.3.3 ¶ 1 a)]
    Establish/Maintain Documentation Preventive
    Address shortcomings of the data sets in the data governance and management practices. CC ID 15087 Establish/Maintain Documentation Preventive
    Include any shortcomings of the data sets in the data governance and management practices. CC ID 15086 Establish/Maintain Documentation Preventive
    Include bias for data sets in the data governance and management practices. CC ID 15085 Establish/Maintain Documentation Preventive
    Include a data strategy in the data governance and management practices. CC ID 15304 Establish/Maintain Documentation Preventive
    Include data monitoring in the data governance and management practices. CC ID 15303
    [The governing body should ensure that the organization identifies, manages, monitors and communicates the nature and extent of its use of data (see 6.5.3). § 6.8.3.1 ¶ 1
    The governing body should provide direction for, and have sufficient oversight of, the use of data and its supporting information technology to ensure the organization remains within its established risk appetite and organizational risk framework. This can include: the adoption of a system to ensure the rights, obligations and constraints of data sets are understood and tracked, e.g. privacy and intellectual property right obligations; § 6.8.3.4 ¶ 2 a)]
    Establish/Maintain Documentation Preventive
    Include an assessment of the data sets in the data governance and management practices. CC ID 15084
    [The governing body should provide direction for, and have sufficient oversight of, the use of data and its supporting information technology to ensure the organization remains within its established risk appetite and organizational risk framework. This can include: the adoption of a system to ensure the rights, obligations and constraints of data sets are understood and tracked, e.g. privacy and intellectual property right obligations; § 6.8.3.4 ¶ 2 a)]
    Establish/Maintain Documentation Preventive
    Include assumptions for the formulation of data sets in the data governance and management practices. CC ID 15083 Establish/Maintain Documentation Preventive
    Include data collection for data sets in the data governance and management practices. CC ID 15082 Establish/Maintain Documentation Preventive
    Include data preparations for data sets in the data governance and management practices. CC ID 15081
    [The governing body should make decisions of requisite quality and ensure that its decision-making is appropriately informed. The governing body should: exercise its right and responsibility to determine and receive the information it requires, including determining the appropriate data collection methods, preparation and timely delivery of information; § 6.8.3.2.1 ¶ 1 f)]
    Establish/Maintain Documentation Preventive
    Include design choices for data sets in the data governance and management practices. CC ID 15080 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain an information classification standard. CC ID 00601 Establish/Maintain Documentation Preventive
    Take into account the accessibility to and location of the data or information when establishing information impact levels. CC ID 04787 Data and Information Management Preventive
    Take into account the organization's obligation to protect data or information when establishing information impact levels. CC ID 04786 Data and Information Management Preventive
    Take into account the context of use for data or information when establishing information impact levels. CC ID 04785 Data and Information Management Preventive
    Take into account the potential aggregation of restricted data fields when establishing information impact levels. CC ID 04784 Data and Information Management Preventive
    Classify the sensitivity to unauthorized disclosure or modification of information in the information classification standard. CC ID 11997 Data and Information Management Preventive
    Take into account the distinguishability factor when establishing information impact levels. CC ID 04783 Data and Information Management Preventive
    Classify the criticality to unauthorized disclosure or modification of information in the information classification standard. CC ID 11996 Data and Information Management Preventive
    Classify the value of information in the information classification standard. CC ID 11995 Data and Information Management Preventive
    Classify the legal requirements of information in the information classification standard. CC ID 11994 Data and Information Management Preventive
    Establish, implement, and maintain a data classification scheme. CC ID 11628 Establish/Maintain Documentation Preventive
    Take into account the characteristics of the geographical, behavioral and functional setting for all datasets. CC ID 15046 Data and Information Management Preventive
    Approve the data classification scheme. CC ID 13858 Establish/Maintain Documentation Detective
    Disseminate and communicate the data classification scheme to interested personnel and affected parties. CC ID 16804 Communicate Preventive
    Establish and maintain an organizational data dictionary, including data syntax rules. CC ID 00600 Establish/Maintain Documentation Preventive
    Refrain from including metadata in the data dictionary. CC ID 13529 Establish/Maintain Documentation Preventive
    Refrain from allowing incompatible data elements in the data dictionary. CC ID 13624 Establish/Maintain Documentation Preventive
    Include information needed to understand each data element and population in the data dictionary. CC ID 13528 Establish/Maintain Documentation Preventive
    Ensure the data dictionary is complete and accurate. CC ID 13527 Investigate Detective
    Include the factors to determine what is included or excluded from the data element in the data dictionary. CC ID 13525 Establish/Maintain Documentation Preventive
    Include the date or time period the data was observed in the data dictionary. CC ID 13524 Establish/Maintain Documentation Preventive
    Include the uncertainty in the population of each data element in the data dictionary. CC ID 13522 Establish/Maintain Documentation Preventive
    Include the uncertainty of each data element in the data dictionary. CC ID 13521 Establish/Maintain Documentation Preventive
    Include the measurement units for each data element in the data dictionary. CC ID 13534 Establish/Maintain Documentation Preventive
    Include the precision of the measurement in the data dictionary. CC ID 13520 Establish/Maintain Documentation Preventive
    Include the data source in the data dictionary. CC ID 13519 Establish/Maintain Documentation Preventive
    Include the nature of each element in the data dictionary. CC ID 13518 Establish/Maintain Documentation Preventive
    Include the population of events or instances in the data dictionary. CC ID 13517 Establish/Maintain Documentation Preventive
    Disseminate and communicate the data dictionary to interested personnel and affected parties. CC ID 13516 Communicate Preventive
    Establish, implement, and maintain an Information and Infrastructure Architecture model. CC ID 00599 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain sustainable infrastructure planning. CC ID 00603
    [Responsible stewardship — The organization: ensures its contribution to sustainable development; § 5 ¶ 2 b) 4)
    {be viable} The governing body should ensure that the organization remains viable, and performs over time, without compromising the ability of current and future generations to meet their needs. Table 1 Column 4 Row 12
    {be viable} The governing body should ensure that the organization remains viable, and performs over time, without compromising the ability of current and future generations to meet their needs. § 6.11.1 ¶ 1
    The aim of governance, and the duty of the governing body, is to create the conditions for, and to enable, the organization to perform over time, such that it fulfils its organizational purpose and generates value as intended. An organization can be said to be contributing to sustainable development, and to be sustainable, when it generates value in a manner that meets the needs of the present without compromising the ability of future generations to meet their own needs. By aligning an organization's governance with sustainable development, e.g. via the UN SDGs, governing bodies help create the conditions for an organization's future success. As a result, governing bodies should ensure that sustainable development and sustainability are fundamental considerations when governing and applying the governance principles in this document. § 4.2.4 ¶ 1]
    Establish/Maintain Documentation Preventive
    Take into account the need for protecting information confidentiality during infrastructure planning. CC ID 06486 Behavior Preventive
    Establish, implement, and maintain an organizational structure. CC ID 16310 Establish/Maintain Documentation Preventive
    Monitor regulatory trends to maintain compliance. CC ID 00604
[{external context} The governing body should ensure that the organizational risk framework, in respect to the management of risk: considers the impact of, changes to and dependencies on the external and internal context of the organization, including: short-, medium- and long-term trends including social responsibility and sustainability trends; § 6.9.3.2 ¶ 2 d) 2)]
    Monitor and Evaluate Occurrences Detective
    Monitor for new Information Security solutions. CC ID 07078 Monitor and Evaluate Occurrences Detective
    Subscribe to a threat intelligence service to receive notification of emerging threats. CC ID 12135 Technical Security Detective
    Disseminate and communicate emerging threats to all interested personnel and affected parties. CC ID 12185 Communicate Preventive
    Disseminate and communicate updated guidance documentation to interested personnel and affected parties upon discovery of a new threat. CC ID 12191 Communicate Corrective
    Establish, implement, and maintain a Quality Management framework. CC ID 07196 Establish/Maintain Documentation Preventive
    Include supply chain management standards in the Quality Management framework. CC ID 13701 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain a Quality Management policy. CC ID 13694 Establish/Maintain Documentation Preventive
    Include a commitment to satisfy applicable requirements in the Quality Management policy. CC ID 13700 Establish/Maintain Documentation Preventive
    Tailor the Quality Management policy to support the organization's strategic direction. CC ID 13699 Establish/Maintain Documentation Preventive
    Include a commitment to continual improvement of the Quality Management system in the Quality Management policy. CC ID 13698 Establish/Maintain Documentation Preventive
    Include critical Information Technology processes in the Quality Management framework. CC ID 13645 Establish/Maintain Documentation Preventive
    Disseminate and communicate the Quality Management policy to all interested personnel and affected parties. CC ID 13695 Communicate Preventive
    Disseminate and communicate the Quality Management framework to all stakeholders. CC ID 13680 Communicate Preventive
    Align the quality objectives with the Quality Management policy. CC ID 13697 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain a Quality Management standard. CC ID 01006 Establish/Maintain Documentation Preventive
    Document the measurements used by Quality Assurance and Quality Control testing. CC ID 07200 Establish/Maintain Documentation Preventive
    Enforce a continuous Quality Control system. CC ID 01005 Business Processes Detective
    Conduct Quality Control to ensure adherence to Information Technology policies, standards, and procedures. CC ID 01008 Testing Detective
    Establish, implement, and maintain a Quality Management program. CC ID 07201 Establish/Maintain Documentation Preventive
    Notify affected parties and interested personnel of quality management system approvals that have been refused, suspended, or withdrawn. CC ID 15045 Communicate Preventive
    Notify affected parties and interested personnel of quality management system approvals that have been issued. CC ID 15036 Communicate Preventive
    Correct errors and deficiencies in a timely manner. CC ID 13501
    [Decision-making throughout the organization should be supported by appropriate delegation (see 4.2.2). This delegation should be formalized together with appropriate assurance processes. Additionally, the governing body should ensure that: information structures, including access to information, monitoring and potential mitigation of incorrect decisions are sufficient to ensure compliance with organizational requirements. § 6.8.3.2.2 ¶ 1 c)]
    Business Processes Corrective
    Include quality objectives in the Quality Management program. CC ID 13693 Establish/Maintain Documentation Preventive
    Include records management in the quality management system. CC ID 15055 Establish/Maintain Documentation Preventive
    Include risk management in the quality management system. CC ID 15054 Establish/Maintain Documentation Preventive
    Include data management procedures in the quality management system. CC ID 15052 Establish/Maintain Documentation Preventive
    Include a post-market monitoring system in the quality management system. CC ID 15027 Establish/Maintain Documentation Preventive
    Include operational roles and responsibilities in the quality management system. CC ID 15028 Establish/Maintain Documentation Preventive
    Include quality gates and testing milestones in the Quality Management program. CC ID 06825 Systems Design, Build, and Implementation Preventive
    Include resource management in the quality management system. CC ID 15026
    [The value generation model requires an integrated approach to understanding and using resources (e.g. human, social and relational, intellectual, the natural environment, financial and manufactured). This approach includes: § 6.2.3.1 ¶ 4
    The governing body should ensure that it sets parameters, within which the value generation objectives are to be achieved. These parameters should ensure that the organization: recognizes and optimizes the interaction between the required resources. § 6.2.3.3 ¶ 1 c)
    The governing body should oversee organizational performance by assessing and taking corrective action based on: resource allocations, capacity and capabilities (including people and their development) ensuring that the organization is enabled to meet its organizational purpose, value generation objectives and strategic outcomes; § 6.4.3.2 ¶ 1 g)]
    Establish/Maintain Documentation Preventive
    Include communication protocols in the quality management system. CC ID 15025 Establish/Maintain Documentation Preventive
    Include incident reporting procedures in the quality management system. CC ID 15023 Establish/Maintain Documentation Preventive
    Include technical specifications in the quality management system. CC ID 15021 Establish/Maintain Documentation Preventive
    Document the deficiencies in a deficiency report that were found during Quality Control and corrected during Quality Improvement. CC ID 07203 Establish/Maintain Documentation Preventive
    Include program documentation standards in the Quality Management program. CC ID 01016 Establish/Maintain Documentation Preventive
    Establish and maintain time frames for correcting deficiencies found during Quality Control. CC ID 07206 Business Processes Detective
    Include program testing standards in the Quality Management program. CC ID 01017 Establish/Maintain Documentation Preventive
    Review and analyze any quality improvement goals that were missed. CC ID 07204 Business Processes Detective
    Include system testing standards in the Quality Management program. CC ID 01018 Establish/Maintain Documentation Preventive
    Include an issue tracking system in the Quality Management program. CC ID 06824 Systems Design, Build, and Implementation Preventive
    Establish and maintain the scope of the organizational compliance framework and Information Assurance controls. CC ID 01241 Establish/Maintain Documentation Preventive
    Identify roles, tasks, information, systems, and assets that fall under the organization's mandated Authority Documents. CC ID 00688
    [The governing body should ensure that the organization identifies, manages, monitors and communicates the nature and extent of its use of data (see 6.5.3). § 6.8.3.1 ¶ 1
    The value generation model requires an integrated approach to understanding and using resources (e.g. human, social and relational, intellectual, the natural environment, financial and manufactured). This approach includes: identification of all resources involved in the model; § 6.2.3.1 ¶ 4 a)
    The governing body should ensure that the organization's value generation model (see 6.2): identifies the key resources (e.g. capitals such as human, social and relational, intellectual, the natural environmental, financial and manufactured), structures, processes, relationships, information, decision-making, reporting and other aspects of the organization that allow it to create sustained value for relevant stakeholders; § 6.11.3.2 ¶ 1 a)
    The governing body should ensure that the organization's value generation model identifies and assesses (see 6.2): the relevant external systems on which the organization depends; § 6.11.3.3 ¶ 1 a)]
    Business Processes Preventive
    Establish and maintain an Information Systems Assurance Categories Definitions document. CC ID 01608 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain a policy and procedure management program. CC ID 06285 Establish/Maintain Documentation Preventive
    Analyze organizational policies, as necessary. CC ID 14037 Establish/Maintain Documentation Detective
    Assess the impact of changes to organizational policies, standards, and procedures, as necessary. CC ID 14824
    [The governing body should oversee organizational performance by assessing and taking corrective action based on: the organization's management of plans, organizational changes and other substantial transformations as well as responses to unplanned events and incidents. § 6.4.3.2 ¶ 1 j)]
    Business Processes Preventive
    Establish and maintain an Authority Document list. CC ID 07113 Establish/Maintain Documentation Preventive
    Document organizational procedures that harmonize external requirements, including all legal requirements. CC ID 00623
    [Ethical and effective leadership should be demonstrated in three areas: the manner in which the organization interacts with, and impacts, its stakeholders and the context within which it operates. § 6.7.3.1 ¶ 4 c)
    {human right}The governing body should consider the expectations of relevant stakeholder groups whether the organization is obliged to do so (e.g. member stakeholders, regulators) or whether it chooses to do so (e.g. reference stakeholders). The governing body should ensure that: human and labour rights in all countries of operation are respected; § 6.6.3 ¶ 3 d)
    Within the organization's external context: Where the organization has set contextual expectations, such as commitments to stakeholders and the natural environment, the organization should fulfil these expectations as set. § 6.7.3.2 ¶ 1 c)
    {external system}The governing body should ensure that the organization's value generation model identifies and assesses (see 6.2): the inter-relationships between the organization and these systems; § 6.11.3.3 ¶ 1 b)]
    Establish/Maintain Documentation Preventive
    Establish, implement, and maintain full documentation of all policies, standards, and procedures that support the organization's compliance framework. CC ID 01636 Establish/Maintain Documentation Preventive
    Disseminate and communicate the organization’s policies, standards, and procedures to all interested personnel and affected parties. CC ID 12901
    [Finally, the governing body should report honestly and transparently to relevant stakeholders on the organizational governance framework. This includes reporting: on the way it has implemented the key aspects of practices in this document and any other practices used to apply the principles; § 5 ¶ 7 Bullet 1]
    Communicate Preventive
    Approve all compliance documents. CC ID 06286
    [{individual}The governing body should engage with strategic planning by: reviewing, assessing and approving the plans developed by those to whom they have delegated; § 6.3.3.2.1 ¶ 1 c)]
    Establish/Maintain Documentation Preventive
    Align the Authority Document list with external requirements. CC ID 06288
    [The governing body should ensure that: the organizational purpose is available to all stakeholders and reflected in the constituting documents where possible; § 6.1.3.2 ¶ 2 Bullet 2]
    Establish/Maintain Documentation Preventive
    Assign the appropriate roles to all applicable compliance documents. CC ID 06284 Establish Roles Preventive
    Identify and document the Designated Approval Authority for compliance documents. CC ID 07114 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain a compliance exception standard. CC ID 01628 Establish/Maintain Documentation Preventive
    Include the authority for granting exemptions in the compliance exception standard. CC ID 14329 Establish/Maintain Documentation Preventive
    Include all compliance exceptions in the compliance exception standard. CC ID 01630 Establish/Maintain Documentation Detective
    Include explanations, compensating controls, or risk acceptance in the compliance exceptions document. CC ID 01631 Establish/Maintain Documentation Preventive
    Review the compliance exceptions in the exceptions document, as necessary. CC ID 01632 Business Processes Preventive
    Include when exemptions expire in the compliance exception standard. CC ID 14330 Establish/Maintain Documentation Preventive
    Assign the approval of compliance exceptions to the appropriate roles inside the organization. CC ID 06443 Establish Roles Preventive
    Include management of the exemption register in the compliance exception standard. CC ID 14328 Establish/Maintain Documentation Preventive
    Define the Information Assurance strategic roles and responsibilities. CC ID 00608 Establish Roles Preventive
    Establish and maintain a compliance oversight committee. CC ID 00765
    [The governing body should direct and oversee the organization to ensure accountability is practised throughout (see 6.4). § 6.5.3.3 ¶ 2
    {be effective} Depending on the size of the organization, governing bodies can create committees to help them fulfil their obligations. These committees can be statutory or voluntary. In either case, they should provide the governing body with additional capacity, skills, independence, diversity and/or stakeholder representation. If a governing body makes use of supporting committees, the governing body should ensure that it effectively delegates the necessary responsibilities and authority to such committees. § 4.3.1 ¶ 2]
    Establish Roles Detective
    Review and document the meetings and actions of the Board of Directors or audit committee in the Board Report. CC ID 01151 Establish/Maintain Documentation Detective
    Include recommendations for changes or updates to the information security program in the Board Report. CC ID 13180 Establish/Maintain Documentation Preventive
    Provide critical project reports to the compliance oversight committee in a timely manner. CC ID 01183 Establish/Maintain Documentation Detective
    Assign the review of project plans for critical projects to the compliance oversight committee. CC ID 01182 Establish Roles Preventive
    Assign the corporate governance of Information Technology to the compliance oversight committee. CC ID 01178 Establish Roles Preventive
    Assign the review of Information Technology policies and procedures to the compliance oversight committee. CC ID 01179 Establish Roles Preventive
    Involve the Board of Directors or senior management in Information Governance. CC ID 00609 Establish Roles Preventive
    Assign responsibility for enforcing the requirements of the Information Governance Plan to senior management. CC ID 12058 Human Resources Management Preventive
    Address Information Security during the business planning processes. CC ID 06495 Data and Information Management Preventive
    Document the requirements of stakeholders during the business planning process regarding Information Security. CC ID 06498 Establish/Maintain Documentation Preventive
    Assign reviewing and approving Quality Management standards to the appropriate oversight committee. CC ID 07192 Establish Roles Preventive
    Establish, implement, and maintain a strategic plan. CC ID 12784
    [Governance of organizations is a human-based system by which an organization is directed, overseen and held accountable for achieving its defined organizational purpose. At its core this includes: directing and engaging with strategy to generate value; § 4.1 ¶ 3 c)
    The governing body should direct and engage with the organizational strategy, in accordance with the value generation model, to fulfil the organizational purpose. Table 1 Column 4 Row 4
    Having defined the organizational values, the governing body should ensure that these organizational values are being demonstrated and are an active part of decision-making. The governing body should use these organizational values to determine the manner in which the organizational purpose is to be pursued and the value generation objectives are to be achieved (see 6.2). The governing body remains responsible for ensuring that the organizational values are monitored and reviewed, and should assess whether the organizational values remain aligned to, and support, the organizational purpose. The effectiveness of the organizational values will be evident in the culture of the organization. § 6.1.3.3 ¶ 2
    The governing body should direct and engage with the organizational strategy, in accordance with the value generation model, to fulfil the organizational purpose. § 6.3.1 ¶ 1
    {individual}The governing body should engage with strategic planning by: reviewing, assessing and approving the plans developed by those to whom they have delegated; § 6.3.3.2.1 ¶ 1 c)
    The governing body should engage with strategic planning by: overseeing (see 6.4) the implementation of these plans and ensuring that they meet the agreed strategic outcomes. § 6.3.3.2.1 ¶ 1 d)
    The governing body should actively and dynamically steer the implementation of the organizational strategy, within the defined governance policies, including organizational values, and changing risk context, to fulfil the organizational purpose. The governing body should also steer the strategy so that the generation of value in the present context is balanced with the innovation required to generate value in the future. § 6.3.3.2.2 ¶ 1
    The governing body should steer the organizational strategy by means of: § 6.3.3.2.2 ¶ 2
    Ethical leadership results in an organizational context and culture that: provides competitive differentiation for stakeholders by providing clarity against which evaluators can assess the organization's behaviour, decisions and activities; § 6.7.3.3 ¶ 3 Bullet 4
    The governing body should steer the organizational strategy by means of: monitoring and responding to the behaviour, decisions and activities of the organization, e.g. values-driven behaviours pertaining to sustainability; § 6.3.3.2.2 ¶ 2 b)]
    Establish/Maintain Documentation Preventive
    Determine progress toward the objectives of the strategic plan. CC ID 12944
    [The governing body should: develop, and competently use, appropriate criteria for measurement that will indicate progress towards the fulfilment of the organizational purpose, within the set parameters, via the organizational strategy; § 4.3.2 ¶ 2 b)
    Ethical and effective leadership is demonstrated when the governing body: ensures that the organization is, and is seen to be, following the expectations as set. § 6.7.3.1 ¶ 3 Bullet 3
    The outcomes, whether positive or negative, are determined by the expectations which have been set. Leadership determines whether these expectations are fulfilled. § 6.7.3.2 ¶ 2
    The governing body should oversee organizational performance by assessing and taking corrective action based on: the organization's management of plans, organizational changes and other substantial transformations as well as responses to unplanned events and incidents. § 6.4.3.2 ¶ 1 j)
    {internal context}When setting the strategic outcomes and guiding the organizational strategy, the governing body should consider the organization's internal and external context, including: the envisaged time scales of the strategic outcomes and of the organizational strategy; § 6.3.3.1.1 ¶ 2 b)]
    Process or Activity Preventive
    Include acting with integrity in the strategic plan. CC ID 12870
    [At all times, the governing body should act collectively, performing many interrelated activities in order to exercise its authority and fulfil its accountability. Members of the governing body should act with probity and in the best interests of the organization while applying the principles in this document. § 4.3.1 ¶ 3]
    Establish/Maintain Documentation Preventive
    Disseminate and communicate the strategic plan to all interested personnel and affected parties. CC ID 15592
    [To demonstrate accountability, the governing body should ensure that the organization's reports and disclosures: describe the organizational purpose, organizational values, value generation model, organizational strategy and associated governance policies; § 6.5.3.2 ¶ 1 a)]
    Communicate Preventive
    Include the outsource partners in the strategic plan, as necessary. CC ID 13960 Establish/Maintain Documentation Preventive
    Align the cybersecurity program strategy with the organization's strategic plan. CC ID 14322 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain a planning policy. CC ID 14673 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain planning procedures. CC ID 14698 Establish/Maintain Documentation Preventive
    Disseminate and communicate the planning procedures to interested personnel and affected parties. CC ID 14704 Communicate Preventive
    Disseminate and communicate the planning policy to interested personnel and affected parties. CC ID 14691 Communicate Preventive
    Include compliance requirements in the planning policy. CC ID 14688 Establish/Maintain Documentation Preventive
    Include coordination amongst entities in the planning policy. CC ID 14687 Establish/Maintain Documentation Preventive
    Include management commitment in the planning policy. CC ID 14686 Establish/Maintain Documentation Preventive
    Include roles and responsibilities in the planning policy. CC ID 14685 Establish/Maintain Documentation Preventive
    Include the scope in the planning policy. CC ID 14684 Establish/Maintain Documentation Preventive
    Include the purpose in the planning policy. CC ID 14683 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain a security planning policy. CC ID 14027 Establish/Maintain Documentation Preventive
    Include compliance requirements in the security planning policy. CC ID 14131 Establish/Maintain Documentation Preventive
    Include coordination amongst entities in the security planning policy. CC ID 14130 Establish/Maintain Documentation Preventive
    Include management commitment in the security planning policy. CC ID 14129 Establish/Maintain Documentation Preventive
    Include roles and responsibilities in the security planning policy. CC ID 14128 Establish/Maintain Documentation Preventive
    Include the scope in the security planning policy. CC ID 14127 Establish/Maintain Documentation Preventive
    Include the purpose in the security planning policy. CC ID 14126 Establish/Maintain Documentation Preventive
    Disseminate and communicate the security planning policy to interested personnel and affected parties. CC ID 14125 Communicate Preventive
    Establish, implement, and maintain security planning procedures. CC ID 14060 Establish/Maintain Documentation Preventive
    Disseminate and communicate the security planning procedures to interested personnel and affected parties. CC ID 14135 Communicate Preventive
    Establish, implement, and maintain a decision management strategy. CC ID 06913
    [The governing body should ensure that the organization's stakeholders are identified, prioritized, appropriately engaged, consulted and their expectations understood. The governing body should do this to ensure that stakeholder relationships are effective and appropriate decisions about expectations are made to achieve the intended value generation objectives. § 6.6.3 ¶ 1
    The governing body should make decisions of requisite quality and ensure that its decision-making is appropriately informed. The governing body should: § 6.8.3.2.1 ¶ 1
    The governing body should make decisions of requisite quality and ensure that its decision-making is appropriately informed. The governing body should: ensure that there is commitment to support the collective decision, to clearly record it and to act on it; § 6.8.3.2.1 ¶ 1 b)
    The governing body should ensure that decisions are transparent and aligned with broader societal expectations. Table 1 Column 4 Row 11
    Ethical behaviour — The organization behaves in accordance with accepted principles of right or good conduct in the context of a particular situation and in a manner consistent with international norms of behaviour, including demonstrating: competence and probity in the manner in which it makes decisions. § 5 ¶ 2 c) 5)
    The governing body should make decisions of requisite quality and ensure that its decision-making is appropriately informed. The governing body should: maintain an appropriate balance between guiding discussions to a decision and ensuring that every member has the opportunity to express their independent assessment; § 6.8.3.2.1 ¶ 1 a)
    Act with due care, skill, diligence and loyalty, and take reasonable steps to become informed about particular matters for decision-making. Table 2 Column 2 Row 3 Bullet 2
    The governing body should ensure that decisions are transparent and aligned with broader societal expectations. § 6.10.1 ¶ 1
    The governing body should ensure that the organization's value generation model (see 6.2): identifies the key resources (e.g. capitals such as human, social and relational, intellectual, the natural environmental, financial and manufactured), structures, processes, relationships, information, decision-making, reporting and other aspects of the organization that allow it to create sustained value for relevant stakeholders; § 6.11.3.2 ¶ 1 a)
    The governing body should steer the organizational strategy by means of: reserving some decisions for the governing body (those which materially or fundamentally impact the organization as a whole) and delegating others; § 6.3.3.2.2 ¶ 2 e)
    The governing body should steer the organizational strategy by means of: decision-making, specifically, the strategic deployment of resources. § 6.3.3.2.2 ¶ 2 j)
    A process of reconciliation between seemingly opposed dimensions leads to more informed and robust decisions. Reconciling dilemmas requires a deliberate approach that includes: reconciling the perspectives, considering how each position can support the other; § 6.7.3.4 ¶ 2 d)
    {hold accountable}{individual} The governing body should hold to account those to whom it has delegated (see 4.2.2). The governing body should ask questions, exercise its judgement, implement consequences, affect improvements and ensure that it is equipped to do so. When doing so, the governing body should practise integrity, fairness and transparency. § 6.5.3.3 ¶ 1
    Ethical leadership results in an organizational context and culture that: provides competitive differentiation for stakeholders by providing clarity against which evaluators can assess the organization's behaviour, decisions and activities; § 6.7.3.3 ¶ 3 Bullet 4
    The governing body should steer the organizational strategy by means of: monitoring and responding to the behaviour, decisions and activities of the organization, e.g. values-driven behaviours pertaining to sustainability; § 6.3.3.2.2 ¶ 2 b)]
    Establish/Maintain Documentation Preventive
    Align the reporting methodology with the decision management strategy. CC ID 15659 Business Processes Preventive
    Include an economic impact analysis in the decision management strategy. CC ID 14015 Establish/Maintain Documentation Preventive
    Include cost benefit analysis in the decision management strategy. CC ID 14014 Establish/Maintain Documentation Preventive
    Include criteria for compliance in the decision-making criteria. CC ID 12951 Establish/Maintain Documentation Preventive
    Include criteria for risk tolerance in the decision-making criteria. CC ID 12950 Establish/Maintain Documentation Preventive
    Include criteria for selecting objectives and strategies in the decision-making criteria. CC ID 12949
    [The governing body should make decisions of requisite quality and ensure that its decision-making is appropriately informed. The governing body should: ensure that diverse inputs are provided to a rigorous, open and transparent decision-making process and that the results that can be achieved, options for achieving them and their implications are understood. § 6.8.3.2.1 ¶ 1 h)]
    Establish/Maintain Documentation Preventive
    Include criteria for setting priorities in the decision-making criteria. CC ID 12938
    [A process of reconciliation between seemingly opposed dimensions leads to more informed and robust decisions. Reconciling dilemmas requires a deliberate approach that includes: identifying the advantages and disadvantages of each; § 6.7.3.4 ¶ 2 c)]
    Establish/Maintain Documentation Preventive
    Align organizational objectives with compliance objectives in the decision-making criteria. CC ID 12847
    [To ensure that the organization is acting in a socially responsible way, the governing body should: steer the organization such that its decision-making and activities are consistent with the organizational purpose, organizational values and governance policies, including considering how stakeholders can report a breach in behaviour (e.g. via whistleblowing); § 6.10.3 ¶ 1 f)
    When applying the governance principles and deciding how to appropriately implement the practices, the governing body should take into consideration the unique and dynamic nature of the organization and its context, including the following: functional requirements of the organizational governance framework. § 5 ¶ 5 Bullet 7
    The governing body should ensure that: the organizational purpose is core to its governance practices, deliberations and decision-making; § 6.1.3.2 ¶ 2 Bullet 3
    Having defined the organizational values, the governing body should ensure that these organizational values are being demonstrated and are an active part of decision-making. The governing body should use these organizational values to determine the manner in which the organizational purpose is to be pursued and the value generation objectives are to be achieved (see 6.2). The governing body remains responsible for ensuring that the organizational values are monitored and reviewed, and should assess whether the organizational values remain aligned to, and support, the organizational purpose. The effectiveness of the organizational values will be evident in the culture of the organization. § 6.1.3.3 ¶ 2
    Ensure that diversity and inclusion are understood and incorporated into all organizational decision-making by including factors such as gender, age, ethnicity, sexual orientation, education, perspectives, nationality, disability and beliefs. Table 2 Column 2 Row 5 Bullet 1
    The governing body should oversee the organization's management of risk (see 6.4), ensuring that: decision-making behaviours are informed by risk assessment outcomes and are consistent with governance policies; § 6.9.3.4 ¶ 1 g)]
    Process or Activity Preventive
    Align organizational objectives with performance targets in the decision-making criteria. CC ID 12843
    [Ethical and effective leadership is demonstrated when the governing body: sets expectations for the organization using robust decision-making processes (see 6.8.3); § 6.7.3.1 ¶ 3 Bullet 1
    Furthermore, the governing body, and its members, should demonstrate commitment to the organizational purpose and values by leading the organization to fulfil its organizational purpose and behaving in accordance with the organizational values. § 6.1.3.4 ¶ 3]
    Process or Activity Preventive
    Align organizational objectives with the acceptable residual risk in the decision-making criteria. CC ID 12841 Process or Activity Preventive
    Identify and document the events that initiate the decision management strategy. CC ID 06914
    [A process of reconciliation between seemingly opposed dimensions leads to more informed and robust decisions. Reconciling dilemmas requires a deliberate approach that includes: recognizing and identifying the dilemma; § 6.7.3.4 ¶ 2 a)]
    Establish/Maintain Documentation Detective
    Create additional decision-making criteria to achieve organizational objectives, as necessary. CC ID 12948 Process or Activity Preventive
    Involve knowledgeable and experienced individuals in the decision-making process. CC ID 06915
    [The governing body should make decisions of requisite quality and ensure that its decision-making is appropriately informed. The governing body should: § 6.8.3.2.1 ¶ 1
    The governing body should make decisions of requisite quality and ensure that its decision-making is appropriately informed. The governing body should: ensure that diverse inputs are provided to a rigorous, open and transparent decision-making process and that the results that can be achieved, options for achieving them and their implications are understood. § 6.8.3.2.1 ¶ 1 h)
    The governing body should steer the organizational strategy by means of: reserving some decisions for the governing body (those which materially or fundamentally impact the organization as a whole) and delegating others; § 6.3.3.2.2 ¶ 2 e)]
    Behavior Preventive
    Take actions in accordance with the decision-making criteria. CC ID 12909
    [The governing body should make decisions of requisite quality and ensure that its decision-making is appropriately informed. The governing body should: ensure that there is commitment to support the collective decision, to clearly record it and to act on it; § 6.8.3.2.1 ¶ 1 b)
    The governing body should make decisions of requisite quality and ensure that its decision-making is appropriately informed. The governing body should: ensure that diverse inputs are provided to a rigorous, open and transparent decision-making process and that the results that can be achieved, options for achieving them and their implications are understood. § 6.8.3.2.1 ¶ 1 h)
    A process of reconciliation between seemingly opposed dimensions leads to more informed and robust decisions. Reconciling dilemmas requires a deliberate approach that includes: mapping an associated action plan. § 6.7.3.4 ¶ 2 e)]
    Process or Activity Preventive
    Document and evaluate the decision outcomes from the decision-making process. CC ID 06918
    [The governing body should make decisions of requisite quality and ensure that its decision-making is appropriately informed. The governing body should: ensure that there is commitment to support the collective decision, to clearly record it and to act on it; § 6.8.3.2.1 ¶ 1 b)
    When delegating, the governing body should delegate in a manner which increases trust and transparency. For delegation and accountability (see 6.5) to be effective, the governing body should ensure that the following conditions are fulfilled: expected outcomes are negotiated, specified and agreed; § 4.2.2 ¶ 2 a)]
    Establish/Maintain Documentation Preventive
    Disseminate and communicate the decision management strategy to all interested personnel and affected parties. CC ID 13991
    [Be open about decisions and activities that affect the natural environment, society and the economy, and be willing to communicate these in a clear, accurate, timely, honest and complete manner. Table 2 Column 2 Row 4 Bullet 1]
    Communicate Preventive
    Establish, implement, and maintain an information technology process framework. CC ID 13648 Establish/Maintain Documentation Preventive
    Include maturity models in the Information Technology process framework. CC ID 13652 Establish/Maintain Documentation Preventive
    Include relationships between Information Technology process structures in the Information Technology process framework. CC ID 13651 Establish/Maintain Documentation Preventive
    Include Information Technology process structures in the Information Technology process framework. CC ID 13650 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain a tactical plan. CC ID 12785
    [The governing body should provide the organization with an understanding of its intentions by setting clear strategic outcomes and guidance on the organizational strategy to achieve these outcomes, which it has determined will fulfil the organizational purpose and value generation objectives. § 6.3.3.1.1 ¶ 1]
    Establish/Maintain Documentation Preventive
    Include acting with integrity in the tactical plan. CC ID 12871 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain a Strategic Information Technology Plan. CC ID 00628
    [The governing body should provide direction for, and have sufficient oversight of, the use of data and its supporting information technology to ensure the organization remains within its established risk appetite and organizational risk framework. This can include: § 6.8.3.4 ¶ 2
    The governing body should provide direction for, and have sufficient oversight of, the use of data and its supporting information technology to ensure the organization remains within its established risk appetite and organizational risk framework. This can include: ensuring that human behaviour is considered when applying information technology, including safety, fit for purpose and alignment with the organizational purpose; § 6.8.3.4 ¶ 2 e)
    The governing body should provide direction for, and have sufficient oversight of, the use of data and its supporting information technology to ensure the organization remains within its established risk appetite and organizational risk framework. This can include: innovation processes to ensure that changes in information technology can quickly be assessed and, if necessary and appropriate, governance policies can be updated to leverage new opportunities; § 6.8.3.4 ¶ 2 d)]
    Establish/Maintain Documentation Preventive
    Include the Information Governance Plan in the Strategic Information Technology Plan. CC ID 10053
    [The recognition that data can be a strategic asset (or liability) means that the governing body should: acknowledge the complexities and growing importance of data and establish governance policies and direction that aligns with the organization's needs and the degree of change required; § 6.8.3.3 ¶ 1 c)
    The recognition that data can be a strategic asset (or liability) means that the governing body should: ensure that the information requirements of the organization are sufficiently supported by its current and future technology capabilities; § 6.8.3.3 ¶ 1 d)]
    Establish/Maintain Documentation Preventive
    Engage information governance subject matter experts in the development of the Information Governance Plan. CC ID 10055 Human Resources Management Preventive
    Include the transparency goals in the Information Governance Plan. CC ID 10056 Establish/Maintain Documentation Preventive
    Include the information integrity goals in the Information Governance Plan. CC ID 10057
    [To demonstrate accountability, the governing body should ensure that the organization's reports and disclosures: give confidence in the integrity of the information used, e.g. describing assurance processes applied (see 6.4); § 6.5.3.2 ¶ 1 e)]
    Establish/Maintain Documentation Preventive
    Include business continuity objectives in the Strategic Information Technology Plan. CC ID 06496 Establish/Maintain Documentation Preventive
    Align business continuity objectives with the business continuity policy. CC ID 12408 Establish/Maintain Documentation Preventive
    Use a risk-based approach to adapt the Strategic Information Technology Plan to the business's needs. CC ID 00631 Business Processes Corrective
    Mirror the organization's business strategy during Information Technology planning in the Strategic Information Technology Plan. CC ID 00630
    [The governing body should provide direction for, and have sufficient oversight of, the use of data and its supporting information technology to ensure the organization remains within its established risk appetite and organizational risk framework. This can include: ensuring that human behaviour is considered when applying information technology, including safety, fit for purpose and alignment with the organizational purpose; § 6.8.3.4 ¶ 2 e)]
    Business Processes Preventive
    Incorporate protecting restricted information from unauthorized information flow or unauthorized disclosure into the Strategic Information Technology Plan. CC ID 06491 Establish/Maintain Documentation Preventive
    Include the references to the organization's Information Technology systems in the Strategic Information Technology Plan, as necessary. CC ID 13959 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain tactical Information Technology plans in support of the Strategic Information Technology Plan. CC ID 00632 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain tactical Information Technology plans derived from the Strategic Information Technology Plan. CC ID 01609 Establish/Maintain Documentation Preventive
    Document how each Information Technology project plan directly or indirectly supports the Strategic Information Technology Plan. CC ID 06497 Establish/Maintain Documentation Preventive
    Document the business case and return on investment in each Information Technology project plan. CC ID 06846 Establish/Maintain Documentation Preventive
    Escalate for management authorization any proposed projects where effective use of existing resources is overlooked. CC ID 06848 Business Processes Preventive
    Document all desired outcomes for a proposed project in the Information Technology project plan. CC ID 06916 Establish/Maintain Documentation Preventive
    Document the success criteria for the proposed project in the Information Technology project plan. CC ID 06917 Establish/Maintain Documentation Preventive
    Assign senior management to approve business cases. CC ID 13068 Human Resources Management Preventive
    Include milestones for each project phase in the Information Technology project plan. CC ID 12621 Establish/Maintain Documentation Preventive
    Document lessons learned at the conclusion of each Information Technology project. CC ID 13654 Establish/Maintain Documentation Corrective
    Establish, implement, and maintain a counterterror protective security plan. CC ID 06862 Establish/Maintain Documentation Preventive
    Include communications and awareness activities in the counterterror protective security plan. CC ID 06863 Establish/Maintain Documentation Preventive
    Include the protective security measures to implement after a change in the government response level in the counterterror protective security plan. CC ID 06864 Establish/Maintain Documentation Preventive
    Include a search plan in the counterterror protective security plan. CC ID 06865 Establish/Maintain Documentation Preventive
    Include an evacuation plan in the counterterror protective security plan. CC ID 06940 Establish/Maintain Documentation Preventive
    Include a continuity plan in the counterterror protective security plan. CC ID 07031 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain Information Technology projects in support of the Strategic Information Technology Plan. CC ID 13673 Establish/Maintain Documentation Preventive
    Disseminate and communicate the Information Technology Plans to all interested personnel and affected parties. CC ID 00633 Establish/Maintain Documentation Preventive
    Monitor and evaluate the implementation and effectiveness of Information Technology Plans. CC ID 00634 Monitor and Evaluate Occurrences Detective
    Establish and maintain an Information Technology plan status report that covers both Strategic Information Technology Plans and tactical Information Technology plans. CC ID 06839 Actionable Reports or Measurements Preventive
    Include key personnel status changes in the Information Technology Plan status reports. CC ID 06840 Actionable Reports or Measurements Preventive
    Include significant security risks in the Information Technology Plan status reports. CC ID 06939 Actionable Reports or Measurements Preventive
    Include significant risk mitigations in the Information Technology Plan status reports. CC ID 06841 Actionable Reports or Measurements Preventive
    Review and approve the Strategic Information Technology Plan at the level of senior management or the Board of Directors. CC ID 13094 Human Resources Management Preventive
    Establish, implement, and maintain a Governance, Risk, and Compliance awareness and training program. CC ID 06492
    [Governing body members should continuously improve their competency regarding the organization's activities, legal requirements and, more broadly, the organization's context. This improving capability, together with regular reviews of governance practices, should ensure a continually improving governance environment. § 4.3.2 ¶ 1
    {individual}The governing body should steer the organizational strategy by means of: monitoring, evaluating and developing the capacities and competencies of those to whom the governing body has delegated; § 6.3.3.2.2 ¶ 2 g)]
    Business Processes Preventive
    Establish and maintain a rapport with business and technical communities throughout the organization to promote the value and importance of Information Security. CC ID 06493 Behavior Preventive
    Establish, implement, and maintain a financial management program. CC ID 13228
    [To exercise effective oversight, the governing body should: ensure that an internal control system is implemented, including a risk management system, a compliance management system and a system of financial controls; § 6.4.3.1 ¶ 1 b)
    {be financially sound}The governing body should oversee organizational performance by assessing and taking corrective action based on: the organization's financial results and financial resources, ensuring that the organization remains financially sound; § 6.4.3.2 ¶ 1 f)]
    Establish/Maintain Documentation Preventive
    Establish, implement, and maintain funds transfer procedures. CC ID 16754 Establish/Maintain Documentation Preventive
    Provide required information that is missing from a funds transfer to the responsible party. CC ID 16761 Communicate Preventive
    Return the funds from a funds transfer when required information is not received or discrepancies are not resolved. CC ID 16760 Business Processes Preventive
    Delay the funds transfer until all required information has been received and discrepancies have been resolved. CC ID 16759 Business Processes Preventive
    Refrain from making funds from a funds transfer available to the interested personnel until all required information is received. CC ID 16758 Business Processes Preventive
    Investigate discrepancies between the information received and the information verified for each funds transfer. CC ID 16757 Investigate Detective
    Attach the required information to each funds transfer. CC ID 16756 Business Processes Preventive
    Verify all required information is attached to each funds transfer. CC ID 16755 Business Processes Detective
    Establish, implement, and maintain protective measures for customers from a bank's insolvency or default. CC ID 16738 Business Processes Preventive
    Test the protective measures for effectiveness to prevent financial impact to responsible parties. CC ID 16750 Testing Preventive
    Include communication protocols in the financial management program. CC ID 16763 Establish/Maintain Documentation Preventive
    Include ongoing monitoring in the financial management program. CC ID 16762 Process or Activity Preventive
    Employ tools to manage settlement and funding flows. CC ID 16743 Process or Activity Preventive
    Refrain from setting up anonymous financial accounts. CC ID 16721 Business Processes Preventive
    Identify and maintain positions in financial accounts. CC ID 16751 Business Processes Preventive
    Establish, implement, and maintain a financial products and services disclosure policy. CC ID 16717 Establish/Maintain Documentation Preventive
    Require acknowledgment of receipt from the customer in the financial products and services disclosure policy. CC ID 16725 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain a subsidiary compliance program. CC ID 16694 Process or Activity Preventive
    Establish, implement, and maintain financial resource management procedures. CC ID 16642 Establish/Maintain Documentation Preventive
    Document the rationale for the amount of financial resources being held. CC ID 16688 Establish/Maintain Documentation Preventive
    Supplement financial resources, as necessary. CC ID 16685 Business Processes Preventive
    Establish, implement, and maintain collateral procedures. CC ID 16653 Establish/Maintain Documentation Preventive
    Include the use of appropriate models in the collateral procedures. CC ID 16687 Establish/Maintain Documentation Preventive
    Define the collateral requirements in the collateral procedures. CC ID 16686 Establish/Maintain Documentation Preventive
    Test the collateral requirements for appropriateness. CC ID 16681 Testing Preventive
    Limit the types of assets accepted as collateral. CC ID 16602 Business Processes Preventive
    Avoid the use of concentrated holdings of assets. CC ID 16651 Business Processes Preventive
    Establish, implement, and maintain stress test plans for financial resources. CC ID 16644 Testing Preventive
    Include stress scenarios in the stress test plan. CC ID 16659 Testing Preventive
    Analyze the effectiveness of the stress test plan. CC ID 16657 Process or Activity Detective
    Perform stress testing in accordance with the stress test plan. CC ID 16652 Testing Preventive
    Disseminate and communicate the results of stress testing to interested personnel and affected parties. CC ID 16630 Communicate Preventive
    Identify and document the financial resources available for use. CC ID 16643 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain credit loss procedures. CC ID 16683 Establish/Maintain Documentation Preventive
    Include the allocation of credit losses in the credit loss procedures. CC ID 16684 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain a securities trading program. CC ID 16626 Business Processes Preventive
    Include fairness and equitability standards in the securities trading program. CC ID 16690 Establish/Maintain Documentation Preventive
    Include roles and responsibilities in the securities trading program. CC ID 16689 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain a capital restoration plan. CC ID 16613 Establish/Maintain Documentation Preventive
    Include performance guarantees in the capital restoration plan. CC ID 16616 Establish/Maintain Documentation Preventive
    Include corrective actions taken in the capital restoration plan. CC ID 16612 Establish/Maintain Documentation Preventive
    Include required information in the capital restoration plan. CC ID 16609 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain valuation procedures. CC ID 16634 Establish/Maintain Documentation Preventive
    Include investment information in approval requests for investments. CC ID 16590 Business Processes Preventive
    Establish, implement, and maintain capital withdrawal requirements. CC ID 16576 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain lending policies. CC ID 16608 Establish/Maintain Documentation Preventive
    Align the lending policy with the organization's risk acceptance level. CC ID 16716 Process or Activity Preventive
    Include the requirements for risk assessments in the lending policy. CC ID 16730 Establish/Maintain Documentation Preventive
    Include the requirements for sensitivity analyses in the lending policy. CC ID 16728 Establish/Maintain Documentation Preventive
    Include the requirements for feasibility studies in the lending policy. CC ID 16726 Establish/Maintain Documentation Preventive
    Include pricing structures in the lending policy. CC ID 16724 Establish/Maintain Documentation Preventive
    Include monitoring requirements in the lending policy. CC ID 16710 Establish/Maintain Documentation Preventive
    Include loan origination procedures in the lending policy. CC ID 16709 Establish/Maintain Documentation Preventive
    Include review procedures and approval procedures for exception loans in the lending policy. CC ID 16708 Establish/Maintain Documentation Preventive
    Include loan requirements in the lending policy. CC ID 16706 Establish/Maintain Documentation Preventive
    Include appraisals and evaluations in the lending policy. CC ID 16705 Establish/Maintain Documentation Preventive
    Include terms and conditions in the lending policy. CC ID 16695 Establish/Maintain Documentation Preventive
    Include the scope and distribution of loans in the lending policy. CC ID 16693 Establish/Maintain Documentation Preventive
    Include geographic areas in the lending policy. CC ID 16691 Establish/Maintain Documentation Preventive
    Include underwriting guidelines in the lending policy. CC ID 16619 Establish/Maintain Documentation Preventive
    Include credit review in the underwriting guidelines. CC ID 16765 Establish/Maintain Documentation Preventive
    Include loan-to-value ratio limits in the lending policy. CC ID 16618 Establish/Maintain Documentation Preventive
    Include documentation requirements in the lending policy. CC ID 16617 Establish/Maintain Documentation Preventive
    Include the purpose of the loan in the loan documentation. CC ID 16747 Establish/Maintain Documentation Preventive
    Include the source of repayment in the loan documentation. CC ID 16746 Establish/Maintain Documentation Preventive
    Include approval requirements in the lending policy. CC ID 16615 Establish/Maintain Documentation Preventive
    Include reporting requirements in the lending policy. CC ID 16614 Establish/Maintain Documentation Preventive
    Include loan portfolio diversification standards in the lending policy. CC ID 16611 Establish/Maintain Documentation Preventive
    Include loan administration procedures in the lending policy. CC ID 16610 Establish/Maintain Documentation Preventive
    Include loan participation agreements in the loan administration procedures. CC ID 16745 Establish/Maintain Documentation Preventive
    Include termination procedures in the loan participation agreement. CC ID 16753 Establish/Maintain Documentation Preventive
    Justify the safety and efficiency of the participation requirements in the loan participation agreement. CC ID 16752 Establish/Maintain Documentation Preventive
    Include servicing agreements in the loan administration procedures. CC ID 16744 Establish/Maintain Documentation Preventive
    Include claims processing in the loan administration procedures. CC ID 16742 Establish/Maintain Documentation Preventive
    Include forbearance management in the loan administration procedures. CC ID 16741 Establish/Maintain Documentation Preventive
    Include foreclosure management in the loan administration procedures. CC ID 16740 Establish/Maintain Documentation Preventive
    Include delinquency management in the loan administration procedures. CC ID 16739 Establish/Maintain Documentation Preventive
    Include customer due diligence in the loan administration procedures. CC ID 16736 Process or Activity Preventive
    Include the requirements for financial statements in the loan administration procedures. CC ID 16735 Establish/Maintain Documentation Preventive
    Include loan closing in the loan administration procedures. CC ID 16734 Establish/Maintain Documentation Preventive
    Include payoff statements in the loan administration procedures. CC ID 16733 Establish/Maintain Documentation Preventive
    Include payment processing in the loan administration procedures. CC ID 16732 Establish/Maintain Documentation Preventive
    Include loan reviews in the loan administration procedures. CC ID 16703 Establish/Maintain Documentation Preventive
    Include collections in the loan administration procedures. CC ID 16701 Establish/Maintain Documentation Preventive
    Include collateral inspections in the loan administration procedures. CC ID 16699 Establish/Maintain Documentation Preventive
    Include disbursements in the loan administration procedures. CC ID 16697 Establish/Maintain Documentation Preventive
    Review and approve lending policies. CC ID 16607 Business Processes Preventive
    Establish, implement, and maintain a dividend policy. CC ID 16569 Establish/Maintain Documentation Preventive
    Include compliance requirements in the dividend policy. CC ID 16570 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain margin systems. CC ID 16601 Business Processes Preventive
    Include valuation models in the margin system. CC ID 16663 Data and Information Management Preventive
    Include procedures for collecting price data in the margin system. CC ID 16662 Data and Information Management Preventive
    Include reliable sources for price data in the margin system. CC ID 16661 Data and Information Management Preventive
    Validate the margin system on a regular basis. CC ID 16660 Testing Detective
    Assess the properties of the margin model used in the margin system. CC ID 16658 Process or Activity Detective
    Monitor the performance of the margin system. CC ID 16655 Monitor and Evaluate Occurrences Detective
    Analyze the performance of the margin system. CC ID 16654 Process or Activity Detective
    Establish, implement, and maintain capital adequacy measures. CC ID 16568 Business Processes Preventive
    Establish, implement, and maintain escrow procedures for financial transactions. CC ID 16564 Establish/Maintain Documentation Preventive
    Determine the amount of assets to be held in escrow. CC ID 16575 Investigate Detective
    Disseminate and communicate the escrow procedures to interested personnel and affected parties. CC ID 16565 Communicate Preventive
    Establish, implement, and maintain a Capital Planning and Investment Control policy. CC ID 06279
    [The governing body should oversee organizational performance by assessing and taking corrective action based on: the organization's responsible (which includes ethical) use of, and adequate investment in, technology including, for example, artificial intelligence and cyber security; § 6.4.3.2 ¶ 1 i)]
    Establish/Maintain Documentation Preventive
    Include risk management in the Capital Planning and Investment Control policy. CC ID 16764 Establish/Maintain Documentation Preventive
    Include debt rating requirements in the Capital Planning and Investment Control policy. CC ID 16692 Establish/Maintain Documentation Preventive
    Include divestiture requirements in the Capital Planning and Investment Control policy. CC ID 16591 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain a recordkeeping system for securities transactions. CC ID 16631 Establish/Maintain Documentation Preventive
    Include order tickets in the recordkeeping system for securities transactions. CC ID 16640 Data and Information Management Preventive
    Include receipts and deliveries of securities in the recordkeeping system for securities transactions. CC ID 16650 Data and Information Management Preventive
    Include debits and credits in the recordkeeping system for securities transactions. CC ID 16639 Data and Information Management Preventive
    Include a description of the transaction in the recordkeeping system for securities transactions. CC ID 16645 Data and Information Management Preventive
    Include chronological records of transactions in the recordkeeping system for securities transactions. CC ID 16638 Data and Information Management Preventive
    Include the name of the dealer in the recordkeeping system for securities transactions. CC ID 16637 Data and Information Management Preventive
    Include the execution price in the recordkeeping system for securities transactions. CC ID 16636 Data and Information Management Preventive
    Include the date and time of the transaction in the recordkeeping system for securities transactions. CC ID 16635 Data and Information Management Preventive
    Include the type of transaction in the recordkeeping system for securities transactions. CC ID 16633 Data and Information Management Preventive
    Include account information in the recordkeeping system for securities transactions. CC ID 16632 Data and Information Management Preventive
    Establish, implement, and maintain securities transaction notifications. CC ID 16600 Establish/Maintain Documentation Preventive
    Include the call date in the securities transaction notification. CC ID 16680 Establish/Maintain Documentation Preventive
    Include service charges and commissions in the securities transaction notification. CC ID 16702 Establish/Maintain Documentation Preventive
    Include the funds and securities in the possession of the organization in the securities transaction notification. CC ID 16679 Establish/Maintain Documentation Preventive
    Include the call price in the securities transaction notification. CC ID 16678 Establish/Maintain Documentation Preventive
    Include debits and credits in the securities transaction notification. CC ID 16677 Establish/Maintain Documentation Preventive
    Include transactions in the securities transaction notification. CC ID 16676 Establish/Maintain Documentation Preventive
    Include the credit rating of securities in the securities transaction notification. CC ID 16674 Establish/Maintain Documentation Preventive
    Include yield information in the securities transaction notification. CC ID 16673 Establish/Maintain Documentation Preventive
    Include redemption information in the securities transaction notification. CC ID 16672 Establish/Maintain Documentation Preventive
    Include the price calculated from the yield in the securities transaction notification. CC ID 16669 Establish/Maintain Documentation Preventive
    Include the type of call in the securities transaction notification. CC ID 16668 Establish/Maintain Documentation Preventive
    Include an account statement in the securities transaction notification. CC ID 16666 Establish/Maintain Documentation Preventive
    Include the yield to maturity in the securities transaction notification. CC ID 16665 Establish/Maintain Documentation Preventive
    Include the execution price in the securities transaction notification. CC ID 16664 Establish/Maintain Documentation Preventive
    Include the organization's role in the securities transaction notification. CC ID 16646 Establish/Maintain Documentation Preventive
    Include the name of the broker in the securities transaction notification. CC ID 16647 Establish/Maintain Documentation Preventive
    Include the name of the customer in the securities transaction notification. CC ID 16625 Establish/Maintain Documentation Preventive
    Include the organization's name in the securities transaction notification. CC ID 16624 Establish/Maintain Documentation Preventive
    Include confirmations in the securities transaction notification. CC ID 16623 Establish/Maintain Documentation Preventive
    Include remunerations in the securities transaction notification. CC ID 16622 Establish/Maintain Documentation Preventive
    Include requested information in the securities transaction notification. CC ID 16641 Establish/Maintain Documentation Preventive
    Disseminate and communicate securities transaction notifications to interested personnel and affected parties. CC ID 16621 Communicate Preventive
    Include the execution date in the securities transaction notification. CC ID 16620 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain financial reports. CC ID 14770
    [The governing body should demonstrate accountability by retaining and distributing value in a transparent manner and reporting on the associated processes, decisions and results, including on the extent of the organization's impacts over time. This includes disclosing to relevant stakeholders where the organization has destroyed or compromised value, providing a justification for such where appropriate, and describing how it will redress or reinstate that value. § 6.2.3.5 ¶ 2]
    Establish/Maintain Documentation Preventive
    Structure financial reports in accordance with external requirements, as necessary. CC ID 14776 Establish/Maintain Documentation Preventive
    Include the report of independent Certified Public Accountants in the financial report. CC ID 14779 Establish/Maintain Documentation Preventive
    Include the business need justification for lost value in the financial report. CC ID 15588
    [The governing body should demonstrate accountability by retaining and distributing value in a transparent manner and reporting on the associated processes, decisions and results, including on the extent of the organization's impacts over time. This includes disclosing to relevant stakeholders where the organization has destroyed or compromised value, providing a justification for such where appropriate, and describing how it will redress or reinstate that value. § 6.2.3.5 ¶ 2]
    Establish/Maintain Documentation Preventive
    Disseminate and communicate the financial report to interested personnel and affected parties. CC ID 16342 Communicate Preventive
    Include financial statements in the financial report, as necessary. CC ID 14775 Establish/Maintain Documentation Preventive
    Include capital deductions and adjustments in the financial statement. CC ID 16667 Establish/Maintain Documentation Preventive
    Include earnings per share or loss per share in the financial statement. CC ID 16597 Establish/Maintain Documentation Preventive
    Include material contingencies in the financial statement. CC ID 16596 Establish/Maintain Documentation Preventive
    Include notes to financial statements in the financial report, as necessary. CC ID 14780 Establish/Maintain Documentation Preventive
    Include information on loans to small businesses and small farms in the call report. CC ID 16731 Establish/Maintain Documentation Preventive
    Include assets and liabilities in the call report. CC ID 16729 Establish/Maintain Documentation Preventive
    Disseminate and communicate the call report to interested personnel and affected parties. CC ID 16727 Communicate Preventive
    KEY:    Primary Verb     Primary Noun     Secondary Verb     Secondary Noun     Limiting Term
    Mandated - bold    Implied - italic    Implementation - regular TYPE CLASS
    Monitoring and measurement CC ID 00636 IT Impact Zone IT Impact Zone
    Monitor the usage and capacity of critical assets. CC ID 14825
    [The value generation model requires an integrated approach to understanding and using resources (e.g. human, social and relational, intellectual, the natural environment, financial and manufactured). This approach includes: measurement and tracking of the organization's use of, and impact on, these resources; § 6.2.3.1 ¶ 4 b)]
    Monitor and Evaluate Occurrences Detective
    Monitor the usage and capacity of Information Technology assets. CC ID 00668 Monitor and Evaluate Occurrences Detective
    Monitor all outbound traffic from all systems. CC ID 12970 Monitor and Evaluate Occurrences Preventive
    Notify the interested personnel and affected parties before the storage unit will reach maximum capacity. CC ID 06773 Behavior Detective
    Monitor systems for errors and faults. CC ID 04544 Monitor and Evaluate Occurrences Detective
    Report errors and faults to the appropriate personnel, as necessary. CC ID 14296 Communicate Corrective
    Compare system performance metrics to organizational standards and industry benchmarks. CC ID 00667 Monitor and Evaluate Occurrences Detective
    Establish, implement, and maintain logging and monitoring operations. CC ID 00637 Log Management Detective
    Establish, implement, and maintain intrusion management operations. CC ID 00580 Monitor and Evaluate Occurrences Preventive
    Monitor systems for inappropriate usage and other security violations. CC ID 00585
    [{be responsible}{be ethical}The governing body should provide direction for, and have sufficient oversight of, the use of data and its supporting information technology to ensure the organization remains within its established risk appetite and organizational risk framework. This can include: adequate auditing, and monitoring, of information technology to ensure its responsible, including ethical, use and that it meets the governing body's intentions and expectations as well as the organization's compliance obligations; § 6.8.3.4 ¶ 2 c)]
    Monitor and Evaluate Occurrences Detective
    Monitor systems for blended attacks and multiple component incidents. CC ID 01225 Monitor and Evaluate Occurrences Detective
    Monitor systems for Denial of Service attacks. CC ID 01222 Monitor and Evaluate Occurrences Detective
    Monitor systems for unauthorized data transfers. CC ID 12971 Monitor and Evaluate Occurrences Preventive
    Address operational anomalies within the incident management system. CC ID 11633 Audits and Risk Management Preventive
    Monitor systems for access to restricted data or restricted information. CC ID 04721 Monitor and Evaluate Occurrences Detective
    Assign roles and responsibilities for overseeing access to restricted data or restricted information. CC ID 11950 Human Resources Management Detective
    Detect unauthorized access to systems. CC ID 06798 Monitor and Evaluate Occurrences Detective
    Incorporate potential red flags into the organization's incident management system. CC ID 04652 Monitor and Evaluate Occurrences Detective
    Incorporate an Identity Theft Prevention Program into the organization's incident management system. CC ID 11634 Audits and Risk Management Preventive
    Alert interested personnel when suspicious activity is detected by an Intrusion Detection System or Intrusion Prevention System. CC ID 06430 Monitor and Evaluate Occurrences Detective
    Alert interested personnel and affected parties when an incident causes an outage. CC ID 06808 Monitor and Evaluate Occurrences Detective
    Monitor systems for unauthorized mobile code. CC ID 10034 Monitor and Evaluate Occurrences Preventive
    Establish, implement, and maintain a risk monitoring program. CC ID 00658
    [The governing body should ensure that the value generation objectives are delivered by the organization as a whole, by applying all other principles in this document. This includes ensuring that: the impacts of the organization's changing context are identified, understood, monitored and appropriate action is taken; § 6.2.3.4 ¶ 1 b)
    To ensure that the organization fulfils the organizational purpose and achieves the intended strategic outcomes, the governing body should: ensure that when the governing body makes decisions, it assesses, treats, monitors, and communicates the nature and extent of the risks faced; § 6.9.3.1 ¶ 2 b)
    The governing body should oversee the organization's management of risk (see 6.4), ensuring that: the organization assesses, treats, monitors and reviews risk in accordance with the established organizational risk framework; § 6.9.3.4 ¶ 1 d)
    The governing body should ensure that the value generation objectives are delivered by the organization as a whole, by applying all other principles in this document. This includes ensuring that: unintended outcomes are adequately identified, understood, monitored and appropriate action taken; § 6.2.3.4 ¶ 1 a)]
    Establish/Maintain Documentation Preventive
    Monitor the organization's exposure to threats, as necessary. CC ID 06494 Monitor and Evaluate Occurrences Preventive
    Monitor and evaluate environmental threats. CC ID 13481 Monitor and Evaluate Occurrences Detective
    Implement a fraud detection system. CC ID 13081 Business Processes Preventive
    Update or adjust fraud detection systems, as necessary. CC ID 13684 Process or Activity Corrective
    Monitor for new vulnerabilities. CC ID 06843 Monitor and Evaluate Occurrences Preventive
    Establish, implement, and maintain a compliance testing strategy. CC ID 00659 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain a self-assessment approach as part of the compliance testing strategy. CC ID 12833 Testing Preventive
    Test compliance controls for proper functionality. CC ID 00660 Testing Detective
    Establish, implement, and maintain a system security plan. CC ID 01922
    [{environmental system}{social system} The governing body should ensure that the organization protects and restores those systems on which it depends. In this regard, the governing body should consider and manage risk associated with those decisions it makes that can impact the natural environmental, social and economic systems (see 6.9). While doing so, the governing body should ensure that relevant stakeholders are consulted and engaged (see 6.6). This should provide clarity regarding the impact the governing body's decisions have, over time, on those aspects on which the organization is: § 6.11.3.4 ¶ 1]
    Testing Preventive
    Include a system description in the system security plan. CC ID 16467 Establish/Maintain Documentation Preventive
    Include a description of the operational context in the system security plan. CC ID 14301 Establish/Maintain Documentation Preventive
    Include the results of the security categorization in the system security plan. CC ID 14281 Establish/Maintain Documentation Preventive
    Include the information types in the system security plan. CC ID 14696 Establish/Maintain Documentation Preventive
    Include the security requirements in the system security plan. CC ID 14274 Establish/Maintain Documentation Preventive
    Include threats in the system security plan. CC ID 14693 Establish/Maintain Documentation Preventive
    Include network diagrams in the system security plan. CC ID 14273 Establish/Maintain Documentation Preventive
    Include roles and responsibilities in the system security plan. CC ID 14682 Establish/Maintain Documentation Preventive
    Include the results of the privacy risk assessment in the system security plan. CC ID 14676 Establish/Maintain Documentation Preventive
    Include remote access methods in the system security plan. CC ID 16441 Establish/Maintain Documentation Preventive
    Disseminate and communicate the system security plan to interested personnel and affected parties. CC ID 14275 Communicate Preventive
    Include a description of the operational environment in the system security plan. CC ID 14272 Establish/Maintain Documentation Preventive
    Include the security categorizations and rationale in the system security plan. CC ID 14270 Establish/Maintain Documentation Preventive
    Include the authorization boundary in the system security plan. CC ID 14257 Establish/Maintain Documentation Preventive
    Align the enterprise architecture with the system security plan. CC ID 14255 Process or Activity Preventive
    Include security controls in the system security plan. CC ID 14239 Establish/Maintain Documentation Preventive
    Create specific test plans to test each system component. CC ID 00661 Establish/Maintain Documentation Preventive
    Include the roles and responsibilities in the test plan. CC ID 14299 Establish/Maintain Documentation Preventive
    Include the assessment team in the test plan. CC ID 14297 Establish/Maintain Documentation Preventive
    Include the scope in the test plans. CC ID 14293 Establish/Maintain Documentation Preventive
    Include the assessment environment in the test plan. CC ID 14271 Establish/Maintain Documentation Preventive
    Approve the system security plan. CC ID 14241 Business Processes Preventive
    Adhere to the system security plan. CC ID 11640 Testing Detective
    Review the test plans for each system component. CC ID 00662 Establish/Maintain Documentation Preventive
    Validate all testing assumptions in the test plans. CC ID 00663 Testing Detective
    Document validated testing processes in the testing procedures. CC ID 06200 Establish/Maintain Documentation Preventive
    Require testing procedures to be complete. CC ID 00664 Testing Detective
    Include error details, identifying the root causes, and mitigation actions in the testing procedures. CC ID 11827 Establish/Maintain Documentation Preventive
    Determine the appropriate assessment method for each testing process in the test plan. CC ID 00665 Testing Preventive
    Implement automated audit tools. CC ID 04882 Acquisition/Sale of Assets or Services Preventive
    Assign senior management to approve test plans. CC ID 13071 Human Resources Management Preventive
    Analyze system audit reports and determine the need to perform more tests. CC ID 00666 Testing Detective
    Monitor devices continuously for conformance with production specifications. CC ID 06201 Monitor and Evaluate Occurrences Detective
    Establish, implement, and maintain a compliance monitoring policy. CC ID 00671
    [Governance of organizations is a human-based system by which an organization is directed, overseen and held accountable for achieving its defined organizational purpose. At its core this includes: overseeing that the organization performs and behaves according to the expectations set by the governing body; § 4.1 ¶ 3 d)]
    Establish/Maintain Documentation Preventive
    Establish, implement, and maintain a metrics policy. CC ID 01654
    [The governing body should: set an expectation of the appropriate quality and quantity of measurement and timeliness of delivery when establishing objectives; § 4.3.2 ¶ 2 c)]
    Establish/Maintain Documentation Preventive
    Establish, implement, and maintain an approach for compliance monitoring. CC ID 01653
    [Decision-making throughout the organization should be supported by appropriate delegation (see 4.2.2). This delegation should be formalized together with appropriate assurance processes. Additionally, the governing body should ensure that: information structures, including access to information, monitoring and potential mitigation of incorrect decisions are sufficient to ensure compliance with organizational requirements. § 6.8.3.2.2 ¶ 1 c)]
    Establish/Maintain Documentation Preventive
    Establish, implement, and maintain risk management metrics. CC ID 01656 Establish/Maintain Documentation Preventive
    Report on the percentage of critical assets for which an assurance strategy is implemented. CC ID 01657 Actionable Reports or Measurements Detective
    Report on the percentage of key organizational functions for which an assurance strategy is implemented. CC ID 01658 Actionable Reports or Measurements Detective
    Report on the percentage of key compliance requirements for which an assurance strategy has been implemented. CC ID 01659 Actionable Reports or Measurements Detective
    Report on the percentage of the Information System budget allocated to Information Security. CC ID 04571 Actionable Reports or Measurements Detective
    Identify information being used to support the performance of the governance, risk, and compliance capability. CC ID 12866 Business Processes Preventive
    Identify information being used to support performance reviews for risk optimization. CC ID 12865 Audits and Risk Management Preventive
    Monitor personnel and third parties for compliance to the organizational compliance framework. CC ID 04726 Monitor and Evaluate Occurrences Detective
    Identify and document instances of non-compliance with the compliance framework. CC ID 06499
    [Recognize failures and mistakes and take appropriate action. Table 2 Column 2 Row 2 Bullet 5]
    Establish/Maintain Documentation Preventive
    Align enforcement reviews for non-compliance with organizational risk tolerance. CC ID 13063 Business Processes Detective
    Determine the causes of compliance violations. CC ID 12401 Investigate Corrective
    Identify and document events surrounding non-compliance with the organizational compliance framework. CC ID 12935 Establish/Maintain Documentation Preventive
    Determine if multiple compliance violations of the same type could occur. CC ID 12402 Investigate Detective
    Correct compliance violations. CC ID 13515 Process or Activity Corrective
    Review the effectiveness of disciplinary actions carried out for compliance violations. CC ID 12403 Investigate Detective
    Carry out disciplinary actions when a compliance violation is detected. CC ID 06675
    [When delegating, the governing body should delegate in a manner which increases trust and transparency. For delegation and accountability (see 6.5) to be effective, the governing body should ensure that the following conditions are fulfilled: consequences, such as sanctions, for the non-fulfilment of a responsibility or non-adherence to established parameters are enforceable. § 4.2.2 ¶ 2 e)]
    Behavior Corrective
    Align disciplinary actions with the level of compliance violation. CC ID 12404 Human Resources Management Preventive
    Establish, implement, and maintain disciplinary action notices. CC ID 16577 Establish/Maintain Documentation Preventive
    Include a copy of the order in the disciplinary action notice. CC ID 16606 Establish/Maintain Documentation Preventive
    Include the sanctions imposed in the disciplinary action notice. CC ID 16599 Establish/Maintain Documentation Preventive
    Include the effective date of the sanctions in the disciplinary action notice. CC ID 16589 Establish/Maintain Documentation Preventive
    Include the requirements that were violated in the disciplinary action notice. CC ID 16588 Establish/Maintain Documentation Preventive
    Include responses to charges from interested personnel and affected parties in the disciplinary action notice. CC ID 16587 Establish/Maintain Documentation Preventive
    Include the reasons for imposing sanctions in the disciplinary action notice. CC ID 16586 Establish/Maintain Documentation Preventive
    Disseminate and communicate the disciplinary action notice to interested personnel and affected parties. CC ID 16585 Communicate Preventive
    Include required information in the disciplinary action notice. CC ID 16584 Establish/Maintain Documentation Preventive
    Include a justification for actions taken in the disciplinary action notice. CC ID 16583 Establish/Maintain Documentation Preventive
    Include a statement on the conclusions of the investigation in the disciplinary action notice. CC ID 16582 Establish/Maintain Documentation Preventive
    Include the investigation results in the disciplinary action notice. CC ID 16581 Establish/Maintain Documentation Preventive
    Include a description of the causes of the actions taken in the disciplinary action notice. CC ID 16580 Establish/Maintain Documentation Preventive
    Include the name of the person responsible for the charges in the disciplinary action notice. CC ID 16579 Establish/Maintain Documentation Preventive
    Include contact information in the disciplinary action notice. CC ID 16578 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain compliance program metrics. CC ID 11625 Monitor and Evaluate Occurrences Preventive
    Establish, implement, and maintain a security program metrics program. CC ID 01660 Establish/Maintain Documentation Preventive
    Report on the policies and controls that have been implemented by management. CC ID 01670 Actionable Reports or Measurements Detective
    Establish, implement, and maintain a key management roles metrics standard. CC ID 11631
    [To demonstrate accountability, the governing body should ensure that the organization's reports and disclosures: provide information about the governing body itself, including: decisions, actions, performance and improvements; § 6.5.3.2 ¶ 1 b) 1)]
    Establish/Maintain Documentation Preventive
    Report on the percentage of security management roles that have been assigned. CC ID 01671 Actionable Reports or Measurements Detective
    Establish, implement, and maintain a key stakeholder metrics program. CC ID 01661
    [{individual}To demonstrate accountability, the governing body should ensure that the organization's reports and disclosures: provide information about the organization, including: those who can influence the decisions of the governing body (such as member stakeholders, reference stakeholders and other stakeholders who can exert a controlling influence) and the nature and level of influence; § 6.5.3.2 ¶ 1 c) 4)
    The governing body should oversee organizational performance by assessing and taking corrective action based on: managerial reporting and performance, ensuring that it appraises results against applicable measurement criteria and its intentions and expectations (see 6.3.3); § 6.4.3.2 ¶ 1 b)]
    Establish/Maintain Documentation Preventive
    Report on the percentage of board meetings or committee meetings at which Information Assurance was on the agenda. CC ID 01672 Actionable Reports or Measurements Detective
    Establish, implement, and maintain a supply chain member metrics program. CC ID 01662 Establish/Maintain Documentation Preventive
    Report on the percentage of supply chain members for which all Information Assurance requirements have been implemented. CC ID 01675 Actionable Reports or Measurements Detective
    Report on the Service Level Agreement performance of supply chain members. CC ID 06838 Actionable Reports or Measurements Preventive
    Establish, implement, and maintain a Business Continuity metrics program. CC ID 01663 Establish/Maintain Documentation Preventive
    Report on the percentage of organizational units that have an established Business Continuity Plan. CC ID 01676 Actionable Reports or Measurements Detective
    Report on the percentage of organizational units with a documented Business Continuity Plan for which specific responsibilities have been assigned. CC ID 02057 Actionable Reports or Measurements Detective
    Report on the percentage of Business Continuity Plans that have been reviewed, tested, and updated. CC ID 02058 Actionable Reports or Measurements Detective
    Establish, implement, and maintain an audit metrics program. CC ID 01664 Establish/Maintain Documentation Preventive
    Report on the percentage of needed internal audits that have been completed and reviewed. CC ID 01677 Actionable Reports or Measurements Detective
    Report on the percentage of Information Security requirements from applicable laws and regulations that are included in the audit program. CC ID 02069 Actionable Reports or Measurements Detective
    Report on the percentage of needed external audits that have been completed and reviewed. CC ID 11632 Actionable Reports or Measurements Detective
    Report on the percentage of Information Security audits conducted in compliance with the approved audit program. CC ID 02070 Actionable Reports or Measurements Detective
    Report on the percentage of audit findings that have been resolved since the last audit. CC ID 01678 Actionable Reports or Measurements Detective
    Report on the percentage of management actions in response to audit findings and audit recommendations that were implemented in a timely way. CC ID 02071 Actionable Reports or Measurements Detective
    Establish, implement, and maintain an Information Security metrics program. CC ID 01665 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain a metrics standard and template. CC ID 02157
    [The governing body should ensure that it sets parameters, within which the value generation objectives are to be achieved. These parameters should ensure that the organization: § 6.2.3.3 ¶ 1
    The governing body should steer the organizational strategy by means of: targets, key performance indicators (KPIs) and associated incentives, including financial remuneration (see 6.4.3); § 6.3.3.2.2 ¶ 2 i)
    Within the governing body: The governing body should set expectations for itself and the organization, including parameters within which these expectations are to be fulfilled. The governing body should fulfil these expectations (internal alignment). § 6.7.3.2 ¶ 1 a)]
    Establish/Maintain Documentation Preventive
    Convert data into standard units before reporting metrics. CC ID 15507 Process or Activity Corrective
    Monitor compliance with the Quality Control system. CC ID 01023 Actionable Reports or Measurements Preventive
    Report on the percentage of complaints received about products or delivered services. CC ID 07199 Actionable Reports or Measurements Preventive
    Report on the percentage of Quality Assurance attained by Quality Improvement practices. CC ID 07202 Actionable Reports or Measurements Preventive
    Establish, implement, and maintain occupational health and safety management metrics program. CC ID 15915 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain a policies and controls metrics program. CC ID 01666 Establish/Maintain Documentation Preventive
    Report on the percentage of total controls for which policies, standards, and procedures exist and for which approval has been granted. CC ID 01679 Actionable Reports or Measurements Detective
    Report on the percentage of personnel who are assigned and acknowledged responsibilities for approved policies, standards, and procedures. CC ID 01680 Actionable Reports or Measurements Detective
    Report on the percentage of policy compliance reviews for which no compliance violations were noted. CC ID 01681 Actionable Reports or Measurements Detective
    Report on the percentage of senior management or business unit heads who have implemented operational compliance procedures. CC ID 01682 Actionable Reports or Measurements Detective
    Establish, implement, and maintain a security roles and responsibilities metrics program. CC ID 01667 Establish/Maintain Documentation Preventive
    Report on the percentage of role descriptions that define the Information Awareness roles for Security Managers and administrators. CC ID 01685 Actionable Reports or Measurements Detective
    Report on the percentage of role descriptions that define the information awareness roles for interested personnel. CC ID 01686 Actionable Reports or Measurements Detective
    Report on the percentage of role descriptions that define the information awareness roles for end users. CC ID 01687 Actionable Reports or Measurements Detective
    Report on the percentage of performance reviews that include the evaluation of Information Assurance responsibilities and policy compliance. CC ID 01688 Actionable Reports or Measurements Detective
    Report on the percentage of individuals who have access to security software, are trained, and authorized Security Administrators. CC ID 01691 Actionable Reports or Measurements Detective
    Report on the percentage of individuals who are able to assign security privileges, are trained, and authorized Security Administrators. CC ID 01692 Actionable Reports or Measurements Detective
    Establish, implement, and maintain a role-based information access metrics program. CC ID 01668 Establish/Maintain Documentation Preventive
    Report on the percentage of new hires who completed training ahead of being granted network access or system access. CC ID 01683 Actionable Reports or Measurements Detective
    Report on the percentage of personnel who have completed periodic Information Assurance refresher training. CC ID 01684 Actionable Reports or Measurements Detective
    Report on the percentage of user roles, systems, and applications that comply with the segregation of duties principle. CC ID 01689 Actionable Reports or Measurements Detective
    Report on the percentage of individuals whose access rights have been reviewed. CC ID 01690 Actionable Reports or Measurements Detective
    Report on the percentage of users who have access to restricted data or restricted information and have undergone a background check. CC ID 01693 Actionable Reports or Measurements Detective
    Establish, implement, and maintain an information risk threshold metrics program. CC ID 01694 Establish/Maintain Documentation Preventive
    Report on the percentage of critical information assets and information-dependent functions. CC ID 02040 Actionable Reports or Measurements Detective
    Report on the percentage of critical assets and functions for which the cost of compromise has been quantified. CC ID 02041 Actionable Reports or Measurements Detective
    Report on the percentage of identified risks that have a defined risk mitigation plan. CC ID 02042 Actionable Reports or Measurements Detective
    Report on the percentage of systems with approved System Security Plans. CC ID 02145 Actionable Reports or Measurements Detective
    Monitor the supply chain for Information Assurance effectiveness. CC ID 02043 Establish/Maintain Documentation Preventive
    Report on the percentage of known Information Security risks that are related to supply chain relationships. CC ID 02044 Actionable Reports or Measurements Detective
    Report on the percentage of critical information assets or critical functions for which access by supply chain personnel is disallowed. CC ID 02045 Actionable Reports or Measurements Detective
    Report on the percentage of supply chain personnel who have current information asset user privileges. CC ID 02046 Actionable Reports or Measurements Detective
    Report on the percentage of systems with critical information assets or functions for which electronic connection by supply chain assets is disallowed. CC ID 02047 Actionable Reports or Measurements Detective
    Report on the percentage of security incidents that involved supply chain personnel. CC ID 02048 Actionable Reports or Measurements Detective
    Report on the percentage of third party contracts that include a requirement to externally verify policies and procedures. CC ID 02049 Actionable Reports or Measurements Detective
    Report on the percentage of supply chain relationships that have been reviewed for compliance with information security requirements. CC ID 02050 Actionable Reports or Measurements Detective
    Establish, implement, and maintain an identification and classification of information assets metrics program. CC ID 02052 Business Processes Preventive
    Report on the percentage of information assets that have been reviewed and classified. CC ID 02053 Actionable Reports or Measurements Detective
    Report on the percentage of information assets with defined user privileges that have been assigned based on role and according to policy. CC ID 02054 Actionable Reports or Measurements Detective
    Report on the percentage of scheduled Information Technology inventory processes that occurred on time. CC ID 02055 Actionable Reports or Measurements Detective
    Establish, implement, and maintain an Information Systems architecture metrics program. CC ID 02059 Business Processes Preventive
    Report on the percentage of recently identified information security risks related to systems architecture that have been adequately mitigated. CC ID 02060 Actionable Reports or Measurements Detective
    Report on the percentage of system architecture changes that were approved through appropriate change requests. CC ID 02061 Actionable Reports or Measurements Detective
    Report on the percentage of critical information assets or functions residing on systems that are currently in compliance with the approved systems architecture. CC ID 02062 Actionable Reports or Measurements Detective
    Report on the percentage of systems that have been recertified if security controls were updated after the system was developed. CC ID 02142 Actionable Reports or Measurements Detective
    Report on the percentage of systems that have completed Certification and Accreditation. CC ID 02143 Actionable Reports or Measurements Detective
    Establish, implement, and maintain a physical environment metrics program. CC ID 02063 Business Processes Preventive
    Report on the percentage of critical organizational information assets and functions that have been reviewed from the risk to physical security perspective. CC ID 02064 Actionable Reports or Measurements Detective
    Report on the percentage of critical organizational information assets and functions exposed to physical risks for which risk mitigation actions have been implemented. CC ID 02065 Actionable Reports or Measurements Detective
    Report on the percentage of critical assets that have been reviewed from the environmental risk perspective. CC ID 02066 Actionable Reports or Measurements Detective
    Report on the percentage of servers located in controlled access areas. CC ID 02067 Actionable Reports or Measurements Detective
    Establish, implement, and maintain a privacy metrics program. CC ID 15494 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain environmental management system performance metrics. CC ID 15191 Actionable Reports or Measurements Preventive
    Establish, implement, and maintain waste management metrics. CC ID 16152 Actionable Reports or Measurements Preventive
    Establish, implement, and maintain emissions management metrics. CC ID 16145 Actionable Reports or Measurements Preventive
    Establish, implement, and maintain financial management metrics. CC ID 16749 Actionable Reports or Measurements Preventive
    Establish, implement, and maintain a technical measurement metrics policy. CC ID 01655 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain a user identification and authentication metrics program. CC ID 02073 Business Processes Preventive
    Report on the percentage of unique active user identifiers. CC ID 02074 Actionable Reports or Measurements Detective
    Report on the percentage of systems and applications that perform authenticator policy verification. CC ID 02086 Actionable Reports or Measurements Detective
    Report on the percentage of active user passwords that are set to expire. CC ID 02087 Actionable Reports or Measurements Detective
    Report on the percentage of systems with critical information assets that use stronger authentication than user identifiers and passwords. CC ID 02088 Actionable Reports or Measurements Detective
    Establish, implement, and maintain a user account management metrics program. CC ID 02075 Business Processes Preventive
    Report on the percentage of systems for which default accounts and default passwords have been disabled or reset. CC ID 02089 Actionable Reports or Measurements Detective
    Report on the percentage of inactive user accounts that are assigned to personnel who have left or no longer need access. CC ID 02090 Actionable Reports or Measurements Detective
    Report on the percentage of systems with account lockout thresholds set. CC ID 02091 Actionable Reports or Measurements Detective
    Report on the percentage of inactive user accounts that have been disabled. CC ID 02092 Actionable Reports or Measurements Detective
    Report on the percentage of workstations with session timeout or automatic logoff controls set. CC ID 02093 Actionable Reports or Measurements Detective
    Report on the percentage of users with access to shared accounts. CC ID 04573 Actionable Reports or Measurements Detective
    Establish, implement, and maintain a user and administrator privilege management metrics program. CC ID 02076 Actionable Reports or Measurements Preventive
    Report on the percentage of active computer accounts that have had the current user privileges reviewed. CC ID 02094 Actionable Reports or Measurements Detective
    Report on the percentage of systems where permission to install nonstandard software is limited. CC ID 02095 Actionable Reports or Measurements Detective
    Report on the percentage of systems and applications that have user privileges and administrator privileges assigned in compliance with Role-Based Access Controls. CC ID 02096 Actionable Reports or Measurements Detective
    Establish, implement, and maintain a Configuration Management metrics program. CC ID 02077 Business Processes Preventive
    Report on the percentage of systems for which approved configuration settings have been implemented. CC ID 02097 Actionable Reports or Measurements Detective
    Report on the percentage of systems with configurations that do not deviate from approved standards. CC ID 02098 Actionable Reports or Measurements Detective
    Report on the percentage of systems that are continuously monitored for compliance with the configuration standard with out-of-compliance alarms or out-of-compliance reports. CC ID 02099 Actionable Reports or Measurements Detective
    Report on the percentage of systems whose configuration is compared with a previously established trusted configuration baseline. CC ID 02100 Actionable Reports or Measurements Detective
    Report on the percentage of systems where the authority to make configuration changes is limited. CC ID 02101 Actionable Reports or Measurements Detective
    Report on the percentage of system components that undergo maintenance as scheduled. CC ID 04562 Actionable Reports or Measurements Detective
    Establish, implement, and maintain a Security Information and Event Management metrics program. CC ID 02078 Log Management Preventive
    Report on the percentage of systems for which event logging has been implemented. CC ID 02102 Log Management Detective
    Report on the percentage of systems for which event logs are monitored and reviewed. CC ID 02103 Log Management Detective
    Report on the percentage of systems for which log capacity and log retention schedules have been implemented. CC ID 02104 Log Management Detective
    Report on the percentage of systems that generate warnings about anomalous activity or potentially unauthorized activity. CC ID 02105 Actionable Reports or Measurements Detective
    Establish, implement, and maintain a communications, e-mail, and remote access security management metrics program. CC ID 02079 Business Processes Preventive
    Report on the percentage of laptops and mobile devices that are required to be in compliance with the approved configuration standard before being granted network access. CC ID 02106 Actionable Reports or Measurements Detective
    Report on the percentage of organizationally controlled communications channels that have been secured. CC ID 02107 Actionable Reports or Measurements Detective
    Report on the percentage of host servers that are protected from becoming relay hosts. CC ID 02108 Actionable Reports or Measurements Detective
    Report on the percentage of mobile users who access organizational facilities using secure communications methods. CC ID 02109 Actionable Reports or Measurements Detective
    Establish, implement, and maintain a malicious code protection management metrics program. CC ID 02080 Business Processes Preventive
    Report on the percentage of workstations and laptops that employ automated system security tools. CC ID 02110 Actionable Reports or Measurements Detective
    Report on the percentage of servers that employ automated system security tools. CC ID 02111 Actionable Reports or Measurements Detective
    Report on the percentage of mobile devices that employ automated system security tools. CC ID 02112 Actionable Reports or Measurements Detective
    Establish, implement, and maintain a software change management metrics program. CC ID 02081 Business Processes Preventive
    Report on the percentage of software changes that have been documented and approved through change request forms. CC ID 02152 Actionable Reports or Measurements Detective
    Report on the percentage of systems with all approved patches installed. CC ID 02113 Actionable Reports or Measurements Detective
    Report on the mean time from patch availability to patch installation. CC ID 02114 Actionable Reports or Measurements Detective
    Report on the percentage of software changes that were reviewed for security impacts before the software configuration is updated. CC ID 02115 Actionable Reports or Measurements Detective
    Establish, implement, and maintain a network management and firewall management metrics program. CC ID 02082 Business Processes Preventive
    Establish, implement, and maintain a network activity baseline. CC ID 13188 Technical Security Detective
    Report on the percentage of systems configured according to the configuration standard. CC ID 02116 Actionable Reports or Measurements Detective
    Report on the percentage of network access controls used to gain unauthorized access. CC ID 04572 Actionable Reports or Measurements Detective
    Establish, implement, and maintain a data encryption management metrics program. CC ID 02083 Business Processes Preventive
    Report on the percentage of critical information assets stored on network accessible devices that are encrypted with widely tested and published cryptographic algorithms. CC ID 02117 Actionable Reports or Measurements Detective
    Report on the percentage of mobile devices that use encryption for critical information assets. CC ID 02118 Actionable Reports or Measurements Detective
    Report on the percentage of passwords and Personal Identification Numbers that are encrypted. CC ID 02119 Actionable Reports or Measurements Detective
    Report on the percentage of media that passes sanitization procedure testing. CC ID 04574 Actionable Reports or Measurements Detective
    Establish, implement, and maintain a backup management and recovery management metrics program. CC ID 02084 Business Processes Preventive
    Report on the percentage of systems with critical information assets or critical business functions that have been backed up in accordance with the backup policy and the system's continuity plan. CC ID 02120 Actionable Reports or Measurements Detective
    Report on the percentage of systems with critical information assets or critical functions where restoration from a backup has been successfully demonstrated. CC ID 02121 Actionable Reports or Measurements Detective
    Report on the percentage of backup media stored off site in secure storage. CC ID 02122 Actionable Reports or Measurements Detective
    Report on the percentage of used backup media or archive media sanitized prior to reuse or disposal. CC ID 02123 Actionable Reports or Measurements Detective
    Establish, implement, and maintain an incident management and vulnerability management metrics program. CC ID 02085 Business Processes Preventive
    Report on the estimated damage or loss resulting from all security incidents. CC ID 01674 Actionable Reports or Measurements Detective
    Report on the percentage of security incidents that did not cause confidentiality, integrity, or availability losses beyond the Service Level Agreement thresholds. CC ID 01673 Actionable Reports or Measurements Detective
    Report on the percentage of operational time that critical services were unavailable due to security incidents. CC ID 02124 Actionable Reports or Measurements Detective
    Report on the percentage of security incidents that exploited existing security vulnerabilities with known solutions, patches, or workarounds. CC ID 02125 Actionable Reports or Measurements Detective
    Report on the percentage of systems affected by security incidents that exploited existing security vulnerabilities with known solutions, patches, or workarounds. CC ID 02126 Actionable Reports or Measurements Detective
    Report on the percentage of security incidents that were managed according to established policies, procedures, and processes. CC ID 02127 Actionable Reports or Measurements Detective
    Report on the number of security incidents reported to FedCIRC, NIPC, the Payment Card Industry, or local law enforcement. CC ID 02154 Actionable Reports or Measurements Detective
    Report on the percentage of systems with critical information assets or critical functions that have been assessed for security vulnerabilities. CC ID 02128 Actionable Reports or Measurements Detective
    Report on the percentage of vulnerability assessment findings that have been addressed since the last reporting period. CC ID 02129 Actionable Reports or Measurements Detective
    Report on the average elapsed time between the discovery of a new vulnerability and implementing corrective action. CC ID 02140 Actionable Reports or Measurements Detective
    Report on the percentage of physical security incidents that involved entry into a facility containing Information Systems. CC ID 04564 Actionable Reports or Measurements Detective
    Delay the reporting of incident management metrics, as necessary. CC ID 15501 Communicate Preventive
    Establish, implement, and maintain an Electronic Health Records measurement metrics program. CC ID 06221 Establish/Maintain Documentation Preventive
    Report on the percentage of unique patients who had at least one medication entered using the Computerized Provider Order Entry system. CC ID 06222 Actionable Reports or Measurements Preventive
    Report on the percentage of unique patients who have diagnoses recorded as structured data into the current and active diagnoses problem list. CC ID 06223 Actionable Reports or Measurements Preventive
    Report on the percentage of permissible prescriptions that are transmitted electronically. CC ID 06224 Actionable Reports or Measurements Preventive
    Report on the percentage of unique patients who have at least one entry recorded as structured data into the active medication list. CC ID 06225 Actionable Reports or Measurements Preventive
    Report on the percentage of unique patients who have at least one entry recorded as structured data into the active medication allergy list. CC ID 06226 Actionable Reports or Measurements Preventive
    Report on the percentage of unique patients who have demographics recorded as structured data. CC ID 06227 Actionable Reports or Measurements Preventive
    Report on the percentage of unique patients over the age of 2 who have their height, weight, and blood pressure recorded as structured data. CC ID 06228 Actionable Reports or Measurements Preventive
    Report on the percentage of unique patients over the age of 13 who have their smoking status recorded as structured data. CC ID 06229 Actionable Reports or Measurements Preventive
    Report on the percentage of patients who are given an electronic copy of their Individually Identifiable Health Information not later than three business days after Individually Identifiable Health Information is requested. CC ID 06230 Actionable Reports or Measurements Preventive
    Report on the percentage of patients who are given clinical summaries not later than three business days after a physician office visit. CC ID 06231 Actionable Reports or Measurements Preventive
    Report on the percentage of lab test results that are incorporated into the Electronic Health Records as structured data. CC ID 06232 Actionable Reports or Measurements Preventive
    Report on the percentage of patients sixty-five years of age or older or five years of age or younger who were sent a reminder. CC ID 06233 Actionable Reports or Measurements Preventive
    Report on the percentage of unique patients who are given electronic access to their Individually Identifiable Health Information not later than four business days after their Individually Identifiable Health Information is updated. CC ID 06234 Actionable Reports or Measurements Preventive
    Report on the percentage of unique patients who are given patient-specific education resources. CC ID 06235 Actionable Reports or Measurements Preventive
    Report on the percentage of medication reconciliations that are performed if a patient is received from another setting or healthcare provider. CC ID 06236 Actionable Reports or Measurements Preventive
    Report on the percentage of summary of care records that are provided for transitions of care or referrals for patients who are transitioned or referred to another setting or healthcare provider. CC ID 06237 Actionable Reports or Measurements Preventive
    Report on the percentage of patients who receive their discharge instructions if discharge instructions are requested. CC ID 06238 Actionable Reports or Measurements Preventive
    Report on the percentage of patients 65 years of age or older who have an indication of advance directive status recorded as structured data. CC ID 06239 Actionable Reports or Measurements Preventive
    Establish, implement, and maintain a log management program. CC ID 00673 Establish/Maintain Documentation Preventive
    Deploy log normalization tools, as necessary. CC ID 12141 Technical Security Preventive
    Restrict access to logs to authorized individuals. CC ID 01342 Log Management Preventive
    Restrict access to audit trails to a need to know basis. CC ID 11641 Technical Security Preventive
    Refrain from recording unnecessary restricted data in logs. CC ID 06318 Log Management Preventive
    Back up audit trails according to backup procedures. CC ID 11642 Systems Continuity Preventive
    Back up logs according to backup procedures. CC ID 01344 Log Management Preventive
    Copy logs from all predefined hosts onto a log management infrastructure. CC ID 01346 Log Management Preventive
    Identify hosts with logs that are not being stored. CC ID 06314 Log Management Preventive
    Identify hosts with logs that are being stored at the system level only. CC ID 06315 Log Management Preventive
    Identify hosts with logs that should be stored at both the system level and the infrastructure level. CC ID 06316 Log Management Preventive
    Identify hosts with logs that are being stored at the infrastructure level only. CC ID 06317 Log Management Preventive
    Protect logs from unauthorized activity. CC ID 01345 Log Management Preventive
    Perform testing and validating activities on all logs. CC ID 06322 Log Management Preventive
    Archive the audit trail in accordance with compliance requirements. CC ID 00674 Log Management Preventive
    Enforce dual authorization as a part of information flow control for logs. CC ID 10098 Configuration Preventive
    Preserve the identity of individuals in audit trails. CC ID 10594 Log Management Preventive
    Establish, implement, and maintain a cross-organizational audit sharing agreement. CC ID 10595 Establish/Maintain Documentation Preventive
    Provide cross-organizational audit information based on the cross-organizational audit sharing agreement. CC ID 10596 Audits and Risk Management Preventive
    Monitor the performance of the governance, risk, and compliance capability. CC ID 12857
    [To exercise effective oversight, the governing body should: assure itself of the accuracy of reports and evidence it receives, and the effectiveness of the internal control system. § 6.4.3.1 ¶ 1 d)
    The governing body should oversee organizational performance by assessing and taking corrective action based on: whether the organizational values and governance policies are effectively guiding the organization, its culture and its ethical behaviour; § 6.4.3.2 ¶ 1 a)
    The governing body should oversee organizational performance by assessing and taking corrective action based on: compliance (e.g. information received directly from the compliance function) regarding the organization's compliance culture and the meeting of its compliance obligations; § 6.4.3.2 ¶ 1 d)
    Assurance processes that inform the governing body independently and accurately include: direct reports by, and private sessions with, internal audit as an independent provider of assurance, including insight and advice, on the effectiveness and performance of governance processes and the internal control system, in particular risk management and compliance management; § 6.4.3.3 ¶ 2 Bullet 3
    To ensure that the organization is acting in a socially responsible way, the governing body should: measure performance against objectives related to socially responsible behaviour; § 6.10.3 ¶ 1 g)
    The governing body should steer the organizational strategy by means of: monitoring and responding to the behaviour, decisions and activities of the organization, e.g. values-driven behaviours pertaining to sustainability; § 6.3.3.2.2 ¶ 2 b)]
    Monitor and Evaluate Occurrences Preventive
    Monitor the organizational culture. CC ID 12782
    [The governing body should consider the expectations of relevant stakeholder groups whether the organization is obliged to do so (e.g. member stakeholders, regulators) or whether it chooses to do so (e.g. reference stakeholders). The governing body should ensure that: the organizational culture is responsive to relevant stakeholders' views; § 6.6.3 ¶ 3 b)
    The governing body should steer the organizational strategy by means of: the organizational culture, including the cultural tone the governing body sets through its ethos; § 6.3.3.2.2 ¶ 2 a)]
    Monitor and Evaluate Occurrences Preventive
    Monitor for changes to the organizational culture that have a cumulative effect on organizational objectives. CC ID 12886 Monitor and Evaluate Occurrences Preventive
    Monitor for changes to the organizational culture that have a cumulative effect on strategies. CC ID 12885 Monitor and Evaluate Occurrences Preventive
    Monitor for changes to the organizational culture that have an indirect effect on strategies. CC ID 12884 Monitor and Evaluate Occurrences Preventive
    Monitor for changes to the organizational culture that have an indirect effect on organizational objectives. CC ID 12883 Monitor and Evaluate Occurrences Preventive
    Monitor for changes to the organizational culture that have a direct effect on strategies. CC ID 12882 Monitor and Evaluate Occurrences Preventive
    Monitor for changes to the organizational culture that have a direct effect on organizational objectives. CC ID 12881 Monitor and Evaluate Occurrences Detective
    Establish, implement, and maintain a corrective action plan. CC ID 00675
    [When defining the organizational values, the governing body should ensure that: corrective action can be taken. § 6.1.3.3 ¶ 1 e)
    To exercise effective oversight, the governing body should: take corrective action; § 6.4.3.1 ¶ 1 c)
    The governing body should oversee organizational performance by assessing and taking corrective action based on: § 6.4.3.2 ¶ 1
    The governing body should oversee organizational performance by assessing and taking corrective action based on: the organization's identification of, and engagement with, relevant stakeholders (see 6.6); § 6.4.3.2 ¶ 1 e)
    The governing body should oversee organizational performance by assessing and taking corrective action based on: the organization's responsible (which includes ethical) use of, and adequate investment in, technology including, for example, artificial intelligence and cyber security; § 6.4.3.2 ¶ 1 i)
    For accountability to be effective, it relies on effective stakeholder engagement (see 6.6) as this is the basis for effective dialogue, value generation and improvement. The governing body should be available to answer to relevant stakeholders about decisions made and have responses evaluated. Improvements should be applied as the result of feedback from reporting, disclosure and dialogue activities. § 6.5.3.2 ¶ 3
    {be adequate} The governing body is accountable for establishing and maintaining an integrated organizational governance framework across the organization that coordinates these governance activities such that the organization realizes effective performance, responsible stewardship and ethical behaviour. This organizational governance framework should ensure that decision-makers have appropriate authority, competence and resources for the responsibilities given to them. Effective delegation and transparent decision-making empower personnel to act appropriately, resulting in a more resilient and agile organization. Controls and subsequent improvement actions should be planned and implemented to ensure that the governance system remains adequate for the organization's purpose. § 4.2.1 ¶ 2
    The governing body should demonstrate accountability by retaining and distributing value in a transparent manner and reporting on the associated processes, decisions and results, including on the extent of the organization's impacts over time. This includes disclosing to relevant stakeholders where the organization has destroyed or compromised value, providing a justification for such where appropriate, and describing how it will redress or reinstate that value. § 6.2.3.5 ¶ 2
    The governing body should oversee organizational performance by assessing and taking corrective action based on: whether the organizational values and governance policies are effectively guiding the organization, its culture and its ethical behaviour; § 6.4.3.2 ¶ 1 a)
    Recognize failures and mistakes and take appropriate action. Table 2 Column 2 Row 2 Bullet 5
    The governing body should oversee organizational performance by assessing and taking corrective action based on: compliance (e.g. information received directly from the compliance function) regarding the organization's compliance culture and the meeting of its compliance obligations; § 6.4.3.2 ¶ 1 d)
    The governing body should oversee organizational performance by assessing and taking corrective action based on: the organization's management of plans, organizational changes and other substantial transformations as well as responses to unplanned events and incidents. § 6.4.3.2 ¶ 1 j)
    The governing body should oversee organizational performance by assessing and taking corrective action based on: managerial reporting and performance, ensuring that it appraises results against applicable measurement criteria and its intentions and expectations (see 6.3.3); § 6.4.3.2 ¶ 1 b)
    The governing body should oversee organizational performance by assessing and taking corrective action based on: the organization's controlling and processing of data, ensuring that data are recognized as a valuable and strategic organizational resource (see 6.8); § 6.4.3.2 ¶ 1 h)
    The governing body should oversee organizational performance by assessing and taking corrective action based on: resource allocations, capacity and capabilities (including people and their development) ensuring that the organization is enabled to meet its organizational purpose, value generation objectives and strategic outcomes; § 6.4.3.2 ¶ 1 g)
    {be financially sound} The governing body should oversee organizational performance by assessing and taking corrective action based on: the organization's financial results and financial resources, ensuring that the organization remains financially sound; § 6.4.3.2 ¶ 1 f)
    {hold accountable}{individual} The governing body should hold to account those to whom it has delegated (see 4.2.2). The governing body should ask questions, exercise its judgement, implement consequences, affect improvements and ensure that it is equipped to do so. When doing so, the governing body should practise integrity, fairness and transparency. § 6.5.3.3 ¶ 1]
    Monitor and Evaluate Occurrences Detective
    Align corrective actions with the level of environmental impact. CC ID 15193 Business Processes Preventive
    Include risks and opportunities in the corrective action plan. CC ID 15178 Establish/Maintain Documentation Preventive
    Include environmental aspects in the corrective action plan. CC ID 15177 Establish/Maintain Documentation Preventive
    Include the completion date in the corrective action plan. CC ID 13272 Establish/Maintain Documentation Preventive
    Include monitoring in the corrective action plan. CC ID 11645 Monitor and Evaluate Occurrences Detective
    Report compliance monitoring statistics to the Board of Directors and other critical stakeholders, as necessary. CC ID 00676
    [Finally, the governing body should report honestly and transparently to relevant stakeholders on the organizational governance framework. This includes reporting: its assessment of the governance outcomes achieved. § 5 ¶ 7 Bullet 2
    Assurance processes that inform the governing body independently and accurately include: direct reports by, and private sessions with, internal audit as an independent provider of assurance, including insight and advice, on the effectiveness and performance of governance processes and the internal control system, in particular risk management and compliance management; § 6.4.3.3 ¶ 2 Bullet 3
    Assurance processes that inform the governing body independently and accurately include: direct reports by, and private sessions with, risk management and compliance management as independent control functions; § 6.4.3.3 ¶ 2 Bullet 2]
    Actionable Reports or Measurements Corrective
  • Operational and Systems Continuity
    14
    KEY:    Primary Verb     Primary Noun     Secondary Verb     Secondary Noun     Limiting Term
    Mandated - bold    Implied - italic    Implementation - regular TYPE CLASS
    Operational and Systems Continuity CC ID 00731 IT Impact Zone IT Impact Zone
    Establish, implement, and maintain a business continuity program. CC ID 13210 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain a continuity framework. CC ID 00732 Establish/Maintain Documentation Preventive
    Evaluate all possible continuity risks and impacts as a part of the continuity framework. CC ID 06374
    [{internal context} When setting the strategic outcomes and guiding the organizational strategy, the governing body should consider the organization's internal and external context, including: the organization's strengths, weaknesses, competitive positioning and operational resilience; § 6.3.3.1.1 ¶ 2 i)]
    Systems Continuity Detective
    Assess risks related to fault tolerance and redundancy of critical assets. CC ID 13053 Systems Continuity Preventive
    Establish, implement, and maintain a continuity plan. CC ID 00752 Establish/Maintain Documentation Preventive
    Restore systems and environments to be operational. CC ID 13476
    [{environmental system}{social system} The governing body should ensure that the organization protects and restores those systems on which it depends. In this regard, the governing body should consider and manage risk associated with those decisions it makes that can impact the natural environmental, social and economic systems (see 6.9). While doing so, the governing body should ensure that relevant stakeholders are consulted and engaged (see 6.6). This should provide clarity regarding the impact the governing body's decisions have, over time, on those aspects on which the organization is: § 6.11.3.4 ¶ 1]
    Systems Continuity Corrective
    Include restoration procedures in the continuity plan. CC ID 01169
    [The organization's viability and performance over time depends on the resilience of natural environmental, social and economic systems in which the organization operates. The resilience of these systems benefits from governing body decisions when such decisions consider: actively contribute to conserving and restoring these systems. § 6.11.3.1 ¶ 1 Bullet 2]
    Establish Roles Preventive
    Include risk prioritized recovery procedures for each business unit in the recovery plan. CC ID 01166 Establish/Maintain Documentation Preventive
    Include the recovery plan in the continuity plan. CC ID 01377 Establish/Maintain Documentation Preventive
    Disseminate and communicate the recovery status of the contingency plan to interested personnel and affected parties. CC ID 12758 Communicate Preventive
    Establish, implement, and maintain system continuity plan strategies. CC ID 00735 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain a critical third party list. CC ID 06815 Establish/Maintain Documentation Preventive
    Disseminate and communicate critical third party dependencies to interested personnel and affected parties. CC ID 06816
    [To demonstrate accountability, the governing body should ensure that the organization's reports and disclosures: explain and justify the organization's actions, inactions, omissions, risk and dependencies, including those of the governing body; § 6.5.3.2 ¶ 1 g)]
    Behavior Preventive
  • Operational management
    408
    Operational management CC ID 00805 IT Impact Zone IT Impact Zone
    Establish, implement, and maintain a Governance, Risk, and Compliance framework. CC ID 01406
    [To exercise effective oversight, the governing body should: ensure that an internal control system is implemented, including a risk management system, a compliance management system and a system of financial controls; § 6.4.3.1 ¶ 1 b)
    {be adequate} The governing body is accountable for establishing and maintaining an integrated organizational governance framework across the organization that coordinates these governance activities such that the organization realizes effective performance, responsible stewardship and ethical behaviour. This organizational governance framework should ensure that decision-makers have appropriate authority, competence and resources for the responsibilities given to them. Effective delegation and transparent decision-making empower personnel to act appropriately, resulting in a more resilient and agile organization. Controls and subsequent improvement actions should be planned and implemented to ensure that the governance system remains adequate for the organization's purpose. § 4.2.1 ¶ 2
    Therefore, the governing body should: govern for organizational viability over time. § 6.11.3.1 ¶ 2 c)]
    Establish/Maintain Documentation Preventive
    Include enterprise architecture in the Governance, Risk, and Compliance framework. CC ID 13266 Establish/Maintain Documentation Preventive
    Disseminate and communicate updates to the Governance, Risk, and Compliance framework to interested personnel and affected parties. CC ID 06955
    [To demonstrate accountability, the governing body should ensure that the organization's reports and disclosures: provide information about the governing body itself, including: decisions, actions, performance and improvements; § 6.5.3.2 ¶ 1 b) 1)]
    Behavior Preventive
    Establish, implement, and maintain security requirements based on applicable regulations. CC ID 16283 Establish/Maintain Documentation Preventive
    Acquire resources necessary to support Governance, Risk, and Compliance. CC ID 12861
    [The governing body should ensure that the organizational risk framework, in respect to the management of risk: establishes and maintains adequate resourcing; § 6.9.3.2 ¶ 2 f)]
    Acquisition/Sale of Assets or Services Preventive
    Establish, implement, and maintain a prioritized plan for updating the Governance, Risk, and Compliance framework. CC ID 12853
    [Governing body members should continuously improve their competency regarding the organization's activities, legal requirements and, more broadly, the organization's context. This improving capability, together with regular reviews of governance practices, should ensure a continually improving governance environment. § 4.3.2 ¶ 1
    The governing body should ensure that the responsibilities for developing and approving all policies are clear and that governance policies are not open to change without the governing body's agreement. § 6.3.3.1.2 ¶ 4
    {individual} The governing body should ensure that those to whom they delegate are empowered to create management policies, which are consistent with the governance policies, and are also empowered to provide proposals for changes to the governance policies. § 6.3.3.1.2 ¶ 3
    The governing body should steer the organizational strategy by means of: the composition and functioning of the governing body itself, and its committees, ensuring they are continually able to understand and meet the changing needs of the organization (see 4.3.2), including recommending ways for closing anticipated gaps; § 6.3.3.2.2 ¶ 2 c)]
    Establish/Maintain Documentation Preventive
    Integrate the use of technology in supporting the Governance, Risk, and Compliance capabilities. CC ID 12915 Process or Activity Preventive
    Evaluate the use of technology in supporting Governance, Risk, and Compliance capabilities. CC ID 12895
    [The governing body should oversee organizational performance by assessing and taking corrective action based on: the organization's responsible (which includes ethical) use of, and adequate investment in, technology including, for example, artificial intelligence and cyber security; § 6.4.3.2 ¶ 1 i)]
    Process or Activity Preventive
    Analyze the effect of the Governance, Risk, and Compliance capability to achieve organizational objectives. CC ID 12809 Audits and Risk Management Preventive
    Assign accountability for maintaining the Governance, Risk, and Compliance framework. CC ID 12523
    ["Governance" and "management" are distinct, necessary and complementary activities that interact and influence one another. Governance involves setting and being accountable for the organization's fulfilment of its purpose within the parameters set for the organization, whereas management is about fulfilling the associated objectives by making choices within those parameters. The governing body should ensure the clarity of roles and responsibilities of all involved and hold accountable those to whom they delegate. § 4.2.3 ¶ 1
    Governance is exercised throughout the organization by governing groups, including: § 4.2.1 ¶ 1
    Governance is exercised throughout the organization by governing groups, including: member stakeholders; § 4.2.1 ¶ 1 Bullet 1
    Governance is exercised throughout the organization by governing groups, including: managers; § 4.2.1 ¶ 1 Bullet 3
    Governance is exercised throughout the organization by governing groups, including: other internal functions of the organization. § 4.2.1 ¶ 1 Bullet 4
    {individual}{hold accountable} The governing body should demonstrate its accountability to the organization as a whole and hold to account those to whom it has delegated. Table 1 Column 4 Row 6
    The governing body should ensure that the responsibilities for developing and approving all policies are clear and that governance policies are not open to change without the governing body's agreement. § 6.3.3.1.2 ¶ 4
    {individual} The governing body should ensure that those to whom they delegate are empowered to create management policies, which are consistent with the governance policies, and are also empowered to provide proposals for changes to the governance policies. § 6.3.3.1.2 ¶ 3
    Accountable people can delegate to others. However, it should be made clear that those who delegate remain accountable for their delegate's use of that authority. § 4.2.2 ¶ 4
    {individual}{hold accountable} The governing body should demonstrate its accountability to the organization as a whole and hold to account those to whom it has delegated. § 6.5.1 ¶ 1
    {hold accountable}{individual} The governing body should hold to account those to whom it has delegated (see 4.2.2). The governing body should ask questions, exercise its judgement, implement consequences, affect improvements and ensure that it is equipped to do so. When doing so, the governing body should practise integrity, fairness and transparency. § 6.5.3.3 ¶ 1]
    Human Resources Management Preventive
    Assign defining the program for disseminating and communicating the Governance, Risk, and Compliance framework. CC ID 12524 Human Resources Management Preventive
    Establish, implement, and maintain a compliance policy. CC ID 14807 Establish/Maintain Documentation Preventive
    Include the standard of conduct and accountability in the compliance policy. CC ID 14813
    [{refrain from holding accountable}{do not}{individual} No one should be held accountable for matters over which they have no authority or for which expectations have not been stated or agreed. § 4.2.2 ¶ 3
    Governance of organizations is a human-based system by which an organization is directed, overseen and held accountable for achieving its defined organizational purpose. At its core this includes: demonstrating accountability for this performance and behaviour. § 4.1 ¶ 3 e)]
    Establish/Maintain Documentation Preventive
    Include the scope in the compliance policy. CC ID 14812 Establish/Maintain Documentation Preventive
    Include roles and responsibilities in the compliance policy. CC ID 14811 Establish/Maintain Documentation Preventive
    Include a commitment to continual improvement in the compliance policy. CC ID 14810 Establish/Maintain Documentation Preventive
    Disseminate and communicate the compliance policy to interested personnel and affected parties. CC ID 14809 Communicate Preventive
    Include management commitment in the compliance policy. CC ID 14808 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain a governance policy. CC ID 15587
    [The governing body should establish governance policies and ensure that these: § 6.3.3.1.2 ¶ 1
    The governing body should ensure that the governance policies are effectively applied across the organization and that they achieve the governing body's intentions. § 6.3.3.1.2 ¶ 2
    The governing body should ensure that the organizational risk framework, in respect to the management of risk: positions risk as a key consideration in the setting of governance policies (see 6.3); § 6.9.3.2 ¶ 2 c)
    The governing body should establish governance policies and ensure that these: are regularly reviewed, and updated as necessary, to ensure that they remain aligned with the organization's constituting documents, and the organization's changing context, and are based on relevant guidance and best practices such as standards and codes. § 6.3.3.1.2 ¶ 1 h)
    The governing body should establish governance policies and ensure that these: clarify the governing body's intentions and expectations with respect to the organizational purpose, organizational values and the organization's value generation objectives; § 6.3.3.1.2 ¶ 1 a)
    {internal context} The governing body should steer the organizational strategy by means of: governance policies, to ensure that they remain aligned with the organization's changing internal and external context and are current with common or best practice; § 6.3.3.2.2 ¶ 2 d)
    The governing body should provide direction for, and have sufficient oversight of, the use of data and its supporting information technology to ensure the organization remains within its established risk appetite and organizational risk framework. This can include: innovation processes to ensure that changes in information technology can quickly be assessed and, if necessary and appropriate, governance policies can be updated to leverage new opportunities; § 6.8.3.4 ¶ 2 d)]
    Establish/Maintain Documentation Preventive
    Disseminate and communicate the governance policy to all interested personnel and affected parties. CC ID 15625
    [To demonstrate accountability, the governing body should ensure that the organization's reports and disclosures: describe the organizational purpose, organizational values, value generation model, organizational strategy and associated governance policies; § 6.5.3.2 ¶ 1 a)]
    Communicate Preventive
    Include a commitment to continuous improvement in the governance policy. CC ID 15595
    [The governing body should establish governance policies and ensure that these: address the governing body's own commitment to continual improvement; § 6.3.3.1.2 ¶ 1 g)]
    Establish/Maintain Documentation Preventive
    Include roles and responsibilities in the governance policy. CC ID 15594
    [The governing body should establish governance policies and ensure that these: provide guidance on what, rather than detailing how, responsibilities are to be fulfilled; § 6.3.3.1.2 ¶ 1 d)
    The governing body should establish governance policies and ensure that these: define the structures (e.g. committees) and roles involved in the governance of the organization, including their authority, responsibilities, performance and reporting requirements; § 6.3.3.1.2 ¶ 1 c)
    The governing body should establish governance policies and ensure that these: clarify delegations within the organization, including in relation to the strategy process; § 6.3.3.1.2 ¶ 1 b)]
    Establish/Maintain Documentation Preventive
    Establish, implement, and maintain a positive information control environment. CC ID 00813
    [The governing body should lead the organization ethically and effectively and ensure such leadership throughout the organization. § 6.7.1 ¶ 1
    Ethical and effective leadership should be demonstrated in three areas: § 6.7.3.1 ¶ 4
    The governing body should demonstrate effective leadership across all areas. § 6.7.3.2 ¶ 1
    The governing body should lead the organization ethically and effectively and ensure such leadership throughout the organization. Table 1 Column 4 Row 8
    In order to lead ethically and effectively, the governing body should lead by example to create a positive culture, set the tone for others, and engender trust and cooperation among the organization's stakeholders. § 6.7.3.1 ¶ 2
    Ethical leadership results in an organizational context and culture that: provides increased certainty, which in turn, creates reputational value. § 6.7.3.3 ¶ 3 Bullet 5
    {be responsible}{be ethical} The governing body should, in particular, ensure that the organization recognizes data as a strategic resource and ensure that the organization uses data responsibly and ethically. § 6.8.3.1 ¶ 2
    {be ethical} New technology brings an increase in the volume and value of data, and a responsibility for governing bodies to ensure that: data are used ethically; § 6.8.3.4 ¶ 1 Bullet 1
    The governing body should ensure that the organizational risk framework, in respect to the management of risk: establishes the desired risk culture across the organization that encourages the reporting and communication of new and emerging risks, and ensures that every person in the organization understands their risk management responsibility; § 6.9.3.2 ¶ 2 a)
    Ethical leadership results in an organizational context and culture that: assists in reconciling strategic dilemmas by creating organizational alignment through the integration of opposites; § 6.7.3.3 ¶ 3 Bullet 2
    Ethical leadership results in an organizational context and culture that: provides the individuals of an organization with a collective sense of belonging; § 6.7.3.3 ¶ 3 Bullet 1]
    Business Processes Preventive
    Make compliance and governance decisions in a timely manner. CC ID 06490 Behavior Preventive
    Establish, implement, and maintain an internal control framework. CC ID 00820
    [To exercise effective oversight, the governing body should: ensure that an internal control system is implemented, including a risk management system, a compliance management system and a system of financial controls; § 6.4.3.1 ¶ 1 b)
    {be adequate} The governing body is accountable for establishing and maintaining an integrated organizational governance framework across the organization that coordinates these governance activities such that the organization realizes effective performance, responsible stewardship and ethical behaviour. This organizational governance framework should ensure that decision-makers have appropriate authority, competence and resources for the responsibilities given to them. Effective delegation and transparent decision-making empower personnel to act appropriately, resulting in a more resilient and agile organization. Controls and subsequent improvement actions should be planned and implemented to ensure that the governance system remains adequate for the organization's purpose. § 4.2.1 ¶ 2]
    Establish/Maintain Documentation Preventive
    Define the scope for the internal control framework. CC ID 16325 Business Processes Preventive
    Measure policy compliance when reviewing the internal control framework. CC ID 06442
    [The governing body should establish governance policies and ensure that these: set expectations for internal controls, compliance, risk management and risk taking; § 6.3.3.1.2 ¶ 1 e)]
    Actionable Reports or Measurements Corrective
    Review the relevance of information supporting internal controls. CC ID 12420 Business Processes Detective
    Assign ownership of the internal control framework to the appropriate organizational role. CC ID 06437 Establish Roles Preventive
    Assign resources to implement the internal control framework. CC ID 00816
    [When delegating, the governing body should delegate in a manner which increases trust and transparency. For delegation and accountability (see 6.5) to be effective, the governing body should ensure that the following conditions are fulfilled: required resources are available; § 4.2.2 ¶ 2 b)
    The governing body should steer the organizational strategy by means of: decision-making, specifically, the strategic deployment of resources. § 6.3.3.2.2 ¶ 2 j)
    {procedure} The governing body should ensure that it sets parameters, within which the value generation objectives are to be achieved. These parameters should ensure that the organization: defines what resources are required to deliver the value generation objectives and how they should be accessed and allocated; § 6.2.3.3 ¶ 1 b)]
    Business Processes Preventive
    Define and assign the roles and responsibilities for interested personnel and affected parties when establishing, implementing, and maintaining the internal control framework. CC ID 07146
    [Decision-making throughout the organization should be supported by appropriate delegation (see 4.2.2). This delegation should be formalized together with appropriate assurance processes. Additionally, the governing body should ensure that: § 6.8.3.2.2 ¶ 1]
    Establish Roles Preventive
    Establish, implement, and maintain a baseline of internal controls. CC ID 12415
    [The governing body should establish governance policies and ensure that these: set expectations for internal controls, compliance, risk management and risk taking; § 6.3.3.1.2 ¶ 1 e)]
    Business Processes Preventive
    Include the business need justification for excluding controls in the baseline of internal controls. CC ID 16129 Establish/Maintain Documentation Preventive
    Include the implementation status of controls in the baseline of internal controls. CC ID 16128 Establish/Maintain Documentation Preventive
    Leverage actionable information to support internal controls. CC ID 12414 Business Processes Preventive
    Include procedures for continuous quality improvement in the internal control framework. CC ID 00819 Establish/Maintain Documentation Preventive
    Include continuous service account management procedures in the internal control framework. CC ID 13860 Establish/Maintain Documentation Preventive
    Include threat assessment in the internal control framework. CC ID 01347 Establish/Maintain Documentation Preventive
    Automate threat assessments, as necessary. CC ID 06877 Configuration Preventive
    Include vulnerability management and risk assessment in the internal control framework. CC ID 13102
    [The governing body should establish governance policies and ensure that these: set expectations for internal controls, compliance, risk management and risk taking; § 6.3.3.1.2 ¶ 1 e)]
    Establish/Maintain Documentation Preventive
    Automate vulnerability management, as necessary. CC ID 11730 Configuration Preventive
    Include personnel security procedures in the internal control framework. CC ID 01349 Establish/Maintain Documentation Preventive
    Include continuous security warning monitoring procedures in the internal control framework. CC ID 01358 Establish/Maintain Documentation Preventive
    Include incident alert thresholds in the continuous security warning monitoring procedures. CC ID 13205 Establish/Maintain Documentation Preventive
    Include security information sharing procedures in the internal control framework. CC ID 06489 Establish/Maintain Documentation Preventive
    Share security information with interested personnel and affected parties. CC ID 11732 Communicate Preventive
    Evaluate information sharing partners, as necessary. CC ID 12749 Process or Activity Preventive
    Include security incident response procedures in the internal control framework. CC ID 01359 Establish/Maintain Documentation Preventive
    Include incident response escalation procedures in the internal control framework. CC ID 11745 Establish/Maintain Documentation Preventive
    Include continuous user account management procedures in the internal control framework. CC ID 01360 Establish/Maintain Documentation Preventive
    Include emergency response procedures in the internal control framework. CC ID 06779 Establish/Maintain Documentation Detective
    Authorize and document all exceptions to the internal control framework. CC ID 06781 Establish/Maintain Documentation Preventive
    Disseminate and communicate the internal control framework to all interested personnel and affected parties. CC ID 15229 Communicate Preventive
    Disseminate and communicate the cybersecurity policy to interested personnel and affected parties. CC ID 16835 Communicate Preventive
    Establish, implement, and maintain a cybersecurity policy. CC ID 16833 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain an information security program. CC ID 00812
    [The governing body should provide direction for, and have sufficient oversight of, the use of data and its supporting information technology to ensure the organization remains within its established risk appetite and organizational risk framework. This can include: the implementation of a risk-based information security management system (ISMS); § 6.8.3.4 ¶ 2 b)]
    Establish/Maintain Documentation Preventive
    Include physical safeguards in the information security program. CC ID 12375 Establish/Maintain Documentation Preventive
    Include technical safeguards in the information security program. CC ID 12374 Establish/Maintain Documentation Preventive
    Include administrative safeguards in the information security program. CC ID 12373 Establish/Maintain Documentation Preventive
    Include system development in the information security program. CC ID 12389 Establish/Maintain Documentation Preventive
    Include system maintenance in the information security program. CC ID 12388 Establish/Maintain Documentation Preventive
    Include system acquisition in the information security program. CC ID 12387 Establish/Maintain Documentation Preventive
    Include access control in the information security program. CC ID 12386 Establish/Maintain Documentation Preventive
    Review and approve access controls, as necessary. CC ID 13074 Process or Activity Detective
    Include operations management in the information security program. CC ID 12385 Establish/Maintain Documentation Preventive
    Include communication management in the information security program. CC ID 12384 Establish/Maintain Documentation Preventive
    Include environmental security in the information security program. CC ID 12383 Establish/Maintain Documentation Preventive
    Include physical security in the information security program. CC ID 12382 Establish/Maintain Documentation Preventive
    Include human resources security in the information security program. CC ID 12381 Establish/Maintain Documentation Preventive
    Include asset management in the information security program. CC ID 12380 Establish/Maintain Documentation Preventive
    Include a continuous monitoring program in the information security program. CC ID 14323 Establish/Maintain Documentation Preventive
    Include change management procedures in the continuous monitoring plan. CC ID 16227 Establish/Maintain Documentation Preventive
    Include recovery procedures in the continuous monitoring plan. CC ID 16226 Establish/Maintain Documentation Preventive
    Include mechanisms for decommissioning a system in the continuous monitoring plan. CC ID 16225 Establish/Maintain Documentation Preventive
    Include mechanisms for appeal and override in the continuous monitoring plan. CC ID 16223 Establish/Maintain Documentation Preventive
    Include how the information security department is organized in the information security program. CC ID 12379 Establish/Maintain Documentation Preventive
    Include risk management in the information security program. CC ID 12378 Establish/Maintain Documentation Preventive
    Include mitigating supply chain risks in the information security program. CC ID 13352 Establish/Maintain Documentation Preventive
    Provide management direction and support for the information security program. CC ID 11999 Process or Activity Preventive
    Monitor and review the effectiveness of the information security program. CC ID 12744 Monitor and Evaluate Occurrences Preventive
    Establish, implement, and maintain an information security policy. CC ID 11740 Establish/Maintain Documentation Preventive
    Align the information security policy with the organization's risk acceptance level. CC ID 13042 Business Processes Preventive
    Include business processes in the information security policy. CC ID 16326 Establish/Maintain Documentation Preventive
    Include the information security strategy in the information security policy. CC ID 16125 Establish/Maintain Documentation Preventive
    Include a commitment to continuous improvement in the information security policy. CC ID 16123 Establish/Maintain Documentation Preventive
    Include roles and responsibilities in the information security policy. CC ID 16120 Establish/Maintain Documentation Preventive
    Include a commitment to the information security requirements in the information security policy. CC ID 13496 Establish/Maintain Documentation Preventive
    Include information security objectives in the information security policy. CC ID 13493 Establish/Maintain Documentation Preventive
    Include the use of Cloud Services in the information security policy. CC ID 13146 Establish/Maintain Documentation Preventive
    Include notification procedures in the information security policy. CC ID 16842 Establish/Maintain Documentation Preventive
    Approve the information security policy at the organization's management level or higher. CC ID 11737 Process or Activity Preventive
    Establish, implement, and maintain information security procedures. CC ID 12006 Business Processes Preventive
    Describe the group activities that protect restricted data in the information security procedures. CC ID 12294 Establish/Maintain Documentation Preventive
    Disseminate and communicate the information security procedures to all interested personnel and affected parties. CC ID 16303 Communicate Preventive
    Document the roles and responsibilities for all activities that protect restricted data in the information security procedures. CC ID 12304 Establish/Maintain Documentation Preventive
    Define thresholds for approving information security activities in the information security program. CC ID 15702 Process or Activity Preventive
    Assign ownership of the information security program to the appropriate role. CC ID 00814 Establish Roles Preventive
    Assign the responsibility for establishing, implementing, and maintaining the information security program to the appropriate role. CC ID 11884 Human Resources Management Preventive
    Assign information security responsibilities to interested personnel and affected parties in the information security program. CC ID 11885 Establish/Maintain Documentation Preventive
    Assign the responsibility for distributing the information security program to the appropriate role. CC ID 11883 Human Resources Management Preventive
    Disseminate and communicate the information security policy to interested personnel and affected parties. CC ID 11739 Communicate Preventive
    Establish, implement, and maintain a social media governance program. CC ID 06536 Establish/Maintain Documentation Preventive
    Refrain from requiring supervision when users are accessing social media applications. CC ID 14011 Business Processes Preventive
    Refrain from requiring users to disclose social media account usernames or authenticators. CC ID 14009 Business Processes Preventive
    Refrain from accepting instant messages from unknown senders. CC ID 12537 Behavior Preventive
    Include instant messaging, texting, and tweeting in the social media acceptable use policy. CC ID 04578 Establish/Maintain Documentation Preventive
    Include explicit restrictions in the social media acceptable use policy. CC ID 06655 Establish/Maintain Documentation Preventive
    Include contributive content sites in the social media acceptable use policy. CC ID 06656 Establish/Maintain Documentation Preventive
    Perform social network analysis, as necessary. CC ID 14864 Investigate Detective
    Establish, implement, and maintain operational control procedures. CC ID 00831 Establish/Maintain Documentation Preventive
    Include assigning and approving operations in operational control procedures. CC ID 06382 Establish/Maintain Documentation Preventive
    Include startup processes in operational control procedures. CC ID 00833 Establish/Maintain Documentation Preventive
    Include change control processes in the operational control procedures. CC ID 16793 Establish/Maintain Documentation Preventive
    Establish and maintain a data processing run manual. CC ID 00832 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain a Standard Operating Procedures Manual. CC ID 00826 Establish/Maintain Documentation Preventive
    Use systems in accordance with the standard operating procedures manual. CC ID 15049 Process or Activity Preventive
    Include metrics in the standard operating procedures manual. CC ID 14988 Establish/Maintain Documentation Preventive
    Include maintenance measures in the standard operating procedures manual. CC ID 14986 Establish/Maintain Documentation Preventive
    Include the expected lifetime of the system in the standard operating procedures manual. CC ID 14984 Establish/Maintain Documentation Preventive
    Include technical measures used to interpret output in the standard operating procedures manual. CC ID 14982 Establish/Maintain Documentation Preventive
    Include predetermined changes in the standard operating procedures manual. CC ID 14977 Establish/Maintain Documentation Preventive
    Include specifications for input data in the standard operating procedures manual. CC ID 14975 Establish/Maintain Documentation Preventive
    Include risks to health and safety or fundamental rights in the standard operating procedures manual. CC ID 14973 Establish/Maintain Documentation Preventive
    Include circumstances that may impact the system in the standard operating procedures manual. CC ID 14972 Establish/Maintain Documentation Preventive
    Include what the system was tested and validated for in the standard operating procedures manual. CC ID 14969 Establish/Maintain Documentation Preventive
    Include the intended purpose in the standard operating procedures manual. CC ID 14967 Establish/Maintain Documentation Preventive
    Include information on system performance in the standard operating procedures manual. CC ID 14965 Establish/Maintain Documentation Preventive
    Include contact details in the standard operating procedures manual. CC ID 14962 Establish/Maintain Documentation Preventive
    Include information sharing procedures in standard operating procedures. CC ID 12974 Records Management Preventive
    Establish, implement, and maintain information sharing agreements. CC ID 15645 Business Processes Preventive
    Provide support for information sharing activities. CC ID 15644 Process or Activity Preventive
    Adhere to operating procedures as defined in the Standard Operating Procedures Manual. CC ID 06328 Business Processes Preventive
    Update operating procedures that contribute to user errors. CC ID 06935 Establish/Maintain Documentation Corrective
    Disseminate and communicate the Standard Operating Procedures Manual to all interested personnel and affected parties. CC ID 12026 Communicate Preventive
    Establish, implement, and maintain a job scheduling methodology. CC ID 00834 Establish/Maintain Documentation Preventive
    Establish and maintain a job schedule exceptions list. CC ID 00835 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain a data processing continuity plan. CC ID 00836 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain Voice over Internet Protocol operating procedures. CC ID 04583 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain the Acceptable Use Policy. CC ID 01350 Establish/Maintain Documentation Preventive
    Include that explicit management authorization must be given for the use of all technologies and their documentation in the Acceptable Use Policy. CC ID 01351 Establish/Maintain Documentation Preventive
    Include requiring users to protect restricted data in accordance with the Governance, Risk, and Compliance framework in the Acceptable Use Policy. CC ID 11894
    [New technology brings an increase in the volume and value of data, and a responsibility for governing bodies to ensure that: sensitive data are protected and secured. § 6.8.3.4 ¶ 1 Bullet 3]
    Establish/Maintain Documentation Preventive
    Include Bring Your Own Device agreements in the Acceptable Use Policy. CC ID 15703 Establish/Maintain Documentation Preventive
    Include the obligations of users in the Bring Your Own Device agreement. CC ID 15708 Establish/Maintain Documentation Preventive
    Include the rights of the organization in the Bring Your Own Device agreement. CC ID 15707 Establish/Maintain Documentation Preventive
    Include the circumstances in which the organization may confiscate, audit, or inspect assets in the Bring Your Own Device agreement. CC ID 15706 Establish/Maintain Documentation Preventive
    Include the circumstances in which the organization may manage assets in the Bring Your Own Device agreement. CC ID 15705 Establish/Maintain Documentation Preventive
    Include Bring Your Own Device usage in the Acceptable Use Policy. CC ID 12293 Establish/Maintain Documentation Preventive
    Include a web usage policy in the Acceptable Use Policy. CC ID 16496 Establish/Maintain Documentation Preventive
    Include Bring Your Own Device security guidelines in the Acceptable Use Policy. CC ID 01352 Establish/Maintain Documentation Preventive
    Include asset tags in the Acceptable Use Policy. CC ID 01354 Establish/Maintain Documentation Preventive
    Specify the owner of applicable assets in the Acceptable Use Policy. CC ID 15699 Establish/Maintain Documentation Preventive
    Include asset use policies in the Acceptable Use Policy. CC ID 01355 Establish/Maintain Documentation Preventive
    Include authority for access authorization lists for assets in all relevant Acceptable Use Policies. CC ID 11872 Establish/Maintain Documentation Preventive
    Include access control mechanisms in the Acceptable Use Policy. CC ID 01353 Establish/Maintain Documentation Preventive
    Include temporary activation of remote access technologies for third parties in the Acceptable Use Policy. CC ID 11892 Technical Security Preventive
    Include prohibiting the copying or moving of restricted data from its original source onto local hard drives or removable storage media in the Acceptable Use Policy. CC ID 11893 Establish/Maintain Documentation Preventive
    Include a removable storage media use policy in the Acceptable Use Policy. CC ID 06772 Data and Information Management Preventive
    Correlate the Acceptable Use Policy with the network security policy. CC ID 01356 Establish/Maintain Documentation Preventive
    Include appropriate network locations for each technology in the Acceptable Use Policy. CC ID 11881 Establish/Maintain Documentation Preventive
    Correlate the Acceptable Use Policy with the approved product list. CC ID 01357 Establish/Maintain Documentation Preventive
    Include facility access and facility use in the Acceptable Use Policy. CC ID 06441 Establish/Maintain Documentation Preventive
    Include disciplinary actions in the Acceptable Use Policy. CC ID 00296 Establish/Maintain Documentation Corrective
    Include the usage restrictions of mobile code technologies in the Acceptable Use Policy. CC ID 15311 Establish/Maintain Documentation Preventive
    Include a software installation policy in the Acceptable Use Policy. CC ID 06749 Establish/Maintain Documentation Preventive
    Document idle session termination and logout for remote access technologies in the Acceptable Use Policy. CC ID 12472 Establish/Maintain Documentation Preventive
    Disseminate and communicate the Acceptable Use Policy to all interested personnel and affected parties. CC ID 12431 Communicate Preventive
    Require interested personnel and affected parties to sign Acceptable Use Policies. CC ID 06661 Establish/Maintain Documentation Preventive
    Require interested personnel and affected parties to re-sign Acceptable Use Policies, as necessary. CC ID 06663 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain an Intellectual Property Right program. CC ID 00821 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain domain name registration and renewal procedures. CC ID 07075 Business Processes Preventive
    Establish, implement, and maintain Intellectual Property Rights protection procedures. CC ID 11512 Establish/Maintain Documentation Preventive
    Protect against circumvention of the organization's Intellectual Property Rights. CC ID 11513 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain an e-mail policy. CC ID 06439 Establish/Maintain Documentation Preventive
    Include business use of personal e-mail in the e-mail policy. CC ID 14381 Establish/Maintain Documentation Preventive
    Identify the sender in all electronic messages. CC ID 13996 Data and Information Management Preventive
    Protect policies, standards, and procedures from unauthorized modification or disclosure. CC ID 10603 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain nondisclosure agreements. CC ID 04536 Establish/Maintain Documentation Preventive
    Disseminate and communicate nondisclosure agreements to interested personnel and affected parties. CC ID 16191 Communicate Preventive
    Require interested personnel and affected parties to sign nondisclosure agreements. CC ID 06667 Establish/Maintain Documentation Preventive
    Require interested personnel and affected parties to re-sign nondisclosure agreements, as necessary. CC ID 06669 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain a use of information agreement. CC ID 06215 Establish/Maintain Documentation Preventive
    Include use limitations in the use of information agreement. CC ID 06244 Establish/Maintain Documentation Preventive
    Include disclosure requirements in the use of information agreement. CC ID 11735 Establish/Maintain Documentation Preventive
    Include information recipients in the use of information agreement. CC ID 06245 Establish/Maintain Documentation Preventive
    Include reporting out of scope use of information in the use of information agreement. CC ID 06246 Establish/Maintain Documentation Preventive
    Include disclosure of information in the use of information agreement. CC ID 11830 Establish/Maintain Documentation Preventive
    Include information security procedures assigned to the information recipient in the use of information agreement. CC ID 07130 Establish/Maintain Documentation Preventive
    Include information security procedures assigned to the originator in the use of information agreement. CC ID 14418 Establish/Maintain Documentation Preventive
    Include a do not contact rule for the individuals identified in a data set in the use of information agreement. CC ID 07131 Establish/Maintain Documentation Preventive
    Include the information recipient's third parties accepting the agreement in the use of information agreement. CC ID 07132 Establish/Maintain Documentation Preventive
    Implement and comply with the Governance, Risk, and Compliance framework. CC ID 00818
    [Table 1 describes the structure of the governance principles and lists the principles associated with each category. All principles should be applied, and applied concurrently. § 5 ¶ 3
    Governing bodies should ensure that they realize the described governance outcomes through intentionally implementing the practices. § 5 ¶ 6]
    Business Processes Preventive
    Analyze how policies used to create management boundaries relates to the Governance, Risk, and Compliance approach. CC ID 12821
    [Decision-making throughout the organization should be supported by appropriate delegation (see 4.2.2). This delegation should be formalized together with appropriate assurance processes. Additionally, the governing body should ensure that: limits of the decision-making authority are applied based on the associated level of risk, in particular where automated decision-making is used; § 6.8.3.2.2 ¶ 1 b)
    Delegation should be formalized together with the appropriate assurance processes. Limits of decision-making authority should be applied in response to assessed risk. § 4.2.2 ¶ 5]
    Process or Activity Preventive
    Analyze how the organization sets limits in policies relating to the Governance, Risk, and Compliance approach. CC ID 12819 Process or Activity Preventive
    Analyze how the Board of Directors' and senior management's tone influences the Governance, Risk, and Compliance approach. CC ID 12818
    [To ensure that the organization fulfils the organizational purpose and achieves the intended strategic outcomes, the governing body should: set the tone for the organization with respect to how the management of risk is to be approached; § 6.9.3.1 ¶ 2 a)
    To ensure that the organization is acting in a socially responsible way, the governing body should: assess how actions of individual members of the governing body influence social responsibility. § 6.10.3 ¶ 1 i)
    In order to lead ethically and effectively, the governing body should lead by example to create a positive culture, set the tone for others, and engender trust and cooperation among the organization's stakeholders. § 6.7.3.1 ¶ 2
    Set the tone for the organization by behaving in the manner in which the organization and its personnel are expected to behave. Table 2 Column 2 Row 2 Bullet 4
    The governing body should steer the organizational strategy by means of: the organizational culture, including the cultural tone the governing body sets through its ethos; § 6.3.3.2.2 ¶ 2 a)]
    Process or Activity Preventive
    Analyze the degree to which the governing body is engaged in the Governance, Risk, and Compliance approach. CC ID 12817
    [Ethical and effective leadership should be demonstrated in three areas: the functioning of the governing body; § 6.7.3.1 ¶ 4 a)
    The governing body should make decisions of requisite quality and ensure that its decision-making is appropriately informed. The governing body should: pay attention to the dynamics of the governing body, including, for example, undue reliance on any one member for decision-making; § 6.8.3.2.1 ¶ 1 e)
    The governing body should steer the organizational strategy by means of: the composition and functioning of the governing body itself, and its committees, ensuring they are continually able to understand and meet the changing needs of the organization (see 4.3.2), including recommending ways for closing anticipated gaps; § 6.3.3.2.2 ¶ 2 c)]
    Process or Activity Preventive
    Analyze the Governance, Risk, and Compliance approach. CC ID 12816
    [The governing body should: assess its own competence, structures and processes, including drawing on the support of experienced, independent professionals, with respect to, for example, the adequacy of its effectiveness, efficiency, composition and its member succession plans; § 4.3.2 ¶ 2 d)]
    Process or Activity Preventive
    Analyze the organizational culture. CC ID 12899 Process or Activity Preventive
    Include individual commitment to the organization's Governance, Risk, and Compliance framework in the analysis of the organizational culture. CC ID 12922 Process or Activity Detective
    Include the organizational climate in the analysis of the organizational culture. CC ID 12921 Process or Activity Detective
    Include consistency of leadership actions to mission, vision, and values in the analysis of the organizational culture. CC ID 12920
    [Ethical and effective leadership is demonstrated when the governing body: behaves in a manner consistent with the defined organizational values; § 6.7.3.1 ¶ 3 Bullet 2
    {internal context} When setting the strategic outcomes and guiding the organizational strategy, the governing body should consider the organization's internal and external context, including: the organizational purpose, the application of the organizational values and the organization's value generation model; § 6.3.3.1.1 ¶ 2 a)
    Within the governing body: The members of the governing body should demonstrate that they are behaving in a manner consistent with the organizational values. § 6.7.3.3 ¶ 1 a)
    The governing body should oversee organizational performance by assessing and taking corrective action based on: whether the organizational values and governance policies are effectively guiding the organization, its culture and its ethical behaviour; § 6.4.3.2 ¶ 1 a)]
    Process or Activity Detective
    Include employee engagement in the analysis of the organizational culture. CC ID 12914 Behavior Preventive
    Include contractual relationships with workforce members in the analysis of the organizational culture. CC ID 15674 Business Processes Preventive
    Include the number of workforce members who are not employees in the analysis of the organizational culture. CC ID 15673 Business Processes Preventive
    Include the type of work performed by workforce members in the analysis of the organizational culture. CC ID 15675 Business Processes Preventive
    Include skill development in the analysis of the organizational culture. CC ID 12913 Behavior Preventive
    Include employee turnover rates in the analysis of the organizational culture. CC ID 12912 Behavior Preventive
    Include demographic characteristics of employees in the analysis of the organizational culture. CC ID 15671 Business Processes Preventive
    Include employee loyalty in the analysis of the organizational culture. CC ID 12911 Behavior Preventive
    Include employee satisfaction in the analysis of the organizational culture. CC ID 12910 Behavior Preventive
    Establish, implement, and maintain consequences for non-compliance with the organizational compliance framework. CC ID 11747
    [To demonstrate accountability, the governing body should ensure that the organization's reports and disclosures: provide information about the governing body itself, including: the fulfilment of its responsibilities, including the consequences of not fulfilling its obligations; § 6.5.3.2 ¶ 1 b) 2)
    When defining the organizational values, the governing body should ensure that: the governing body itself understands the consequences of unethical behaviour including bribery, fraud and corruption; § 6.1.3.3 ¶ 1 d)
    {hold accountable}{individual} The governing body should hold to account those to whom it has delegated (see 4.2.2). The governing body should ask questions, exercise its judgement, implement consequences, affect improvements and ensure that it is equipped to do so. When doing so, the governing body should practise integrity, fairness and transparency. § 6.5.3.3 ¶ 1]
    Process or Activity Corrective
    Comply with all implemented policies in the organization's compliance framework. CC ID 06384
    [To demonstrate accountability, the governing body should ensure that the organization's reports and disclosures: meet compliance obligations; § 6.5.3.2 ¶ 1 d)
    Effective performance — The organization: remains in alignment with its policies and relevant stakeholder expectations. § 5 ¶ 2 a) 4)]
    Establish/Maintain Documentation Preventive
    Provide assurance to interested personnel and affected parties that the Governance, Risk, and Compliance capability is reliable, effective, efficient, and responsive. CC ID 12788
    [In doing so, the governing body provides indications of the organization's governance maturity, among other insights. § 5 ¶ 8
    To provide effective oversight of the organization, in addition to the reports it receives from those to whom they have delegated, the governing body should assure itself that the governance system is appropriately designed and operating as intended. If the governing body cannot assure itself directly, then it should utilize additional means of independent assurance. The governing body should: § 6.4.3.3 ¶ 1
    To provide effective oversight of the organization, in addition to the reports it receives from those to whom they have delegated, the governing body should assure itself that the governance system is appropriately designed and operating as intended. If the governing body cannot assure itself directly, then it should utilize additional means of independent assurance. The governing body should: demonstrate its commitment to assurance and communicate appropriately and clearly, throughout the organization, about its assurance system. § 6.4.3.3 ¶ 1 g)]
    Communicate Preventive
    Review systems for compliance with organizational information security policies. CC ID 12004 Business Processes Preventive
    Disseminate and communicate the Governance, Risk, and Compliance framework to all interested personnel and affected parties. CC ID 00815
    [{individual}{hold accountable} The governing body should demonstrate its willingness to answer for the fulfilment of its responsibilities, even where these have been delegated. The governing body should also report on the manner in which it holds to account those to whom it has delegated. § 6.5.3.1 ¶ 1
    To demonstrate accountability, the governing body should ensure that the organization's reports and disclosures: provide information about the governing body itself, including: § 6.5.3.2 ¶ 1 b)
    Finally, the governing body should report honestly and transparently to relevant stakeholders on the organizational governance framework. This includes reporting: § 5 ¶ 7]
    Behavior Preventive
    Establish, implement, and maintain an Asset Management program. CC ID 06630
    [Responsible stewardship — The organization: makes use of resources in a responsible manner; § 5 ¶ 2 b) 1)
    {procedure} The governing body should ensure that it sets parameters, within which the value generation objectives are to be achieved. These parameters should ensure that the organization: defines what resources are required to deliver the value generation objectives and how they should be accessed and allocated; § 6.2.3.3 ¶ 1 b)]
    Business Processes Preventive
    Establish, implement, and maintain an asset management policy. CC ID 15219 Establish/Maintain Documentation Preventive
    Include coordination amongst entities in the asset management policy. CC ID 16424 Business Processes Preventive
    Establish, implement, and maintain asset management procedures. CC ID 16748 Establish/Maintain Documentation Preventive
    Assign an information owner to organizational assets, as necessary. CC ID 12729 Human Resources Management Preventive
    Define and prioritize the importance of each asset in the asset management program. CC ID 16837 Business Processes Preventive
    Include life cycle requirements in the security management program. CC ID 16392 Establish/Maintain Documentation Preventive
    Include program objectives in the asset management program. CC ID 14413 Establish/Maintain Documentation Preventive
    Include a commitment to continual improvement in the asset management program. CC ID 14412 Establish/Maintain Documentation Preventive
    Include compliance with applicable requirements in the asset management program. CC ID 14411 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain administrative controls over all assets. CC ID 16400 Business Processes Preventive
    Establish, implement, and maintain classification schemes for all systems and assets. CC ID 01902 Establish/Maintain Documentation Preventive
    Apply security controls to each level of the information classification standard. CC ID 01903 Systems Design, Build, and Implementation Preventive
    Establish, implement, and maintain the systems' confidentiality level. CC ID 01904 Establish/Maintain Documentation Preventive
    Define confidentiality controls. CC ID 01908 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain the systems' availability level. CC ID 01905 Establish/Maintain Documentation Preventive
    Restrict unscheduled downtime in order to maintain high availability for critical systems. CC ID 12742 Process or Activity Preventive
    Define integrity controls. CC ID 01909 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain the systems' integrity level. CC ID 01906 Establish/Maintain Documentation Preventive
    Define availability controls. CC ID 01911 Establish/Maintain Documentation Preventive
    Establish safety classifications for systems according to their potential harmful effects to operators or end users. CC ID 06603 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain an asset safety classification scheme. CC ID 06604 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain the Asset Classification Policy. CC ID 06642 Establish/Maintain Documentation Preventive
    Disseminate and communicate the Asset Classification Policy to interested personnel and affected parties. CC ID 14851 Communicate Preventive
    Classify assets according to the Asset Classification Policy. CC ID 07186 Establish Roles Preventive
    Classify virtual systems by type and purpose. CC ID 16332 Business Processes Preventive
    Document the decision for assigning an asset to a specific asset classification in the Asset Classification Policy. CC ID 07185 Establish/Maintain Documentation Preventive
    Apply asset protection mechanisms for all assets according to their assigned Asset Classification Policy. CC ID 07184 Establish Roles Preventive
    Disallow systems from processing information, disseminating and communicating information, or storing information that is above the system's assigned asset classification. CC ID 06606 Configuration Preventive
    Assign decomposed system components the same asset classification as the originating system. CC ID 06605 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain an asset inventory. CC ID 06631 Business Processes Preventive
    Establish, implement, and maintain an Information Technology inventory with asset discovery audit trails. CC ID 00689 Establish/Maintain Documentation Preventive
    Include all account types in the Information Technology inventory. CC ID 13311 Establish/Maintain Documentation Preventive
    Include each Information System's system boundaries in the Information Technology inventory. CC ID 00695 Systems Design, Build, and Implementation Preventive
    Identify processes, Information Systems, and third parties that transmit, process, or store restricted data. CC ID 06289 Data and Information Management Preventive
    Include each Information System's major applications in the Information Technology inventory. CC ID 01407 Establish/Maintain Documentation Preventive
    Categorize all major applications according to the business information they process. CC ID 07182 Establish/Maintain Documentation Preventive
    Document the resources, hazards, and Evaluation Assurance Levels for each major application. CC ID 01164 Establish/Maintain Documentation Preventive
    Include the General Support Systems and security support structure in the Information Technology inventory. CC ID 01408 Establish/Maintain Documentation Preventive
    Include each Information System's minor applications in the Information Technology inventory. CC ID 01409 Establish/Maintain Documentation Preventive
    Conduct environmental surveys. CC ID 00690 Physical and Environmental Protection Preventive
    Categorize facilities in the Information Technology inventory according to their environmental risks. CC ID 06729 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain a hardware asset inventory. CC ID 00691 Establish/Maintain Documentation Preventive
    Include network equipment in the Information Technology inventory. CC ID 00693 Establish/Maintain Documentation Preventive
    Include mobile devices that store restricted data or restricted information in the Information Technology inventory. CC ID 04719 Establish/Maintain Documentation Preventive
    Include interconnected systems and Software as a Service in the Information Technology inventory. CC ID 04885 Process or Activity Preventive
    Include software in the Information Technology inventory. CC ID 00692 Establish/Maintain Documentation Preventive
    Establish and maintain a list of authorized software and versions required for each system. CC ID 12093 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain a storage media inventory. CC ID 00694 Establish/Maintain Documentation Preventive
    Include all electronic storage media containing restricted data or restricted information in the storage media inventory. CC ID 00962 Establish/Maintain Documentation Detective
    Establish, implement, and maintain a records inventory and database inventory. CC ID 01260 Establish/Maintain Documentation Preventive
    Add inventoried assets to the asset register database, as necessary. CC ID 07051 Establish/Maintain Documentation Preventive
    Identify discrepancies between the asset register database and the Information Technology inventory, as necessary. CC ID 07052 Monitor and Evaluate Occurrences Corrective
    Investigate and resolve discrepancies between the asset register database and the Information Technology inventory. CC ID 07053 Monitor and Evaluate Occurrences Corrective
    Organize the asset register database by grouping objects according to an organizational information classification standard. CC ID 07181 Establish/Maintain Documentation Preventive
    Use automated tools to collect Information Technology inventory information, as necessary. CC ID 07054 Technical Security Preventive
    Link the authentication system to the asset inventory. CC ID 13718 Technical Security Preventive
    Record a unique name for each asset in the asset inventory. CC ID 16305 Data and Information Management Preventive
    Record the decommission date for applicable assets in the asset inventory. CC ID 14920 Establish/Maintain Documentation Preventive
    Record the status of information systems in the asset inventory. CC ID 16304 Data and Information Management Preventive
    Record the communication interfaces for applicable assets in the asset inventory. CC ID 16301 Data and Information Management Preventive
    Record the Uniform Resource Locator for applicable assets in the asset inventory. CC ID 14918 Establish/Maintain Documentation Preventive
    Include source code in the asset inventory. CC ID 14858 Records Management Preventive
    Assign ownership of maintaining the asset inventory, as necessary. CC ID 12344 Human Resources Management Preventive
    Employ Dynamic Host Configuration Protocol server logging to detect systems not in the asset inventory. CC ID 12110 Technical Security Detective
    Record the review date for applicable assets in the asset inventory. CC ID 14919 Establish/Maintain Documentation Preventive
    Record software license information for each asset in the asset inventory. CC ID 11736 Data and Information Management Preventive
    Record services for applicable assets in the asset inventory. CC ID 13733 Establish/Maintain Documentation Preventive
    Record protocols for applicable assets in the asset inventory. CC ID 13734 Establish/Maintain Documentation Preventive
    Record the software version in the asset inventory. CC ID 12196 Establish/Maintain Documentation Preventive
    Record the publisher for applicable assets in the asset inventory. CC ID 13725 Establish/Maintain Documentation Preventive
    Record the authentication system in the asset inventory. CC ID 13724 Establish/Maintain Documentation Preventive
    Tag unsupported assets in the asset inventory. CC ID 13723 Establish/Maintain Documentation Preventive
    Record the install date for applicable assets in the asset inventory. CC ID 13720 Establish/Maintain Documentation Preventive
    Record the make, model of device for applicable assets in the asset inventory. CC ID 12465 Establish/Maintain Documentation Preventive
    Record the asset tag for physical assets in the asset inventory. CC ID 06632 Establish/Maintain Documentation Preventive
    Record the host name of applicable assets in the asset inventory. CC ID 13722 Establish/Maintain Documentation Preventive
    Record network ports for applicable assets in the asset inventory. CC ID 13730 Establish/Maintain Documentation Preventive
    Record the MAC address for applicable assets in the asset inventory. CC ID 13721 Establish/Maintain Documentation Preventive
    Record the operating system version for applicable assets in the asset inventory. CC ID 11748 Data and Information Management Preventive
    Record the operating system type for applicable assets in the asset inventory. CC ID 06633 Establish/Maintain Documentation Preventive
    Record rooms at external locations in the asset inventory. CC ID 16302 Data and Information Management Preventive
    Record the department associated with the asset in the asset inventory. CC ID 12084 Establish/Maintain Documentation Preventive
    Record the physical location for applicable assets in the asset inventory. CC ID 06634 Establish/Maintain Documentation Preventive
    Record the manufacturer's serial number for applicable assets in the asset inventory. CC ID 06635 Establish/Maintain Documentation Preventive
    Record the firmware version for applicable assets in the asset inventory. CC ID 12195 Establish/Maintain Documentation Preventive
    Record the related business function for applicable assets in the asset inventory. CC ID 06636 Establish/Maintain Documentation Preventive
    Record the deployment environment for applicable assets in the asset inventory. CC ID 06637 Establish/Maintain Documentation Preventive
    Record the Internet Protocol address for applicable assets in the asset inventory. CC ID 06638 Establish/Maintain Documentation Preventive
    Record trusted keys and certificates in the asset inventory. CC ID 15486 Data and Information Management Preventive
    Record cipher suites and protocols in the asset inventory. CC ID 15489 Data and Information Management Preventive
    Link the software asset inventory to the hardware asset inventory. CC ID 12085 Establish/Maintain Documentation Preventive
    Record the owner for applicable assets in the asset inventory. CC ID 06640 Establish/Maintain Documentation Preventive
    Record all compliance requirements for applicable assets in the asset inventory. CC ID 15696 Establish/Maintain Documentation Preventive
    Record all changes to assets in the asset inventory. CC ID 12190 Establish/Maintain Documentation Preventive
    Record cloud service derived data in the asset inventory. CC ID 13007 Establish/Maintain Documentation Preventive
    Include cloud service customer data in the asset inventory. CC ID 13006 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain a software accountability policy. CC ID 00868 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain software asset management procedures. CC ID 00895 Establish/Maintain Documentation Preventive
    Prevent users from disabling required software. CC ID 16417 Technical Security Preventive
    Establish, implement, and maintain software archives procedures. CC ID 00866 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain software distribution procedures. CC ID 00894 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain software documentation management procedures. CC ID 06395 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain software license management procedures. CC ID 06639 Establish/Maintain Documentation Preventive
    Automate software license monitoring, as necessary. CC ID 07057 Monitor and Evaluate Occurrences Preventive
    Establish, implement, and maintain digital legacy procedures. CC ID 16524 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain a system redeployment program. CC ID 06276 Establish/Maintain Documentation Preventive
    Test systems for malicious code prior to when the system will be redeployed. CC ID 06339 Testing Detective
    Notify interested personnel and affected parties prior to when the system is redeployed or the system is disposed. CC ID 06400 Behavior Preventive
    Wipe all data on systems prior to when the system is redeployed or the system is disposed. CC ID 06401 Data and Information Management Preventive
    Transfer legal ownership of assets when the system is redeployed to a third party. CC ID 06698 Acquisition/Sale of Assets or Services Preventive
    Document the staff's operating knowledge of the system prior to a personnel status change. CC ID 06937 Establish/Maintain Documentation Preventive
    Redeploy systems to other organizational units, as necessary. CC ID 11452 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain a system disposal program. CC ID 14431 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain disposal procedures. CC ID 16513 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain asset sanitization procedures. CC ID 16511 Establish/Maintain Documentation Preventive
    Destroy systems in accordance with the system disposal program. CC ID 16457 Business Processes Preventive
    Approve the release of systems and waste material into the public domain. CC ID 16461 Business Processes Preventive
    Establish, implement, and maintain system destruction procedures. CC ID 16474 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain printer and multifunction device disposition procedures. CC ID 15216 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain a system preventive maintenance program. CC ID 00885
    [The organization's viability and performance over time depends on the resilience of natural environmental, social and economic systems in which the organization operates. The resilience of these systems benefits from governing body decisions when such decisions consider: actively contribute to conserving and restoring these systems. § 6.11.3.1 ¶ 1 Bullet 2]
    Establish/Maintain Documentation Preventive
    Establish and maintain maintenance reports. CC ID 11749 Establish/Maintain Documentation Preventive
    Establish and maintain system inspection reports. CC ID 06346 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain a system maintenance policy. CC ID 14032 Establish/Maintain Documentation Preventive
    Include compliance requirements in the system maintenance policy. CC ID 14217 Establish/Maintain Documentation Preventive
    Include management commitment in the system maintenance policy. CC ID 14216 Establish/Maintain Documentation Preventive
    Include roles and responsibilities in the system maintenance policy. CC ID 14215 Establish/Maintain Documentation Preventive
    Include the scope in the system maintenance policy. CC ID 14214 Establish/Maintain Documentation Preventive
    Disseminate and communicate the system maintenance policy to interested personnel and affected parties. CC ID 14213 Communicate Preventive
    Include the purpose in the system maintenance policy. CC ID 14187 Establish/Maintain Documentation Preventive
    Include coordination amongst entities in the system maintenance policy. CC ID 14181 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain system maintenance procedures. CC ID 14059 Establish/Maintain Documentation Preventive
    Disseminate and communicate the system maintenance procedures to interested personnel and affected parties. CC ID 14194 Communicate Preventive
    Establish, implement, and maintain a technology refresh plan. CC ID 13061 Establish/Maintain Documentation Preventive
    Plan and conduct maintenance so that it does not interfere with scheduled operations. CC ID 06389 Physical and Environmental Protection Preventive
    Maintain contact with the device manufacturer or component manufacturer for maintenance requests. CC ID 06388 Behavior Preventive
    Use system components only when third party support is available. CC ID 10644 Maintenance Preventive
    Obtain justification for the continued use of system components when third party support is no longer available. CC ID 10645 Maintenance Preventive
    Control and monitor all maintenance tools. CC ID 01432 Physical and Environmental Protection Detective
    Obtain approval before removing maintenance tools from the facility. CC ID 14298 Business Processes Preventive
    Control remote maintenance according to the system's asset classification. CC ID 01433 Technical Security Preventive
    Separate remote maintenance sessions from other network sessions with a logically separate communications path based upon encryption. CC ID 10614 Configuration Preventive
    Approve all remote maintenance sessions. CC ID 10615 Technical Security Preventive
    Log the performance of all remote maintenance. CC ID 13202 Log Management Preventive
    Terminate remote maintenance sessions when the remote maintenance is complete. CC ID 12083 Technical Security Preventive
    Conduct offsite maintenance in authorized facilities. CC ID 16473 Maintenance Preventive
    Conduct maintenance with authorized personnel. CC ID 01434 Testing Detective
    Disconnect non-volatile media from information systems prior to performing maintenance with uncleared personnel. CC ID 14295 Maintenance Preventive
    Sanitize volatile media in information systems prior to performing maintenance with uncleared personnel. CC ID 14291 Maintenance Preventive
    Respond to maintenance requests inside the organizationally established time frame. CC ID 04878 Behavior Preventive
    Establish and maintain an archive of maintenance reports in a maintenance log. CC ID 06202 Establish/Maintain Documentation Preventive
    Acquire spare parts prior to when maintenance requests are scheduled. CC ID 11833 Acquisition/Sale of Assets or Services Preventive
    Perform periodic maintenance according to organizational standards. CC ID 01435 Behavior Preventive
    Restart systems on a periodic basis. CC ID 16498 Maintenance Preventive
    Remove components being serviced from the information system prior to performing maintenance. CC ID 14251 Maintenance Preventive
    Employ dedicated systems during system maintenance. CC ID 12108 Technical Security Preventive
    Isolate dedicated systems used for system maintenance from Internet access. CC ID 12114 Technical Security Preventive
    Control granting access to appropriate parties performing maintenance on organizational assets. CC ID 11873 Human Resources Management Preventive
    Identify and authenticate appropriate parties prior to granting access to maintain assets. CC ID 11874 Physical and Environmental Protection Preventive
    Calibrate assets according to the calibration procedures for the asset. CC ID 06203 Testing Detective
    Post calibration limits or calibration tolerances on or near assets requiring calibration. CC ID 06204 Establish/Maintain Documentation Preventive
    Implement automated mechanisms to transfer predictive maintenance data to a maintenance management system. CC ID 10616 Process or Activity Preventive
    Refrain from protecting physical assets when no longer required. CC ID 13484 Physical and Environmental Protection Corrective
    Disassemble and shut down unnecessary systems or unused systems. CC ID 06280 Business Processes Preventive
    Establish, implement, and maintain an end-of-life management process. CC ID 16540 Establish/Maintain Documentation Preventive
    Dispose of hardware and software at their life cycle end. CC ID 06278 Business Processes Preventive
    Refrain from placing assets being disposed into organizational dumpsters. CC ID 12200 Business Processes Preventive
    Establish, implement, and maintain disposal contracts. CC ID 12199 Establish/Maintain Documentation Preventive
    Include disposal procedures in disposal contracts. CC ID 13905 Establish/Maintain Documentation Preventive
    Remove asset tags prior to disposal of an asset. CC ID 12198 Business Processes Preventive
    Document the storage information for all systems that are stored instead of being disposed or redeployed. CC ID 06936 Establish/Maintain Documentation Preventive
    Test for detrimental environmental factors after a system is disposed. CC ID 06938 Testing Detective
    Review each system's operational readiness. CC ID 06275 Systems Design, Build, and Implementation Preventive
    Establish, implement, and maintain a data stewardship policy. CC ID 06657 Establish/Maintain Documentation Preventive
    Establish and maintain an unauthorized software list. CC ID 10601 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain a customer service program. CC ID 00846 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain an Incident Management program. CC ID 00853 Business Processes Preventive
    Include detection procedures in the Incident Management program. CC ID 00588 Establish/Maintain Documentation Preventive
    Analyze the incident response process following an incident response. CC ID 13179
    [The governing body should oversee organizational performance by assessing and taking corrective action based on: the organization's management of plans, organizational changes and other substantial transformations as well as responses to unplanned events and incidents. § 6.4.3.2 ¶ 1 j)]
    Investigate Detective
    Analyze security violations in Suspicious Activity Reports. CC ID 00591 Establish/Maintain Documentation Preventive
    Update the incident response procedures using the lessons learned. CC ID 01233
    [The governing body should oversee organizational performance by assessing and taking corrective action based on: the organization's management of plans, organizational changes and other substantial transformations as well as responses to unplanned events and incidents. § 6.4.3.2 ¶ 1 j)]
    Establish/Maintain Documentation Preventive
    Establish, implement, and maintain a performance management standard. CC ID 01615
    [The governing body should oversee the organization's performance to ensure that it meets the governing body's intentions for, and expectations of, the organization, its ethical behaviour and its compliance obligations. § 6.4.1 ¶ 1
    Ethical and effective leadership should be demonstrated in three areas: the performance of the organization as a whole; § 6.7.3.1 ¶ 4 b)
    The governing body should oversee the organization's performance to ensure that it meets the governing body's intentions for, and expectations of, the organization, its ethical behaviour and its compliance obligations. Table 1 Column 4 Row 5
    Effective performance — The organization: performs as required; § 5 ¶ 2 a) 2)]
    Establish/Maintain Documentation Preventive
    Establish, implement, and maintain future system performance forecasting methods. CC ID 11775 Business Processes Preventive
    Use proactive performance management. CC ID 00937 Business Processes Detective
    Utilize resource availability management controls. CC ID 00940 Business Processes Detective
    Establish, implement, and maintain a remediation plan for deviations in the resource management process. CC ID 13679 Establish/Maintain Documentation Preventive
    Follow the maintenance schedule. CC ID 11791 Maintenance Preventive
    Establish, implement, and maintain rate limiting filters. CC ID 06883 Business Processes Preventive
    Establish, implement, and maintain system capacity monitoring procedures. CC ID 01619 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain system performance monitoring procedures. CC ID 11752 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain a cost management program. CC ID 13638 Establish/Maintain Documentation Preventive
    Identify and allocate departmental costs. CC ID 00871 Business Processes Detective
    Justify the system's cost and benefit. CC ID 00874
    [Issues of particular concern to a governing body are where the organization benefits but where the costs for that benefit are incurred by another party. These are sometimes referred to as "negative externalities" or "unpriced impacts" and can be both financial or non-financial in nature. In such cases, the governing body should account for these benefits. § 6.10.3 ¶ 2]
    Business Processes Detective
  • Privacy protection for information and data
    219
    Privacy protection for information and data CC ID 00008 IT Impact Zone IT Impact Zone
    Establish, implement, and maintain a privacy framework that protects restricted data. CC ID 11850 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain a personal data use limitation program. CC ID 13428 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain data access procedures. CC ID 00414
    [The governing body should: ensure that all relevant stakeholders are able to access the reports and disclosures, as far as is reasonable, and are therefore suitably equipped with the information necessary to make informed assessments of the organization's past performance, current performance and performance over time. § 6.5.3.2 ¶ 2 Bullet 3]
    Establish/Maintain Documentation Preventive
    Allow data subjects to submit data requests. CC ID 16545 Process or Activity Preventive
    Provide individuals with information about where their personal data was processed. CC ID 00415 Data and Information Management Preventive
    Provide individuals with information about the processing purpose of their personal data. CC ID 00416 Data and Information Management Preventive
    Provide individuals with information about disclosure of their personal data. CC ID 00417 Data and Information Management Preventive
    Allow guardians and legal representatives access to personal data about the individual for whom they are guardians or legal representatives. CC ID 00418 Data and Information Management Preventive
    Provide assistance to requesters in preparing data access requests. CC ID 13588 Data and Information Management Preventive
    Require data access requests to be in writing, unless the requester is unable. CC ID 00420 Establish/Maintain Documentation Preventive
    Define what is to be included in a data access request. CC ID 08699 Establish/Maintain Documentation Preventive
    Refrain from requiring data subjects to justify personal data access requests. CC ID 12394 Business Processes Preventive
    Respond to data access requests in a timely manner. CC ID 00421 Behavior Preventive
    Delay responding to data access requests, as necessary. CC ID 15504 Data and Information Management Preventive
    Expedite the processing of data access requests, as necessary. CC ID 15496 Data and Information Management Preventive
    Notify the individual of the reasons for delays in responding to data access requests. CC ID 00422 Behavior Detective
    Notify the individual when a cost is imposed which must be paid in advance to gain access. CC ID 00423 Behavior Detective
    Grant a waiver or reduction of fees for data access under defined conditions. CC ID 15502 Business Processes Preventive
    Define what is included in a request for a waiver or reduction of fees. CC ID 15522 Process or Activity Preventive
    Deliver the records described in the personal data access request, as necessary. CC ID 08701 Establish/Maintain Documentation Preventive
    Provide individuals with an estimate of how much data was withheld from the data access request. CC ID 15503 Data and Information Management Preventive
    Document the outcome of the personal data access request review procedure. CC ID 00455 Data and Information Management Preventive
    Establish, implement, and maintain procedures for individuals to be able to modify their personal data, as necessary. CC ID 11811 Establish/Maintain Documentation Preventive
    Submit personal data removal requests in writing. CC ID 11973 Records Management Preventive
    Include a liability waiver for any harm caused by the exclusion of personal data in the personal data removal request. CC ID 11975 Establish/Maintain Documentation Preventive
    Allow authorized individuals to authenticate record entries containing personal data. CC ID 11812 Records Management Corrective
    Notify third parties of data access requests that relate to the third party. CC ID 08703 Establish/Maintain Documentation Preventive
    Allow affected third parties to consent or object to a data access request. CC ID 08704 Process or Activity Preventive
    Establish, implement, and maintain a personal data collection program. CC ID 06487
    [The governing body should make decisions of requisite quality and ensure that its decision-making is appropriately informed. The governing body should: exercise its right and responsibility to determine and receive the information it requires, including determining the appropriate data collection methods, preparation and timely delivery of information; § 6.8.3.2.1 ¶ 1 f)]
    Establish/Maintain Documentation Preventive
    Identify any adverse effects the collection of personal data will have on the data subject. CC ID 15279 Data and Information Management Preventive
    Refrain from collecting personal data, as necessary. CC ID 15269 Data and Information Management Preventive
    Determine the financial impact for the unauthorized disclosure of privacy-related data and privacy-related information. CC ID 06488 Business Processes Detective
    Establish, implement, and maintain personal data collection limitation boundaries. CC ID 00507 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain a personal data use policy. CC ID 00076 Establish/Maintain Documentation Preventive
    Use personal data for specified purposes. CC ID 11831 Data and Information Management Preventive
    Post the collection purpose. CC ID 00101 Establish/Maintain Documentation Preventive
    Obtain the data subject's consent and acknowledgment before collecting data. CC ID 00012 Data and Information Management Preventive
    Document each individual's personal data collection consent preferences. CC ID 06945 Establish/Maintain Documentation Preventive
    Provide explicit consent that is clear and unambiguous. CC ID 00181 Data and Information Management Preventive
    Allow individuals to change their personal data collection consent preferences. CC ID 06946 Data and Information Management Preventive
    Adhere to each individual's personal data collection consent preferences. CC ID 06947 Data and Information Management Preventive
    Notify the data subject of the source of collected personal data. CC ID 00083 Behavior Preventive
    Furnish disclosure of information and usage of information to data subjects when oral consent is given. CC ID 04717 Data and Information Management Preventive
    Disclose the direct marketing purpose before obtaining consent for collecting information. CC ID 04718 Data and Information Management Preventive
    Establish and maintain a personal data definition. CC ID 00028 Establish/Maintain Documentation Preventive
    Include an individual's name in the personal data definition. CC ID 04710 Data and Information Management Preventive
    Include an individual's name combined with other personal data in the personal data definition. CC ID 04709 Data and Information Management Preventive
    Include the legal surname of the parent or legal representative prior to marriage in the personal data definition. CC ID 04686 Data and Information Management Preventive
    Include an individual's signature in the personal data definition. CC ID 04711 Data and Information Management Preventive
    Include an individual's date of birth in the personal data definition. CC ID 04770 Data and Information Management Preventive
    Include the number of children in the personal data definition. CC ID 13759 Establish/Maintain Documentation Preventive
    Include the individual's religion in the personal data definition. CC ID 13765 Establish/Maintain Documentation Preventive
    Include an individual's physical characteristics or description in the personal data definition. CC ID 04712 Data and Information Management Preventive
    Include an individual's biometric data in the personal data definition. CC ID 04698 Data and Information Management Preventive
    Include an individual's photographic image in the personal data definition. CC ID 04779 Data and Information Management Preventive
    Include an individual's fingerprints in the personal data definition. CC ID 04689 Data and Information Management Preventive
    Include an individual's address in the personal data definition. CC ID 04687 Data and Information Management Preventive
    Include an individual's telephone number in the personal data definition. CC ID 04688 Data and Information Management Preventive
    Include an individual's fax number in the personal data definition. CC ID 07120 Data and Information Management Preventive
    Include an individual's political party affiliation in the personal data definition. CC ID 13764 Establish/Maintain Documentation Preventive
    Include an individual's license plate number in the personal data definition. CC ID 13763 Establish/Maintain Documentation Preventive
    Include an individual's financial account number in the personal data definition. CC ID 04692 Data and Information Management Preventive
    Include an individual's account balances in the personal data definition. CC ID 13770 Establish/Maintain Documentation Preventive
    Include stock numbers, bond numbers, and other security certificate numbers in the personal data definition. CC ID 04768 Data and Information Management Preventive
    Include an individual's electronic identification name or number in the personal data definition. CC ID 04694 Data and Information Management Preventive
    Include an individual's logon credentials in the personal data definition. CC ID 13771 Establish/Maintain Documentation Preventive
    Include an individual's Alien Registration Number in the personal data definition. CC ID 04743 Data and Information Management Preventive
    Include an individual's passport number in the personal data definition. CC ID 04713 Data and Information Management Preventive
    Include an individual's driver's license number or an individual's state identification card number in the personal data definition. CC ID 04691 Data and Information Management Preventive
    Include an individual's Social Security Number or Personal Identification Number in the personal data definition. CC ID 04690 Data and Information Management Preventive
    Include an individual's military identification number in the personal data definition. CC ID 13083 Establish/Maintain Documentation Preventive
    Include an individual's e-mail address in the personal data definition. CC ID 04696 Data and Information Management Preventive
    Include electronic signatures in the personal data definition. CC ID 04697 Data and Information Management Preventive
    Include an individual's payment card information in the personal data definition. CC ID 04751 Data and Information Management Preventive
    Include an individual's credit card number or an individual's debit card number in the personal data definition. CC ID 04693 Data and Information Management Preventive
    Include an individual's payment card service code in the personal data definition. CC ID 04753 Data and Information Management Preventive
    Include an individual's payment card expiration date in the personal data definition. CC ID 04755 Data and Information Management Preventive
    Include the payment transaction data and transaction authentication data in the personal data definition. CC ID 04825 Data and Information Management Preventive
    Include an individual's Individually Identifiable Health Information in the personal data definition. CC ID 04700 Data and Information Management Preventive
    Include an individual's medical history in the personal data definition. CC ID 04701 Data and Information Management Preventive
    Include an individual's medical treatment in the personal data definition. CC ID 04702 Data and Information Management Preventive
    Include an individual's medical diagnosis in the personal data definition. CC ID 04703 Data and Information Management Preventive
    Include an individual's mental condition or an individual's physical condition in the personal data definition. CC ID 04704 Data and Information Management Preventive
    Include an individual's medical record numbers in the personal data definition. CC ID 07121 Data and Information Management Preventive
    Include an individual's health insurance information in the personal data definition. CC ID 04705 Data and Information Management Preventive
    Include an individual's health insurance policy number in the personal data definition. CC ID 04706 Data and Information Management Preventive
    Include an individual's health insurance application and health insurance claims history (including appeals) in the personal data definition. CC ID 04707 Data and Information Management Preventive
    Include an individual's education information in the personal data definition. CC ID 04714 Data and Information Management Preventive
    Include an individual's professional certification numbers or an individual's professional license numbers in the personal data definition. CC ID 07122 Data and Information Management Preventive
    Include an individual's employment information in the personal data definition. CC ID 04715 Data and Information Management Preventive
    Include an employer's Taxpayer Identification Number in the personal data definition. CC ID 04767 Data and Information Management Preventive
    Include an individual's Taxpayer Identification Number in the personal data definition. CC ID 04763 Data and Information Management Preventive
    Include an individual's employment history in the personal data definition. CC ID 04716 Data and Information Management Preventive
    Include an individual's place of employment in the personal data definition. CC ID 04765 Data and Information Management Preventive
    Include an individual's Employee Identification Number in the personal data definition. CC ID 04766 Data and Information Management Preventive
    Include an individual's property information in the personal data definition. CC ID 04780 Data and Information Management Preventive
    Include an individual's property title in the personal data definition. CC ID 04781 Data and Information Management Preventive
    Include an individual's vehicle registration in the personal data definition. CC ID 04782 Data and Information Management Preventive
    Include hardware asset identification information in the personal data definition. CC ID 07123 Data and Information Management Preventive
    Include MAC addresses in the personal data definition. CC ID 04778 Data and Information Management Preventive
    Include Internet Protocol addresses in the personal data definition. CC ID 04777 Data and Information Management Preventive
    Include asset serial numbers in the personal data definition. CC ID 07124 Data and Information Management Preventive
    Include Uniform Resource Locators in the personal data definition. CC ID 07125 Data and Information Management Preventive
    Refrain from including publicly available information in the personal data definition. CC ID 13084 Establish/Maintain Documentation Preventive
    Define specially restricted data. CC ID 00037 Data and Information Management Preventive
    Protect an individual's civil rights during personal data collection and personal data processing. CC ID 00079 Data and Information Management Preventive
    Refrain from compiling data that is likely to give rise to unlawful discrimination or arbitrary discrimination. CC ID 00075 Data and Information Management Preventive
    Refrain from subjecting an individual to a solely automated decision process that produces legal effects based on the evaluation of certain characteristics. CC ID 00080 Data and Information Management Preventive
    Implement a nondiscrimination principle. CC ID 00081 Data and Information Management Preventive
    Include the collection and use of personal data in the nondiscrimination principle. CC ID 11799 Data and Information Management Preventive
    Preserve each individual's right to human dignity. CC ID 00082 Data and Information Management Preventive
    Manage Personal Identification Numbers and PIN verification code numbers. CC ID 00058 Data and Information Management Preventive
    Employ a random number generator to create authenticators. CC ID 13782 Technical Security Preventive
    Collect Personal Identification Numbers with the individual's consent. CC ID 00059 Data and Information Management Preventive
    Collect Personal Identification Numbers absent consent when the law mandates. CC ID 00061 Data and Information Management Preventive
    Collect Personal Identification Numbers absent consent for research purposes. CC ID 00065 Data and Information Management Preventive
    Collect Personal Identification Numbers absent consent to realize the rights or duties of the data subject or data controller. CC ID 04792 Data and Information Management Preventive
    Refrain from requiring a Personal Identification Number to purchase goods or services. CC ID 00069 Behavior Preventive
    Manage health data collection. CC ID 00050 Data and Information Management Preventive
    Collect Individually Identifiable Health Information to provide health care services. CC ID 00052 Data and Information Management Preventive
    Collect Individually Identifiable Health Information when the law dictates. CC ID 00053 Data and Information Management Preventive
    Collect Individually Identifiable Health Information for research. CC ID 00054 Data and Information Management Preventive
    Remove personal data before disclosing health data. CC ID 00055 Data and Information Management Preventive
    Give special attention to collecting children's data. CC ID 00038 Data and Information Management Preventive
    Use simple understandable language to collect information from children. CC ID 00039 Behavior Preventive
    Notify parents or legal representatives of what information is collected from children. CC ID 00040 Establish/Maintain Documentation Preventive
    Obtain consent from a parent or legal representative before collecting information from children. CC ID 00041 Data and Information Management Preventive
    Waive verifiable consent from a parent or legal representative for collecting information from children in order to collect online contact information for a one-time only response to a specific request. CC ID 00043 Data and Information Management Preventive
    Waive verifiable consent from a parent or legal representative for collecting information from children in order to request the parent or legal representative's information to obtain consent. CC ID 00044 Data and Information Management Preventive
    Waive verifiable consent from a parent or legal representative for collecting information from children in order to respond to additional requests which do not go beyond the scope of the request. CC ID 00045 Data and Information Management Preventive
    Waive verifiable consent from a parent or legal representative for collecting information from children in order to protect the child's safety. CC ID 00046 Data and Information Management Preventive
    Waive verifiable consent from a parent or legal representative for collecting information from children in order to take liability precautions. CC ID 00047 Data and Information Management Preventive
    Waive verifiable consent from a parent or legal representative for collecting information from children in order to respond to a judicial process. CC ID 00048 Data and Information Management Preventive
    Waive verifiable consent from a parent or legal representative for collecting information from children in order to respond to a request for law enforcement purposes. CC ID 00049 Data and Information Management Preventive
    Waive verifiable consent from a parent or legal representative for collecting information from children in order to protect the website's security or integrity or the online service's security or integrity. CC ID 06199 Data and Information Management Preventive
    Establish, implement, and maintain a personal data collection policy. CC ID 00029 Establish/Maintain Documentation Preventive
    Collect personal data directly from the data subject. CC ID 00011 Data and Information Management Preventive
    Create and manage user account aliases to maintain pseudonymity. CC ID 04549 Data and Information Management Preventive
    Provide unlinkability for users and resources. CC ID 04550 Data and Information Management Preventive
    Provide unobservability of users and resources. CC ID 04551 Technical Security Preventive
    Confirm the data quality of personal data collected from third parties. CC ID 13510 Investigate Detective
    Collect restricted data in a fair and lawful manner. CC ID 00010 Data and Information Management Preventive
    Collect restricted data absent consent for specific and well-documented circumstances. CC ID 00013 Data and Information Management Preventive
    Collect restricted data absent consent when the data collection is in the individual's interests and consent can not be obtained in a timely manner. CC ID 00014 Data and Information Management Preventive
    Collect restricted data absent consent when consent compromises data accuracy. CC ID 00015 Data and Information Management Preventive
    Collect personal data absent consent in order to make a disclosure. CC ID 13550 Data and Information Management Preventive
    Collect personal data absent consent for reasonable investigative purposes. CC ID 11801 Data and Information Management Preventive
    Collect personal data absent consent if the collection is consistent with the intended purpose. CC ID 13548 Data and Information Management Preventive
    Collect personal data absent consent when the personal data was produced by the data subject in the course of employment, business, or profession. CC ID 13544 Data and Information Management Preventive
    Collect personal data absent consent for handling insurance claims. CC ID 13543 Data and Information Management Preventive
    Collect personal data absent consent when the data subject has authorized the collection through another individual. CC ID 00016 Data and Information Management Preventive
    Collect personal data absent consent if the disclosure is to the next of kin or authorized representative. CC ID 15295 Data and Information Management Preventive
    Collect personal data absent consent in order to establish, manage, or terminate employment contracts. CC ID 13614 Data and Information Management Preventive
    Collect personal data absent consent in order to protect the data subject's vital interests. CC ID 15277 Data and Information Management Preventive
    Collect personal data for public interests absent consent in order to protect historical records or archival records. CC ID 15289 Data and Information Management Preventive
    Collect personal data absent consent to administer a trust fund or benefit plan. CC ID 15292 Data and Information Management Preventive
    Collect restricted data absent consent for journalistic purposes, artistic purposes, or literary purposes. CC ID 00017 Data and Information Management Preventive
    Collect personal data absent consent in order to collect a debt owed by the data subject. CC ID 15293 Data and Information Management Preventive
    Collect personal data absent consent for statistical purposes or research purposes and the data subject is not identified. CC ID 00018 Data and Information Management Preventive
    Collect restricted data absent consent from publicly available information. CC ID 00019 Data and Information Management Preventive
    Collect restricted data absent consent when needed by law. CC ID 00020 Data and Information Management Preventive
    Collect personal data absent consent to create a credit report. CC ID 15287 Data and Information Management Preventive
    Collect restricted data absent consent when no potential harm can come to the data subject. CC ID 00021 Data and Information Management Preventive
    Collect personal data absent consent when collecting personal data from the data subject is impossible or the data collection involves a disproportionate effort. CC ID 00022 Data and Information Management Preventive
    Collect the minimum amount of restricted data necessary. CC ID 00078 Data and Information Management Preventive
    Collect restricted data in a proper information framework. CC ID 00009 Data and Information Management Preventive
    Collect and record restricted data for specific, explicit, and legitimate purposes. CC ID 00027 Data and Information Management Preventive
    Collect restricted data when required by law. CC ID 00031 Data and Information Management Preventive
    Collect restricted data to prevent life-threatening emergencies. CC ID 00032 Data and Information Management Preventive
    Collect restricted data relating solely to nonprofit organization members or individuals who are in regular contact during the nonprofit organization's activities. CC ID 00034 Data and Information Management Preventive
    Collect restricted data for legal purposes. CC ID 00036 Data and Information Management Preventive
    Review the methods for collecting personal data, as necessary. CC ID 13511 Investigate Detective
    Provide the data subject with information about the data controller during the collection process. CC ID 00023 Establish/Maintain Documentation Preventive
    Disseminate and communicate the data collector's name and contact information to all interested personnel. CC ID 13760 Communicate Preventive
    Provide the data subject with the data collector's name and contact information. CC ID 00024 Establish/Maintain Documentation Preventive
    Provide the data subject with the name of the data collector who will hold the collected restricted data. CC ID 00025 Establish/Maintain Documentation Preventive
    Provide the data subject with the third party processor's contact information when the data controller is not processing the restricted data. CC ID 00026 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain a data handling program. CC ID 13427 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain data handling policies. CC ID 00353 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain data and information confidentiality policies. CC ID 00361 Establish/Maintain Documentation Preventive
    [{be within}To demonstrate accountability, the governing body should ensure that the organization's reports and disclosures: are transparent but also within the limits of confidentiality; § 6.5.3.2 ¶ 1 f)]
    Prohibit personal data from being sent by e-mail or instant messaging. CC ID 00565 Data and Information Management Preventive
    Protect electronic messaging information. CC ID 12022 Technical Security Preventive
    Establish, implement, and maintain record structures to support information confidentiality. CC ID 00360 Data and Information Management Preventive
    Include passwords, Personal Identification Numbers, and card security codes in the personal data definition. CC ID 04699 Configuration Preventive
    Refrain from storing data elements containing payment card full magnetic stripe data. CC ID 04757 Testing Detective
    Store payment card data in secure chips, if possible. CC ID 13065 Configuration Preventive
    Refrain from storing data elements containing sensitive authentication data after authorization is approved. CC ID 04758 Configuration Preventive
    Render unrecoverable sensitive authentication data after authorization is approved. CC ID 11952 Technical Security Preventive
    Automate the disposition process for records that contain "do not store" data or "delete after transaction process" data. CC ID 06083 Data and Information Management Preventive
    Log the disclosure of personal data. CC ID 06628 Log Management Preventive
    Log the modification of personal data. CC ID 11844 Log Management Preventive
    Encrypt, truncate, or tokenize data fields, as necessary. CC ID 06850 Technical Security Preventive
    Implement security measures to protect personal data. CC ID 13606 Technical Security Preventive
    Implement physical controls to protect personal data. CC ID 00355 Testing Preventive
    Limit data leakage. CC ID 00356 Data and Information Management Preventive
    Conduct personal data risk assessments. CC ID 00357 Testing Detective
    Identify potential red flags to alert the organization before a data leakage has occurred. CC ID 04654 Monitor and Evaluate Occurrences Preventive
    Establish, implement, and maintain Consumer Reporting Agency notification procedures. CC ID 04851 Business Processes Preventive
    Establish, implement, and maintain suspicious document procedures. CC ID 04852 Establish/Maintain Documentation Detective
    Establish, implement, and maintain suspicious personal data procedures. CC ID 04853 Data and Information Management Detective
    Compare certain personal data such as name, date of birth, address, driver's license, or other identification against personal data on file for the applicant. CC ID 04855 Data and Information Management Detective
    Establish, implement, and maintain suspicious user account activity procedures. CC ID 04854 Monitor and Evaluate Occurrences Detective
    Perform an identity check prior to approving an account change request. CC ID 13670 Investigate Detective
    Use the contact information on file to contact the individual identified in an account change request. CC ID 04857 Behavior Detective
    Match consumer reports with current accounts on file to ensure account misuse or information misuse has not occurred. CC ID 04873 Data and Information Management Detective
    Log account access dates and report when dormant accounts suddenly exhibit unusual activity. CC ID 04874 Log Management Detective
    Report fraudulent account activity, unauthorized transactions, or discrepancies with current accounts. CC ID 04875 Monitor and Evaluate Occurrences Corrective
    Log dates for account name changes or address changes. CC ID 04876 Log Management Detective
    Review accounts that are changed for additional user requests. CC ID 11846 Monitor and Evaluate Occurrences Detective
    Send change notices for change of address requests to the old address and the new address. CC ID 04877 Data and Information Management Detective
    Acquire enough insurance to cover the liability for damages due to data leakage. CC ID 06408 Acquisition/Sale of Assets or Services Preventive
    Search the Internet for evidence of data leakage. CC ID 10419 Process or Activity Detective
    Alert appropriate personnel when data leakage is detected. CC ID 14715 Process or Activity Preventive
    Review monitored websites for data leakage. CC ID 10593 Monitor and Evaluate Occurrences Detective
    Take appropriate action when a data leakage is discovered. CC ID 14716 Process or Activity Corrective
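The dormant-account red flag listed above (CC ID 04874) and the logged change dates of CC ID 04876, worked as detection logic over sample log lines. This is an added example, not code from ISO 37000 or the Unified Compliance Framework; the log format, the sample lines, the 90-day dormancy window and the 24-hour follow-up window are all assumptions made for the illustration.

```python
"""Dormant-account reactivation detection over constructed log lines.

Added example, not code from ISO 37000 or the Unified Compliance Framework.
Implements CC ID 04874 (log account access dates and report when a dormant
account suddenly exhibits unusual activity) and uses the change dates that
CC ID 04876 requires to be logged to raise the severity when a name or
address change follows the reactivation. The log format, the 90-day
dormancy window and the 24-hour follow-up window are assumptions.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Iterable

DORMANCY_WINDOW = timedelta(days=90)    # assumed organizational value
FOLLOW_UP_WINDOW = timedelta(hours=24)  # assumed
SENSITIVE_EVENTS = {"address_change", "name_change", "contact_change"}

# Constructed sample log: ISO-8601 UTC timestamp, account, event. The last two
# lines are deliberately out of order to show that parse() sorts before analysis.
SAMPLE_LOG = """\
2024-01-05T09:12:00Z alice login
2024-01-06T10:00:00Z bob login
2024-01-07T11:30:00Z alice login
2024-04-20T02:14:00Z bob login
2024-04-20T02:15:30Z bob address_change
2024-04-23T08:00:00Z alice login
2024-09-15T23:59:00Z carol login
2024-05-02T13:00:00Z carol login
"""


@dataclass(frozen=True)
class Alert:
    account: str
    at: datetime
    severity: str
    reason: str


def parse(lines: Iterable[str]) -> list[tuple[datetime, str, str]]:
    """Parse and time-sort log lines; blank lines are skipped."""
    events = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        ts, account, event = line.split(maxsplit=2)
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), account, event))
    events.sort(key=lambda e: e[0])
    return events


def detect_reactivation(events: list[tuple[datetime, str, str]],
                        window: timedelta = DORMANCY_WINDOW,
                        follow_up: timedelta = FOLLOW_UP_WINDOW) -> list[Alert]:
    """One pass over time-ordered events, tracking each account's last access date."""
    last_seen: dict[str, datetime] = {}
    reactivated_at: dict[str, datetime] = {}
    alerts: list[Alert] = []
    for ts, account, event in events:
        prev = last_seen.get(account)
        if prev is not None and ts - prev > window:
            # CC ID 04874: activity on an account idle longer than the window.
            reactivated_at[account] = ts
            alerts.append(Alert(account, ts, "medium",
                                f"activity after {(ts - prev).days} idle days"))
        woke = reactivated_at.get(account)
        if event in SENSITIVE_EVENTS and woke is not None and ts - woke <= follow_up:
            # CC ID 04876 dates: a contact-detail change right after waking up is
            # the classic account-takeover pattern, so escalate.
            minutes = int((ts - woke).total_seconds() // 60)
            alerts.append(Alert(account, ts, "high",
                                f"{event} {minutes} min after reactivation"))
        last_seen[account] = ts
    return alerts


def run_sample() -> list[Alert]:
    return detect_reactivation(parse(SAMPLE_LOG.splitlines()))


if __name__ == "__main__":
    for a in run_sample():
        print(a.at.isoformat(), a.account, a.severity, a.reason)
```

On the sample, bob and alice both come back after more than 100 idle days and carol after 136; bob's address change 90 seconds after reactivation is the one that escalates to high. A brand-new account is never flagged, since it has no previous access date to be dormant from.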
    Disseminate and communicate the data handling policy to all interested personnel and affected parties. CC ID 15465 Communicate Preventive
    [The recognition that data can be a strategic asset (or liability) means that the governing body should: communicate the nature and extent of the organization's use of data as a demonstration of accountability for this resource. § 6.8.3.3 ¶ 1 e)]
    Establish, implement, and maintain data handling procedures. CC ID 11756 Establish/Maintain Documentation Preventive
    Disseminate and communicate the data handling procedures to all interested personnel and affected parties. CC ID 15466 Communicate Preventive
    [The governing body should ensure that the organization identifies, manages, monitors and communicates the nature and extent of its use of data (see 6.5.3). § 6.8.3.1 ¶ 1]
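The payment-card controls listed earlier in this section, worked as one routine: no full magnetic stripe (track) data or other sensitive authentication data is kept once authorization is approved (CC IDs 04757, 04758, 11952), the PAN is truncated and tokenized instead of stored in the clear (CC ID 06850), and an audit check scans a stored record for anything that slipped through. This is an added example, not code from ISO 37000 or the Unified Compliance Framework; the record layout, field names, tokenization key and transaction are constructed, and the PAN is the well-known 4111 1111 1111 1111 test number.

```python
"""What a card transaction record may look like after authorization.

Added example, not code from ISO 37000 or the Unified Compliance Framework.
Sensitive authentication data is dropped once authorization is approved
(CC IDs 04757, 04758, 11952), the PAN is truncated and tokenized rather than
stored in the clear (CC ID 06850), and contains_sad() is the check to run over
stored records. Record layout, field names and the HMAC key are constructed.
"""
from __future__ import annotations

import base64
import hashlib
import hmac
import re

# Sensitive authentication data: must not be retained after authorization.
SAD_FIELDS = {"track1", "track2", "cvv2", "pin_block"}
# Assumed tokenization key for the demo; in production it lives in an HSM or KMS.
TOKEN_KEY = b"constructed-demo-key-do-not-use-in-production"
DIGIT_RUN = re.compile(r"\d{13,19}")

# Constructed authorization request as it arrives from the terminal.
SAMPLE_AUTH = {
    "txn_id": "t-1001",
    "pan": "4111111111111111",
    "expiry": "12/29",
    "cvv2": "123",
    "track2": "4111111111111111=29121010000000000",
    "amount": "19.99",
    "auth_code": "A1B2C3",
}


def luhn_ok(pan: str) -> bool:
    """Luhn check, used to tell a real PAN from an arbitrary digit run."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def truncate_pan(pan: str) -> str:
    """Keep at most the first six and last four digits; mask the rest."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def tokenize_pan(pan: str, key: bytes = TOKEN_KEY) -> str:
    """Keyed, deterministic token: the same PAN always maps to the same token,
    and the PAN cannot be recovered from the token without the key."""
    mac = hmac.new(key, pan.encode(), hashlib.sha256).digest()
    return base64.urlsafe_b64encode(mac).rstrip(b"=").decode()


def sanitize_after_authorization(record: dict) -> dict:
    """Return the subset of the record that may be persisted post-authorization."""
    pan = record["pan"]
    if not (13 <= len(pan) <= 19 and pan.isdigit() and luhn_ok(pan)):
        raise ValueError("malformed PAN")
    stored = {k: v for k, v in record.items() if k not in SAD_FIELDS and k != "pan"}
    stored["pan_truncated"] = truncate_pan(pan)
    stored["pan_token"] = tokenize_pan(pan)
    # Dropping the keys covers the stored record; the pre-authorization buffer
    # still has to be wiped or expired by the process that held it.
    return stored


def contains_sad(record: dict) -> bool:
    """Audit check for stored records: a SAD field, or a Luhn-valid PAN-length
    digit run inside any string value (such as a PAN embedded in track data),
    is a finding."""
    if SAD_FIELDS & record.keys():
        return True
    for value in record.values():
        if isinstance(value, str):
            for run in DIGIT_RUN.findall(value):
                if luhn_ok(run):
                    return True
    return False
```

The check deliberately looks for digit runs inside every string value rather than only at a field named "pan", because track data, free-text notes and log lines are where full PANs usually survive.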
  • Records management (15 controls)
    KEY:    Primary Verb     Primary Noun     Secondary Verb     Secondary Noun     Limiting Term
    Mandated - bold    Implied - italic    Implementation - regular TYPE CLASS
    Records management CC ID 00902 IT Impact Zone IT Impact Zone
    Establish, implement, and maintain a data profiling program. CC ID 13992 Data and Information Management Preventive
    [The governing body should oversee the organization's management of risk (see 6.4), ensuring that: effective data analytics are employed to correctly assess risk and risk interactions; § 6.9.3.4 ¶ 1 f)]
    Establish, implement, and maintain an information management program. CC ID 14315 Establish/Maintain Documentation Preventive
    [Decision-making throughout the organization should be supported by appropriate delegation (see 4.2.2). This delegation should be formalized together with appropriate assurance processes. Additionally, the governing body should ensure that: information structures, including access to information, monitoring and potential mitigation of incorrect decisions are sufficient to ensure compliance with organizational requirements. § 6.8.3.2.2 ¶ 1 c)]
    Ensure data sets have the appropriate characteristics. CC ID 15000 Data and Information Management Detective
    Ensure data sets are complete, are accurate, and are relevant. CC ID 14999 Data and Information Management Detective
    Establish, implement, and maintain records management procedures. CC ID 11619 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain data accuracy controls. CC ID 00921 Monitor and Evaluate Occurrences Detective
    [To exercise effective oversight, the governing body should: assure itself of the accuracy of reports and evidence it receives, and the effectiveness of the internal control system. § 6.4.3.1 ¶ 1 d)
    The governing body should make decisions of requisite quality and ensure that its decision-making is appropriately informed. The governing body should: ensure that assurance is provided over the integrity of the data and information received, and in particular its accuracy and completeness; § 6.8.3.2.1 ¶ 1 g)]
    Establish, implement, and maintain data completeness controls. CC ID 11649 Process or Activity Preventive
    [The governing body should make decisions of requisite quality and ensure that its decision-making is appropriately informed. The governing body should: ensure that assurance is provided over the integrity of the data and information received, and in particular its accuracy and completeness; § 6.8.3.2.1 ¶ 1 g)]
    Establish, implement, and maintain data processing integrity controls. CC ID 00923 Establish Roles Preventive
    [The governing body should make decisions of requisite quality and ensure that its decision-making is appropriately informed. The governing body should: ensure that assurance is provided over the integrity of the data and information received, and in particular its accuracy and completeness; § 6.8.3.2.1 ¶ 1 g)]
    Compare each record's data input to its final form. CC ID 11813 Records Management Detective
    Establish, implement, and maintain Automated Data Processing validation checks and editing checks. CC ID 00924 Data and Information Management Preventive
    Establish, implement, and maintain Automated Data Processing error handling procedures. CC ID 00925 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain Automated Data Processing error handling reporting. CC ID 11659 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain electronic storage media management procedures. CC ID 00931 Establish/Maintain Documentation Preventive
    Establish and maintain access controls for all records. CC ID 00371 Records Management Preventive
    [Decision-making throughout the organization should be supported by appropriate delegation (see 4.2.2). This delegation should be formalized together with appropriate assurance processes. Additionally, the governing body should ensure that: information structures, including access to information, monitoring and potential mitigation of incorrect decisions are sufficient to ensure compliance with organizational requirements. § 6.8.3.2.2 ¶ 1 c)]
  • Technical security (46 controls)
    Technical security CC ID 00508 IT Impact Zone IT Impact Zone
    Establish, implement, and maintain an access control program. CC ID 11702 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain an access rights management plan. CC ID 00513 Establish/Maintain Documentation Preventive
    Control access rights to organizational assets. CC ID 00004 Technical Security Preventive
    [{procedure}The governing body should ensure that it sets parameters, within which the value generation objectives are to be achieved. These parameters should ensure that the organization: defines what resources are required to deliver the value generation objectives and how they should be accessed and allocated; § 6.2.3.3 ¶ 1 b)]
    Configure access control lists in accordance with organizational standards. CC ID 16465 Configuration Preventive
    Add all devices requiring access control to the Access Control List. CC ID 06264 Establish/Maintain Documentation Preventive
    Generate but refrain from storing authenticators or Personal Identification Numbers for systems involved in high risk activities. CC ID 06835 Technical Security Preventive
    Disallow application IDs from running as privileged users. CC ID 10050 Configuration Detective
    Define roles for information systems. CC ID 12454 Human Resources Management Preventive
    Define access needs for each role assigned to an information system. CC ID 12455 Human Resources Management Preventive
    Define access needs for each system component of an information system. CC ID 12456 Technical Security Preventive
    Define the level of privilege required for each system component of an information system. CC ID 12457 Technical Security Preventive
    Establish access rights based on least privilege. CC ID 01411 Technical Security Preventive
    Assign user permissions based on job responsibilities. CC ID 00538 Technical Security Preventive
    Assign user privileges after they have management sign off. CC ID 00542 Technical Security Preventive
    Separate processing domains to segregate user privileges and enhance information flow control. CC ID 06767 Configuration Preventive
    Establish, implement, and maintain lockout procedures or lockout mechanisms to be triggered after a predetermined number of consecutive logon attempts. CC ID 01412 Technical Security Preventive
    Configure the lockout procedure to disregard failed logon attempts after the user is authenticated. CC ID 13822 Configuration Preventive
    Notify the user when an authentication is attempted using an expired authenticator. CC ID 13818 Communicate Corrective
    Disallow unlocking user accounts absent system administrator approval. CC ID 01413 Technical Security Preventive
    Establish, implement, and maintain session lock capabilities. CC ID 01417 Configuration Preventive
    Limit concurrent sessions according to account type. CC ID 01416 Configuration Preventive
    Establish session authenticity through Transport Layer Security. CC ID 01627 Technical Security Preventive
    Configure the "tlsverify" argument to organizational standards. CC ID 14460 Configuration Preventive
    Configure the "tlscacert" argument to organizational standards. CC ID 14521 Configuration Preventive
    Configure the "tlscert" argument to organizational standards. CC ID 14520 Configuration Preventive
    Configure the "tlskey" argument to organizational standards. CC ID 14519 Configuration Preventive
    Enable access control for objects and users on each system. CC ID 04553 Configuration Preventive
    Include all system components in the access control system. CC ID 11939 Technical Security Preventive
    Set access control for objects and users to "deny all" unless explicitly authorized. CC ID 06301 Process or Activity Preventive
    Enable access control for objects and users to match restrictions set by the system's security classification. CC ID 04850 Technical Security Preventive
    Enable attribute-based access control for objects and users on information systems. CC ID 16351 Technical Security Preventive
    Enable role-based access control for objects and users on information systems. CC ID 12458 Technical Security Preventive
    Include the objects and users subject to access control in the security policy. CC ID 11836 Establish/Maintain Documentation Preventive
    Assign Information System access authorizations if implementing segregation of duties. CC ID 06323 Establish Roles Preventive
    Enforce access restrictions for change control. CC ID 01428 Technical Security Preventive
    Enforce access restrictions for restricted data. CC ID 01921 Data and Information Management Preventive
    Permit a limited set of user actions absent identification and authentication. CC ID 04849 Technical Security Preventive
    Perform a risk assessment prior to activating third party access to the organization's critical systems. CC ID 06455 Testing Detective
    Activate third party maintenance accounts and user identifiers, as necessary. CC ID 04262 Technical Security Preventive
    Establish, implement, and maintain a system use agreement for each information system. CC ID 06500 Establish/Maintain Documentation Preventive
    Accept and sign the system use agreement before data or system access is enabled. CC ID 06501 Establish/Maintain Documentation Preventive
    Display a logon banner and appropriate logon message before granting access to the system. CC ID 06770 Technical Security Preventive
    Display previous logon information in the logon banner. CC ID 01415 Configuration Preventive
    Document actions that can be performed on an information system absent identification and authentication of the user. CC ID 06771 Establish/Maintain Documentation Preventive
    Use automatic equipment identification as a method of connection authentication absent an individual's identification and authentication. CC ID 06964 Technical Security Preventive
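The three lockout controls listed in this section, worked together in one routine: lock after a predetermined number of consecutive failed logons (CC ID 01412), disregard earlier failures once the user authenticates successfully (CC ID 13822), and unlock only with system administrator approval (CC ID 01413). This is an added example, not code from ISO 37000 or the Unified Compliance Framework; the in-memory credential store, the account names, the passwords and the threshold of 5 are assumptions made for the illustration.

```python
"""Consecutive-failure account lockout.

Added example, not code from ISO 37000 or the Unified Compliance Framework.
Lock after a predetermined number of consecutive failed logons (CC ID 01412),
reset the counter on a successful logon (CC ID 13822), and unlock only with
system administrator approval (CC ID 01413). The credential store is a
constructed stand-in (salted PBKDF2 digests in memory), not a real identity
provider; the threshold of 5 is an assumed organizational value.
"""
from __future__ import annotations

import hashlib
import hmac
import os
from dataclasses import dataclass, field

LOCKOUT_THRESHOLD = 5   # assumed organizational value
PBKDF2_ROUNDS = 50_000  # kept low for the demo; production values are higher


def _digest(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


@dataclass
class Account:
    salt: bytes
    digest: bytes
    consecutive_failures: int = 0
    locked: bool = False


@dataclass
class LockoutPolicy:
    threshold: int = LOCKOUT_THRESHOLD
    accounts: dict[str, Account] = field(default_factory=dict)

    def enrol(self, user: str, password: str) -> None:
        salt = os.urandom(16)
        self.accounts[user] = Account(salt, _digest(password, salt))

    def authenticate(self, user: str, password: str) -> str:
        """Return "ok", "denied" or "locked".

        A locked account is refused before the password is checked, so the
        lock also stops further guessing, and even the correct password is
        refused until an administrator unlocks the account.
        """
        acct = self.accounts.get(user)
        if acct is None:
            return "denied"  # unknown user gets the same answer as a wrong password
        if acct.locked:
            return "locked"
        if hmac.compare_digest(acct.digest, _digest(password, acct.salt)):
            acct.consecutive_failures = 0  # CC ID 13822: earlier failures no longer count
            return "ok"
        acct.consecutive_failures += 1
        if acct.consecutive_failures >= self.threshold:
            acct.locked = True  # CC ID 01412
            return "locked"
        return "denied"

    def unlock(self, user: str, approved_by_admin: bool) -> bool:
        """CC ID 01413: unlocking requires system administrator approval."""
        acct = self.accounts[user]
        if not approved_by_admin or not acct.locked:
            return False
        acct.locked = False
        acct.consecutive_failures = 0
        return True


def demo() -> list[str]:
    """Two failures, a success that resets the counter, then three failures that lock."""
    policy = LockoutPolicy(threshold=3)
    policy.enrol("alice", "correct horse battery staple")
    attempts = ["wrong", "wrong", "correct horse battery staple",
                "wrong", "wrong", "wrong", "correct horse battery staple"]
    return [policy.authenticate("alice", p) for p in attempts]


if __name__ == "__main__":
    print(demo())
```

The point of the reset rule is that a legitimate user who mistypes twice, then logs in, starts again from zero; without it, occasional typos accumulate over weeks into a lockout. The point of checking the lock before the password is that once locked, the account gives an attacker no further oracle.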
  • Third Party and supply chain oversight (4 controls)
    Third Party and supply chain oversight CC ID 08807 IT Impact Zone IT Impact Zone
    Establish, implement, and maintain a supply chain management program. CC ID 11742 Establish/Maintain Documentation Preventive
    Document the organization's supply chain in the supply chain management program. CC ID 09958 Establish/Maintain Documentation Preventive
    Document supply chain dependencies in the supply chain management program. CC ID 08900 Establish/Maintain Documentation Detective
    [{external context}The governing body should ensure that the organizational risk framework, in respect to the management of risk: considers the impact of, changes to and dependencies on the external and internal context of the organization, including: § 6.9.3.2 ¶ 2 d)]
Common Controls and mandates by Type

226 Mandated Controls (bold), 70 Implied Controls (italic), 2044 Implementation Controls (regular); 2340 Total

Each Common Control is assigned a metadata type to help you determine the objective of the Control and the associated Authority Document mandates aligned with it. These types include behavioral controls, process controls, records management, technical security, configuration management, etc. They are provided as another tool to dissect the Authority Document’s mandates and assign them effectively within your organization.
  • Acquisition/Sale of Assets or Services (9 controls)
    KEY:    Primary Verb     Primary Noun     Secondary Verb     Secondary Noun     Limiting Term
    Mandated - bold    Implied - italic    Implementation - regular IMPACT ZONE CLASS
    Implement automated audit tools. CC ID 04882 Monitoring and measurement Preventive
    Purchase insurance on behalf of interested personnel and affected parties. CC ID 16571 Audits and risk management Corrective
    Refrain from using gifted mobile devices. CC ID 16460 Human Resources management Preventive
    Acquire resources necessary to support Governance, Risk, and Compliance. CC ID 12861 Operational management Preventive
    [The governing body should ensure that the organizational risk framework, in respect to the management of risk: establishes and maintains adequate resourcing; § 6.9.3.2 ¶ 2 f)]
    Transfer legal ownership of assets when the system is redeployed to a third party. CC ID 06698 Operational management Preventive
    Acquire spare parts prior to when maintenance requests are scheduled. CC ID 11833 Operational management Preventive
    Process product return requests. CC ID 11598 Acquisition or sale of facilities, technology, and services Corrective
    Refrain from returning products absent a return request authorization. CC ID 11599 Acquisition or sale of facilities, technology, and services Corrective
    Acquire enough insurance to cover the liability for damages due to data leakage. CC ID 06408 Privacy protection for information and data Preventive
  • Actionable Reports or Measurements (151 controls)
    Report to management and stakeholders on the findings and information gathered from all types of inquiries. CC ID 12797 Leadership and high level objectives Preventive
    [{be appropriate}When delegating, the governing body should delegate in a manner which increases trust and transparency. For delegation and accountability (see 6.5) to be effective, the governing body should ensure that the following conditions are fulfilled: outputs, outcomes and the processes to achieve the responsibilities are periodically reported and presented with evidence that actions taken are reasonable and appropriate; § 4.2.2 ¶ 2 d)
    The governing body should: report on the process and outcomes of assessments to relevant stakeholders (see 6.5.3). § 4.3.2 ¶ 2 e)
    Ethical behaviour — The organization behaves in accordance with accepted principles of right or good conduct in the context of a particular situation and in a manner consistent with international norms of behaviour, including demonstrating: accountability through accurate and timely reporting on its performance and stewardship of resources; § 5 ¶ 2 c) 2)
    To demonstrate accountability, the governing body should ensure that the organization's reports and disclosures: provide information about the organization, including: § 6.5.3.2 ¶ 1 c)
    The governing body should demonstrate accountability by retaining and distributing value in a transparent manner and reporting on the associated processes, decisions and results, including on the extent of the organization's impacts over time. This includes disclosing to relevant stakeholders where the organization has destroyed or compromised value, providing a justification for such where appropriate, and describing how it will redress or reinstate that value. § 6.2.3.5 ¶ 2]
    Establish and maintain an Information Technology plan status report that covers both Strategic Information Technology Plans and tactical Information Technology plans. CC ID 06839 Leadership and high level objectives Preventive
    Include key personnel status changes in the Information Technology Plan status reports. CC ID 06840 Leadership and high level objectives Preventive
    Include significant security risks in the Information Technology Plan status reports. CC ID 06939 Leadership and high level objectives Preventive
    Include significant risk mitigations in the Information Technology Plan status reports. CC ID 06841 Leadership and high level objectives Preventive
    Report on the percentage of critical assets for which an assurance strategy is implemented. CC ID 01657 Monitoring and measurement Detective
    Report on the percentage of key organizational functions for which an assurance strategy is implemented. CC ID 01658 Monitoring and measurement Detective
    Report on the percentage of key compliance requirements for which an assurance strategy has been implemented. CC ID 01659 Monitoring and measurement Detective
    Report on the percentage of the Information System budget allocated to Information Security. CC ID 04571 Monitoring and measurement Detective
    Report on the policies and controls that have been implemented by management. CC ID 01670 Monitoring and measurement Detective
    Report on the percentage of security management roles that have been assigned. CC ID 01671 Monitoring and measurement Detective
    Report on the percentage of board meetings or committee meetings at which Information Assurance was on the agenda. CC ID 01672 Monitoring and measurement Detective
    Report on the percentage of supply chain members for which all Information Assurance requirements have been implemented. CC ID 01675 Monitoring and measurement Detective
    Report on the Service Level Agreement performance of supply chain members. CC ID 06838 Monitoring and measurement Preventive
    Report on the percentage of organizational units that have an established Business Continuity Plan. CC ID 01676 Monitoring and measurement Detective
    Report on the percentage of organizational units with a documented Business Continuity Plan for which specific responsibilities have been assigned. CC ID 02057 Monitoring and measurement Detective
    Report on the percentage of Business Continuity Plans that have been reviewed, tested, and updated. CC ID 02058 Monitoring and measurement Detective
    Report on the percentage of needed internal audits that have been completed and reviewed. CC ID 01677 Monitoring and measurement Detective
    Report on the percentage of Information Security requirements from applicable laws and regulations that are included in the audit program. CC ID 02069 Monitoring and measurement Detective
    Report on the percentage of needed external audits that have been completed and reviewed. CC ID 11632 Monitoring and measurement Detective
    Report on the percentage of Information Security audits conducted in compliance with the approved audit program. CC ID 02070 Monitoring and measurement Detective
    Report on the percentage of audit findings that have been resolved since the last audit. CC ID 01678 Monitoring and measurement Detective
    Report on the percentage of management actions in response to audit findings and audit recommendations that were implemented in a timely way. CC ID 02071 Monitoring and measurement Detective
    Monitor compliance with the Quality Control system. CC ID 01023 Monitoring and measurement Preventive
    Report on the percentage of complaints received about products or delivered services. CC ID 07199 Monitoring and measurement Preventive
    Report on the percentage of Quality Assurance attained by Quality Improvement practices. CC ID 07202 Monitoring and measurement Preventive
    Report on the percentage of total controls for which policies, standards, and procedures exist and for which approval has been granted. CC ID 01679 Monitoring and measurement Detective
    Report on the percentage of personnel who are assigned and acknowledged responsibilities for approved policies, standards, and procedures. CC ID 01680 Monitoring and measurement Detective
    Report on the percentage of policy compliance reviews for which no compliance violations were noted. CC ID 01681 Monitoring and measurement Detective
    Report on the percentage of senior management or business unit heads who have implemented operational compliance procedures. CC ID 01682 Monitoring and measurement Detective
    Report on the percentage of role descriptions that define the Information Awareness roles for Security Managers and administrators. CC ID 01685 Monitoring and measurement Detective
    Report on the percentage of role descriptions that define the information awareness roles for interested personnel. CC ID 01686 Monitoring and measurement Detective
    Report on the percentage of role descriptions that define the information awareness roles for end users. CC ID 01687 Monitoring and measurement Detective
    Report on the percentage of performance reviews that include the evaluation of Information Assurance responsibilities and policy compliance. CC ID 01688 Monitoring and measurement Detective
    Report on the percentage of individuals who have access to security software, are trained, and authorized Security Administrators. CC ID 01691 Monitoring and measurement Detective
    Report on the percentage of individuals who are able to assign security privileges, are trained, and authorized Security Administrators. CC ID 01692 Monitoring and measurement Detective
    Report on the percentage of new hires who completed training ahead of being granted network access or system access. CC ID 01683 Monitoring and measurement Detective
    Report on the percentage of personnel who have completed periodic Information Assurance refresher training. CC ID 01684 Monitoring and measurement Detective
    Report on the percentage of user roles, systems, and applications that comply with the segregation of duties principle. CC ID 01689 Monitoring and measurement Detective
    Report on the percentage of individuals whose access rights have been reviewed. CC ID 01690 Monitoring and measurement Detective
    Report on the percentage of users who have access to restricted data or restricted information and have undergone a background check. CC ID 01693 Monitoring and measurement Detective
    Report on the percentage of critical information assets and information-dependent functions. CC ID 02040 Monitoring and measurement Detective
    Report on the percentage of critical assets and functions for which the cost of compromise has been quantified. CC ID 02041 Monitoring and measurement Detective
    Report on the percentage of identified risks that have a defined risk mitigation plan. CC ID 02042 Monitoring and measurement Detective
    Report on the percentage of systems with approved System Security Plans. CC ID 02145 Monitoring and measurement Detective
    Report on the percentage of known Information Security risks that are related to supply chain relationships. CC ID 02044 Monitoring and measurement Detective
    Report on the percentage of critical information assets or critical functions for which access by supply chain personnel is disallowed. CC ID 02045 Monitoring and measurement Detective
    Report on the percentage of supply chain personnel who have current information asset user privileges. CC ID 02046 Monitoring and measurement Detective
    Report on the percentage of systems with critical information assets or functions for which electronic connection by supply chain assets is disallowed. CC ID 02047 Monitoring and measurement Detective
    Report on the percentage of security incidents that involved supply chain personnel. CC ID 02048 Monitoring and measurement Detective
    Report on the percentage of third party contracts that include a requirement to externally verify policies and procedures. CC ID 02049 Monitoring and measurement Detective
    Report on the percentage of supply chain relationships that have been reviewed for compliance with information security requirements. CC ID 02050 Monitoring and measurement Detective
    Report on the percentage of information assets that have been reviewed and classified. CC ID 02053 Monitoring and measurement Detective
    Report on the percentage of information assets with defined user privileges that have been assigned based on role and according to policy. CC ID 02054 Monitoring and measurement Detective
    Report on the percentage of scheduled Information Technology inventory processes that occurred on time. CC ID 02055 Monitoring and measurement Detective
    Report on the percentage of recently identified information security risks related to systems architecture that have been adequately mitigated. CC ID 02060 Monitoring and measurement Detective
    Report on the percentage of system architecture changes that were approved through appropriate change requests. CC ID 02061 Monitoring and measurement Detective
    Report on the percentage of critical information assets or functions residing on systems that are currently in compliance with the approved systems architecture. CC ID 02062 Monitoring and measurement Detective
    Report on the percentage of systems that have been recertified if security controls were updated after the system was developed. CC ID 02142 Monitoring and measurement Detective
    Report on the percentage of systems that have completed Certification and Accreditation. CC ID 02143 Monitoring and measurement Detective
    Report on the percentage of critical organizational information assets and functions that have been reviewed from the risk to physical security perspective. CC ID 02064 Monitoring and measurement Detective
    Report on the percentage of critical organizational information assets and functions exposed to physical risks for which risk mitigation actions have been implemented. CC ID 02065 Monitoring and measurement Detective
    Report on the percentage of critical assets that have been reviewed from the environmental risk perspective. CC ID 02066 Monitoring and measurement Detective
    Report on the percentage of servers located in controlled access areas. CC ID 02067 Monitoring and measurement Detective
    Establish, implement, and maintain environmental management system performance metrics. CC ID 15191 Monitoring and measurement Preventive
    Establish, implement, and maintain waste management metrics. CC ID 16152 Monitoring and measurement Preventive
    Establish, implement, and maintain emissions management metrics. CC ID 16145 Monitoring and measurement Preventive
    Establish, implement, and maintain financial management metrics. CC ID 16749 Monitoring and measurement Preventive
    Report on the percentage of unique active user identifiers. CC ID 02074 Monitoring and measurement Detective
    Report on the percentage of systems and applications that perform authenticator policy verification. CC ID 02086 Monitoring and measurement Detective
    Report on the percentage of active user passwords that are set to expire. CC ID 02087 Monitoring and measurement Detective
    Report on the percentage of systems with critical information assets that use stronger authentication than user identifiers and passwords. CC ID 02088 Monitoring and measurement Detective
    Report on the percentage of systems for which default accounts and default passwords have been disabled or reset. CC ID 02089 Monitoring and measurement Detective
    Report on the percentage of inactive user accounts that are assigned to personnel who have left or no longer need access. CC ID 02090 Monitoring and measurement Detective
    Report on the percentage of systems with account lockout thresholds set. CC ID 02091 Monitoring and measurement Detective
    Report on the percentage of inactive user accounts that have been disabled. CC ID 02092 Monitoring and measurement Detective
    Report on the percentage of workstations with session timeout or automatic logoff controls set. CC ID 02093 Monitoring and measurement Detective
    Report on the percentage of users with access to shared accounts. CC ID 04573 Monitoring and measurement Detective
    Establish, implement, and maintain a user and administrator privilege management metrics program. CC ID 02076 Monitoring and measurement Preventive
    Report on the percentage of active computer accounts that have had the current user privileges reviewed. CC ID 02094 Monitoring and measurement Detective
    Report on the percentage of systems where permission to install nonstandard software is limited. CC ID 02095 Monitoring and measurement Detective
    Report on the percentage of systems and applications that have user privileges and administrator privileges assigned in compliance with Role-Based Access Controls. CC ID 02096 Monitoring and measurement Detective
    Report on the percentage of systems for which approved configuration settings have been implemented. CC ID 02097 Monitoring and measurement Detective
    Report on the percentage of systems with configurations that do not deviate from approved standards. CC ID 02098 Monitoring and measurement Detective
    Report on the percentage of systems that are continuously monitored for compliance with the configuration standard with out-of-compliance alarms or out-of-compliance reports. CC ID 02099 Monitoring and measurement Detective
    Report on the percentage of systems whose configuration is compared with a previously established trusted configuration baseline. CC ID 02100 Monitoring and measurement Detective
    Report on the percentage of systems where the authority to make configuration changes is limited. CC ID 02101 Monitoring and measurement Detective
    Report on the percentage of system components that undergo maintenance as scheduled. CC ID 04562 Monitoring and measurement Detective
    Report on the percentage of systems that generate warnings about anomalous activity or potentially unauthorized activity. CC ID 02105 Monitoring and measurement Detective
    Report on the percentage of laptops and mobile devices that are required to be in compliance with the approved configuration standard before being granted network access. CC ID 02106 Monitoring and measurement Detective
    Report on the percentage of organizationally controlled communications channels that have been secured. CC ID 02107 Monitoring and measurement Detective
    Report on the percentage of host servers that are protected from becoming relay hosts. CC ID 02108 Monitoring and measurement Detective
    Report on the percentage of mobile users who access organizational facilities using secure communications methods. CC ID 02109 Monitoring and measurement Detective
    Report on the percentage of workstations and laptops that employ automated system security tools. CC ID 02110 Monitoring and measurement Detective
    Report on the percentage of servers that employ automated system security tools. CC ID 02111 Monitoring and measurement Detective
    Report on the percentage of mobile devices that employ automated system security tools. CC ID 02112 Monitoring and measurement Detective
    Report on the percentage of software changes that have been documented and approved through change request forms. CC ID 02152 Monitoring and measurement Detective
    Report on the percentage of systems with all approved patches installed. CC ID 02113 Monitoring and measurement Detective
    Report on the mean time from patch availability to patch installation. CC ID 02114 Monitoring and measurement Detective
    Report on the percentage of software changes that were reviewed for security impacts before the software configuration is updated. CC ID 02115 Monitoring and measurement Detective
    Report on the percentage of systems configured according to the configuration standard. CC ID 02116 Monitoring and measurement Detective
    Report on the percentage of network access controls used to gain unauthorized access. CC ID 04572 Monitoring and measurement Detective
    Report on the percentage of critical information assets stored on network accessible devices that are encrypted with widely tested and published cryptographic algorithms. CC ID 02117 Monitoring and measurement Detective
    Report on the percentage of mobile devices that use encryption for critical information assets. CC ID 02118 Monitoring and measurement Detective
    Report on the percentage of passwords and Personal Identification Numbers that are encrypted. CC ID 02119 Monitoring and measurement Detective
    Report on the percentage of media that passes sanitization procedure testing. CC ID 04574 Monitoring and measurement Detective
    Report on the percentage of systems with critical information assets or critical business functions that have been backed up in accordance with the backup policy and the system's continuity plan. CC ID 02120 Monitoring and measurement Detective
    Report on the percentage of systems with critical information assets or critical functions where restoration from a backup has been successfully demonstrated. CC ID 02121 Monitoring and measurement Detective
    Report on the percentage of backup media stored off site in secure storage. CC ID 02122 Monitoring and measurement Detective
    Report on the percentage of used backup media or archive media sanitized prior to reuse or disposal. CC ID 02123 Monitoring and measurement Detective
    Report on the estimated damage or loss resulting from all security incidents. CC ID 01674 Monitoring and measurement Detective
    Report on the percentage of security incidents that did not cause confidentiality, integrity, or availability losses beyond the Service Level Agreement thresholds. CC ID 01673 Monitoring and measurement Detective
    Report on the percentage of operational time that critical services were unavailable due to security incidents. CC ID 02124 Monitoring and measurement Detective
    Report on the percentage of security incidents that exploited existing security vulnerabilities with known solutions, patches, or workarounds. CC ID 02125 Monitoring and measurement Detective
    Report on the percentage of systems affected by security incidents that exploited existing security vulnerabilities with known solutions, patches, or workarounds. CC ID 02126 Monitoring and measurement Detective
    Report on the percentage of security incidents that were managed according to established policies, procedures, and processes. CC ID 02127 Monitoring and measurement Detective
    Report on the number of security incidents reported to FedCIRC, NIPC, the Payment Card Industry, or local law enforcement. CC ID 02154 Monitoring and measurement Detective
    Report on the percentage of systems with critical information assets or critical functions that have been assessed for security vulnerabilities. CC ID 02128 Monitoring and measurement Detective
    Report on the percentage of vulnerability assessment findings that have been addressed since the last reporting period. CC ID 02129 Monitoring and measurement Detective
    Report on the average elapsed time between the discovery of a new vulnerability and implementing corrective action. CC ID 02140 Monitoring and measurement Detective
    Report on the percentage of physical security incidents that involved entry into a facility containing Information Systems. CC ID 04564 Monitoring and measurement Detective
    Report on the percentage of unique patients who had at least one medication entered using the Computerized Provider Order Entry system. CC ID 06222 Monitoring and measurement Preventive
    Report on the percentage of unique patients who have diagnoses recorded as structured data into the current and active diagnoses problem list. CC ID 06223 Monitoring and measurement Preventive
    Report on the percentage of permissible prescriptions that are transmitted electronically. CC ID 06224 Monitoring and measurement Preventive
    Report on the percentage of unique patients who have at least one entry recorded as structured data into the active medication list. CC ID 06225 Monitoring and measurement Preventive
    Report on the percentage of unique patients who have at least one entry recorded as structured data into the active medication allergy list. CC ID 06226 Monitoring and measurement Preventive
    Report on the percentage of unique patients who have demographics recorded as structured data. CC ID 06227 Monitoring and measurement Preventive
    Report on the percentage of unique patients over the age of 2 who have their height, weight, and blood pressure recorded as structured data. CC ID 06228 Monitoring and measurement Preventive
    Report on the percentage of unique patients over the age of 13 who have their smoking status recorded as structured data. CC ID 06229 Monitoring and measurement Preventive
    Report on the percentage of patients who are given an electronic copy of their Individually Identifiable Health Information not later than three business days after Individually Identifiable Health Information is requested. CC ID 06230 Monitoring and measurement Preventive
    Report on the percentage of patients who are given clinical summaries not later than three business days after a physician office visit. CC ID 06231 Monitoring and measurement Preventive
    Report on the percentage of lab test results that are incorporated into the Electronic Health Records as structured data. CC ID 06232 Monitoring and measurement Preventive
    Report on the percentage of patients sixty-five years of age or older or five years of age or younger who were sent a reminder. CC ID 06233 Monitoring and measurement Preventive
    Report on the percentage of unique patients who are given electronic access to their Individually Identifiable Health Information not later than four business days after their Individually Identifiable Health Information is updated. CC ID 06234 Monitoring and measurement Preventive
    Report on the percentage of unique patients who are given patient-specific education resources. CC ID 06235 Monitoring and measurement Preventive
    Report on the percentage of medication reconciliations that are performed if a patient is received from another setting or healthcare provider. CC ID 06236 Monitoring and measurement Preventive
    Report on the percentage of summary of care records that are provided for transitions of care or referrals for patients who are transitioned or referred to another setting or healthcare provider. CC ID 06237 Monitoring and measurement Preventive
    Report on the percentage of patients who receive their discharge instructions if discharge instructions are requested. CC ID 06238 Monitoring and measurement Preventive
    Report on the percentage of patients 65 years of age or older who have an indication of advance directive status recorded as structured data. CC ID 06239 Monitoring and measurement Preventive
    Report compliance monitoring statistics to the Board of Directors and other critical stakeholders, as necessary. CC ID 00676
    [Finally, the governing body should report honestly and transparently to relevant stakeholders on the organizational governance framework. This includes reporting: its assessment of the governance outcomes achieved. § 5 ¶ 7 Bullet 2
    Assurance processes that inform the governing body independently and accurately include: direct reports by, and private sessions with, internal audit as an independent provider of assurance, including insight and advice, on the effectiveness and performance of governance processes and the internal control system, in particular risk management and compliance management; § 6.4.3.3 ¶ 2 Bullet 3
    Assurance processes that inform the governing body independently and accurately include: direct reports by, and private sessions with, risk management and compliance management as independent control functions; § 6.4.3.3 ¶ 2 Bullet 2]
    Monitoring and measurement Corrective
    Collect all work papers for the audit and audit report into an engagement file. CC ID 07001 Audits and risk management Preventive
    Include the word independent in the title of audit reports. CC ID 07003 Audits and risk management Preventive
    Include the date of the audit in the audit report. CC ID 07024 Audits and risk management Preventive
    Include information about the organization being audited and the auditor performing the audit in the audit report. CC ID 07004 Audits and risk management Preventive
    Include a statement that access to the report is restricted based on least privilege in the audit report. CC ID 07023 Audits and risk management Preventive
    Include the organization's audit assertion of the in scope system in the audit report. CC ID 07005 Audits and risk management Preventive
    Disclose any audit irregularities in the audit report. CC ID 06995 Audits and risk management Preventive
    Monitor and report on the status of mitigation actions in the corrective action plan. CC ID 15250 Audits and risk management Corrective
    Assess the potential level of business impact risk associated with natural disasters. CC ID 06470 Audits and risk management Detective
    Measure policy compliance when reviewing the internal control framework. CC ID 06442
    [The governing body should establish governance policies and ensure that these: set expectations for internal controls, compliance, risk management and risk taking; § 6.3.3.1.2 ¶ 1 e)]
    Operational management Corrective
    Report the analysis of consumer complaints to the Quality Management committee. CC ID 07209 Acquisition or sale of facilities, technology, and services Preventive
    Address operational anomalies within the incident management system. CC ID 11633 Monitoring and measurement Preventive
    Incorporate an Identity Theft Prevention Program into the organization's incident management system. CC ID 11634 Monitoring and measurement Preventive
    Identify information being used to support performance reviews for risk optimization. CC ID 12865 Monitoring and measurement Preventive
    Provide cross-organizational audit information based on the cross-organizational audit sharing agreement. CC ID 10596 Monitoring and measurement Preventive
    Manage supply chain audits. CC ID 01203 Audits and risk management Preventive
    Review the external auditors' involvement in assessing Information Technology controls. CC ID 01204 Audits and risk management Preventive
    Rotate auditors, as necessary. CC ID 15589
    [Where external auditors are appointed, there should be a rotation of audit firms or auditors and careful consideration and transparency of the non-audit services they provide, to ensure continued independent assurance. § 6.4.3.3 ¶ 3]
    Audits and risk management Preventive
    Engage auditors who have adequate knowledge of the subject matter. CC ID 07102 Audits and risk management Preventive
    Review the external audit scope, as necessary. CC ID 01202 Audits and risk management Preventive
    Include nondisclosure agreements in external auditor outsourcing contracts. CC ID 10014 Audits and risk management Detective
    Review the external auditor's qualifications. CC ID 01197 Audits and risk management Preventive
    Conduct a performance review of the external auditor's performance during the audit process. CC ID 01198 Audits and risk management Preventive
    Define what constitutes a threat to independence. CC ID 16824 Audits and risk management Preventive
    Determine if requested services create a threat to independence. CC ID 16823 Audits and risk management Detective
    Include provisions for legislative plurality and legislative domain in the audit program. CC ID 06959 Audits and risk management Preventive
    Include in scope procedures in the audit assertion's in scope system description. CC ID 16551 Audits and risk management Preventive
    Include roles and responsibilities in the audit assertion's in scope system description. CC ID 16558 Audits and risk management Preventive
    Include the audit criteria in the audit assertion's in scope system description. CC ID 16548 Audits and risk management Preventive
    Include third party data in the audit assertion's in scope system description. CC ID 16554 Audits and risk management Preventive
    Include third party personnel in the audit assertion's in scope system description. CC ID 16552 Audits and risk management Preventive
    Include compliance requirements in the audit assertion's in scope system description. CC ID 16506 Audits and risk management Preventive
    Include third party assets in the audit assertion's in scope system description. CC ID 16550 Audits and risk management Preventive
    Include deviations and the corrective actions taken in the audit assertion's in scope system description. CC ID 16549 Audits and risk management Preventive
    Determine the appropriateness of the audit assertion's in scope system description. CC ID 16449 Audits and risk management Detective
    Hold an opening meeting with interested personnel and affected parties prior to an audit. CC ID 15256 Audits and risk management Preventive
    Confirm audit requirements during the opening meeting. CC ID 15255 Audits and risk management Detective
    Include discussions about how particular situations will be handled in the opening meeting. CC ID 15254 Audits and risk management Preventive
    Include third party assets in the audit scope. CC ID 16504 Audits and risk management Preventive
    Determine the appropriateness of the audit subject matter. CC ID 16505 Audits and risk management Preventive
    Include the in scope material or in scope products in the audit program. CC ID 08961 Audits and risk management Preventive
    Include the date of the audit in the representation letter. CC ID 16517 Audits and risk management Preventive
    Include the criteria for determining the desired level of assurance in the audit program. CC ID 12795 Audits and risk management Preventive
    Refrain from performing an attestation engagement under defined conditions. CC ID 13952 Audits and risk management Detective
    Refrain from accepting an attestation engagement when all parties disagree on the procedures. CC ID 13951 Audits and risk management Preventive
    Audit in scope audit items and compliance documents. CC ID 06730 Audits and risk management Preventive
    Identify hypothetical assumptions in forecasts and projections during an audit. CC ID 13946 Audits and risk management Detective
    Refrain from examining forecasts and projections which refrain from disclosing assumptions during an audit. CC ID 13932 Audits and risk management Detective
    Audit policies, standards, and procedures. CC ID 12927 Audits and risk management Preventive
    Investigate the nature and causes of misstatements in the audit assertion's in scope system description. CC ID 16557 Audits and risk management Detective
    Review incident management audit logs to determine the effectiveness of in scope controls. CC ID 12157 Audits and risk management Detective
    Review audit reports to determine the effectiveness of in scope controls. CC ID 12156 Audits and risk management Detective
    Observe processes to determine the effectiveness of in scope controls. CC ID 12155 Audits and risk management Detective
    Interview stakeholders to determine the effectiveness of in scope controls. CC ID 12154 Audits and risk management Detective
    Review policies and procedures to determine the effectiveness of in scope controls. CC ID 12144 Audits and risk management Detective
    Evaluate personnel status changes to determine the effectiveness of in scope controls. CC ID 16556 Audits and risk management Detective
    Determine whether individuals performing a control have the appropriate staff qualifications, staff clearances, and staff competencies. CC ID 16555 Audits and risk management Detective
    Implement procedures that collect sufficient audit evidence. CC ID 07153 Audits and risk management Preventive
    Collect evidence about the in scope audit items of the audit assertion. CC ID 07154 Audits and risk management Preventive
    Collect audit evidence sufficient to avoid misstatements. CC ID 07155 Audits and risk management Preventive
    Collect audit evidence at the level of the organization's competence in the subject matter. CC ID 07156 Audits and risk management Preventive
    Collect audit evidence sufficient to overcome inadequacies in the organization's attestation. CC ID 07157 Audits and risk management Preventive
    Include audit evidence obtained from previous engagements in the work papers. CC ID 16518 Audits and risk management Preventive
    Include if the audit evidence has identified in scope control deficiencies in the work papers. CC ID 07152 Audits and risk management Detective
    Include any subsequent events related to the audit assertion or audit subject matter in the work papers. CC ID 07177 Audits and risk management Preventive
    Review the subject matter expert's findings. CC ID 16559 Audits and risk management Detective
    Provide auditors access to all in scope records, in scope assets, personnel and in scope procedures. CC ID 06966 Audits and risk management Preventive
    Solve any access problems auditors encounter during the audit. CC ID 08959 Audits and risk management Corrective
    Notify interested personnel and affected parties when an auditee refuses to provide access or participate in the audit. CC ID 08960 Audits and risk management Preventive
    Include the justification for not following the applicable requirements in the audit report. CC ID 16822 Audits and risk management Preventive
    Include a statement that the applicable requirements were not followed in the audit report. CC ID 16821 Audits and risk management Preventive
    Refrain from referencing previous engagements in the audit report. CC ID 16516 Audits and risk management Preventive
    Identify the participants from the organization being audited in the audit report. CC ID 15258 Audits and risk management Detective
    Include the timing of controls in the description of tests of controls and results in the audit report. CC ID 16553 Audits and risk management Preventive
    Include the organization's in scope system description in the audit report. CC ID 11626 Audits and risk management Preventive
    Include the scope and work performed in the audit report. CC ID 11621 Audits and risk management Preventive
    Review the adequacy of the internal auditor's work papers. CC ID 01146 Audits and risk management Detective
    Review the adequacy of the internal auditor's audit reports. CC ID 11620 Audits and risk management Detective
    Review management's response to issues raised in past audit reports. CC ID 01149 Audits and risk management Detective
    Review the audit program scope as it relates to the organization's profile. CC ID 01159 Audits and risk management Detective
    Assess the quality of the audit program in regards to its documentation. CC ID 11622 Audits and risk management Preventive
    Take into account if the system will be accessed by or have an impact on children in the risk management program. CC ID 14992 Audits and risk management Preventive
    Analyze the risk management strategy for addressing requirements. CC ID 12926 Audits and risk management Detective
    Analyze the risk management strategy for addressing threats. CC ID 12925 Audits and risk management Detective
    Analyze the risk management strategy for addressing opportunities. CC ID 12924 Audits and risk management Detective
    Address past incidents in the risk assessment program. CC ID 12743 Audits and risk management Preventive
    Establish and maintain the factors and context for risk to the organization. CC ID 12230
    [The governing body should ensure that it considers the effect of uncertainty on the organizational purpose and associated strategic outcomes. § 6.9.1 ¶ 1
    The governing body should ensure that it considers the effect of uncertainty on the organizational purpose and associated strategic outcomes. Table 1 Column 4 Row 10
    The governing body should oversee the organization's management of risk (see 6.4), ensuring that: a holistic view is taken by the organization, including consideration of all relevant types of risk; § 6.9.3.4 ¶ 1 a)
    {internal context}When setting the strategic outcomes and guiding the organizational strategy, the governing body should consider the organization's internal and external context, including: the organization's risk landscape; § 6.3.3.1.1 ¶ 2 c)]
    Audits and risk management Preventive
    Employ risk assessment procedures that take into account risk factors. CC ID 16560 Audits and risk management Preventive
    Categorize the systems, information, and data by risk profile in the threat and risk classification scheme. CC ID 01443 Audits and risk management Preventive
    Review the risk profiles, as necessary. CC ID 16561 Audits and risk management Detective
    Include risks to critical personnel and assets in the threat and risk classification scheme. CC ID 00698 Audits and risk management Preventive
    Assign a probability of occurrence to all types of threats in the threat and risk classification scheme. CC ID 01173 Audits and risk management Preventive
    Establish, implement, and maintain risk profiling procedures for internal risk assessments. CC ID 01157 Audits and risk management Preventive
    Automate as much of the risk assessment program, as necessary. CC ID 06459 Audits and risk management Preventive
    Approve the results of the risk assessment as documented in the risk assessment report. CC ID 07109 Audits and risk management Preventive
    Review risks to the organization's audit function when changes in the supply chain occur. CC ID 01154 Audits and risk management Preventive
    Review the risk to the audit function when the audit personnel status changes. CC ID 01153 Audits and risk management Preventive
    Conduct external audits of risk assessments, as necessary. CC ID 13308 Audits and risk management Detective
    Correlate the business impact of identified risks in the risk assessment report. CC ID 00686 Audits and risk management Preventive
    Conduct a Business Impact Analysis, as necessary. CC ID 01147 Audits and risk management Detective
    Analyze and quantify the risks to in scope systems and information. CC ID 00701 Audits and risk management Preventive
    Establish and maintain a Risk Scoping and Measurement Definitions Document. CC ID 00703 Audits and risk management Preventive
    Identify the material risks in the risk assessment report. CC ID 06482 Audits and risk management Preventive
    Assess the potential level of business impact risk associated with each business process. CC ID 06463
    [{be dependent}{environmental system}{social system}The governing body should ensure that the organization protects and restores those systems on which it depends. In this regard, the governing body should consider and manage risk associated with those decisions it makes that can impact the natural environmental, social and economic systems (see 6.9). While doing so, the governing body should ensure that relevant stakeholders are consulted and engaged (see 6.6). This should provide clarity regarding the impact the governing body's decisions have, over time, on those aspects on which the organization is: directly dependent; § 6.11.3.4 ¶ 1 Bullet 1
    {be independent}{environmental system}{social system}The governing body should ensure that the organization protects and restores those systems on which it depends. In this regard, the governing body should consider and manage risk associated with those decisions it makes that can impact the natural environmental, social and economic systems (see 6.9). While doing so, the governing body should ensure that relevant stakeholders are consulted and engaged (see 6.6). This should provide clarity regarding the impact the governing body's decisions have, over time, on those aspects on which the organization is: not directly dependent but whose ability to be sustained will be affected by the governing body's decisions. § 6.11.3.4 ¶ 1 Bullet 2]
    Audits and risk management Detective
    Assess the potential level of business impact risk associated with the business environment. CC ID 06464
    [The governing body should ensure that the value generation objectives are delivered by the organization as a whole, by applying all other principles in this document. This includes ensuring that: the impacts of the organization's changing context are identified, understood, monitored and appropriate action is taken; § 6.2.3.4 ¶ 1 b)
    {be responsible}{be accurate}The governing body should ensure that the organizational risk framework, in respect to the management of risk: mandates that relevant stakeholders are engaged responsibly and accurately, and considers the organization's positive and negative risk impacts on them (see 6.6). § 6.9.3.2 ¶ 2 h)
    {positive impact}The governing body should ensure that the organization's value generation model identifies and assesses (see 6.2): the organization's positive and negative impacts on these systems. § 6.11.3.3 ¶ 1 c)
    {external context}The governing body should ensure that the organizational risk framework, in respect to the management of risk: considers the impact of, changes to and dependencies on the external and internal context of the organization, including: § 6.9.3.2 ¶ 2 d)
    {social context}{internal context}When setting the strategic outcomes and guiding the organizational strategy, the governing body should consider the organization's internal and external context, including: the interdependence between the natural environment, social and economic context – the organization's material impact on the context and its material impact on the organization; § 6.3.3.1.1 ¶ 2 e)
    {internal context}When setting the strategic outcomes and guiding the organizational strategy, the governing body should consider the organization's internal and external context, including: the organization's impact on stakeholders; § 6.3.3.1.1 ¶ 2 h)
    Defining the organizational purpose involves identifying the issues and stakeholders for which the organization exists to serve and the negative impacts that are to be avoided. When identifying these, the governing body should ensure that the following are considered: § 6.1.3.2 ¶ 1]
    Audits and risk management Detective
    Assess the potential level of business impact risk associated with business information of in scope systems. CC ID 06465 Audits and risk management Detective
    Assess the potential business impact risk of in scope systems caused by deliberate threats to their confidentiality, integrity, and availability. CC ID 06466 Audits and risk management Detective
    Assess the potential level of business impact risk caused by accidental threats to the confidentiality, integrity and availability of critical systems. CC ID 06467 Audits and risk management Detective
    Assess the potential level of business impact risk associated with reputational damage. CC ID 15335 Audits and risk management Detective
    Assess the potential level of business impact risk associated with insider threats. CC ID 06468 Audits and risk management Detective
    Assess the potential level of business impact risk associated with external entities. CC ID 06469 Audits and risk management Detective
    Assess the potential level of business impact risk associated with control weaknesses. CC ID 06471 Audits and risk management Detective
    Prioritize and select controls based on the risk assessment findings. CC ID 00707 Audits and risk management Preventive
    Prioritize and categorize the effects of opportunities, threats and requirements on control activities. CC ID 12822 Audits and risk management Preventive
    Develop key indicators to inform management on the effectiveness of risk control measures. CC ID 12946 Audits and risk management Preventive
    Include the release status of the risk assessment in the risk treatment plan. CC ID 16320 Audits and risk management Preventive
    Identify the planned actions and controls that address high risk in the risk treatment plan. CC ID 12835 Audits and risk management Preventive
    Identify the current actions and controls that address high risk in the risk treatment plan. CC ID 12834 Audits and risk management Preventive
    Approve the risk treatment plan. CC ID 13495 Audits and risk management Preventive
    Analyze the impact of artificial intelligence systems on society. CC ID 16317 Audits and risk management Detective
    Analyze the impact of artificial intelligence systems on individuals. CC ID 16316 Audits and risk management Detective
    Establish, implement, and maintain a cybersecurity risk management program. CC ID 16827 Audits and risk management Preventive
    Analyze the effect of the Governance, Risk, and Compliance capability to achieve organizational objectives. CC ID 12809 Operational management Preventive
  • Behavior
    55
    KEY:    Primary Verb     Primary Noun     Secondary Verb     Secondary Noun     Limiting Term
    Mandated - bold    Implied - italic    Implementation - regular IMPACT ZONE CLASS
    Take into account the need for protecting information confidentiality during infrastructure planning. CC ID 06486 Leadership and high level objectives Preventive
    Involve knowledgeable and experienced individuals in the decision-making process. CC ID 06915
    [The governing body should make decisions of requisite quality and ensure that its decision-making is appropriately informed. The governing body should: § 6.8.3.2.1 ¶ 1
    The governing body should make decisions of requisite quality and ensure that its decision-making is appropriately informed. The governing body should: ensure that diverse inputs are provided to a rigorous, open and transparent decision-making process and that the results that can be achieved, options for achieving them and their implications are understood. § 6.8.3.2.1 ¶ 1 h)
    The governing body should steer the organizational strategy by means of: reserving some decisions for the governing body (those which materially or fundamentally impact the organization as a whole) and delegating others; § 6.3.3.2.2 ¶ 2 e)]
    Leadership and high level objectives Preventive
    Establish and maintain a rapport with business and technical communities throughout the organization to promote the value and importance of Information Security. CC ID 06493 Leadership and high level objectives Preventive
    Notify the interested personnel and affected parties before the storage unit will reach maximum capacity. CC ID 06773 Monitoring and measurement Detective
    Carry out disciplinary actions when a compliance violation is detected. CC ID 06675
    [When delegating, the governing body should delegate in a manner which increases trust and transparency. For delegation and accountability (see 6.5) to be effective, the governing body should ensure that the following conditions are fulfilled: consequences, such as sanctions, for the non-fulfilment of a responsibility or non-adherence to established parameters are enforceable. § 4.2.2 ¶ 2 e)]
    Monitoring and measurement Corrective
    Question external auditors about how audits were conducted and what is in the audit reports. CC ID 04587 Audits and risk management Preventive
    Disseminate and communicate with the organization about any missing audit documentation. CC ID 06992 Audits and risk management Preventive
    Exercise due professional care during the planning and performance of the audit. CC ID 07119 Audits and risk management Preventive
    Refrain from accepting an attestation engagement unless the prospective financial information includes a summary of significant assumptions. CC ID 13954 Audits and risk management Preventive
    Verify statements made by interviewees are correct. CC ID 16299 Audits and risk management Detective
    Explain the goals of the interview to the interviewee. CC ID 07189 Audits and risk management Detective
    Resolve disputes before creating the audit summary. CC ID 08964 Audits and risk management Preventive
    Disseminate and communicate to the organization that access and use of audit reports are based on least privilege. CC ID 07171 Audits and risk management Preventive
    Use the risk taxonomy when managing risk. CC ID 12280 Audits and risk management Preventive
    Disseminate and communicate information about risks to all interested personnel and affected parties. CC ID 06718
    [To demonstrate accountability, the governing body should ensure that the organization's reports and disclosures: explain and justify the organization's actions, inactions, omissions, risk and dependencies, including those of the governing body; § 6.5.3.2 ¶ 1 g)
    To ensure that the organization fulfils the organizational purpose and achieves the intended strategic outcomes, the governing body should: ensure that when the governing body makes decisions, it assesses, treats, monitors, and communicates the nature and extent of the risks faced; § 6.9.3.1 ¶ 2 b)
    The governing body should oversee the organization's management of risk (see 6.4), ensuring that: effective risk reporting and communication of risk are practised and promoted throughout the organization; § 6.9.3.4 ¶ 1 h)
    Assurance processes that inform the governing body independently and accurately include: direct reports by, and private sessions with, internal audit as an independent provider of assurance, including insight and advice, on the effectiveness and performance of governance processes and the internal control system, in particular risk management and compliance management; § 6.4.3.3 ¶ 2 Bullet 3
    {environmental system}{social system}The governing body should ensure that when the organization reports and discloses its value generation model (see 6.2 and 6.5) these include: the risks posed to the organization, and the organization's value generation model, by the natural environmental, social and economic systems within which it operates and by the governing body's decisions; § 6.11.3.4 ¶ 2 b)
    {environmental system}{social system}The governing body should ensure that when the organization reports and discloses its value generation model (see 6.2 and 6.5) these include: the risks posed to the natural environmental, social and economic systems by the organization, by the organization's value generation model and by the governing body's decisions. § 6.11.3.4 ¶ 2 c)]
    Audits and risk management Preventive
    Disseminate and communicate the risk acceptance level in the risk treatment plan to all interested personnel and affected parties. CC ID 06849 Audits and risk management Preventive
    Disseminate and communicate critical third party dependencies to interested personnel and affected parties. CC ID 06816
    [To demonstrate accountability, the governing body should ensure that the organization's reports and disclosures: explain and justify the organization's actions, inactions, omissions, risk and dependencies, including those of the governing body; § 6.5.3.2 ¶ 1 g)]
    Operational and Systems Continuity Preventive
    Limit the activities performed as a proxy to an organizational leader. CC ID 12054 Human Resources management Preventive
    Delegate authority for specific processes, as necessary. CC ID 06780
    [When delegating, the governing body should delegate in a manner which increases trust and transparency. For delegation and accountability (see 6.5) to be effective, the governing body should ensure that the following conditions are fulfilled: § 4.2.2 ¶ 2
    {be effective} Depending on the size of the organization, governing bodies can create committees to help them fulfil their obligations. These committees can be statutory or voluntary. In either case, they should provide the governing body with additional capacity, skills, independence, diversity and/or stakeholder representation. If a governing body makes use of supporting committees, the governing body should ensure that it effectively delegates the necessary responsibilities and authority to such committees. § 4.3.1 ¶ 2
    The governing body should engage with strategic planning by: delegating as necessary; § 6.3.3.2.1 ¶ 1 b)
    The governing body should ensure that effective delegation is practised (see 4.2.2), as this is necessary for accountability. § 6.5.3.1 ¶ 2]
    Human Resources management Preventive
    Implement personnel supervisory practices. CC ID 00773 Human Resources management Preventive
    Establish and maintain relationships with critical stakeholders, business functions, and leadership outside the in scope staff. CC ID 00779
    [The governing body should ensure that the organization's stakeholders are identified, prioritized, appropriately engaged, consulted and their expectations understood. The governing body should do this to ensure that stakeholder relationships are effective and appropriate decisions about expectations are made to achieve the intended value generation objectives. § 6.6.3 ¶ 1
    The governing body should consider the expectations of relevant stakeholder groups whether the organization is obliged to do so (e.g. member stakeholders, regulators) or whether it chooses to do so (e.g. reference stakeholders). The governing body should ensure that: collaborative relationships with relevant stakeholders are maintained; § 6.6.3 ¶ 3 c)
    Ethical and effective leadership should be demonstrated in three areas: the manner in which the organization interacts with, and impacts, its stakeholders and the context within which it operates. § 6.7.3.1 ¶ 4 c)
    Within the organization's external context: The governing body should ensure that the organization treats stakeholders in a manner consistent with its organizational values. § 6.7.3.3 ¶ 1 c)
    In order to lead ethically and effectively, the governing body should lead by example to create a positive culture, set the tone for others, and engender trust and cooperation among the organization's stakeholders. § 6.7.3.1 ¶ 2
    {internal context}When setting the strategic outcomes and guiding the organizational strategy, the governing body should consider the organization's internal and external context, including: the quality and nature of stakeholder relationships and effectiveness of stakeholder engagement; § 6.3.3.1.1 ¶ 2 g)
    When the governing body groups stakeholders, it should clarify its criteria for grouping, and for determining the relevance of, stakeholders. The governing body should also ensure that a stakeholder engagement process is devised on this basis. § 6.6.3 ¶ 2]
    Human Resources management Preventive
    Include management commitment in the occupational health and safety policy. CC ID 16264 Human Resources management Preventive
    Protect personnel from work-related intimidation. CC ID 07046 Human Resources management Preventive
    Include limitations on referrals for products and services in the Code of Conduct. CC ID 16719 Human Resources management Preventive
    Implement a sanctions process for personnel who fail to comply with the organizational compliance program. CC ID 01442
    [{be ethical}{be effective} Where dilemmas turn into conflicts or disputes, alternative dispute resolution mechanisms should be considered over formal litigation where possible. Disputes should be resolved ethically and effectively. § 6.7.3.4 ¶ 3]
    Human Resources management Corrective
    Take disciplinary actions against individuals who violate the Code of Conduct. CC ID 06435 Human Resources management Preventive
    Establish, implement, and maintain ethical decision-making guidelines. CC ID 12908
    [Ethical behaviour — The organization behaves in accordance with accepted principles of right or good conduct in the context of a particular situation and in a manner consistent with international norms of behaviour, including demonstrating: competence and probity in the manner in which it makes decisions. § 5 ¶ 2 c) 5)]
    Human Resources management Preventive
    Establish, implement, and maintain an ethical culture. CC ID 12781
    [Ethical behaviour — The organization behaves in accordance with accepted principles of right or good conduct in the context of a particular situation and in a manner consistent with international norms of behaviour, including demonstrating: an ethical culture; § 5 ¶ 2 c) 1)
    Ethical behaviour — The organization behaves in accordance with accepted principles of right or good conduct in the context of a particular situation and in a manner consistent with international norms of behaviour, including demonstrating: fairness in the treatment of, and engagement with, stakeholders; § 5 ¶ 2 c) 3)]
    Human Resources management Preventive
    Refrain from discriminating against employees who refuse or intend to refuse to do something that contravenes requirements. CC ID 13608 Human Resources management Preventive
    Refrain from discriminating against employees who are whistleblowers. CC ID 13609 Human Resources management Preventive
    Refrain from discriminating against employees who disclose that their employer or another person has or intends to contravene requirements. CC ID 13607 Human Resources management Preventive
    Refrain from approving previously performed activities when acting on behalf of the Chief Information Security Officer. CC ID 12060 Human Resources management Preventive
    Refrain from performing activities with approval responsibility when acting on behalf of the Chief Information Security Officer. CC ID 12059 Human Resources management Preventive
    Prohibit roles from performing activities that they are assigned the responsibility for approving. CC ID 12052 Human Resources management Preventive
    Disseminate and communicate updates to the Governance, Risk, and Compliance framework to interested personnel and affected parties. CC ID 06955
    [To demonstrate accountability, the governing body should ensure that the organization's reports and disclosures: provide information about the governing body itself, including: decisions, actions, performance and improvements; § 6.5.3.2 ¶ 1 b) 1)]
    Operational management Preventive
    Make compliance and governance decisions in a timely manner. CC ID 06490 Operational management Preventive
    Refrain from accepting instant messages from unknown senders. CC ID 12537 Operational management Preventive
    Include employee engagement in the analysis of the organizational culture. CC ID 12914 Operational management Preventive
    Include skill development in the analysis of the organizational culture. CC ID 12913 Operational management Preventive
    Include employee turnover rates in the analysis of the organizational culture. CC ID 12912 Operational management Preventive
    Include employee loyalty in the analysis of the organizational culture. CC ID 12911 Operational management Preventive
    Include employee satisfaction in the analysis of the organizational culture. CC ID 12910 Operational management Preventive
    Disseminate and communicate the Governance, Risk, and Compliance framework to all interested personnel and affected parties. CC ID 00815
    [{individual}{hold accountable} The governing body should demonstrate its willingness to answer for the fulfilment of its responsibilities, even where these have been delegated. The governing body should also report on the manner in which it holds to account those to whom it has delegated. § 6.5.3.1 ¶ 1
    To demonstrate accountability, the governing body should ensure that the organization's reports and disclosures: provide information about the governing body itself, including: § 6.5.3.2 ¶ 1 b)
    Finally, the governing body should report honestly and transparently to relevant stakeholders on the organizational governance framework. This includes reporting: § 5 ¶ 7]
    Operational management Preventive
    Notify interested personnel and affected parties prior to when the system is redeployed or the system is disposed. CC ID 06400 Operational management Preventive
    Maintain contact with the device manufacturer or component manufacturer for maintenance requests. CC ID 06388 Operational management Preventive
    Respond to maintenance requests inside the organizationally established time frame. CC ID 04878 Operational management Preventive
    Perform periodic maintenance according to organizational standards. CC ID 01435 Operational management Preventive
    Notify the complainant regarding any missing information in the take-down request. CC ID 09973 Acquisition or sale of facilities, technology, and services Preventive
    Respond to data access requests in a timely manner. CC ID 00421 Privacy protection for information and data Preventive
    Notify the individual of the reasons for delays in responding to data access requests. CC ID 00422 Privacy protection for information and data Detective
    Notify the individual when a cost is imposed which must be paid in advance to gain access. CC ID 00423 Privacy protection for information and data Detective
    Notify the data subject of the source of collected personal data. CC ID 00083 Privacy protection for information and data Preventive
    Refrain from requiring a Personal Identification Number to purchase goods or services. CC ID 00069 Privacy protection for information and data Preventive
    Use simple understandable language to collect information from children. CC ID 00039 Privacy protection for information and data Preventive
    Use the contact information on file to contact the individual identified in an account change request. CC ID 04857 Privacy protection for information and data Detective
  • Business Processes
    167
    Establish, implement, and maintain a reporting methodology program. CC ID 02072
    [The governing body should: set an expectation of the appropriate quality and quantity of measurement and timeliness of delivery when establishing objectives; § 4.3.2 ¶ 2 c)
    The governing body should: determine the most appropriate reporting methodologies for the organization, given the expectations of its relevant stakeholders; § 6.5.3.2 ¶ 2 Bullet 1
    The governing body should consider the expectations of relevant stakeholder groups whether the organization is obliged to do so (e.g. member stakeholders, regulators) or whether it chooses to do so (e.g. reference stakeholders). The governing body should ensure that: reporting is coherent so that stakeholders can effectively assess the organization's governance arrangements (see 6.5.3). § 6.6.3 ¶ 3 f)
    To demonstrate accountability, the governing body should ensure that the organization's reports and disclosures: report on historic actions and outcomes, as well as future intentions. § 6.5.3.2 ¶ 1 h)
    {be complete}{be understandable}{be responsive}{be accurate}{be timely}The governing body should: ensure that reported information and disclosed information are material, complete, understandable, responsive, accurate, balanced and timely; § 6.5.3.2 ¶ 2 Bullet 2]
    Leadership and high level objectives Preventive
    Use secure communication protocols for telecommunications. CC ID 16458 Leadership and high level objectives Preventive
    Analyze the flow of information to ensure it is being received by the correct processes. CC ID 12860
    [The governing body should make decisions of requisite quality and ensure that its decision-making is appropriately informed. The governing body should: exercise its right and responsibility to determine and receive the information it requires, including determining the appropriate data collection methods, preparation and timely delivery of information; § 6.8.3.2.1 ¶ 1 f)]
    Leadership and high level objectives Preventive
    Establish, implement, and maintain an internal reporting program. CC ID 12409
    [{individual}To exercise effective oversight, the governing body should: require those to whom they have delegated to provide timely and accurate reports on all material aspects of the management of the organization; § 6.4.3.1 ¶ 1 a)
    The governing body should oversee organizational performance by assessing and taking corrective action based on: managerial reporting and performance, ensuring that it appraises results against applicable measurement criteria and its intentions and expectations (see 6.3.3); § 6.4.3.2 ¶ 1 b)
    The governing body should make decisions of requisite quality and ensure that its decision-making is appropriately informed. The governing body should: exercise its right and responsibility to determine and receive the information it requires, including determining the appropriate data collection methods, preparation and timely delivery of information; § 6.8.3.2.1 ¶ 1 f)]
    Leadership and high level objectives Preventive
    Include transactions and events as a part of internal reporting. CC ID 12413 Leadership and high level objectives Preventive
    Identify the material topics required to be reported on. CC ID 15654 Leadership and high level objectives Preventive
    Analyze the business environment in which the organization operates. CC ID 12798
    [When applying the governance principles and deciding how to appropriately implement the practices, the governing body should take into consideration the unique and dynamic nature of the organization and its context, including the following: § 5 ¶ 5
    Defining the organizational purpose involves identifying the issues and stakeholders for which the organization exists to serve and the negative impacts that are to be avoided. When identifying these, the governing body should ensure that the following are considered: existing documentation relating to the organizational purpose and the scope of the organization's activities, such as constituting documents or other artefacts; § 6.1.3.2 ¶ 1 a)
    Take steps to become appropriately informed of all aspects of the organization and the context within which it operates (such as legal, natural environment, social, economic, technical and personnel). Table 2 Column 2 Row 3 Bullet 1]
    Leadership and high level objectives Preventive
    Align assets with business functions and the business environment. CC ID 13681 Leadership and high level objectives Preventive
    Analyze the external environment in which the organization operates. CC ID 12799
    [Responsible stewardship — The organization: considers the global context; § 5 ¶ 2 b) 3)
    {social context}{internal context}When setting the strategic outcomes and guiding the organizational strategy, the governing body should consider the organization's internal and external context, including: the interdependence between the natural environment, social and economic context – the organization's material impact on the context and its material impact on the organization; § 6.3.3.1.1 ¶ 2 e)]
    Leadership and high level objectives Preventive
    Include environmental requirements in the analysis of the external environment. CC ID 12965
    [While not defined as stakeholders, the natural environment and society as a whole should also be considered by the governing body in its decision-making because they affect or will be affected by the organization's activities. § 4.2.5 ¶ 2
    {legal and regulatory context}{social context}When applying the governance principles and deciding how to appropriately implement the practices, the governing body should take into consideration the unique and dynamic nature of the organization and its context, including the following: legal, regulatory, natural environment, social and economic context; § 5 ¶ 5 Bullet 2
    {social issue} In determining the value generation model, the governing body should understand the context in which the organization operates over time, including stakeholder expectations, regulatory frameworks, technological change, and the present and potential future natural environment, social and economic issues. The governing body should also ensure that the organization's value generation model continues to be viable and responds to changing conditions. § 6.2.3.1 ¶ 3]
    Leadership and high level objectives Preventive
    Include regulatory requirements in the analysis of the external environment. CC ID 12964
    [{legal and regulatory context}{social context}When applying the governance principles and deciding how to appropriately implement the practices, the governing body should take into consideration the unique and dynamic nature of the organization and its context, including the following: legal, regulatory, natural environment, social and economic context; § 5 ¶ 5 Bullet 2
    {social issue} In determining the value generation model, the governing body should understand the context in which the organization operates over time, including stakeholder expectations, regulatory frameworks, technological change, and the present and potential future natural environment, social and economic issues. The governing body should also ensure that the organization's value generation model continues to be viable and responds to changing conditions. § 6.2.3.1 ¶ 3]
    Leadership and high level objectives Preventive
    Include society in the analysis of the external environment. CC ID 12963
    [While not defined as stakeholders, the natural environment and society as a whole should also be considered by the governing body in its decision-making because they affect or will be affected by the organization's activities. § 4.2.5 ¶ 2
    {legal and regulatory context}{social context}When applying the governance principles and deciding how to appropriately implement the practices, the governing body should take into consideration the unique and dynamic nature of the organization and its context, including the following: legal, regulatory, natural environment, social and economic context; § 5 ¶ 5 Bullet 2
    {social issue} In determining the value generation model, the governing body should understand the context in which the organization operates over time, including stakeholder expectations, regulatory frameworks, technological change, and the present and potential future natural environment, social and economic issues. The governing body should also ensure that the organization's value generation model continues to be viable and responds to changing conditions. § 6.2.3.1 ¶ 3]
    Leadership and high level objectives Preventive
    Include opportunities in the analysis of the external environment. CC ID 12954 Leadership and high level objectives Preventive
    Include third party relationships in the analysis of the external environment. CC ID 12952 Leadership and high level objectives Preventive
    Include industry forces in the analysis of the external environment. CC ID 12904
    [{internal context}When setting the strategic outcomes and guiding the organizational strategy, the governing body should consider the organization's internal and external context, including: the organization's strengths, weaknesses, competitive positioning and operational resilience; § 6.3.3.1.1 ¶ 2 i)]
    Leadership and high level objectives Preventive
    Include threats in the analysis of the external environment. CC ID 12898
    [Defining the organizational purpose involves identifying the issues and stakeholders for which the organization exists to serve and the negative impacts that are to be avoided. When identifying these, the governing body should ensure that the following are considered: important issues including global threats that evolve over time (e.g. climate change); § 6.1.3.2 ¶ 1 c)]
    Leadership and high level objectives Preventive
    Include geopolitics in the analysis of the external environment. CC ID 12897 Leadership and high level objectives Preventive
    Include legal requirements in the analysis of the external environment. CC ID 12896 Leadership and high level objectives Preventive
    Include technology in the analysis of the external environment. CC ID 12837
    [{social issue} In determining the value generation model, the governing body should understand the context in which the organization operates over time, including stakeholder expectations, regulatory frameworks, technological change, and the present and potential future natural environment, social and economic issues. The governing body should also ensure that the organization's value generation model continues to be viable and responds to changing conditions. § 6.2.3.1 ¶ 3]
    Leadership and high level objectives Preventive
    Include analyzing the market in the analysis of the external environment. CC ID 12836
    [{legal and regulatory context}{social context}When applying the governance principles and deciding how to appropriately implement the practices, the governing body should take into consideration the unique and dynamic nature of the organization and its context, including the following: legal, regulatory, natural environment, social and economic context; § 5 ¶ 5 Bullet 2
    {social issue} In determining the value generation model, the governing body should understand the context in which the organization operates over time, including stakeholder expectations, regulatory frameworks, technological change, and the present and potential future natural environment, social and economic issues. The governing body should also ensure that the organization's value generation model continues to be viable and responds to changing conditions. § 6.2.3.1 ¶ 3]
    Leadership and high level objectives Preventive
    Conduct a context analysis to define objectives and strategies. CC ID 12864
    [Leadership styles can differ, but they all involve the setting of expectations which others follow. Since the governing body is accountable for the whole organization, including its behaviour, decisions and activities, the governing body should set those expectations it requires the organization to follow, including the parameters within which the organization is to do so. These expectations should be set mindfully and intentionally, considering the context within which the organization operates. § 6.7.3.1 ¶ 1
    {internal context} When setting the strategic outcomes and guiding the organizational strategy, the governing body should consider the organization's internal and external context, including: § 6.3.3.1.1 ¶ 2
    {social issue} In determining the value generation model, the governing body should understand the context in which the organization operates over time, including stakeholder expectations, regulatory frameworks, technological change, and the present and potential future natural environment, social and economic issues. The governing body should also ensure that the organization's value generation model continues to be viable and responds to changing conditions. § 6.2.3.1 ¶ 3]
    Leadership and high level objectives Preventive
    Identify requirements that could affect achieving organizational objectives. CC ID 12828
    [When applying the governance principles and deciding how to appropriately implement the practices, the governing body should take into consideration the unique and dynamic nature of the organization and its context, including the following: commitments and obligations associated with organizational activities and value generation processes; § 5 ¶ 5 Bullet 6]
    Leadership and high level objectives Preventive
    Identify opportunities that could affect achieving organizational objectives. CC ID 12826
    [New technology brings an increase in the volume and value of data, and a responsibility for governing bodies to ensure that: valuable opportunities are leveraged; § 6.8.3.4 ¶ 1 Bullet 2
    To ensure that the organization is acting in a socially responsible way, the governing body should: ensure that issues and opportunities affecting stakeholder expectations are identified and articulated (see 6.9); § 6.10.3 ¶ 1 b)
    Defining the organizational purpose involves identifying the issues and stakeholders for which the organization exists to serve and the negative impacts that are to be avoided. When identifying these, the governing body should ensure that the following are considered: organizational capabilities and opportunities. § 6.1.3.2 ¶ 1 e)
    {internal context}When setting the strategic outcomes and guiding the organizational strategy, the governing body should consider the organization's internal and external context, including: potential opportunities for innovation. § 6.3.3.1.1 ¶ 2 k)
    Defining the organizational purpose involves identifying the issues and stakeholders for which the organization exists to serve and the negative impacts that are to be avoided. When identifying these, the governing body should ensure that the following are considered: § 6.1.3.2 ¶ 1
    Defining the organizational purpose involves identifying the issues and stakeholders for which the organization exists to serve and the negative impacts that are to be avoided. When identifying these, the governing body should ensure that the following are considered: important issues including global threats that evolve over time (e.g. climate change); § 6.1.3.2 ¶ 1 c)]
    Leadership and high level objectives Preventive
    Prioritize organizational objectives. CC ID 09960
    [{social context} The governing body should define the organization's value generation objectives such that they fulfil the organizational purpose in accordance with the organizational values and the natural environment, social and economic context within which it operates. This should include iterations of identifying relevant stakeholder groups and determining, prioritizing and formulating objectives which meet the expectations of these groups. § 6.2.3.2 ¶ 1]
    Leadership and high level objectives Preventive
    Select financial reporting objectives consistent with accounting principles available to the organization. CC ID 12400 Leadership and high level objectives Preventive
    Identify threats that could affect achieving organizational objectives. CC ID 12827 Leadership and high level objectives Preventive
    Review the organization's approach to managing information security, as necessary. CC ID 12005 Leadership and high level objectives Preventive
    Analyze and prioritize the requirements of interested personnel and affected parties. CC ID 12796
    [{member stakeholder}When applying the governance principles and deciding how to appropriately implement the practices, the governing body should take into consideration the unique and dynamic nature of the organization and its context, including the following: expectations of relevant stakeholders, particularly member and reference stakeholders; § 5 ¶ 5 Bullet 3
    {member stakeholder}{reference stakeholder}{be fair} The governing body should treat, and ensure that the organization treats, all stakeholders fairly and should consider the expectations of relevant stakeholders. The governing body should ensure that the organizational purpose (see 6.1) and the intended value to be generated (see 6.2) are defined through engagement with member, reference and other relevant stakeholders § 4.2.5 ¶ 1
    The governing body should oversee organizational performance by assessing and taking corrective action based on: the organization's identification of, and engagement with, relevant stakeholders (see 6.6); § 6.4.3.2 ¶ 1 e)
    The governing body should ensure that the organization's stakeholders are appropriately engaged and their expectations considered. § 6.6.1 ¶ 1
    The governing body should ensure that the organization's stakeholders are identified, prioritized, appropriately engaged, consulted and their expectations understood. The governing body should do this to ensure that stakeholder relationships are effective and appropriate decisions about expectations are made to achieve the intended value generation objectives. § 6.6.3 ¶ 1
    The governing body should consider the expectations of relevant stakeholder groups whether the organization is obliged to do so (e.g. member stakeholders, regulators) or whether it chooses to do so (e.g. reference stakeholders). The governing body should ensure that: § 6.6.3 ¶ 3
    The governing body should provide direction for, and have sufficient oversight of, the use of data and its supporting information technology to ensure the organization remains within its established risk appetite and organizational risk framework. This can include: ensuring that the wider organizational stakeholders are considered in the organization's use of information technology, particularly as it relates to human capital. § 6.8.3.4 ¶ 2 f)
    {external context}The governing body should ensure that the organizational risk framework, in respect to the management of risk: considers the impact of, changes to and dependencies on the external and internal context of the organization, including: stakeholders; § 6.9.3.2 ¶ 2 d) 1)
    {stakeholder engagement process}To ensure that the organization is acting in a socially responsible way, the governing body should: ensure that the expectations of stakeholders are clearly understood; this includes continually engaging relevant stakeholders through an engagement process and a highly developed approach to accountability (see 6.5); § 6.10.3 ¶ 1 a)
    The governing body should ensure that the organization's stakeholders are appropriately engaged and their expectations considered. Table 1 Column 4 Row 7
    {member stakeholder}{reference stakeholder}Defining the organizational purpose involves identifying the issues and stakeholders for which the organization exists to serve and the negative impacts that are to be avoided. When identifying these, the governing body should ensure that the following are considered: member, reference and other relevant stakeholder expectations; § 6.1.3.2 ¶ 1 d)
    The organization's viability and performance over time depends on the resilience of natural environmental, social and economic systems in which the organization operates. The resilience of these systems benefits from governing body decisions when such decisions consider: relevant stakeholder expectations (see 6.6 and 6.10); § 6.11.3.1 ¶ 1 Bullet 1
    {internal context}When setting the strategic outcomes and guiding the organizational strategy, the governing body should consider the organization's internal and external context, including: relevant stakeholder expectations; § 6.3.3.1.1 ¶ 2 j)
    Effective performance — The organization: remains in alignment with its policies and relevant stakeholder expectations. § 5 ¶ 2 a) 4)
    Responsible stewardship — The organization: engenders the trust and confidence of the communities within which it operates, and beyond. § 5 ¶ 2 b) 5)
    A process of reconciliation between seemingly opposed dimensions leads to more informed and robust decisions. Reconciling dilemmas requires a deliberate approach that includes: understanding and articulating the opposing perspectives; § 6.7.3.4 ¶ 2 b)
    {social issue} In determining the value generation model, the governing body should understand the context in which the organization operates over time, including stakeholder expectations, regulatory frameworks, technological change, and the present and potential future natural environment, social and economic issues. The governing body should also ensure that the organization's value generation model continues to be viable and responds to changing conditions. § 6.2.3.1 ¶ 3]
    Leadership and high level objectives Preventive
    Enforce a continuous Quality Control system. CC ID 01005 Leadership and high level objectives Detective
    Correct errors and deficiencies in a timely manner. CC ID 13501
    [Decision-making throughout the organization should be supported by appropriate delegation (see 4.2.2). This delegation should be formalized together with appropriate assurance processes. Additionally, the governing body should ensure that: information structures, including access to information, monitoring and potential mitigation of incorrect decisions are sufficient to ensure compliance with organizational requirements. § 6.8.3.2.2 ¶ 1 c)]
    Leadership and high level objectives Corrective
    Establish and maintain time frames for correcting deficiencies found during Quality Control. CC ID 07206 Leadership and high level objectives Detective
    Review and analyze any quality improvement goals that were missed. CC ID 07204 Leadership and high level objectives Detective
    Identify roles, tasks, information, systems, and assets that fall under the organization's mandated Authority Documents. CC ID 00688
    [The governing body should ensure that the organization identifies, manages, monitors and communicates the nature and extent of its use of data (see 6.5.3). § 6.8.3.1 ¶ 1
    The value generation model requires an integrated approach to understanding and using resources (e.g. human, social and relational, intellectual, the natural environment, financial and manufactured). This approach includes: identification of all resources involved in the model; § 6.2.3.1 ¶ 4 a)
    The governing body should ensure that the organization's value generation model (see 6.2): identifies the key resources (e.g. capitals such as human, social and relational, intellectual, the natural environmental, financial and manufactured), structures, processes, relationships, information, decision-making, reporting and other aspects of the organization that allow it to create sustained value for relevant stakeholders; § 6.11.3.2 ¶ 1 a)
    The governing body should ensure that the organization's value generation model identifies and assesses (see 6.2): the relevant external systems on which the organization depends; § 6.11.3.3 ¶ 1 a)]
    Leadership and high level objectives Preventive
    Assess the impact of changes to organizational policies, standards, and procedures, as necessary. CC ID 14824
    [The governing body should oversee organizational performance by assessing and taking corrective action based on: the organization's management of plans, organizational changes and other substantial transformations as well as responses to unplanned events and incidents. § 6.4.3.2 ¶ 1 j)]
    Leadership and high level objectives Preventive
    Review the compliance exceptions in the exceptions document, as necessary. CC ID 01632 Leadership and high level objectives Preventive
    Align the reporting methodology with the decision management strategy. CC ID 15659 Leadership and high level objectives Preventive
    Use a risk-based approach to adapt the Strategic Information Technology Plan to the business's needs. CC ID 00631 Leadership and high level objectives Corrective
    Mirror the organization's business strategy during Information Technology planning in the Strategic Information Technology Plan. CC ID 00630
    [The governing body should provide direction for, and have sufficient oversight of, the use of data and its supporting information technology to ensure the organization remains within its established risk appetite and organizational risk framework. This can include: ensuring that human behaviour is considered when applying information technology, including safety, fit for purpose and alignment with the organizational purpose; § 6.8.3.4 ¶ 2 e)]
    Leadership and high level objectives Preventive
    Escalate for management authorization any proposed projects where effective use of existing resources is overlooked. CC ID 06848 Leadership and high level objectives Preventive
    Establish, implement, and maintain a Governance, Risk, and Compliance awareness and training program. CC ID 06492
    [Governing body members should continuously improve their competency regarding the organization's activities, legal requirements and, more broadly, the organization's context. This improving capability, together with regular reviews of governance practices, should ensure a continually improving governance environment. § 4.3.2 ¶ 1
    {individual}The governing body should steer the organizational strategy by means of: monitoring, evaluating and developing the capacities and competencies of those to whom the governing body has delegated; § 6.3.3.2.2 ¶ 2 g)]
    Leadership and high level objectives Preventive
    Return the funds from a funds transfer when required information is not received or discrepancies resolved. CC ID 16760 Leadership and high level objectives Preventive
    Delay the funds transfer until all required information has been received or discrepancies resolved. CC ID 16759 Leadership and high level objectives Preventive
    Refrain from making funds from a funds transfer available to the interested personnel until all required information is received. CC ID 16758 Leadership and high level objectives Preventive
    Attach the required information to each funds transfer. CC ID 16756 Leadership and high level objectives Preventive
    Verify all required information is attached to each funds transfer. CC ID 16755 Leadership and high level objectives Detective
    Establish, implement, and maintain protective measures for customers from a bank's insolvency or default. CC ID 16738 Leadership and high level objectives Preventive
    Refrain from setting up anonymous financial accounts. CC ID 16721 Leadership and high level objectives Preventive
    Identify and maintain positions in financial accounts. CC ID 16751 Leadership and high level objectives Preventive
    Supplement financial resources, as necessary. CC ID 16685 Leadership and high level objectives Preventive
    Limit the types of assets accepted as collateral. CC ID 16602 Leadership and high level objectives Preventive
    Avoid the use of concentrated holdings of assets. CC ID 16651 Leadership and high level objectives Preventive
    Establish, implement, and maintain a securities trading program. CC ID 16626 Leadership and high level objectives Preventive
    Include investment information in approval requests for investments. CC ID 16590 Leadership and high level objectives Preventive
    Review and approve lending policies. CC ID 16607 Leadership and high level objectives Preventive
    Establish, implement, and maintain margin systems. CC ID 16601 Leadership and high level objectives Preventive
    Establish, implement, and maintain capital adequacy measures. CC ID 16568 Leadership and high level objectives Preventive
    Implement a fraud detection system. CC ID 13081 Monitoring and measurement Preventive
    Approve the system security plan. CC ID 14241 Monitoring and measurement Preventive
    Identify information being used to support the performance of the governance, risk, and compliance capability. CC ID 12866 Monitoring and measurement Preventive
    Align enforcement reviews for non-compliance with organizational risk tolerance. CC ID 13063 Monitoring and measurement Detective
    Establish, implement, and maintain an identification and classification of information assets metrics program. CC ID 02052 Monitoring and measurement Preventive
    Establish, implement, and maintain an Information Systems architecture metrics program. CC ID 02059 Monitoring and measurement Preventive
    Establish, implement, and maintain a physical environment metrics program. CC ID 02063 Monitoring and measurement Preventive
    Establish, implement, and maintain a user identification and authentication metrics program. CC ID 02073 Monitoring and measurement Preventive
    Establish, implement, and maintain a user account management metrics program. CC ID 02075 Monitoring and measurement Preventive
    Establish, implement, and maintain a Configuration Management metrics program. CC ID 02077 Monitoring and measurement Preventive
    Establish, implement, and maintain a communications, e-mail, and remote access security management metrics program. CC ID 02079 Monitoring and measurement Preventive
    Establish, implement, and maintain a malicious code protection management metrics program. CC ID 02080 Monitoring and measurement Preventive
    Establish, implement, and maintain a software change management metrics program. CC ID 02081 Monitoring and measurement Preventive
    Establish, implement, and maintain a network management and firewall management metrics program. CC ID 02082 Monitoring and measurement Preventive
    Establish, implement, and maintain a data encryption management metrics program. CC ID 02083 Monitoring and measurement Preventive
    Establish, implement, and maintain a backup management and recovery management metrics program. CC ID 02084 Monitoring and measurement Preventive
    Establish, implement, and maintain an incident management and vulnerability management metrics program. CC ID 02085 Monitoring and measurement Preventive
    Align corrective actions with the level of environmental impact. CC ID 15193 Monitoring and measurement Preventive
    Identify personnel who should attend the closing meeting. CC ID 15261 Audits and risk management Preventive
    Schedule attestation engagement meetings with interested personnel and affected parties, as necessary. CC ID 15263 Audits and risk management Preventive
    Refrain from accepting an attestation engagement when the engaging party refuses to sign the engagement letter. CC ID 14912 Audits and risk management Preventive
    Accept the attestation engagement when all preconditions are met. CC ID 13933 Audits and risk management Preventive
    Respond to questions or clarification requests regarding the audit. CC ID 08902 Audits and risk management Preventive
    Review the need for organizational efficiency as balanced against the needs of compliance and security. CC ID 07111 Audits and risk management Preventive
    Provide auditors access to affected parties during the audit, as necessary. CC ID 07187 Audits and risk management Preventive
    Disclaim the audit opinion in the audit report, as necessary. CC ID 13901 Audits and risk management Corrective
    Notify interested personnel and affected parties after bribes are offered during the audit. CC ID 08872 Audits and risk management Preventive
    Document and justify any exclusions from the scope of the risk management activities in the risk management program. CC ID 15336 Audits and risk management Detective
    Integrate the risk management program with the organization's business activities. CC ID 13661
    [The governing body should establish an organizational risk framework that ensures a formal, proactive and anticipative approach to the management of risk across the organization, including by the governing body. The governing body should ensure that this framework integrates risk management into all organizational activities. § 6.9.3.2 ¶ 1
    In overseeing risk management, the governing body should specifically assure itself that risk management is integrated into all organizational activities by seeking evidence that, for example: § 6.9.3.4 ¶ 2]
    Audits and risk management Preventive
    Integrate the risk management program into daily business decision-making. CC ID 13659
    [The governing body should oversee the organization's management of risk (see 6.4), ensuring that: decision-making behaviours are informed by risk assessment outcomes and are consistent with governance policies; § 6.9.3.4 ¶ 1 g)
    The governing body should ensure that the organizational risk framework, in respect to the management of risk: guides decision-making behaviours and the impact of leadership actions, inactions or omissions on those behaviours; § 6.9.3.2 ¶ 2 b)]
    Audits and risk management Preventive
    Include regular updating in the risk management system. CC ID 14990 Audits and risk management Preventive
    Design a portfolio of insurance options in accordance with risk decision-making criteria. CC ID 12878 Audits and risk management Preventive
    Design a portfolio of loans in accordance with risk decision-making criteria. CC ID 12877 Audits and risk management Preventive
    Design a portfolio of risk limiting and mitigating approaches in organizational contracts in accordance with risk decision-making criteria. CC ID 12903 Audits and risk management Preventive
    Approve the threat and risk classification scheme. CC ID 15693 Audits and risk management Preventive
    Establish, implement, and maintain a risk assessment awareness and training program. CC ID 06453 Audits and risk management Preventive
    Align organizational risk tolerance to that of industry peers in the risk register. CC ID 09962 Audits and risk management Preventive
    Review the Business Impact Analysis, as necessary. CC ID 12774 Audits and risk management Preventive
    Review and approve material risks documented in the residual risk report, as necessary. CC ID 13672 Audits and risk management Preventive
    Analyze the impact of artificial intelligence systems on business operations. CC ID 16356 Audits and risk management Preventive
    Evaluate the cyber insurance market. CC ID 12695 Audits and risk management Preventive
    Evaluate the usefulness of cyber insurance to the organization. CC ID 12694 Audits and risk management Preventive
    Acquire cyber insurance, as necessary. CC ID 12693 Audits and risk management Preventive
    Define and assign the assessment team's roles and responsibilities. CC ID 08890 Human Resources management Preventive
    Place Information Technology operations in a position to support the business model. CC ID 00766 Human Resources management Preventive
    Review organizational personnel successes. CC ID 00767 Human Resources management Preventive
    Evaluate the staffing requirements regularly. CC ID 00775 Human Resources management Detective
    Establish, implement, and maintain an occupational health and safety management system. CC ID 16201 Human Resources management Preventive
    Involve interested personnel and affected parties in occupational health and safety management system processes. CC ID 16274 Human Resources management Preventive
    Refrain from loaning mobile devices to unauthorized personnel. CC ID 15218 Human Resources management Preventive
    Establish, implement, and maintain performance reviews. CC ID 14777
    [The governing body should oversee organizational performance by assessing and taking corrective action based on: managerial reporting and performance, ensuring that it appraises results against applicable measurement criteria and its intentions and expectations (see 6.3.3); § 6.4.3.2 ¶ 1 b)
    The governing body should oversee organizational performance by assessing and taking corrective action based on: resource allocations, capacity and capabilities (including people and their development) ensuring that the organization is enabled to meet its organizational purpose, value generation objectives and strategic outcomes; § 6.4.3.2 ¶ 1 g)]
    Human Resources management Detective
    Conduct staff performance reviews, as necessary. CC ID 07205
    [{individual}The governing body should steer the organizational strategy by means of: monitoring, evaluating and developing the capacities and competencies of those to whom the governing body has delegated; § 6.3.3.2.2 ¶ 2 g)]
    Human Resources management Detective
    Refrain from practicing false advertising. CC ID 14253 Human Resources management Preventive
    Establish mechanisms for whistleblowers to report compliance violations. CC ID 06806
    [To ensure that the organization is acting in a socially responsible way, the governing body should: steer the organization such that its decision-making and activities are consistent with the organizational purpose, organizational values and governance policies, including considering how stakeholders can report a breach in behaviour (e.g. via whistleblowing); § 6.10.3 ¶ 1 f)
    Assurance processes that inform the governing body independently and accurately include: whistleblowing processes and personnel and customer feedback mechanisms, both formal and informal (see NOTE 3). § 6.4.3.3 ¶ 2 Bullet 5]
    Human Resources management Preventive
    Respond to ethics complaints of ethics violations. CC ID 11497 Human Resources management Corrective
    Establish, implement, and maintain a positive information control environment. CC ID 00813
    [The governing body should lead the organization ethically and effectively and ensure such leadership throughout the organization. § 6.7.1 ¶ 1
    Ethical and effective leadership should be demonstrated in three areas: § 6.7.3.1 ¶ 4
    The governing body should demonstrate effective leadership across all areas. § 6.7.3.2 ¶ 1
    The governing body should lead the organization ethically and effectively and ensure such leadership throughout the organization. Table 1 Column 4 Row 8
    In order to lead ethically and effectively, the governing body should lead by example to create a positive culture, set the tone for others, and engender trust and cooperation among the organization's stakeholders. § 6.7.3.1 ¶ 2
    Ethical leadership results in an organizational context and culture that: provides increased certainty, which in turn, creates reputational value. § 6.7.3.3 ¶ 3 Bullet 5
    {be responsible}{be ethical} The governing body should, in particular, ensure that the organization recognizes data as a strategic resource and ensure that the organization uses data responsibly and ethically. § 6.8.3.1 ¶ 2
    {be ethical}New technology brings an increase in the volume and value of data, and a responsibility for governing bodies to ensure that: data are used ethically; § 6.8.3.4 ¶ 1 Bullet 1
    The governing body should ensure that the organizational risk framework, in respect to the management of risk: establishes the desired risk culture across the organization that encourages the reporting and communication of new and emerging risks, and ensures that every person in the organization understands their risk management responsibility; § 6.9.3.2 ¶ 2 a)
    Ethical leadership results in an organizational context and culture that: assists in reconciling strategic dilemmas by creating organizational alignment through the integration of opposites; § 6.7.3.3 ¶ 3 Bullet 2
    Ethical leadership results in an organizational context and culture that: provides the individuals of an organization with a collective sense of belonging; § 6.7.3.3 ¶ 3 Bullet 1]
    Operational management Preventive
    Define the scope for the internal control framework. CC ID 16325 Operational management Preventive
    Review the relevance of information supporting internal controls. CC ID 12420 Operational management Detective
    Assign resources to implement the internal control framework. CC ID 00816
    [When delegating, the governing body should delegate in a manner which increases trust and transparency. For delegation and accountability (see 6.5) to be effective, the governing body should ensure that the following conditions are fulfilled: required resources are available; § 4.2.2 ¶ 2 b)
    The governing body should steer the organizational strategy by means of: decision-making, specifically, the strategic deployment of resources. § 6.3.3.2.2 ¶ 2 j)
    {procedure}The governing body should ensure that it sets parameters, within which the value generation objectives are to be achieved. These parameters should ensure that the organization: defines what resources are required to deliver the value generation objectives and how they should be accessed and allocated; § 6.2.3.3 ¶ 1 b)]
    Operational management Preventive
    Establish, implement, and maintain a baseline of internal controls. CC ID 12415
    [The governing body should establish governance policies and ensure that these: set expectations for internal controls, compliance, risk management and risk taking; § 6.3.3.1.2 ¶ 1 e)]
    Operational management Preventive
    Leverage actionable information to support internal controls. CC ID 12414 Operational management Preventive
    Align the information security policy with the organization's risk acceptance level. CC ID 13042 Operational management Preventive
    Establish, implement, and maintain information security procedures. CC ID 12006 Operational management Preventive
    Refrain from requiring supervision when users are accessing social media applications. CC ID 14011 Operational management Preventive
    Refrain from requiring users to disclose social media account usernames or authenticators. CC ID 14009 Operational management Preventive
    Establish, implement, and maintain information sharing agreements. CC ID 15645 Operational management Preventive
    Adhere to operating procedures as defined in the Standard Operating Procedures Manual. CC ID 06328 Operational management Preventive
    Establish, implement, and maintain domain name registration and renewal procedures. CC ID 07075 Operational management Preventive
    Implement and comply with the Governance, Risk, and Compliance framework. CC ID 00818
    [Table 1 describes the structure of the governance principles and lists the principles associated with each category. All principles should be applied, and applied concurrently. § 5 ¶ 3
    Governing bodies should ensure that they realize the described governance outcomes through intentionally implementing the practices. § 5 ¶ 6]
    Operational management Preventive
    Include contractual relationships with workforce members in the analysis of the organizational culture. CC ID 15674 Operational management Preventive
    Include the number of workforce members who are not employees in the analysis of the organizational culture. CC ID 15673 Operational management Preventive
    Include the type of work performed by workforce members in the analysis of the organizational culture. CC ID 15675 Operational management Preventive
    Include demographic characteristics of employees in the analysis of the organizational culture. CC ID 15671 Operational management Preventive
    Review systems for compliance with organizational information security policies. CC ID 12004 Operational management Preventive
    Establish, implement, and maintain an Asset Management program. CC ID 06630
    [Responsible stewardship — The organization: makes use of resources in a responsible manner; § 5 ¶ 2 b) 1)
    {procedure}The governing body should ensure that it sets parameters, within which the value generation objectives are to be achieved. These parameters should ensure that the organization: defines what resources are required to deliver the value generation objectives and how they should be accessed and allocated; § 6.2.3.3 ¶ 1 b)]
    Operational management Preventive
    Include coordination amongst entities in the asset management policy. CC ID 16424 Operational management Preventive
    Define and prioritize the importance of each asset in the asset management program. CC ID 16837 Operational management Preventive
    Establish, implement, and maintain administrative controls over all assets. CC ID 16400 Operational management Preventive
    Classify virtual systems by type and purpose. CC ID 16332 Operational management Preventive
    Establish, implement, and maintain an asset inventory. CC ID 06631 Operational management Preventive
    Destroy systems in accordance with the system disposal program. CC ID 16457 Operational management Preventive
    Approve the release of systems and waste material into the public domain. CC ID 16461 Operational management Preventive
    Obtain approval before removing maintenance tools from the facility. CC ID 14298 Operational management Preventive
    Disassemble and shut down unnecessary systems or unused systems. CC ID 06280 Operational management Preventive
    Dispose of hardware and software at their life cycle end. CC ID 06278 Operational management Preventive
    Refrain from placing assets being disposed into organizational dumpsters. CC ID 12200 Operational management Preventive
    Remove asset tags prior to disposal of an asset. CC ID 12198 Operational management Preventive
    Establish, implement, and maintain an Incident Management program. CC ID 00853 Operational management Preventive
    Establish, implement, and maintain future system performance forecasting methods. CC ID 11775 Operational management Preventive
    Use proactive performance management. CC ID 00937 Operational management Detective
    Utilize resource availability management controls. CC ID 00940 Operational management Detective
    Establish, implement, and maintain rate limiting filters. CC ID 06883 Operational management Preventive
    Identify and allocate departmental costs. CC ID 00871 Operational management Detective
    Justify the system's cost and benefit. CC ID 00874
    [Issues of particular concern to a governing body are where the organization benefits but where the costs for that benefit are incurred by another party. These are sometimes referred to as "negative externalities" or "unpriced impacts" and can be both financial or non-financial in nature. In such cases, the governing body should account for these benefits. § 6.10.3 ¶ 2]
    Operational management Detective
    Establish, implement, and maintain a consumer complaint management program. CC ID 04570
    [Assurance processes that inform the governing body independently and accurately include: whistleblowing processes and personnel and customer feedback mechanisms, both formal and informal (see NOTE 3). § 6.4.3.3 ¶ 2 Bullet 5]
    Acquisition or sale of facilities, technology, and services Preventive
    Document consumer complaints. CC ID 13903 Acquisition or sale of facilities, technology, and services Preventive
    Include complete information in the take-down request. CC ID 09965 Acquisition or sale of facilities, technology, and services Detective
    Include the complainant's contact information in the take-down request. CC ID 09966 Acquisition or sale of facilities, technology, and services Detective
    Include the identification of unlawful material or unlawful activities in the take-down request. CC ID 09967 Acquisition or sale of facilities, technology, and services Detective
    Include the identification of the right that has allegedly been infringed in the take-down request. CC ID 09968 Acquisition or sale of facilities, technology, and services Detective
    Include the remedial action required to be taken in respect of the complaint in the take-down request. CC ID 09969 Acquisition or sale of facilities, technology, and services Detective
    Include a statement by the complainant that the information is true and correct in the take-down request. CC ID 09970 Acquisition or sale of facilities, technology, and services Preventive
    Include a statement that the complainant is acting in good faith in the take-down request. CC ID 09971 Acquisition or sale of facilities, technology, and services Detective
    Include the written signature or electronic signature of the complainant in the take-down request. CC ID 09972 Acquisition or sale of facilities, technology, and services Detective
    Analyze the digital content hosted by the organization for any electronic material associated with the take-down request. CC ID 09974 Acquisition or sale of facilities, technology, and services Detective
    Remove all unlawful material associated with the take-down request that has not been removed and is feasible to remove. CC ID 09978 Acquisition or sale of facilities, technology, and services Preventive
    Notify the complainant when all unlawful material associated with the take-down notice that can be removed has been removed. CC ID 09979 Acquisition or sale of facilities, technology, and services Preventive
    Refrain from requiring data subjects to justify personal data access requests. CC ID 12394 Privacy protection for information and data Preventive
    Grant a waiver or reduction of fees for data access under defined conditions. CC ID 15502 Privacy protection for information and data Preventive
    Determine the financial impact for the unauthorized disclosure of privacy-related data and privacy-related information. CC ID 06488 Privacy protection for information and data Detective
    Establish, implement, and maintain Consumer Reporting Agency notification procedures. CC ID 04851 Privacy protection for information and data Preventive
  • Communicate
    Include disseminating and communicating events surrounding instances of desirable conduct and undesirable conduct in the communication protocols. CC ID 12824 Leadership and high level objectives Preventive
    Identify alternative measures for collecting stakeholder input, as necessary. CC ID 15672 Leadership and high level objectives Preventive
    Include disseminating and communicating conditions surrounding instances of desirable conduct and undesirable conduct in the communication protocols. CC ID 12804 Leadership and high level objectives Preventive
    Include disseminating and communicating desirable conduct in the communication protocols. CC ID 12803 Leadership and high level objectives Preventive
    Include disseminating and communicating undesirable conduct in communication protocols. CC ID 12802 Leadership and high level objectives Preventive
    Disseminate and communicate internal controls with supply chain members. CC ID 12416 Leadership and high level objectives Preventive
    Disseminate and communicate management's choices for managing the organization as a part of internal reporting. CC ID 12412
    [To demonstrate accountability, the governing body should ensure that the organization's reports and disclosures: provide information about the governing body itself, including: the fulfilment of its responsibilities, including the consequences of not fulfilling its obligations; § 6.5.3.2 ¶ 1 b) 2)
    To demonstrate accountability, the governing body should ensure that the organization's reports and disclosures: provide information about the organization, including: the way in which the organization's performance was achieved and whether this performance was reasonable given the organization's changing context, governance policies, including organizational values; § 6.5.3.2 ¶ 1 c) 2)
    To demonstrate accountability, the governing body should ensure that the organization's reports and disclosures: explain and justify the organization's actions, inactions, omissions, risk and dependencies, including those of the governing body; § 6.5.3.2 ¶ 1 g)
    To demonstrate accountability, the governing body should ensure that the organization's reports and disclosures: provide information about the governing body itself, including: decisions, actions, performance and improvements; § 6.5.3.2 ¶ 1 b) 1)]
    Leadership and high level objectives Preventive
    Establish, implement, and maintain an external reporting program. CC ID 12876 Leadership and high level objectives Preventive
    Provide identifying information about the organization to the responsible party. CC ID 16715 Leadership and high level objectives Preventive
    Prioritize material topics used in reporting. CC ID 15678 Leadership and high level objectives Preventive
    Include time requirements in the external reporting program. CC ID 16566 Leadership and high level objectives Preventive
    Include reporting to governing bodies in the external reporting plan. CC ID 12923 Leadership and high level objectives Preventive
    Submit confidential treatment applications to interested personnel and affected parties. CC ID 16592 Leadership and high level objectives Preventive
    Disseminate and communicate the organization's business environment and place in its industry sector. CC ID 13200 Leadership and high level objectives Preventive
    Disseminate and communicate the value generation model to all interested personnel and affected parties. CC ID 15607
    [The governing body should ensure that an overarching value generation model is determined for the organization and is appropriately communicated. § 6.2.3.1 ¶ 1
    To demonstrate accountability, the governing body should ensure that the organization's reports and disclosures: describe the organizational purpose, organizational values, value generation model, organizational strategy and associated governance policies; § 6.5.3.2 ¶ 1 a)]
    Leadership and high level objectives Preventive
    Disseminate and communicate the Mission, Vision, and Values Statement to all interested personnel and affected parties. CC ID 15585
    [The governing body should ensure that the organizational purpose and organizational values and their centrality are effectively communicated throughout the organization and are available to the organization's stakeholders. § 6.1.3.4 ¶ 2
    The governing body should ensure that: the organizational purpose is available to all stakeholders and reflected in the constituting documents where possible; § 6.1.3.2 ¶ 2 Bullet 2
    The governing body should ensure that the organizational purpose and organizational values are defined, communicated and embedded. § 6.1.3.1 ¶ 1
    To demonstrate accountability, the governing body should ensure that the organization's reports and disclosures: describe the organizational purpose, organizational values, value generation model, organizational strategy and associated governance policies; § 6.5.3.2 ¶ 1 a)
    To ensure that the organization is acting in a socially responsible way, the governing body should: engage with all relevant stakeholders when determining and reviewing the organizational values and promote the organizational values to stakeholders; § 6.10.3 ¶ 1 d)]
    Leadership and high level objectives Preventive
    Disseminate and communicate organizational objectives, functions, and activities to all interested personnel and affected parties. CC ID 13191
    [To ensure that the organization is acting in a socially responsible way, the governing body should: report the organization's social responsibility objectives clearly and transparently so that stakeholders can understand these objectives, how they are being met and what performance is being achieved against them, as well as provide the necessary evidence to support such claims; § 6.10.3 ¶ 1 h)]
    Leadership and high level objectives Preventive
    Disseminate and communicate the data classification scheme to interested personnel and affected parties. CC ID 16804 Leadership and high level objectives Preventive
    Disseminate and communicate the data dictionary to interested personnel and affected parties. CC ID 13516 Leadership and high level objectives Preventive
    Disseminate and communicate emerging threats to all interested personnel and affected parties. CC ID 12185 Leadership and high level objectives Preventive
    Disseminate and communicate updated guidance documentation to interested personnel and affected parties upon discovery of a new threat. CC ID 12191 Leadership and high level objectives Corrective
    Disseminate and communicate the Quality Management policy to all interested personnel and affected parties. CC ID 13695 Leadership and high level objectives Preventive
    Disseminate and communicate the Quality Management framework to all stakeholders. CC ID 13680 Leadership and high level objectives Preventive
    Notify affected parties and interested personnel of quality management system approvals that have been refused, suspended, or withdrawn. CC ID 15045 Leadership and high level objectives Preventive
    Notify affected parties and interested personnel of quality management system approvals that have been issued. CC ID 15036 Leadership and high level objectives Preventive
    Disseminate and communicate the organization’s policies, standards, and procedures to all interested personnel and affected parties. CC ID 12901
    [Finally, the governing body should report honestly and transparently to relevant stakeholders on the organizational governance framework. This includes reporting: on the way it has implemented the key aspects of practices in this document and any other practices used to apply the principles; § 5 ¶ 7 Bullet 1]
    Leadership and high level objectives Preventive
    Disseminate and communicate the strategic plan to all interested personnel and affected parties. CC ID 15592
    [To demonstrate accountability, the governing body should ensure that the organization's reports and disclosures: describe the organizational purpose, organizational values, value generation model, organizational strategy and associated governance policies; § 6.5.3.2 ¶ 1 a)]
    Leadership and high level objectives Preventive
    Disseminate and communicate the planning procedures to interested personnel and affected parties. CC ID 14704 Leadership and high level objectives Preventive
    Disseminate and communicate the planning policy to interested personnel and affected parties. CC ID 14691 Leadership and high level objectives Preventive
    Disseminate and communicate the security planning policy to interested personnel and affected parties. CC ID 14125 Leadership and high level objectives Preventive
    Disseminate and communicate the security planning procedures to interested personnel and affected parties. CC ID 14135 Leadership and high level objectives Preventive
    Disseminate and communicate the decision management strategy to all interested personnel and affected parties. CC ID 13991
    [Be open about decisions and activities that affect the natural environment, society and the economy, and be willing to communicate these in a clear, accurate, timely, honest and complete manner. Table 2 Column 2 Row 4 Bullet 1]
    Leadership and high level objectives Preventive
    Provide required information that is missing from a funds transfer to the responsible party. CC ID 16761 Leadership and high level objectives Preventive
    Disseminate and communicate the results of stress testing to interested personnel and affected parties. CC ID 16630 Leadership and high level objectives Preventive
    Disseminate and communicate the escrow procedures to interested personnel and affected parties. CC ID 16565 Leadership and high level objectives Preventive
    Disseminate and communicate securities transaction notifications to interested personnel and affected parties. CC ID 16621 Leadership and high level objectives Preventive
    Disseminate and communicate the financial report to interested personnel and affected parties. CC ID 16342 Leadership and high level objectives Preventive
    Disseminate and communicate the call report to interested personnel and affected parties. CC ID 16727 Leadership and high level objectives Preventive
    Report errors and faults to the appropriate personnel, as necessary. CC ID 14296 Monitoring and measurement Corrective
    Disseminate and communicate the system security plan to interested personnel and affected parties. CC ID 14275 Monitoring and measurement Preventive
    Disseminate and communicate the disciplinary action notice to interested personnel and affected parties. CC ID 16585 Monitoring and measurement Preventive
    Delay the reporting of incident management metrics, as necessary. CC ID 15501 Monitoring and measurement Preventive
    Include the scope for the desired level of assurance in the audit program. CC ID 12793 Audits and risk management Preventive
    Hold a closing meeting following an audit to present audit findings and conclusions. CC ID 15248 Audits and risk management Preventive
    Disseminate and communicate the reasons the audit report was delayed to interested personnel and affected parties. CC ID 15257 Audits and risk management Preventive
    Notify auditees if disclosure of audit documentation is required by law. CC ID 15249 Audits and risk management Preventive
    Disseminate and communicate the audit plan to interested personnel and affected parties. CC ID 15238 Audits and risk management Preventive
    Disseminate and communicate insurance options to interested personnel and affected parties. CC ID 16572 Audits and risk management Preventive
    Disseminate and communicate insurance requirements to interested personnel and affected parties. CC ID 16567 Audits and risk management Preventive
    Disseminate and communicate the Data Protection Impact Assessment to interested personnel and affected parties. CC ID 15313 Audits and risk management Preventive
    Disseminate and communicate the risk assessment policy to interested personnel and affected parties. CC ID 14115 Audits and risk management Preventive
    Disseminate and communicate the risk assessment procedures to interested personnel and affected parties. CC ID 14136 Audits and risk management Preventive
    Disseminate and communicate the approved risk assessment report to interested personnel and affected parties. CC ID 10633
    [Assurance processes that inform the governing body independently and accurately include: direct reports by, and private sessions with, risk management and compliance management as independent control functions; § 6.4.3.3 ¶ 2 Bullet 2]
    Audits and risk management Preventive
    Notify the organization upon completion of the external audits of the organization's risk assessment. CC ID 13313 Audits and risk management Preventive
    Disseminate and communicate the Business Impact Analysis to interested personnel and affected parties. CC ID 15300
    [{social context}To demonstrate accountability, the governing body should ensure that the organization's reports and disclosures: provide information about the organization, including: the impact the organization has had, and anticipates having, on the resources it uses and the natural environment, social and economic context within which it operates; § 6.5.3.2 ¶ 1 c) 3)
    The value generation model requires an integrated approach to understanding and using resources (e.g. human, social and relational, intellectual, the natural environment, financial and manufactured). This approach includes: reporting on the extent of the organization's impact on these resources and the impact of these resources on one another. § 6.2.3.1 ¶ 4 c)
    The governing body should demonstrate accountability by retaining and distributing value in a transparent manner and reporting on the associated processes, decisions and results, including on the extent of the organization's impacts over time. This includes disclosing to relevant stakeholders where the organization has destroyed or compromised value, providing a justification for such where appropriate, and describing how it will redress or reinstate that value. § 6.2.3.5 ¶ 2]
    Audits and risk management Preventive
    Disseminate and communicate the risk treatment plan to interested personnel and affected parties. CC ID 15694 Audits and risk management Preventive
    Disseminate and communicate the cybersecurity risk management policy to interested personnel and affected parties. CC ID 16832 Audits and risk management Preventive
    Disseminate and communicate the cybersecurity risk management program to interested personnel and affected parties. CC ID 16829 Audits and risk management Preventive
    Disseminate and communicate the cybersecurity risk management strategy to interested personnel and affected parties. CC ID 16825 Audits and risk management Preventive
    Disseminate and communicate the supply chain risk management policy to all interested personnel and affected parties. CC ID 14662 Audits and risk management Preventive
    Disseminate and communicate the supply chain risk management procedures to all interested personnel and affected parties. CC ID 14712 Audits and risk management Preventive
    Disseminate and communicate the risk management policy to interested personnel and affected parties. CC ID 13792 Audits and risk management Preventive
    Notify the user when an authentication is attempted using an expired authenticator. CC ID 13818 Technical security Corrective
    Disseminate and communicate the recovery status of the contingency plan to interested personnel and affected parties. CC ID 12758 Operational and Systems Continuity Preventive
    Assign the data processor to notify the data controller when personal data processing could infringe on regulations. CC ID 12617 Human Resources management Preventive
    Disseminate and communicate screening results to interested personnel and affected parties. CC ID 16445 Human Resources management Preventive
    Disseminate and communicate the compensation, reward, and recognition program to interested personnel and affected parties. CC ID 14800 Human Resources management Preventive
    Disseminate and communicate the occupational health and safety policy to interested personnel and affected parties. CC ID 16270 Human Resources management Preventive
    Submit a conflict of interest declaration to interested personnel and affected parties. CC ID 16194 Human Resources management Preventive
    Notify designated personnel when a formal personnel sanctions process is initiated. CC ID 10632 Human Resources management Preventive
    Include communication protocols for interested personnel and affected parties in the ethics program. CC ID 12858
    [Disclose actual, potential or perceived conflicts of interest at the earliest opportunity and manage such conflicts appropriately. Table 2 Column 2 Row 2 Bullet 2]
    Human Resources management Preventive
    Establish mechanisms to maintain the anonymity of whistleblowers. CC ID 12859 Human Resources management Preventive
    Disseminate and communicate the compliance policy to interested personnel and affected parties. CC ID 14809 Operational management Preventive
    Disseminate and communicate the governance policy to all interested personnel and affected parties. CC ID 15625
    [To demonstrate accountability, the governing body should ensure that the organization's reports and disclosures: describe the organizational purpose, organizational values, value generation model, organizational strategy and associated governance policies; § 6.5.3.2 ¶ 1 a)]
    Operational management Preventive
    Share security information with interested personnel and affected parties. CC ID 11732 Operational management Preventive
    Disseminate and communicate the internal control framework to all interested personnel and affected parties. CC ID 15229 Operational management Preventive
    Disseminate and communicate the cybersecurity policy to interested personnel and affected parties. CC ID 16835 Operational management Preventive
    Disseminate and communicate the information security procedures to all interested personnel and affected parties. CC ID 16303 Operational management Preventive
    Disseminate and communicate the information security policy to interested personnel and affected parties. CC ID 11739 Operational management Preventive
    Disseminate and communicate the Standard Operating Procedures Manual to all interested personnel and affected parties. CC ID 12026 Operational management Preventive
    Disseminate and communicate the Acceptable Use Policy to all interested personnel and affected parties. CC ID 12431 Operational management Preventive
    Disseminate and communicate nondisclosure agreements to interested personnel and affected parties. CC ID 16191 Operational management Preventive
    Provide assurance to interested personnel and affected parties that the Governance, Risk, and Compliance capability is reliable, effective, efficient, and responsive. CC ID 12788
    [In doing so, the governing body provides indications of the organization's governance maturity, among other insights. § 5 ¶ 8
    To provide effective oversight of the organization, in addition to the reports it receives from those to whom they have delegated, the governing body should assure itself that the governance system is appropriately designed and operating as intended. If the governing body cannot assure itself directly, then it should utilize additional means of independent assurance. The governing body should: § 6.4.3.3 ¶ 1
    To provide effective oversight of the organization, in addition to the reports it receives from those to whom they have delegated, the governing body should assure itself that the governance system is appropriately designed and operating as intended. If the governing body cannot assure itself directly, then it should utilize additional means of independent assurance. The governing body should: demonstrate its commitment to assurance and communicate appropriately and clearly, throughout the organization, about its assurance system. § 6.4.3.3 ¶ 1 g)]
    Operational management Preventive
    Disseminate and communicate the Asset Classification Policy to interested personnel and affected parties. CC ID 14851 Operational management Preventive
    Disseminate and communicate the system maintenance policy to interested personnel and affected parties. CC ID 14213 Operational management Preventive
    Disseminate and communicate the system maintenance procedures to interested personnel and affected parties. CC ID 14194 Operational management Preventive
    Notify the complainant about their rights after receiving a complaint. CC ID 16794 Acquisition or sale of facilities, technology, and services Preventive
    Post contact information in an easily seen location at facilities. CC ID 13812 Acquisition or sale of facilities, technology, and services Preventive
    Provide users a list of the available dispute resolution bodies. CC ID 13814 Acquisition or sale of facilities, technology, and services Preventive
    Post the dispute resolution body's contact information on the organization's website. CC ID 13811 Acquisition or sale of facilities, technology, and services Preventive
    Disseminate and communicate the consumer complaint management program to interested personnel and affected parties. CC ID 16795 Acquisition or sale of facilities, technology, and services Preventive
    Disseminate and communicate the data collector's name and contact information to all interested personnel. CC ID 13760 Privacy protection for information and data Preventive
    Disseminate and communicate the data handling policy to all interested personnel and affected parties. CC ID 15465
    [The recognition that data can be a strategic asset (or liability) means that the governing body should: communicate the nature and extent of the organization's use of data as a demonstration of accountability for this resource. § 6.8.3.3 ¶ 1 e)]
    Privacy protection for information and data Preventive
    Disseminate and communicate the data handling procedures to all interested personnel and affected parties. CC ID 15466
    [The governing body should ensure that the organization identifies, manages, monitors and communicates the nature and extent of its use of data (see 6.5.3). § 6.8.3.1 ¶ 1]
    Privacy protection for information and data Preventive
  • Configuration
    21
    KEY:    Primary Verb     Primary Noun     Secondary Verb     Secondary Noun     Limiting Term
    Mandated - bold    Implied - italic    Implementation - regular IMPACT ZONE CLASS
    Enforce dual authorization as a part of information flow control for logs. CC ID 10098 Monitoring and measurement Preventive
    Configure access control lists in accordance with organizational standards. CC ID 16465 Technical security Preventive
    Disallow application IDs from running as privileged users. CC ID 10050 Technical security Detective
    Separate processing domains to segregate user privileges and enhance information flow control. CC ID 06767 Technical security Preventive
    Configure the lockout procedure to disregard failed logon attempts after the user is authenticated. CC ID 13822 Technical security Preventive
    Establish, implement, and maintain session lock capabilities. CC ID 01417 Technical security Preventive
    Limit concurrent sessions according to account type. CC ID 01416 Technical security Preventive
    Configure the "tlsverify" argument to organizational standards. CC ID 14460 Technical security Preventive
    Configure the "tlscacert" argument to organizational standards. CC ID 14521 Technical security Preventive
    Configure the "tlscert" argument to organizational standards. CC ID 14520 Technical security Preventive
    Configure the "tlskey" argument to organizational standards. CC ID 14519 Technical security Preventive
    Enable access control for objects and users on each system. CC ID 04553 Technical security Preventive
    Display previous logon information in the logon banner. CC ID 01415 Technical security Preventive
    Issue devices with secure configurations to individuals traveling to locations deemed to be of risk. CC ID 10598 Human Resources management Preventive
    Automate threat assessments, as necessary. CC ID 06877 Operational management Preventive
    Automate vulnerability management, as necessary. CC ID 11730 Operational management Preventive
    Disallow systems from processing information, disseminating and communicating information, or storing information that is above the system's assigned asset classification. CC ID 06606 Operational management Preventive
    Separate remote maintenance sessions from other network sessions with a logically separate communications path based upon encryption. CC ID 10614 Operational management Preventive
    Include passwords, Personal Identification Numbers, and card security codes in the personal data definition. CC ID 04699 Privacy protection for information and data Preventive
    Store payment card data in secure chips, if possible. CC ID 13065 Privacy protection for information and data Preventive
    Refrain from storing data elements containing sensitive authentication data after authorization is approved. CC ID 04758 Privacy protection for information and data Preventive
  • Data and Information Management
    179
    Take into account the accessibility to and location of the data or information when establishing information impact levels. CC ID 04787 Leadership and high level objectives Preventive
    Take into account the organization's obligation to protect data or information when establishing information impact levels. CC ID 04786 Leadership and high level objectives Preventive
    Take into account the context of use for data or information when establishing information impact levels. CC ID 04785 Leadership and high level objectives Preventive
    Take into account the potential aggregation of restricted data fields when establishing information impact levels. CC ID 04784 Leadership and high level objectives Preventive
    Classify the sensitivity to unauthorized disclosure or modification of information in the information classification standard. CC ID 11997 Leadership and high level objectives Preventive
    Take into account the distinguishability factor when establishing information impact levels. CC ID 04783 Leadership and high level objectives Preventive
    Classify the criticality to unauthorized disclosure or modification of information in the information classification standard. CC ID 11996 Leadership and high level objectives Preventive
    Classify the value of information in the information classification standard. CC ID 11995 Leadership and high level objectives Preventive
    Classify the legal requirements of information in the information classification standard. CC ID 11994 Leadership and high level objectives Preventive
    Take into account the characteristics of the geographical, behavioral and functional setting for all datasets. CC ID 15046 Leadership and high level objectives Preventive
    Address Information Security during the business planning processes. CC ID 06495 Leadership and high level objectives Preventive
    Include valuation models in the margin system. CC ID 16663 Leadership and high level objectives Preventive
    Include procedures for collecting price data in the margin system. CC ID 16662 Leadership and high level objectives Preventive
    Include reliable sources for price data in the margin system. CC ID 16661 Leadership and high level objectives Preventive
    Include order tickets in the recordkeeping system for securities transactions. CC ID 16640 Leadership and high level objectives Preventive
    Include receipts and deliveries of securities in the recordkeeping system for securities transactions. CC ID 16650 Leadership and high level objectives Preventive
    Include debits and credits in the recordkeeping system for securities transactions. CC ID 16639 Leadership and high level objectives Preventive
    Include a description of the transaction in the recordkeeping system for securities transactions. CC ID 16645 Leadership and high level objectives Preventive
    Include chronological records of transactions in the recordkeeping system for securities transactions. CC ID 16638 Leadership and high level objectives Preventive
    Include the name of the dealer in the recordkeeping system for securities transactions. CC ID 16637 Leadership and high level objectives Preventive
    Include the execution price in the recordkeeping system for securities transactions. CC ID 16636 Leadership and high level objectives Preventive
    Include the date and time of the transaction in the recordkeeping system for securities transactions. CC ID 16635 Leadership and high level objectives Preventive
    Include the type of transaction in the recordkeeping system for securities transactions. CC ID 16633 Leadership and high level objectives Preventive
    Include account information in the recordkeeping system for securities transactions. CC ID 16632 Leadership and high level objectives Preventive
    Include data quality in the risk management strategies. CC ID 15308 Audits and risk management Preventive
    Enforce access restrictions for restricted data. CC ID 01921 Technical security Preventive
    Include a removable storage media use policy in the Acceptable Use Policy. CC ID 06772 Operational management Preventive
    Identify the sender in all electronic messages. CC ID 13996 Operational management Preventive
    Identify processes, Information Systems, and third parties that transmit, process, or store restricted data. CC ID 06289 Operational management Preventive
    Record a unique name for each asset in the asset inventory. CC ID 16305 Operational management Preventive
    Record the status of information systems in the asset inventory. CC ID 16304 Operational management Preventive
    Record the communication interfaces for applicable assets in the asset inventory. CC ID 16301 Operational management Preventive
    Record software license information for each asset in the asset inventory. CC ID 11736 Operational management Preventive
    Record the operating system version for applicable assets in the asset inventory. CC ID 11748 Operational management Preventive
    Record rooms at external locations in the asset inventory. CC ID 16302 Operational management Preventive
    Record trusted keys and certificates in the asset inventory. CC ID 15486 Operational management Preventive
    Record cipher suites and protocols in the asset inventory. CC ID 15489 Operational management Preventive
    Wipe all data on systems prior to when the system is redeployed or the system is disposed. CC ID 06401 Operational management Preventive
    Establish, implement, and maintain a data profiling program. CC ID 13992
    [The governing body should oversee the organization's management of risk (see 6.4), ensuring that: effective data analytics are employed to correctly assess risk and risk interactions; § 6.9.3.4 ¶ 1 f)]
    Records management Preventive
    Ensure data sets have the appropriate characteristics. CC ID 15000 Records management Detective
    Ensure data sets are complete, are accurate, and are relevant. CC ID 14999 Records management Detective
    Establish, implement, and maintain Automated Data Processing validation checks and editing checks. CC ID 00924 Records management Preventive
    Provide individuals with information about where their personal data was processed. CC ID 00415 Privacy protection for information and data Preventive
    Provide individuals with information about the processing purpose of their personal data. CC ID 00416 Privacy protection for information and data Preventive
    Provide individuals with information about disclosure of their personal data. CC ID 00417 Privacy protection for information and data Preventive
    Allow guardians and legal representatives access to personal data about the individual for whom they are guardians or legal representatives. CC ID 00418 Privacy protection for information and data Preventive
    Provide assistance to requesters in preparing data access requests. CC ID 13588 Privacy protection for information and data Preventive
    Delay responding to data access requests, as necessary. CC ID 15504 Privacy protection for information and data Preventive
    Expedite the processing of data access requests, as necessary. CC ID 15496 Privacy protection for information and data Preventive
    Provide individuals with an estimate of how much data was withheld from the data access request. CC ID 15503 Privacy protection for information and data Preventive
    Document the outcome of the personal data access request review procedure. CC ID 00455 Privacy protection for information and data Preventive
    Identify any adverse effects the collection of personal data will have on the data subject. CC ID 15279 Privacy protection for information and data Preventive
    Refrain from collecting personal data, as necessary. CC ID 15269 Privacy protection for information and data Preventive
    Use personal data for specified purposes. CC ID 11831 Privacy protection for information and data Preventive
    Obtain the data subject's consent and acknowledgment before collecting data. CC ID 00012 Privacy protection for information and data Preventive
    Provide explicit consent that is clear and unambiguous. CC ID 00181 Privacy protection for information and data Preventive
    Allow individuals to change their personal data collection consent preferences. CC ID 06946 Privacy protection for information and data Preventive
    Adhere to each individual's personal data collection consent preferences. CC ID 06947 Privacy protection for information and data Preventive
    Furnish disclosure of information and usage of information to data subjects when oral consent is given. CC ID 04717 Privacy protection for information and data Preventive
    Disclose the direct marketing purpose before obtaining consent for collecting information. CC ID 04718 Privacy protection for information and data Preventive
    Include an individual's name in the personal data definition. CC ID 04710 Privacy protection for information and data Preventive
    Include an individual's name combined with other personal data in the personal data definition. CC ID 04709 Privacy protection for information and data Preventive
    Include the legal surname of the parent or legal representative prior to marriage in the personal data definition. CC ID 04686 Privacy protection for information and data Preventive
    Include an individual's signature in the personal data definition. CC ID 04711 Privacy protection for information and data Preventive
    Include an individual's date of birth in the personal data definition. CC ID 04770 Privacy protection for information and data Preventive
    Include an individual's physical characteristics or description in the personal data definition. CC ID 04712 Privacy protection for information and data Preventive
    Include an individual's biometric data in the personal data definition. CC ID 04698 Privacy protection for information and data Preventive
    Include an individual's photographic image in the personal data definition. CC ID 04779 Privacy protection for information and data Preventive
    Include an individual's fingerprints in the personal data definition. CC ID 04689 Privacy protection for information and data Preventive
    Include an individual's address in the personal data definition. CC ID 04687 Privacy protection for information and data Preventive
    Include an individual's telephone number in the personal data definition. CC ID 04688 Privacy protection for information and data Preventive
    Include an individual's fax number in the personal data definition. CC ID 07120 Privacy protection for information and data Preventive
    Include an individual's financial account number in the personal data definition. CC ID 04692 Privacy protection for information and data Preventive
    Include stock numbers, bond numbers, and other security certificate numbers in the personal data definition. CC ID 04768 Privacy protection for information and data Preventive
    Include an individual's electronic identification name or number in the personal data definition. CC ID 04694 Privacy protection for information and data Preventive
    Include an individual's Alien Registration Number in the personal data definition. CC ID 04743 Privacy protection for information and data Preventive
    Include an individual's passport number in the personal data definition. CC ID 04713 Privacy protection for information and data Preventive
    Include an individual's driver's license number or an individual's state identification card number in the personal data definition. CC ID 04691 Privacy protection for information and data Preventive
    Include an individual's Social Security Number or Personal Identification Number in the personal data definition. CC ID 04690 Privacy protection for information and data Preventive
    Include an individual's e-mail address in the personal data definition. CC ID 04696 Privacy protection for information and data Preventive
    Include electronic signatures in the personal data definition. CC ID 04697 Privacy protection for information and data Preventive
    Include an individual's payment card information in the personal data definition. CC ID 04751 Privacy protection for information and data Preventive
    Include an individual's credit card number or an individual's debit card number in the personal data definition. CC ID 04693 Privacy protection for information and data Preventive
    Include an individual's payment card service code in the personal data definition. CC ID 04753 Privacy protection for information and data Preventive
    Include an individual's payment card expiration date in the personal data definition. CC ID 04755 Privacy protection for information and data Preventive
    Include the payment transaction data and transaction authentication data in the personal data definition. CC ID 04825 Privacy protection for information and data Preventive
    Include an individual's Individually Identifiable Health Information in the personal data definition. CC ID 04700 Privacy protection for information and data Preventive
    Include an individual's medical history in the personal data definition. CC ID 04701 Privacy protection for information and data Preventive
    Include an individual's medical treatment in the personal data definition. CC ID 04702 Privacy protection for information and data Preventive
    Include an individual's medical diagnosis in the personal data definition. CC ID 04703 Privacy protection for information and data Preventive
    Include an individual's mental condition or an individual's physical condition in the personal data definition. CC ID 04704 Privacy protection for information and data Preventive
    Include an individual's medical record numbers in the personal data definition. CC ID 07121 Privacy protection for information and data Preventive
    Include an individual's health insurance information in the personal data definition. CC ID 04705 Privacy protection for information and data Preventive
    Include an individual's health insurance policy number in the personal data definition. CC ID 04706 Privacy protection for information and data Preventive
    Include an individual's health insurance application and health insurance claims history (including appeals) in the personal data definition. CC ID 04707 Privacy protection for information and data Preventive
    Include an individual's education information in the personal data definition. CC ID 04714 Privacy protection for information and data Preventive
    Include an individual's professional certification numbers or an individual's professional license numbers in the personal data definition. CC ID 07122 Privacy protection for information and data Preventive
    Include an individual's employment information in the personal data definition. CC ID 04715 Privacy protection for information and data Preventive
    Include an employer's Taxpayer Identification Number in the personal data definition. CC ID 04767 Privacy protection for information and data Preventive
    Include an individual's Taxpayer Identification Number in the personal data definition. CC ID 04763 Privacy protection for information and data Preventive
    Include an individual's employment history in the personal data definition. CC ID 04716 Privacy protection for information and data Preventive
    Include an individual's place of employment in the personal data definition. CC ID 04765 Privacy protection for information and data Preventive
    Include an individual's Employee Identification Number in the personal data definition. CC ID 04766 Privacy protection for information and data Preventive
    Include an individual's property information in the personal data definition. CC ID 04780 Privacy protection for information and data Preventive
    Include an individual's property title in the personal data definition. CC ID 04781 Privacy protection for information and data Preventive
    Include an individual's vehicle registration in the personal data definition. CC ID 04782 Privacy protection for information and data Preventive
    Include hardware asset identification information in the personal data definition. CC ID 07123 Privacy protection for information and data Preventive
    Include MAC addresses in the personal data definition. CC ID 04778 Privacy protection for information and data Preventive
    Include Internet Protocol addresses in the personal data definition. CC ID 04777 Privacy protection for information and data Preventive
    Include asset serial numbers in the personal data definition. CC ID 07124 Privacy protection for information and data Preventive
    Include Uniform Resource Locators in the personal data definition. CC ID 07125 Privacy protection for information and data Preventive
    Define specially restricted data. CC ID 00037 Privacy protection for information and data Preventive
    Protect an individual's civil rights during personal data collection and personal data processing. CC ID 00079 Privacy protection for information and data Preventive
    Refrain from compiling data that is likely to give rise to unlawful discrimination or arbitrary discrimination. CC ID 00075 Privacy protection for information and data Preventive
    Refrain from subjecting an individual to a solely automated decision process that produces legal effects based on the evaluation of certain characteristics. CC ID 00080 Privacy protection for information and data Preventive
    Implement a nondiscrimination principle. CC ID 00081 Privacy protection for information and data Preventive
    Include the collection and use of personal data in the nondiscrimination principle. CC ID 11799 Privacy protection for information and data Preventive
    Preserve each individual's right to human dignity. CC ID 00082 Privacy protection for information and data Preventive
    Manage Personal Identification Numbers and PIN verification code numbers. CC ID 00058 Privacy protection for information and data Preventive
    Collect Personal Identification Numbers with the individual's consent. CC ID 00059 Privacy protection for information and data Preventive
    Collect Personal Identification Numbers absent consent when the law mandates. CC ID 00061 Privacy protection for information and data Preventive
    Collect Personal Identification Numbers absent consent for research purposes. CC ID 00065 Privacy protection for information and data Preventive
    Collect Personal Identification Numbers absent consent to realize the rights or duties of the data subject or data controller. CC ID 04792 Privacy protection for information and data Preventive
    Manage health data collection. CC ID 00050 Privacy protection for information and data Preventive
    Collect Individually Identifiable Health Information to provide health care services. CC ID 00052 Privacy protection for information and data Preventive
    Collect Individually Identifiable Health Information when the law dictates. CC ID 00053 Privacy protection for information and data Preventive
    Collect Individually Identifiable Health Information for research. CC ID 00054 Privacy protection for information and data Preventive
    Remove personal data before disclosing health data. CC ID 00055 Privacy protection for information and data Preventive
    Give special attention to collecting children's data. CC ID 00038 Privacy protection for information and data Preventive
    Obtain consent from a parent or legal representative before collecting information from children. CC ID 00041 Privacy protection for information and data Preventive
    Waive verifiable consent from a parent or legal representative for collecting information from children in order to collect online contact information for a one-time only response to a specific request. CC ID 00043 Privacy protection for information and data Preventive
    Waive verifiable consent from a parent or legal representative for collecting information from children in order to request the parent or legal representative's information to obtain consent. CC ID 00044 Privacy protection for information and data Preventive
    Waive verifiable consent from a parent or legal representative for collecting information from children in order to respond to additional requests which do not go beyond the scope of the request. CC ID 00045 Privacy protection for information and data Preventive
    Waive verifiable consent from a parent or legal representative for collecting information from children in order to protect the child's safety. CC ID 00046 Privacy protection for information and data Preventive
    Waive verifiable consent from a parent or legal representative for collecting information from children in order to take liability precautions. CC ID 00047 Privacy protection for information and data Preventive
    Waive verifiable consent from a parent or legal representative for collecting information from children in order to respond to a judicial process. CC ID 00048 Privacy protection for information and data Preventive
    Waive verifiable consent from a parent or legal representative for collecting information from children in order to respond to a request for law enforcement purposes. CC ID 00049 Privacy protection for information and data Preventive
    Waive verifiable consent from a parent or legal representative for collecting information from children in order to protect the website's security or integrity or the online service's security or integrity. CC ID 06199 Privacy protection for information and data Preventive
    Collect personal data directly from the data subject. CC ID 00011 Privacy protection for information and data Preventive
    Create and manage user account aliases to maintain pseudonymity. CC ID 04549 Privacy protection for information and data Preventive
    Provide unlinkability for users and resources. CC ID 04550 Privacy protection for information and data Preventive
    Collect restricted data in a fair and lawful manner. CC ID 00010 Privacy protection for information and data Preventive
    Collect restricted data absent consent for specific and well-documented circumstances. CC ID 00013 Privacy protection for information and data Preventive
    Collect restricted data absent consent when the data collection is in the individual's interests and consent can not be obtained in a timely manner. CC ID 00014 Privacy protection for information and data Preventive
    Collect restricted data absent consent when consent compromises data accuracy. CC ID 00015 Privacy protection for information and data Preventive
    Collect personal data absent consent in order to make a disclosure. CC ID 13550 Privacy protection for information and data Preventive
    Collect personal data absent consent for reasonable investigative purposes. CC ID 11801 Privacy protection for information and data Preventive
    Collect personal data absent consent if the collection is consistent with the intended purpose. CC ID 13548 Privacy protection for information and data Preventive
    Collect personal data absent consent when the personal data was produced by the data subject in the course of employment, business, or profession. CC ID 13544 Privacy protection for information and data Preventive
    Collect personal data absent consent for handling insurance claims. CC ID 13543 Privacy protection for information and data Preventive
    Collect personal data absent consent when the data subject has authorized the collection through another individual. CC ID 00016 Privacy protection for information and data Preventive
    Collect personal data absent consent if the disclosure is to the next of kin or authorized representative. CC ID 15295 Privacy protection for information and data Preventive
    Collect personal data absent consent in order to establish, manage, or terminate employment contracts. CC ID 13614 Privacy protection for information and data Preventive
    Collect personal data absent consent in order to protect the data subject's vital interests. CC ID 15277 Privacy protection for information and data Preventive
    Collect personal data for public interests absent consent in order to protect historical records or archival records. CC ID 15289 Privacy protection for information and data Preventive
    Collect personal data absent consent to administer a trust fund or benefit plan. CC ID 15292 Privacy protection for information and data Preventive
    Collect restricted data absent consent for journalistic purposes, artistic purposes, or literary purposes. CC ID 00017 Privacy protection for information and data Preventive
    Collect personal data absent consent in order to collect a debt owed by the data subject. CC ID 15293 Privacy protection for information and data Preventive
    Collect personal data absent consent for statistical purposes or research purposes and the data subject is not identified. CC ID 00018 Privacy protection for information and data Preventive
    Collect restricted data absent consent from publicly available information. CC ID 00019 Privacy protection for information and data Preventive
    Collect restricted data absent consent when needed by law. CC ID 00020 Privacy protection for information and data Preventive
    Collect personal data absent consent to create a credit report. CC ID 15287 Privacy protection for information and data Preventive
    Collect restricted data absent consent when no potential harm can come to the data subject. CC ID 00021 Privacy protection for information and data Preventive
    Collect personal data absent consent when collecting personal data from the data subject is impossible or the data collection involves a disproportionate effort. CC ID 00022 Privacy protection for information and data Preventive
    Collect the minimum amount of restricted data necessary. CC ID 00078 Privacy protection for information and data Preventive
    Collect restricted data in a proper information framework. CC ID 00009 Privacy protection for information and data Preventive
    Collect and record restricted data for specific, explicit, and legitimate purposes. CC ID 00027 Privacy protection for information and data Preventive
    Collect restricted data when required by law. CC ID 00031 Privacy protection for information and data Preventive
    Collect restricted data to prevent life-threatening emergencies. CC ID 00032 Privacy protection for information and data Preventive
    Collect restricted data relating solely to nonprofit organization members or individuals who are in regular contact during the nonprofit organization's activities. CC ID 00034 Privacy protection for information and data Preventive
    Collect restricted data for legal purposes. CC ID 00036 Privacy protection for information and data Preventive
    Prohibit personal data from being sent by e-mail or instant messaging. CC ID 00565 Privacy protection for information and data Preventive
    Establish, implement, and maintain record structures to support information confidentiality. CC ID 00360 Privacy protection for information and data Preventive
    Automate the disposition process for records that contain "do not store" data or "delete after transaction process" data. CC ID 06083 Privacy protection for information and data Preventive
    Limit data leakage. CC ID 00356 Privacy protection for information and data Preventive
    Establish, implement, and maintain suspicious personal data procedures. CC ID 04853 Privacy protection for information and data Detective
    Compare certain personal data such as name, date of birth, address, driver's license, or other identification against personal data on file for the applicant. CC ID 04855 Privacy protection for information and data Detective
    Match consumer reports with current accounts on file to ensure account misuse or information misuse has not occurred. CC ID 04873 Privacy protection for information and data Detective
    Send change notices for change of address requests to the old address and the new address. CC ID 04877 Privacy protection for information and data Detective
  • Establish Roles
    67
    KEY:    Primary Verb     Primary Noun     Secondary Verb     Secondary Noun     Limiting Term
    Mandated - bold    Implied - italic    Implementation - regular IMPACT ZONE CLASS
    Assign the appropriate roles to all applicable compliance documents. CC ID 06284 Leadership and high level objectives Preventive
    Assign the approval of compliance exceptions to the appropriate roles inside the organization. CC ID 06443 Leadership and high level objectives Preventive
    Define the Information Assurance strategic roles and responsibilities. CC ID 00608 Leadership and high level objectives Preventive
    Establish and maintain a compliance oversight committee. CC ID 00765
    [The governing body should direct and oversee the organization to ensure accountability is practised throughout (see 6.4). § 6.5.3.3 ¶ 2
    {be effective} Depending on the size of the organization, governing bodies can create committees to help them fulfil their obligations. These committees can be statutory or voluntary. In either case, they should provide the governing body with additional capacity, skills, independence, diversity and/or stakeholder representation. If a governing body makes use of supporting committees, the governing body should ensure that it effectively delegates the necessary responsibilities and authority to such committees. § 4.3.1 ¶ 2]
    Leadership and high level objectives Detective
    Assign the review of project plans for critical projects to the compliance oversight committee. CC ID 01182 Leadership and high level objectives Preventive
    Assign the corporate governance of Information Technology to the compliance oversight committee. CC ID 01178 Leadership and high level objectives Preventive
    Assign the review of Information Technology policies and procedures to the compliance oversight committee. CC ID 01179 Leadership and high level objectives Preventive
    Involve the Board of Directors or senior management in Information Governance. CC ID 00609 Leadership and high level objectives Preventive
    Assign reviewing and approving Quality Management standards to the appropriate oversight committee. CC ID 07192 Leadership and high level objectives Preventive
    Define the roles and responsibilities for personnel assigned to tasks in the Audit function. CC ID 00678
    [{individual}To provide effective oversight of the organization, in addition to the reports it receives from those to whom they have delegated, the governing body should assure itself that the governance system is appropriately designed and operating as intended. If the governing body cannot assure itself directly, then it should utilize additional means of independent assurance. The governing body should: carefully scrutinize the reporting lines of those who provide assurance internally, to safeguard their independence and authority (see NOTE 1); § 6.4.3.3 ¶ 1 d)]
    Audits and risk management Preventive
    Assign the roles and responsibilities for the Board of Directors and senior management in the Audit function. CC ID 00679
    [To provide effective oversight of the organization, in addition to the reports it receives from those to whom they have delegated, the governing body should assure itself that the governance system is appropriately designed and operating as intended. If the governing body cannot assure itself directly, then it should utilize additional means of independent assurance. The governing body should: demonstrate its commitment to assurance and communicate appropriately and clearly, throughout the organization, about its assurance system. § 6.4.3.3 ¶ 1 g)]
    Audits and risk management Preventive
    Assign the internal audit staff to be independent from business units reporting to the Board of Directors. CC ID 01184 Audits and risk management Preventive
    Define and assign the internal audit manager's roles and responsibilities. CC ID 00680 Audits and risk management Preventive
    Assign the internal audit manager's compensation and performance review to the Board of Directors or audit committee. CC ID 01186 Audits and risk management Preventive
    Define and assign the internal audit staff's roles and responsibilities. CC ID 00681 Audits and risk management Preventive
    Assign the responsibility for operating an internal control system to the internal audit staff. CC ID 01187 Audits and risk management Preventive
    Define and assign the external auditor's roles and responsibilities. CC ID 00683 Audits and risk management Preventive
    Assign the audit to impartial auditors. CC ID 07118
    [The governing body should: assess its own competence, structures and processes, including drawing on the support of experienced, independent professionals, with respect to, for example, the adequacy of its effectiveness, efficiency, composition and its member succession plans; § 4.3.2 ¶ 2 d)
    To provide effective oversight of the organization, in addition to the reports it receives from those to whom they have delegated, the governing body should assure itself that the governance system is appropriately designed and operating as intended. If the governing body cannot assure itself directly, then it should utilize additional means of independent assurance. The governing body should: § 6.4.3.3 ¶ 1]
    Audits and risk management Preventive
    Notify interested personnel and affected parties participating in the audit of their roles and responsibilities during the audit. CC ID 07151 Audits and risk management Preventive
    Define and assign the roles and responsibilities for the risk assessment framework, as necessary. CC ID 06456
    [The governing body should ensure that the organizational risk framework, in respect to the management of risk: defines the responsibilities of the governing body and associated delegation across the organization; § 6.9.3.2 ¶ 2 e)]
    Audits and risk management Preventive
    Assign Information System access authorizations if implementing segregation of duties. CC ID 06323 Technical security Preventive
    Include restoration procedures in the continuity plan. CC ID 01169
    [The organization's viability and performance over time depends on the resilience of natural environmental, social and economic systems in which the organization operates. The resilience of these systems benefits from governing body decisions when such decisions consider: actively contribute to conserving and restoring these systems. § 6.11.3.1 ¶ 1 Bullet 2]
    Operational and Systems Continuity Preventive
    Establish, implement, and maintain high level operational roles and responsibilities. CC ID 00806
    [{be effective} Depending on the size of the organization, governing bodies can create committees to help them fulfil their obligations. These committees can be statutory or voluntary. In either case, they should provide the governing body with additional capacity, skills, independence, diversity and/or stakeholder representation. If a governing body makes use of supporting committees, the governing body should ensure that it effectively delegates the necessary responsibilities and authority to such committees. § 4.3.1 ¶ 2]
    Human Resources management Preventive
    Define and assign the head of Information Security's roles and responsibilities. CC ID 06091 Human Resources management Preventive
    Define and assign the Board of Directors roles and responsibilities and senior management roles and responsibilities, including signing off on key policies and procedures. CC ID 00807
    [The governing body can delegate but still remains accountable for what it has delegated and always remains responsible for the organization as a whole. § 4.2.2 ¶ 1
    The governing body should establish governance policies and ensure that these: clarify the manner in which the governing body itself is to operate and govern the organization; § 6.3.3.1.2 ¶ 1 f)
    {individual}{hold accountable} The governing body should demonstrate its willingness to answer for the fulfilment of its responsibilities, even where these have been delegated. The governing body should also report on the manner in which it holds to account those to whom it has delegated. § 6.5.3.1 ¶ 1
    Governance is exercised throughout the organization by governing groups, including: the governing body; § 4.2.1 ¶ 1 Bullet 2
    At all times, the governing body should act collectively, performing many interrelated activities in order to exercise its authority and fulfil its accountability. Members of the governing body should act with probity and in the best interests of the organization while applying the principles in this document. § 4.3.1 ¶ 3
    {individual}{hold accountable} The governing body should demonstrate its accountability to the organization as a whole and hold to account those to whom it has delegated. Table 1 Column 4 Row 6
    The governing body should engage with strategic planning by: establishing clarity about its role in the strategic planning process; § 6.3.3.2.1 ¶ 1 a)
    The governing body is accountable for ensuring that the organization fulfils the defined organizational purpose and should ensure that the organization does so in a manner which demonstrates the defined organizational values. § 6.1.3.4 ¶ 1
    {individual}{hold accountable} The governing body should demonstrate its accountability to the organization as a whole and hold to account those to whom it has delegated. § 6.5.1 ¶ 1
    Within the governing body: The governing body should set expectations for itself and the organization, including parameters within which these expectations are to be fulfilled. The governing body should fulfil these expectations (internal alignment). § 6.7.3.2 ¶ 1 a)]
    Human Resources management Preventive
    Assign senior management to the role of authorizing official. CC ID 14238 Human Resources management Preventive
    Define and assign the Chief Information Officer's roles and responsibilities. CC ID 00808 Human Resources management Preventive
    Define and assign the Information Technology staff's roles and responsibilities. CC ID 00809 Human Resources management Preventive
    Define and assign the business unit manager's roles and responsibilities. CC ID 00810 Human Resources management Preventive
    Define and assign the Facility Security Officer's roles and responsibilities. CC ID 01887 Human Resources management Preventive
    Define and assign the technology security leader's roles and responsibilities. CC ID 01897 Human Resources management Preventive
    Define and assign the property management leader's roles and responsibilities. CC ID 00669 Human Resources management Preventive
    Define and assign the Archives and Records Management oversight's roles and responsibilities. CC ID 00697 Human Resources management Preventive
    Define and assign the Privacy Officer's roles and responsibilities. CC ID 00714 Human Resources management Preventive
    Define and assign critical facility management personnel's roles and responsibilities. CC ID 06381 Human Resources management Preventive
    Define and assign the Chief Security Officer's roles and responsibilities. CC ID 06431 Human Resources management Preventive
    Assign a contact person to all business units. CC ID 07144 Human Resources management Preventive
    Assign roles and responsibilities for physical security, as necessary. CC ID 13113 Human Resources management Preventive
    Identify and define all critical roles. CC ID 00777 Human Resources management Preventive
    Assign cybersecurity reporting responsibilities to qualified personnel. CC ID 12739 Human Resources management Preventive
    Assign the role of security management to applicable controls. CC ID 06444 Human Resources management Preventive
    Define and assign the data controller's roles and responsibilities. CC ID 00471 Human Resources management Preventive
    Assign the role of data controller to applicable controls. CC ID 00354 Human Resources management Preventive
    Assign the role of data controller to additional personnel, as necessary. CC ID 00473 Human Resources management Preventive
    Assign the role of Information Technology operations to applicable controls. CC ID 00682 Human Resources management Preventive
    Assign the role of logical access control to applicable controls. CC ID 00772 Human Resources management Preventive
    Assign the role of asset physical security to applicable controls. CC ID 00770 Human Resources management Preventive
    Assign the role of data custodian to applicable controls. CC ID 04789 Human Resources management Preventive
    Assign the role of the Quality Management committee to applicable controls. CC ID 00769 Human Resources management Preventive
    Assign interested personnel to the Quality Management committee. CC ID 07193 Human Resources management Preventive
    Assign personnel to a crime prevention unit and announce the members of the unit. CC ID 06348 Human Resources management Preventive
    Assign the role of fire protection management to applicable controls. CC ID 04891 Human Resources management Preventive
    Assign the role of Information Technology Service Continuity Management to applicable controls. CC ID 04894 Human Resources management Preventive
    Assign the role of the Computer Emergency Response Team to applicable controls. CC ID 04895 Human Resources management Preventive
    Assign the role of CRYPTO custodian to applicable controls. CC ID 06723 Human Resources management Preventive
    Assign security clearance procedures to qualified personnel. CC ID 06812 Human Resources management Preventive
    Assign personnel screening procedures to qualified personnel. CC ID 11699 Human Resources management Preventive
    Establish and maintain the staff structure in line with the strategic plan. CC ID 00764
    [When delegating, the governing body should delegate in a manner which increases trust and transparency. For delegation and accountability (see 6.5) to be effective, the governing body should ensure that the following conditions are fulfilled: authority matches the level of responsibility, which includes the autonomy to make and fulfil plans to achieve the agreed outcomes within the established parameters; § 4.2.2 ¶ 2 c)
    Decision-making throughout the organization should be supported by appropriate delegation (see 4.2.2). This delegation should be formalized together with appropriate assurance processes. Additionally, the governing body should ensure that: the authority matches the level of responsibility associated with the decisions being made; § 6.8.3.2.2 ¶ 1 a)
    Delegation should be formalized together with the appropriate assurance processes. Limits of decision-making authority should be applied in response to assessed risk. § 4.2.2 ¶ 5
    Decision-making throughout the organization should be supported by appropriate delegation (see 4.2.2). This delegation should be formalized together with appropriate assurance processes. Additionally, the governing body should ensure that: § 6.8.3.2.2 ¶ 1
    {hold accountable}{individual} The governing body should hold to account those to whom it has delegated (see 4.2.2). The governing body should ask questions, exercise its judgement, implement consequences, affect improvements and ensure that it is equipped to do so. When doing so, the governing body should practise integrity, fairness and transparency. § 6.5.3.3 ¶ 1]
    Human Resources management Preventive
    Document and communicate role descriptions to all applicable personnel. CC ID 00776 Human Resources management Detective
    Rotate duties amongst the critical roles and positions. CC ID 06554 Human Resources management Preventive
    Refrain from assigning security compliance assessment responsibility for the day-to-day production activities an individual performs. CC ID 12061 Human Resources management Preventive
    Assign ownership of the internal control framework to the appropriate organizational role. CC ID 06437 Operational management Preventive
    Define and assign the roles and responsibilities for interested personnel and affected parties when establishing, implementing, and maintaining the internal control framework. CC ID 07146
    [Decision-making throughout the organization should be supported by appropriate delegation (see 4.2.2). This delegation should be formalized together with appropriate assurance processes. Additionally, the governing body should ensure that: § 6.8.3.2.2 ¶ 1]
    Operational management Preventive
    Assign ownership of the information security program to the appropriate role. CC ID 00814 Operational management Preventive
    Classify assets according to the Asset Classification Policy. CC ID 07186 Operational management Preventive
    Apply asset protection mechanisms for all assets according to their assigned Asset Classification Policy. CC ID 07184 Operational management Preventive
    Establish, implement, and maintain data processing integrity controls. CC ID 00923
    [The governing body should make decisions of requisite quality and ensure that its decision-making is appropriately informed. The governing body should: ensure that assurance is provided over the integrity of the data and information received, and in particular its accuracy and completeness; § 6.8.3.2.1 ¶ 1 g)]
    Records management Preventive
  • Establish/Maintain Documentation
    1049
    Establish, implement, and maintain communication protocols. CC ID 12245
    [The governing body should consider the expectations of relevant stakeholder groups whether the organization is obliged to do so (e.g. member stakeholders, regulators) or whether it chooses to do so (e.g. reference stakeholders). The governing body should ensure that: an open and transparent communication culture within the organization is created and maintained to help bridge the gap between diverse stakeholder groups and varying perspectives based on, for example, gender, age, belief systems or cognitive abilities; § 6.6.3 ¶ 3 e)
    The governing body should ensure that the organization's value generation model (see 6.2): identifies the key resources (e.g. capitals such as human, social and relational, intellectual, the natural environmental, financial and manufactured), structures, processes, relationships, information, decision-making, reporting and other aspects of the organization that allow it to create sustained value for relevant stakeholders; § 6.11.3.2 ¶ 1 a)
    Assurance processes that inform the governing body independently and accurately include: whistleblowing processes and personnel and customer feedback mechanisms, both formal and informal (see NOTE 3). § 6.4.3.3 ¶ 2 Bullet 5]
    Leadership and high level objectives Preventive
    Align the information being disseminated and communicated with the communication requirements according to the organization's communication protocol. CC ID 12419
    [{be within}To demonstrate accountability, the governing body should ensure that the organization's reports and disclosures: are transparent but also within the limits of confidentiality; § 6.5.3.2 ¶ 1 f)
    The governing body should make decisions of requisite quality and ensure that its decision-making is appropriately informed. The governing body should: exercise its right and responsibility to determine and receive the information it requires, including determining the appropriate data collection methods, preparation and timely delivery of information; § 6.8.3.2.1 ¶ 1 f)]
    Leadership and high level objectives Preventive
    Include external requirements in the organization's communication protocol. CC ID 12418 Leadership and high level objectives Preventive
    Include input from interested personnel and affected parties as a part of the organization’s communication protocol. CC ID 12417
    [When defining the organizational values, the governing body should ensure that: all relevant stakeholders are engaged; § 6.1.3.3 ¶ 1 a)
    For accountability to be effective, it relies on effective stakeholder engagement (see 6.6) as this is the basis for effective dialogue, value generation and improvement. The governing body should be available to answer to relevant stakeholders about decisions made and have responses evaluated. Improvements should be applied as the result of feedback from reporting, disclosure and dialogue activities. § 6.5.3.2 ¶ 3
    The governing body should ensure that the organization's stakeholders are appropriately engaged and their expectations considered. § 6.6.1 ¶ 1
    The governing body should ensure that the organization's stakeholders are identified, prioritized, appropriately engaged, consulted and their expectations understood. The governing body should do this to ensure that stakeholder relationships are effective and appropriate decisions about expectations are made to achieve the intended value generation objectives. § 6.6.3 ¶ 1
    {stakeholder engagement process}To ensure that the organization is acting in a socially responsible way, the governing body should: ensure that the expectations of stakeholders are clearly understood; this includes continually engaging relevant stakeholders through an engagement process and a highly developed approach to accountability (see 6.5); § 6.10.3 ¶ 1 a)
    To ensure that the organization is acting in a socially responsible way, the governing body should: engage with all relevant stakeholders when establishing and reviewing governance policies; § 6.10.3 ¶ 1 e)
    The governing body should ensure that the organization's stakeholders are appropriately engaged and their expectations considered. Table 1 Column 4 Row 7
    {be responsible}{be accurate}The governing body should ensure that the organizational risk framework, in respect to the management of risk: mandates that relevant stakeholders are engaged responsibly and accurately, and considers the organization's positive and negative risk impacts on them (see 6.6). § 6.9.3.2 ¶ 2 h)
    The governing body should consider the expectations of relevant stakeholder groups whether the organization is obliged to do so (e.g. member stakeholders, regulators) or whether it chooses to do so (e.g. reference stakeholders). The governing body should ensure that: relevant stakeholders are engaged in achieving the organizational purpose via its organizational strategy; § 6.6.3 ¶ 3 a)
    To ensure that the organization is acting in a socially responsible way, the governing body should: engage with all relevant stakeholders when determining and reviewing the organizational values and promote the organizational values to stakeholders; § 6.10.3 ¶ 1 d)
    {environmental system}{social system} The governing body should ensure that the organization protects and restores those systems on which it depends. In this regard, the governing body should consider and manage risk associated with those decisions it makes that can impact the natural environmental, social and economic systems (see 6.9). While doing so, the governing body should ensure that relevant stakeholders are consulted and engaged (see 6.6). This should provide clarity regarding the impact the governing body's decisions have, over time, on those aspects on which the organization is: § 6.11.3.4 ¶ 1]
    Leadership and high level objectives Preventive
    Document the findings from surveys. CC ID 16309 Leadership and high level objectives Preventive
    Establish, implement, and maintain warning procedures that follow the organization's communication protocol. CC ID 12407 Leadership and high level objectives Preventive
    Establish, implement, and maintain alert procedures that follow the organization's communication protocol. CC ID 12406 Leadership and high level objectives Preventive
    Enforce a precision level for non-financial reporting based on user need and appropriate supply chain criteria. CC ID 12399 Leadership and high level objectives Preventive
    Define the thresholds for escalation in the internal reporting program. CC ID 14332 Leadership and high level objectives Preventive
    Define the thresholds for reporting in the internal reporting program. CC ID 14331 Leadership and high level objectives Preventive
    Define the thresholds for reporting in the external reporting program. CC ID 15679 Leadership and high level objectives Preventive
    Include information about the organizational culture in the external reporting program. CC ID 15610
    [To demonstrate accountability, the governing body should ensure that the organization's reports and disclosures: provide information about the organization, including: the organizational culture, including the organizational behaviour and perceptions of the organization's behaviour provided by relevant stakeholders; § 6.5.3.2 ¶ 1 c) 5)]
    Leadership and high level objectives Preventive
    Include the reasons for objections to public disclosure in confidential treatment applications. CC ID 16594 Leadership and high level objectives Preventive
    Include contact information for the interested personnel and affected parties the report was filed with in the confidential treatment application. CC ID 16595 Leadership and high level objectives Preventive
    Include the information that was omitted in the confidential treatment application. CC ID 16593 Leadership and high level objectives Preventive
    Develop instructions for setting organizational objectives and strategies. CC ID 12931 Leadership and high level objectives Preventive
    Establish, implement, and maintain organizational objectives. CC ID 09959
    [Leadership styles can differ, but they all involve the setting of expectations which others follow. Since the governing body is accountable for the whole organization, including its behaviour, decisions and activities, the governing body should set those expectations it requires the organization to follow, including the parameters within which the organization is to do so. These expectations should be set mindfully and intentionally, considering the context within which the organization operates. § 6.7.3.1 ¶ 1
    Within the organization: The organization should fulfil the expectations set by the governing body. § 6.7.3.2 ¶ 1 b)
    {social context} The governing body should define the organization's value generation objectives such that they fulfil the organizational purpose in accordance with the organizational values and the natural environment, social and economic context within which it operates. This should include iterations of identifying relevant stakeholder groups and determining, prioritizing and formulating objectives which meet the expectations of these groups. § 6.2.3.2 ¶ 1
    The governing body should provide the organization with an understanding of its intentions by setting clear strategic outcomes and guidance on the organizational strategy to achieve these outcomes, which it has determined will fulfil the organizational purpose and value generation objectives. § 6.3.3.1.1 ¶ 1
    Within the governing body: The governing body should set expectations for itself and the organization, including parameters within which these expectations are to be fulfilled. The governing body should fulfil these expectations (internal alignment). § 6.7.3.2 ¶ 1 a)]
    Leadership and high level objectives Preventive
    Establish, implement, and maintain a value generation model. CC ID 15591
    [When applying the governance principles and deciding how to appropriately implement the practices, the governing body should take into consideration the unique and dynamic nature of the organization and its context, including the following: value generation model and organizational strategy; § 5 ¶ 5 Bullet 5
    {external context} The governing body should ensure that the organizational risk framework, in respect to the management of risk: considers the impact of, changes to and dependencies on the external and internal context of the organization, including: the value generation model; § 6.9.3.2 ¶ 2 d) 5)
    The governing body should ensure that an overarching value generation model is determined for the organization and is appropriately communicated. § 6.2.3.1 ¶ 1
    {internal context} When setting the strategic outcomes and guiding the organizational strategy, the governing body should consider the organization's internal and external context, including: the organizational purpose, the application of the organizational values and the organization's value generation model; § 6.3.3.1.1 ¶ 2 a)
    Therefore, the governing body should: ensure that interactions and dependencies within the organization's value generation model are articulated in an integrated manner; § 6.11.3.1 ¶ 2 a)
    {social issue} In determining the value generation model, the governing body should understand the context in which the organization operates over time, including stakeholder expectations, regulatory frameworks, technological change, and the present and potential future natural environment, social and economic issues. The governing body should also ensure that the organization's value generation model continues to be viable and responds to changing conditions. § 6.2.3.1 ¶ 3
    The governing body should ensure that the organization's value generation model (see 6.2): describes how the organization's key structures, processes, relationships, information, decision-making, reporting and other aspects inter-relate and are used to generate value over time. § 6.11.3.2 ¶ 1 b)]
    Leadership and high level objectives Preventive
    Include value distribution in the value generation model. CC ID 15603
    [{procedure} This value generation model should clarify: how the value generated is to be retained and distributed (sustain). § 6.2.3.1 ¶ 2 Bullet 4
    {be viable} The governing body should ensure that value is retained and distributed in a manner that ensures that the organization is agile, viable over time and achieves its value generation objectives. § 6.2.3.5 ¶ 1
    The governing body should demonstrate accountability by retaining and distributing value in a transparent manner and reporting on the associated processes, decisions and results, including on the extent of the organization's impacts over time. This includes disclosing to relevant stakeholders where the organization has destroyed or compromised value, providing a justification for such where appropriate, and describing how it will redress or reinstate that value. § 6.2.3.5 ¶ 2]
    Leadership and high level objectives Preventive
    Include value retention in the value generation model. CC ID 15600
    [{procedure} This value generation model should clarify: how the value generated is to be retained and distributed (sustain). § 6.2.3.1 ¶ 2 Bullet 4
    {be viable} The governing body should ensure that value is retained and distributed in a manner that ensures that the organization is agile, viable over time and achieves its value generation objectives. § 6.2.3.5 ¶ 1
    The governing body should demonstrate accountability by retaining and distributing value in a transparent manner and reporting on the associated processes, decisions and results, including on the extent of the organization's impacts over time. This includes disclosing to relevant stakeholders where the organization has destroyed or compromised value, providing a justification for such where appropriate, and describing how it will redress or reinstate that value. § 6.2.3.5 ¶ 2]
    Leadership and high level objectives Preventive
    Include value generation procedures in the value generation model. CC ID 15599
    [{procedure} This value generation model should clarify: how the organization should generate that value (create); § 6.2.3.1 ¶ 2 Bullet 2
    The governing body should ensure that the organization's value generation model (see 6.2): identifies the key resources (e.g. capitals such as human, social and relational, intellectual, the natural environmental, financial and manufactured), structures, processes, relationships, information, decision-making, reporting and other aspects of the organization that allow it to create sustained value for relevant stakeholders; § 6.11.3.2 ¶ 1 a)
    {procedure} This value generation model should clarify: how the generation of value will be assured (deliver); § 6.2.3.1 ¶ 2 Bullet 3]
    Leadership and high level objectives Preventive
    Establish, implement, and maintain value generation objectives. CC ID 15583
    [Effective performance — The organization: generates value for stakeholders; § 5 ¶ 2 a) 3)
    {member stakeholder}{reference stakeholder}{be fair} The governing body should treat, and ensure that the organization treats, all stakeholders fairly and should consider the expectations of relevant stakeholders. The governing body should ensure that the organizational purpose (see 6.1) and the intended value to be generated (see 6.2) are defined through engagement with member, reference and other relevant stakeholders § 4.2.5 ¶ 1
    Governance of organizations is a human-based system by which an organization is directed, overseen and held accountable for achieving its defined organizational purpose. At its core this includes: determining the organization's approach to value generation; § 4.1 ¶ 3 b)
    {social context}{economic context} The governing body should define the organization's value generation objectives such that they fulfil the organizational purpose in accordance with the organizational values and the natural environment, social, and economic context within which it operates. Table 1 Column 4 Row 3
    {social context}{economic context} The governing body should define the organization's value generation objectives such that they fulfil the organizational purpose in accordance with the organizational values and the natural environment, social and economic context within which it operates. § 6.2.1 ¶ 1
    This value generation model should clarify: what value the organization is intending to generate (define); § 6.2.3.1 ¶ 2 Bullet 1
    {social context} The governing body should define the organization's value generation objectives such that they fulfil the organizational purpose in accordance with the organizational values and the natural environment, social and economic context within which it operates. This should include iterations of identifying relevant stakeholder groups and determining, prioritizing and formulating objectives which meet the expectations of these groups. § 6.2.3.2 ¶ 1
    The governing body should ensure that the value generation objectives are delivered by the organization as a whole, by applying all other principles in this document. This includes ensuring that: § 6.2.3.4 ¶ 1
    {internal context} When setting the strategic outcomes and guiding the organizational strategy, the governing body should consider the organization's internal and external context, including: the defined value generation objectives; § 6.3.3.1.1 ¶ 2 d)
    The governing body should actively and dynamically steer the implementation of the organizational strategy, within the defined governance policies, including organizational values, and changing risk context, to fulfil the organizational purpose. The governing body should also steer the strategy so that the generation of value in the present context is balanced with the innovation required to generate value in the future. § 6.3.3.2.2 ¶ 1
    The governing body should ensure that the value generation objectives are delivered by the organization as a whole, by applying all other principles in this document. This includes ensuring that: assurance is obtained on the realization of the value generation objectives. § 6.2.3.4 ¶ 1 c)]
    Leadership and high level objectives Preventive
    Establish, implement, and maintain social responsibility objectives. CC ID 15611
    [The governing body should ensure that the organization considers undertaking specific measures to contribute to the wellbeing of society. Philanthropy can have a positive impact on society. However, it should not be used by an organization as a substitute for integrating social responsibility into the organization (see ISO 26000:2010, 3.3.4). § 6.10.3 ¶ 3]
    Leadership and high level objectives Preventive
    Establish and maintain a Mission, Vision, and Values Statement. CC ID 12783
    [{be dynamic}{be sensitive} The governing body should ensure that: the organizational purpose remains dynamic and sensitive to the changing context within which the organization operates. § 6.1.3.2 ¶ 2 Bullet 4
    When applying the governance principles and deciding how to appropriately implement the practices, the governing body should take into consideration the unique and dynamic nature of the organization and its context, including the following: organizational purpose and organizational values; § 5 ¶ 5 Bullet 1
    {external context} The governing body should ensure that the organizational risk framework, in respect to the management of risk: considers the impact of, changes to and dependencies on the external and internal context of the organization, including: the organizational purpose; § 6.9.3.2 ¶ 2 d) 3)
    {external context} The governing body should ensure that the organizational risk framework, in respect to the management of risk: considers the impact of, changes to and dependencies on the external and internal context of the organization, including: the organizational values; § 6.9.3.2 ¶ 2 d) 4)
    Governance of organizations is a human-based system by which an organization is directed, overseen and held accountable for achieving its defined organizational purpose. At its core this includes: setting and committing to the organizational purpose and organizational values; § 4.1 ¶ 3 a)
    Having defined the organizational values, the governing body should ensure that these organizational values are being demonstrated and are an active part of decision-making. The governing body should use these organizational values to determine the manner in which the organizational purpose is to be pursued and the value generation objectives are to be achieved (see 6.2). The governing body remains responsible for ensuring that the organizational values are monitored and reviewed, and should assess whether the organizational values remain aligned to, and support, the organizational purpose. The effectiveness of the organizational values will be evident in the culture of the organization. § 6.1.3.3 ¶ 2
    Effective performance — The organization: is true to its purpose; § 5 ¶ 2 a) 1)]
    Leadership and high level objectives Preventive
    Include the vision statement in the Mission, Vision, and Values Statement. CC ID 12839 Leadership and high level objectives Preventive
    Include the mission statement in the Mission, Vision, and Values Statement. CC ID 12838
    [{member stakeholder}{reference stakeholder}{be fair} The governing body should treat, and ensure that the organization treats, all stakeholders fairly and should consider the expectations of relevant stakeholders. The governing body should ensure that the organizational purpose (see 6.1) and the intended value to be generated (see 6.2) are defined through engagement with member, reference and other relevant stakeholders § 4.2.5 ¶ 1
    To ensure that the organization is acting in a socially responsible way, the governing body should: ensure that the organizational purpose expresses the organization's approach to stakeholders; § 6.10.3 ¶ 1 c)
    The governing body should ensure that: the essence of the organizational purpose is documented in a summary statement to promote effective communication and to assess and determine organization-wide actions and success; § 6.1.3.2 ¶ 2 Bullet 1
    The governing body should ensure that the organization's reason for existence is clearly defined as an organizational purpose. This organizational purpose should define the organization's intentions towards the natural environment, society and the organization's stakeholders. The governing body should also ensure that an associated set of organizational values is clearly defined. § 6.1.1 ¶ 1
    The governing body should ensure that the organizational purpose and organizational values are defined, communicated and embedded. § 6.1.3.1 ¶ 1
    Defining the organizational purpose involves identifying the issues and stakeholders for which the organization exists to serve and the negative impacts that are to be avoided. When identifying these, the governing body should ensure that the following are considered: existing documentation relating to the organizational purpose and the scope of the organization's activities, such as constituting documents or other artefacts; § 6.1.3.2 ¶ 1 a)
    {internal context} When setting the strategic outcomes and guiding the organizational strategy, the governing body should consider the organization's internal and external context, including: the organizational purpose, the application of the organizational values and the organization's value generation model; § 6.3.3.1.1 ¶ 2 a)
    The governing body should ensure that the organization's reason for existence is clearly defined as an organizational purpose. This organizational purpose should define the organization's intentions towards the natural environment, society and the organization's stakeholders. The governing body should also ensure that an associated set of organizational values is clearly defined. Table 1 Column 4 Row 2]
    Leadership and high level objectives Preventive
    Include management commitment in the Mission, Vision, and Values Statement. CC ID 12808 Leadership and high level objectives Preventive
    Include the value statement in the Mission, Vision, and Values Statement. CC ID 12807
    [Defining the organizational purpose involves identifying the issues and stakeholders for which the organization exists to serve and the negative impacts that are to be avoided. When identifying these, the governing body should ensure that the following are considered: the historic, current and aspirational core identity of the organization, including the organizational values and expected ethical behaviour; § 6.1.3.2 ¶ 1 b)
    The governing body should ensure that the organization's reason for existence is clearly defined as an organizational purpose. This organizational purpose should define the organization's intentions towards the natural environment, society and the organization's stakeholders. The governing body should also ensure that an associated set of organizational values is clearly defined. § 6.1.1 ¶ 1
    The governing body should ensure that the organizational purpose and organizational values are defined, communicated and embedded. § 6.1.3.1 ¶ 1
    The governing body should ensure that the organization's reason for existence is clearly defined as an organizational purpose. This organizational purpose should define the organization's intentions towards the natural environment, society and the organization's stakeholders. The governing body should also ensure that an associated set of organizational values is clearly defined. Table 1 Column 4 Row 2]
    Leadership and high level objectives Preventive
    Include environmental factors in the Mission, Vision, and Values Statement. CC ID 15590
    [The governing body should ensure that the organization's reason for existence is clearly defined as an organizational purpose. This organizational purpose should define the organization's intentions towards the natural environment, society and the organization's stakeholders. The governing body should also ensure that an associated set of organizational values is clearly defined. § 6.1.1 ¶ 1
    The governing body should ensure that the organization's reason for existence is clearly defined as an organizational purpose. This organizational purpose should define the organization's intentions towards the natural environment, society and the organization's stakeholders. The governing body should also ensure that an associated set of organizational values is clearly defined. Table 1 Column 4 Row 2]
    Leadership and high level objectives Preventive
    Include societal factors in the Mission, Vision, and Values Statement. CC ID 15605
    [The governing body should ensure that the organization's reason for existence is clearly defined as an organizational purpose. This organizational purpose should define the organization's intentions towards the natural environment, society and the organization's stakeholders. The governing body should also ensure that an associated set of organizational values is clearly defined. § 6.1.1 ¶ 1
    The governing body should ensure that the organization's reason for existence is clearly defined as an organizational purpose. This organizational purpose should define the organization's intentions towards the natural environment, society and the organization's stakeholders. The governing body should also ensure that an associated set of organizational values is clearly defined. Table 1 Column 4 Row 2]
    Leadership and high level objectives Preventive
    Include stakeholder requirements in the Mission, Vision, and Values Statement. CC ID 15586
    [The governing body should ensure that the organization's reason for existence is clearly defined as an organizational purpose. This organizational purpose should define the organization's intentions towards the natural environment, society and the organization's stakeholders. The governing body should also ensure that an associated set of organizational values is clearly defined. § 6.1.1 ¶ 1
    The governing body should ensure that the organization's reason for existence is clearly defined as an organizational purpose. This organizational purpose should define the organization's intentions towards the natural environment, society and the organization's stakeholders. The governing body should also ensure that an associated set of organizational values is clearly defined. Table 1 Column 4 Row 2]
    Leadership and high level objectives Preventive
    Document and communicate the linkage between organizational objectives, functions, activities, and general controls. CC ID 12398
    [To demonstrate accountability, the governing body should ensure that the organization's reports and disclosures: provide information about the organization, including: the organization's performance in fulfilling the organizational purpose; § 6.5.3.2 ¶ 1 c) 1)
    To ensure that the organization is acting in a socially responsible way, the governing body should: report the organization's social responsibility objectives clearly and transparently so that stakeholders can understand these objectives, how they are being met and what performance is being achieved against them, as well as provide the necessary evidence to support such claims; § 6.10.3 ¶ 1 h)
    The governing body should ensure that the organization's value generation model (see 6.2): identifies the key resources (e.g. capitals such as human, social and relational, intellectual, the natural environmental, financial and manufactured), structures, processes, relationships, information, decision-making, reporting and other aspects of the organization that allow it to create sustained value for relevant stakeholders; § 6.11.3.2 ¶ 1 a)
    The governing body should ensure that when the organization reports and discloses its value generation model (see 6.2 and 6.5) these include: the integrated view of the relationships between the organization's value generation model and the systems on which this depends (and which the organization also affects through its value generation); § 6.11.3.4 ¶ 2 a)
    The governing body is accountable for ensuring that the organization fulfils the defined organizational purpose and should ensure that the organization does so in a manner which demonstrates the defined organizational values. § 6.1.3.4 ¶ 1
    The governing body should ensure that the organization's value generation model (see 6.2): describes how the organization's key structures, processes, relationships, information, decision-making, reporting and other aspects inter-relate and are used to generate value over time. § 6.11.3.2 ¶ 1 b)
    Be open about decisions and activities that affect the natural environment, society and the economy, and be willing to communicate these in a clear, accurate, timely, honest and complete manner. Table 2 Column 2 Row 4 Bullet 1]
    Leadership and high level objectives Preventive
    Establish, implement, and maintain data governance and management practices. CC ID 14998
    [The governing body should recognize data as a valuable resource for decision-making by the governing body, the organization and others. § 6.8.1 ¶ 1
    The governing body should ensure that the organization identifies, manages, monitors and communicates the nature and extent of its use of data (see 6.5.3). § 6.8.3.1 ¶ 1
    The recognition that data can be a strategic asset (or liability) means that the governing body should: acknowledge the complexities and growing importance of data and establish governance policies and direction that aligns with the organization's needs and the degree of change required; § 6.8.3.3 ¶ 1 c)
    The recognition that data can be a strategic asset (or liability) means that the governing body should: understand the use, and potential use, of data by the organization and others (e.g. suppliers, customers, regulators and other relevant stakeholders as well as competitors and those who can misuse the data); § 6.8.3.3 ¶ 1 b)
    The governing body should provide direction for, and have sufficient oversight of, the use of data and its supporting information technology to ensure the organization remains within its established risk appetite and organizational risk framework. This can include: § 6.8.3.4 ¶ 2
    The governing body should recognize data as a valuable resource for decision-making by the governing body, the organization and others. Table 1 Column 4 Row 9
    {be responsible}{be ethical} The governing body should, in particular, ensure that the organization recognizes data as a strategic resource and ensure that the organization uses data responsibly and ethically. § 6.8.3.1 ¶ 2
    The governing body should oversee organizational performance by assessing and taking corrective action based on: the organization's controlling and processing of data, ensuring that data are recognized as a valuable and strategic organizational resource (see 6.8); § 6.4.3.2 ¶ 1 h)
    The recognition that data can be a strategic asset (or liability) means that the governing body should: ensure that the organization establishes a formal approach to its management of data and, where necessary, assurance is provided (see 6.4.3); § 6.8.3.3 ¶ 1 a)]
    Leadership and high level objectives Preventive
    Address shortcomings of the data sets in the data governance and management practices. CC ID 15087 Leadership and high level objectives Preventive
    Include any shortcomings of the data sets in the data governance and management practices. CC ID 15086 Leadership and high level objectives Preventive
    Include bias for data sets in the data governance and management practices. CC ID 15085 Leadership and high level objectives Preventive
    Include a data strategy in the data governance and management practices. CC ID 15304 Leadership and high level objectives Preventive
    Include data monitoring in the data governance and management practices. CC ID 15303
    [The governing body should ensure that the organization identifies, manages, monitors and communicates the nature and extent of its use of data (see 6.5.3). § 6.8.3.1 ¶ 1
    The governing body should provide direction for, and have sufficient oversight of, the use of data and its supporting information technology to ensure the organization remains within its established risk appetite and organizational risk framework. This can include: the adoption of a system to ensure the rights, obligations and constraints of data sets are understood and tracked, e.g. privacy and intellectual property right obligations; § 6.8.3.4 ¶ 2 a)]
    Leadership and high level objectives Preventive
    Include an assessment of the data sets in the data governance and management practices. CC ID 15084
    [The governing body should provide direction for, and have sufficient oversight of, the use of data and its supporting information technology to ensure the organization remains within its established risk appetite and organizational risk framework. This can include: the adoption of a system to ensure the rights, obligations and constraints of data sets are understood and tracked, e.g. privacy and intellectual property right obligations; § 6.8.3.4 ¶ 2 a)]
    Leadership and high level objectives Preventive
    Include assumptions for the formulation of data sets in the data governance and management practices. CC ID 15083 Leadership and high level objectives Preventive
    Include data collection for data sets in the data governance and management practices. CC ID 15082 Leadership and high level objectives Preventive
    Include data preparations for data sets in the data governance and management practices. CC ID 15081
    [The governing body should make decisions of requisite quality and ensure that its decision-making is appropriately informed. The governing body should: exercise its right and responsibility to determine and receive the information it requires, including determining the appropriate data collection methods, preparation and timely delivery of information; § 6.8.3.2.1 ¶ 1 f)]
    Leadership and high level objectives Preventive
    Include design choices for data sets in the data governance and management practices. CC ID 15080 Leadership and high level objectives Preventive
    Establish, implement, and maintain an information classification standard. CC ID 00601 Leadership and high level objectives Preventive
    Establish, implement, and maintain a data classification scheme. CC ID 11628 Leadership and high level objectives Preventive
    Approve the data classification scheme. CC ID 13858 Leadership and high level objectives Detective
    Establish and maintain an organizational data dictionary, including data syntax rules. CC ID 00600 Leadership and high level objectives Preventive
    Refrain from including metadata in the data dictionary. CC ID 13529 Leadership and high level objectives Preventive
    Refrain from allowing incompatible data elements in the data dictionary. CC ID 13624 Leadership and high level objectives Preventive
    Include information needed to understand each data element and population in the data dictionary. CC ID 13528 Leadership and high level objectives Preventive
    Include the factors to determine what is included or excluded from the data element in the data dictionary. CC ID 13525 Leadership and high level objectives Preventive
    Include the date or time period the data was observed in the data dictionary. CC ID 13524 Leadership and high level objectives Preventive
    Include the uncertainty in the population of each data element in the data dictionary. CC ID 13522 Leadership and high level objectives Preventive
    Include the uncertainty of each data element in the data dictionary. CC ID 13521 Leadership and high level objectives Preventive
    Include the measurement units for each data element in the data dictionary. CC ID 13534 Leadership and high level objectives Preventive
    Include the precision of the measurement in the data dictionary. CC ID 13520 Leadership and high level objectives Preventive
    Include the data source in the data dictionary. CC ID 13519 Leadership and high level objectives Preventive
    Include the nature of each element in the data dictionary. CC ID 13518 Leadership and high level objectives Preventive
    Include the population of events or instances in the data dictionary. CC ID 13517 Leadership and high level objectives Preventive
    Establish, implement, and maintain an Information and Infrastructure Architecture model. CC ID 00599 Leadership and high level objectives Preventive
    Establish, implement, and maintain sustainable infrastructure planning. CC ID 00603
    [Responsible stewardship — The organization: ensures its contribution to sustainable development; § 5 ¶ 2 b) 4)
    {be viable} The governing body should ensure that the organization remains viable, and performs over time, without compromising the ability of current and future generations to meet their needs. Table 1 Column 4 Row 12
    {be viable} The governing body should ensure that the organization remains viable, and performs over time, without compromising the ability of current and future generations to meet their needs. § 6.11.1 ¶ 1
    The aim of governance, and the duty of the governing body, is to create the conditions for, and to enable, the organization to perform over time, such that it fulfils its organizational purpose and generates value as intended. An organization can be said to be contributing to sustainable development, and to be sustainable, when it generates value in a manner that meets the needs of the present without compromising the ability of future generations to meet their own needs. By aligning an organization's governance with sustainable development, e.g. via the UN SDGs, governing bodies help create the conditions for an organization's future success. As a result, governing bodies should ensure that sustainable development and sustainability are fundamental considerations when governing and applying the governance principles in this document. § 4.2.4 ¶ 1]
    Leadership and high level objectives Preventive
    Establish, implement, and maintain an organizational structure. CC ID 16310 Leadership and high level objectives Preventive
    Establish, implement, and maintain a Quality Management framework. CC ID 07196 Leadership and high level objectives Preventive
    Include supply chain management standards in the Quality Management framework. CC ID 13701 Leadership and high level objectives Preventive
    Establish, implement, and maintain a Quality Management policy. CC ID 13694 Leadership and high level objectives Preventive
    Include a commitment to satisfy applicable requirements in the Quality Management policy. CC ID 13700 Leadership and high level objectives Preventive
    Tailor the Quality Management policy to support the organization's strategic direction. CC ID 13699 Leadership and high level objectives Preventive
    Include a commitment to continual improvement of the Quality Management system in the Quality Management policy. CC ID 13698 Leadership and high level objectives Preventive
    Include critical Information Technology processes in the Quality Management framework. CC ID 13645 Leadership and high level objectives Preventive
    Align the quality objectives with the Quality Management policy. CC ID 13697 Leadership and high level objectives Preventive
    Establish, implement, and maintain a Quality Management standard. CC ID 01006 Leadership and high level objectives Preventive
    Document the measurements used by Quality Assurance and Quality Control testing. CC ID 07200 Leadership and high level objectives Preventive
    Establish, implement, and maintain a Quality Management program. CC ID 07201 Leadership and high level objectives Preventive
    Include quality objectives in the Quality Management program. CC ID 13693 Leadership and high level objectives Preventive
    Include records management in the quality management system. CC ID 15055 Leadership and high level objectives Preventive
    Include risk management in the quality management system. CC ID 15054 Leadership and high level objectives Preventive
    Include data management procedures in the quality management system. CC ID 15052 Leadership and high level objectives Preventive
    Include a post-market monitoring system in the quality management system. CC ID 15027 Leadership and high level objectives Preventive
    Include operational roles and responsibilities in the quality management system. CC ID 15028 Leadership and high level objectives Preventive
    Include resource management in the quality management system. CC ID 15026
    [The value generation model requires an integrated approach to understanding and using resources (e.g. human, social and relational, intellectual, the natural environment, financial and manufactured). This approach includes: § 6.2.3.1 ¶ 4
    The governing body should ensure that it sets parameters, within which the value generation objectives are to be achieved. These parameters should ensure that the organization: recognizes and optimizes the interaction between the required resources. § 6.2.3.3 ¶ 1 c)
    The governing body should oversee organizational performance by assessing and taking corrective action based on: resource allocations, capacity and capabilities (including people and their development) ensuring that the organization is enabled to meet its organizational purpose, value generation objectives and strategic outcomes; § 6.4.3.2 ¶ 1 g)]
    Leadership and high level objectives Preventive
    Include communication protocols in the quality management system. CC ID 15025 Leadership and high level objectives Preventive
    Include incident reporting procedures in the quality management system. CC ID 15023 Leadership and high level objectives Preventive
    Include technical specifications in the quality management system. CC ID 15021 Leadership and high level objectives Preventive
Document, in a deficiency report, the deficiencies that were found during Quality Control and corrected during Quality Improvement. CC ID 07203 Leadership and high level objectives Preventive
    Include program documentation standards in the Quality Management program. CC ID 01016 Leadership and high level objectives Preventive
    Include program testing standards in the Quality Management program. CC ID 01017 Leadership and high level objectives Preventive
    Include system testing standards in the Quality Management program. CC ID 01018 Leadership and high level objectives Preventive
    Establish and maintain the scope of the organizational compliance framework and Information Assurance controls. CC ID 01241 Leadership and high level objectives Preventive
    Establish and maintain an Information Systems Assurance Categories Definitions document. CC ID 01608 Leadership and high level objectives Preventive
    Establish, implement, and maintain a policy and procedure management program. CC ID 06285 Leadership and high level objectives Preventive
    Analyze organizational policies, as necessary. CC ID 14037 Leadership and high level objectives Detective
    Establish and maintain an Authority Document list. CC ID 07113 Leadership and high level objectives Preventive
    Document organizational procedures that harmonize external requirements, including all legal requirements. CC ID 00623
    [Ethical and effective leadership should be demonstrated in three areas: the manner in which the organization interacts with, and impacts, its stakeholders and the context within which it operates. § 6.7.3.1 ¶ 4 c)
{human right} The governing body should consider the expectations of relevant stakeholder groups whether the organization is obliged to do so (e.g. member stakeholders, regulators) or whether it chooses to do so (e.g. reference stakeholders). The governing body should ensure that: human and labour rights in all countries of operation are respected; § 6.6.3 ¶ 3 d)
    Within the organization's external context: Where the organization has set contextual expectations, such as commitments to stakeholders and the natural environment, the organization should fulfil these expectations as set. § 6.7.3.2 ¶ 1 c)
{external system} The governing body should ensure that the organization's value generation model identifies and assesses (see 6.2): the inter-relationships between the organization and these systems; § 6.11.3.3 ¶ 1 b)]
    Leadership and high level objectives Preventive
    Establish, implement, and maintain full documentation of all policies, standards, and procedures that support the organization's compliance framework. CC ID 01636 Leadership and high level objectives Preventive
    Approve all compliance documents. CC ID 06286
[{individual} The governing body should engage with strategic planning by: reviewing, assessing and approving the plans developed by those to whom they have delegated; § 6.3.3.2.1 ¶ 1 c)]
    Leadership and high level objectives Preventive
    Align the Authority Document list with external requirements. CC ID 06288
    [The governing body should ensure that: the organizational purpose is available to all stakeholders and reflected in the constituting documents where possible; § 6.1.3.2 ¶ 2 Bullet 2]
    Leadership and high level objectives Preventive
    Identify and document the Designated Approval Authority for compliance documents. CC ID 07114 Leadership and high level objectives Preventive
    Establish, implement, and maintain a compliance exception standard. CC ID 01628 Leadership and high level objectives Preventive
    Include the authority for granting exemptions in the compliance exception standard. CC ID 14329 Leadership and high level objectives Preventive
    Include all compliance exceptions in the compliance exception standard. CC ID 01630 Leadership and high level objectives Detective
    Include explanations, compensating controls, or risk acceptance in the compliance exceptions Exceptions document. CC ID 01631 Leadership and high level objectives Preventive
    Include when exemptions expire in the compliance exception standard. CC ID 14330 Leadership and high level objectives Preventive
    Include management of the exemption register in the compliance exception standard. CC ID 14328 Leadership and high level objectives Preventive
    Review and document the meetings and actions of the Board of Directors or audit committee in the Board Report. CC ID 01151 Leadership and high level objectives Detective
    Include recommendations for changes or updates to the information security program in the Board Report. CC ID 13180 Leadership and high level objectives Preventive
    Provide critical project reports to the compliance oversight committee in a timely manner. CC ID 01183 Leadership and high level objectives Detective
    Document the requirements of stakeholders during the business planning process regarding Information Security. CC ID 06498 Leadership and high level objectives Preventive
    Establish, implement, and maintain a strategic plan. CC ID 12784
    [Governance of organizations is a human-based system by which an organization is directed, overseen and held accountable for achieving its defined organizational purpose. At its core this includes: directing and engaging with strategy to generate value; § 4.1 ¶ 3 c)
    The governing body should direct and engage with the organizational strategy, in accordance with the value generation model, to fulfil the organizational purpose. Table 1 Column 4 Row 4
    Having defined the organizational values, the governing body should ensure that these organizational values are being demonstrated and are an active part of decision-making. The governing body should use these organizational values to determine the manner in which the organizational purpose is to be pursued and the value generation objectives are to be achieved (see 6.2). The governing body remains responsible for ensuring that the organizational values are monitored and reviewed, and should assess whether the organizational values remain aligned to, and support, the organizational purpose. The effectiveness of the organizational values will be evident in the culture of the organization. § 6.1.3.3 ¶ 2
    The governing body should direct and engage with the organizational strategy, in accordance with the value generation model, to fulfil the organizational purpose. § 6.3.1 ¶ 1
{individual} The governing body should engage with strategic planning by: reviewing, assessing and approving the plans developed by those to whom they have delegated; § 6.3.3.2.1 ¶ 1 c)
    The governing body should engage with strategic planning by: overseeing (see 6.4) the implementation of these plans and ensuring that they meet the agreed strategic outcomes. § 6.3.3.2.1 ¶ 1 d)
    The governing body should actively and dynamically steer the implementation of the organizational strategy, within the defined governance policies, including organizational values, and changing risk context, to fulfil the organizational purpose. The governing body should also steer the strategy so that the generation of value in the present context is balanced with the innovation required to generate value in the future. § 6.3.3.2.2 ¶ 1
    The governing body should steer the organizational strategy by means of: § 6.3.3.2.2 ¶ 2
    Ethical leadership results in an organizational context and culture that: provides competitive differentiation for stakeholders by providing clarity against which evaluators can assess the organization's behaviour, decisions and activities; § 6.7.3.3 ¶ 3 Bullet 4
    The governing body should steer the organizational strategy by means of: monitoring and responding to the behaviour, decisions and activities of the organization, e.g. values-driven behaviours pertaining to sustainability; § 6.3.3.2.2 ¶ 2 b)]
    Leadership and high level objectives Preventive
    Include acting with integrity in the strategic plan. CC ID 12870
    [At all times, the governing body should act collectively, performing many interrelated activities in order to exercise its authority and fulfil its accountability. Members of the governing body should act with probity and in the best interests of the organization while applying the principles in this document. § 4.3.1 ¶ 3]
    Leadership and high level objectives Preventive
    Include the outsource partners in the strategic plan, as necessary. CC ID 13960 Leadership and high level objectives Preventive
    Align the cybersecurity program strategy with the organization's strategic plan. CC ID 14322 Leadership and high level objectives Preventive
    Establish, implement, and maintain a planning policy. CC ID 14673 Leadership and high level objectives Preventive
    Establish, implement, and maintain planning procedures. CC ID 14698 Leadership and high level objectives Preventive
    Include compliance requirements in the planning policy. CC ID 14688 Leadership and high level objectives Preventive
    Include coordination amongst entities in the planning policy. CC ID 14687 Leadership and high level objectives Preventive
    Include management commitment in the planning policy. CC ID 14686 Leadership and high level objectives Preventive
    Include roles and responsibilities in the planning policy. CC ID 14685 Leadership and high level objectives Preventive
    Include the scope in the planning policy. CC ID 14684 Leadership and high level objectives Preventive
    Include the purpose in the planning policy. CC ID 14683 Leadership and high level objectives Preventive
    Establish, implement, and maintain a security planning policy. CC ID 14027 Leadership and high level objectives Preventive
    Include compliance requirements in the security planning policy. CC ID 14131 Leadership and high level objectives Preventive
    Include coordination amongst entities in the security planning policy. CC ID 14130 Leadership and high level objectives Preventive
    Include management commitment in the security planning policy. CC ID 14129 Leadership and high level objectives Preventive
    Include roles and responsibilities in the security planning policy. CC ID 14128 Leadership and high level objectives Preventive
    Include the scope in the security planning policy. CC ID 14127 Leadership and high level objectives Preventive
    Include the purpose in the security planning policy. CC ID 14126 Leadership and high level objectives Preventive
    Establish, implement, and maintain security planning procedures. CC ID 14060 Leadership and high level objectives Preventive
    Establish, implement, and maintain a decision management strategy. CC ID 06913
    [The governing body should ensure that the organization's stakeholders are identified, prioritized, appropriately engaged, consulted and their expectations understood. The governing body should do this to ensure that stakeholder relationships are effective and appropriate decisions about expectations are made to achieve the intended value generation objectives. § 6.6.3 ¶ 1
    The governing body should make decisions of requisite quality and ensure that its decision-making is appropriately informed. The governing body should: § 6.8.3.2.1 ¶ 1
    The governing body should make decisions of requisite quality and ensure that its decision-making is appropriately informed. The governing body should: ensure that there is commitment to support the collective decision, to clearly record it and to act on it; § 6.8.3.2.1 ¶ 1 b)
    The governing body should ensure that decisions are transparent and aligned with broader societal expectations. Table 1 Column 4 Row 11
    Ethical behaviour — The organization behaves in accordance with accepted principles of right or good conduct in the context of a particular situation and in a manner consistent with international norms of behaviour, including demonstrating: competence and probity in the manner in which it makes decisions. § 5 ¶ 2 c) 5)
    The governing body should make decisions of requisite quality and ensure that its decision-making is appropriately informed. The governing body should: maintain an appropriate balance between guiding discussions to a decision and ensuring that every member has the opportunity to express their independent assessment; § 6.8.3.2.1 ¶ 1 a)
    Act with due care, skill, diligence and loyalty, and take reasonable steps to become informed about particular matters for decision-making. Table 2 Column 2 Row 3 Bullet 2
    The governing body should ensure that decisions are transparent and aligned with broader societal expectations. § 6.10.1 ¶ 1
The governing body should ensure that the organization's value generation model (see 6.2): identifies the key resources (e.g. capitals such as human, social and relational, intellectual, the natural environment, financial and manufactured), structures, processes, relationships, information, decision-making, reporting and other aspects of the organization that allow it to create sustained value for relevant stakeholders; § 6.11.3.2 ¶ 1 a)
    The governing body should steer the organizational strategy by means of: reserving some decisions for the governing body (those which materially or fundamentally impact the organization as a whole) and delegating others; § 6.3.3.2.2 ¶ 2 e)
    The governing body should steer the organizational strategy by means of: decision-making, specifically, the strategic deployment of resources. § 6.3.3.2.2 ¶ 2 j)
    A process of reconciliation between seemingly opposed dimensions leads to more informed and robust decisions. Reconciling dilemmas requires a deliberate approach that includes: reconciling the perspectives, considering how each position can support the other; § 6.7.3.4 ¶ 2 d)
{hold accountable}{individual} The governing body should hold to account those to whom it has delegated (see 4.2.2). The governing body should ask questions, exercise its judgement, implement consequences, affect improvements and ensure that it is equipped to do so. When doing so, the governing body should practise integrity, fairness and transparency. § 6.5.3.3 ¶ 1
    Ethical leadership results in an organizational context and culture that: provides competitive differentiation for stakeholders by providing clarity against which evaluators can assess the organization's behaviour, decisions and activities; § 6.7.3.3 ¶ 3 Bullet 4
    The governing body should steer the organizational strategy by means of: monitoring and responding to the behaviour, decisions and activities of the organization, e.g. values-driven behaviours pertaining to sustainability; § 6.3.3.2.2 ¶ 2 b)]
    Leadership and high level objectives Preventive
    Include an economic impact analysis in the decision management strategy. CC ID 14015 Leadership and high level objectives Preventive
    Include cost benefit analysis in the decision management strategy. CC ID 14014 Leadership and high level objectives Preventive
    Include criteria for compliance in the decision-making criteria. CC ID 12951 Leadership and high level objectives Preventive
    Include criteria for risk tolerance in the decision-making criteria. CC ID 12950 Leadership and high level objectives Preventive
    Include criteria for selecting objectives and strategies in the decision-making criteria. CC ID 12949
    [The governing body should make decisions of requisite quality and ensure that its decision-making is appropriately informed. The governing body should: ensure that diverse inputs are provided to a rigorous, open and transparent decision-making process and that the results that can be achieved, options for achieving them and their implications are understood. § 6.8.3.2.1 ¶ 1 h)]
    Leadership and high level objectives Preventive
    Include criteria for setting priorities in the decision-making criteria. CC ID 12938
    [A process of reconciliation between seemingly opposed dimensions leads to more informed and robust decisions. Reconciling dilemmas requires a deliberate approach that includes: identifying the advantages and disadvantages of each; § 6.7.3.4 ¶ 2 c)]
    Leadership and high level objectives Preventive
    Identify and document the events that initiate the decision management strategy. CC ID 06914
    [A process of reconciliation between seemingly opposed dimensions leads to more informed and robust decisions. Reconciling dilemmas requires a deliberate approach that includes: recognizing and identifying the dilemma; § 6.7.3.4 ¶ 2 a)]
    Leadership and high level objectives Detective
    Document and evaluate the decision outcomes from the decision-making process. CC ID 06918
    [The governing body should make decisions of requisite quality and ensure that its decision-making is appropriately informed. The governing body should: ensure that there is commitment to support the collective decision, to clearly record it and to act on it; § 6.8.3.2.1 ¶ 1 b)
    When delegating, the governing body should delegate in a manner which increases trust and transparency. For delegation and accountability (see 6.5) to be effective, the governing body should ensure that the following conditions are fulfilled: expected outcomes are negotiated, specified and agreed; § 4.2.2 ¶ 2 a)]
    Leadership and high level objectives Preventive
    Establish, implement, and maintain an information technology process framework. CC ID 13648 Leadership and high level objectives Preventive
    Include maturity models in the Information Technology process framework. CC ID 13652 Leadership and high level objectives Preventive
    Include relationships between Information Technology process structures in the Information Technology process framework. CC ID 13651 Leadership and high level objectives Preventive
    Include Information Technology process structures in the Information Technology process framework. CC ID 13650 Leadership and high level objectives Preventive
    Establish, implement, and maintain a tactical plan. CC ID 12785
    [The governing body should provide the organization with an understanding of its intentions by setting clear strategic outcomes and guidance on the organizational strategy to achieve these outcomes, which it has determined will fulfil the organizational purpose and value generation objectives. § 6.3.3.1.1 ¶ 1]
    Leadership and high level objectives Preventive
    Include acting with integrity in the tactical plan. CC ID 12871 Leadership and high level objectives Preventive
    Establish, implement, and maintain a Strategic Information Technology Plan. CC ID 00628
    [The governing body should provide direction for, and have sufficient oversight of, the use of data and its supporting information technology to ensure the organization remains within its established risk appetite and organizational risk framework. This can include: § 6.8.3.4 ¶ 2
    The governing body should provide direction for, and have sufficient oversight of, the use of data and its supporting information technology to ensure the organization remains within its established risk appetite and organizational risk framework. This can include: ensuring that human behaviour is considered when applying information technology, including safety, fit for purpose and alignment with the organizational purpose; § 6.8.3.4 ¶ 2 e)
    The governing body should provide direction for, and have sufficient oversight of, the use of data and its supporting information technology to ensure the organization remains within its established risk appetite and organizational risk framework. This can include: innovation processes to ensure that changes in information technology can quickly be assessed and, if necessary and appropriate, governance policies can be updated to leverage new opportunities; § 6.8.3.4 ¶ 2 d)]
    Leadership and high level objectives Preventive
    Include the Information Governance Plan in the Strategic Information Technology Plan. CC ID 10053
    [The recognition that data can be a strategic asset (or liability) means that the governing body should: acknowledge the complexities and growing importance of data and establish governance policies and direction that aligns with the organization's needs and the degree of change required; § 6.8.3.3 ¶ 1 c)
    The recognition that data can be a strategic asset (or liability) means that the governing body should: ensure that the information requirements of the organization are sufficiently supported by its current and future technology capabilities; § 6.8.3.3 ¶ 1 d)]
    Leadership and high level objectives Preventive
    Include the transparency goals in the Information Governance Plan. CC ID 10056 Leadership and high level objectives Preventive
    Include the information integrity goals in the Information Governance Plan. CC ID 10057
    [To demonstrate accountability, the governing body should ensure that the organization's reports and disclosures: give confidence in the integrity of the information used, e.g. describing assurance processes applied (see 6.4); § 6.5.3.2 ¶ 1 e)]
    Leadership and high level objectives Preventive
    Include business continuity objectives in the Strategic Information Technology Plan. CC ID 06496 Leadership and high level objectives Preventive
    Align business continuity objectives with the business continuity policy. CC ID 12408 Leadership and high level objectives Preventive
    Incorporate protecting restricted information from unauthorized information flow or unauthorized disclosure into the Strategic Information Technology Plan. CC ID 06491 Leadership and high level objectives Preventive
    Include the references to the organization's Information Technology systems in the Strategic Information Technology Plan, as necessary. CC ID 13959 Leadership and high level objectives Preventive
    Establish, implement, and maintain tactical Information Technology plans in support of the Strategic Information Technology Plan. CC ID 00632 Leadership and high level objectives Preventive
    Establish, implement, and maintain tactical Information Technology plans derived from the Strategic Information Technology Plan. CC ID 01609 Leadership and high level objectives Preventive
    Document how each Information Technology project plan directly or indirectly supports the Strategic Information Technology Plan. CC ID 06497 Leadership and high level objectives Preventive
    Document the business case and return on investment in each Information Technology project plan. CC ID 06846 Leadership and high level objectives Preventive
    Document all desired outcomes for a proposed project in the Information Technology project plan. CC ID 06916 Leadership and high level objectives Preventive
    Document the success criteria for the proposed project in the Information Technology project plan. CC ID 06917 Leadership and high level objectives Preventive
    Include milestones for each project phase in the Information Technology project plan. CC ID 12621 Leadership and high level objectives Preventive
    Document lessons learned at the conclusion of each Information Technology project. CC ID 13654 Leadership and high level objectives Corrective
    Establish, implement, and maintain a counterterror protective security plan. CC ID 06862 Leadership and high level objectives Preventive
    Include communications and awareness activities in the counterterror protective security plan. CC ID 06863 Leadership and high level objectives Preventive
    Include the protective security measures to implement after a change in the government response level in the counterterror protective security plan. CC ID 06864 Leadership and high level objectives Preventive
    Include a search plan in the counterterror protective security plan. CC ID 06865 Leadership and high level objectives Preventive
    Include an evacuation plan in the counterterror protective security plan. CC ID 06940 Leadership and high level objectives Preventive
    Include a continuity plan in the counterterror protective security plan. CC ID 07031 Leadership and high level objectives Preventive
    Establish, implement, and maintain Information Technology projects in support of the Strategic Information Technology Plan. CC ID 13673 Leadership and high level objectives Preventive
    Disseminate and communicate the Information Technology Plans to all interested personnel and affected parties. CC ID 00633 Leadership and high level objectives Preventive
    Establish, implement, and maintain a financial management program. CC ID 13228
    [To exercise effective oversight, the governing body should: ensure that an internal control system is implemented, including a risk management system, a compliance management system and a system of financial controls; § 6.4.3.1 ¶ 1 b)
{be financially sound} The governing body should oversee organizational performance by assessing and taking corrective action based on: the organization's financial results and financial resources, ensuring that the organization remains financially sound; § 6.4.3.2 ¶ 1 f)]
    Leadership and high level objectives Preventive
    Establish, implement, and maintain funds transfer procedures. CC ID 16754 Leadership and high level objectives Preventive
    Include communication protocols in the financial management program. CC ID 16763 Leadership and high level objectives Preventive
    Establish, implement, and maintain a financial products and services disclosure policy. CC ID 16717 Leadership and high level objectives Preventive
    Require acknowledgment of receipt from the customer in the financial products and services disclosure policy. CC ID 16725 Leadership and high level objectives Preventive
    Establish, implement, and maintain financial resource management procedures. CC ID 16642 Leadership and high level objectives Preventive
    Document the rationale for the amount of financial resources being held. CC ID 16688 Leadership and high level objectives Preventive
    Establish, implement, and maintain collateral procedures. CC ID 16653 Leadership and high level objectives Preventive
    Include the use of appropriate models in the collateral procedures. CC ID 16687 Leadership and high level objectives Preventive
    Define the collateral requirements in the collateral procedures. CC ID 16686 Leadership and high level objectives Preventive
    Identify and document the financial resources available for use. CC ID 16643 Leadership and high level objectives Preventive
    Establish, implement, and maintain credit loss procedures. CC ID 16683 Leadership and high level objectives Preventive
    Include the allocation of credit losses in the credit loss procedures. CC ID 16684 Leadership and high level objectives Preventive
    Include fairness and equitability standards in the securities trading program. CC ID 16690 Leadership and high level objectives Preventive
    Include roles and responsibilities in the securities trading program. CC ID 16689 Leadership and high level objectives Preventive
    Establish, implement, and maintain a capital restoration plan. CC ID 16613 Leadership and high level objectives Preventive
    Include performance guarantees in the capital restoration plan. CC ID 16616 Leadership and high level objectives Preventive
    Include corrective actions taken in the capital restoration plan. CC ID 16612 Leadership and high level objectives Preventive
    Include required information in the capital restoration plan. CC ID 16609 Leadership and high level objectives Preventive
    Establish, implement, and maintain valuation procedures. CC ID 16634 Leadership and high level objectives Preventive
    Establish, implement, and maintain capital withdrawal requirements. CC ID 16576 Leadership and high level objectives Preventive
    Establish, implement, and maintain lending policies. CC ID 16608 Leadership and high level objectives Preventive
    Include the requirements for risk assessments in the lending policy. CC ID 16730 Leadership and high level objectives Preventive
    Include the requirements for sensitivity analyses in the lending policy. CC ID 16728 Leadership and high level objectives Preventive
    Include the requirements for feasibility studies in the lending policy. CC ID 16726 Leadership and high level objectives Preventive
    Include pricing structures in the lending policy. CC ID 16724 Leadership and high level objectives Preventive
    Include monitoring requirements in the lending policy. CC ID 16710 Leadership and high level objectives Preventive
    Include loan origination procedures in the lending policy. CC ID 16709 Leadership and high level objectives Preventive
    Include review procedures and approval procedures for exception loans in the lending policy. CC ID 16708 Leadership and high level objectives Preventive
    Include loan requirements in the lending policy. CC ID 16706 Leadership and high level objectives Preventive
    Include appraisals and evaluations in the lending policy. CC ID 16705 Leadership and high level objectives Preventive
    Include terms and conditions in the lending policy. CC ID 16695 Leadership and high level objectives Preventive
    Include the scope and distribution of loans in the lending policy. CC ID 16693 Leadership and high level objectives Preventive
    Include geographic areas in the lending policy. CC ID 16691 Leadership and high level objectives Preventive
    Include underwriting guidelines in the lending policy. CC ID 16619 Leadership and high level objectives Preventive
    Include credit review in the underwriting guidelines. CC ID 16765 Leadership and high level objectives Preventive
    Include loan-to-value ratio limits in the lending policy. CC ID 16618 Leadership and high level objectives Preventive
    Include documentation requirements in the lending policy. CC ID 16617 Leadership and high level objectives Preventive
    Include the purpose of the loan in the loan documentation. CC ID 16747 Leadership and high level objectives Preventive
    Include the source of repayment in the loan documentation. CC ID 16746 Leadership and high level objectives Preventive
    Include approval requirements in the lending policy. CC ID 16615 Leadership and high level objectives Preventive
    Include reporting requirements in the lending policy. CC ID 16614 Leadership and high level objectives Preventive
    Include loan portfolio diversification standards in the lending policy. CC ID 16611 Leadership and high level objectives Preventive
    Include loan administration procedures in the lending policy. CC ID 16610 Leadership and high level objectives Preventive
    Include loan participation agreements in the loan administration procedures. CC ID 16745 Leadership and high level objectives Preventive
    Include termination procedures in the loan participation agreement. CC ID 16753 Leadership and high level objectives Preventive
    Justify the safety and efficiency of the participation requirements in the loan participation agreement. CC ID 16752 Leadership and high level objectives Preventive
    Include servicing agreements in the loan administration procedures. CC ID 16744 Leadership and high level objectives Preventive
    Include claims processing in the loan administration procedures. CC ID 16742 Leadership and high level objectives Preventive
    Include forbearance management in the loan administration procedures. CC ID 16741 Leadership and high level objectives Preventive
    Include foreclosure management in the loan administration procedures. CC ID 16740 Leadership and high level objectives Preventive
    Include delinquency management in the loan administration procedures. CC ID 16739 Leadership and high level objectives Preventive
    Include the requirements for financial statements in the loan administration procedures. CC ID 16735 Leadership and high level objectives Preventive
    Include loan closing in the loan administration procedures. CC ID 16734 Leadership and high level objectives Preventive
    Include payoff statements in the loan administration procedures. CC ID 16733 Leadership and high level objectives Preventive
    Include payment processing in the loan administration procedures. CC ID 16732 Leadership and high level objectives Preventive
    Include loan reviews in the loan administration procedures. CC ID 16703 Leadership and high level objectives Preventive
    Include collections in the loan administration procedures. CC ID 16701 Leadership and high level objectives Preventive
    Include collateral inspections in the loan administration procedures. CC ID 16699 Leadership and high level objectives Preventive
    Include disbursements in the loan administration procedures. CC ID 16697 Leadership and high level objectives Preventive
    Establish, implement, and maintain a dividend policy. CC ID 16569 Leadership and high level objectives Preventive
    Include compliance requirements in the dividend policy. CC ID 16570 Leadership and high level objectives Preventive
    Establish, implement, and maintain escrow procedures for financial transactions. CC ID 16564 Leadership and high level objectives Preventive
    Establish, implement, and maintain a Capital Planning and Investment Control policy. CC ID 06279
    [The governing body should oversee organizational performance by assessing and taking corrective action based on: the organization's responsible (which includes ethical) use of, and adequate investment in, technology including, for example, artificial intelligence and cyber security; § 6.4.3.2 ¶ 1 i)]
    Leadership and high level objectives Preventive
    Include risk management in the Capital Planning and Investment Control policy. CC ID 16764 Leadership and high level objectives Preventive
    Include debt rating requirements in the Capital Planning and Investment Control policy. CC ID 16692 Leadership and high level objectives Preventive
    Include divestiture requirements in the Capital Planning and Investment Control policy. CC ID 16591 Leadership and high level objectives Preventive
    Establish, implement, and maintain a recordkeeping system for securities transactions. CC ID 16631 Leadership and high level objectives Preventive
    Establish, implement, and maintain securities transaction notifications. CC ID 16600 Leadership and high level objectives Preventive
    Include the call date in the securities transaction notification. CC ID 16680 Leadership and high level objectives Preventive
    Include service charges and commissions in the securities transaction notification. CC ID 16702 Leadership and high level objectives Preventive
    Include the funds and securities in the possession of the organization in the securities transaction notification. CC ID 16679 Leadership and high level objectives Preventive
    Include the call price in the securities transaction notification. CC ID 16678 Leadership and high level objectives Preventive
    Include debits and credits in the securities transaction notification. CC ID 16677 Leadership and high level objectives Preventive
    Include transactions in the securities transaction notification. CC ID 16676 Leadership and high level objectives Preventive
    Include the credit rating of securities in the securities transaction notification. CC ID 16674 Leadership and high level objectives Preventive
    Include yield information in the securities transaction notification. CC ID 16673 Leadership and high level objectives Preventive
    Include redemption information in the securities transaction notification. CC ID 16672 Leadership and high level objectives Preventive
    Include the price calculated from the yield in the securities transaction notification. CC ID 16669 Leadership and high level objectives Preventive
    Include the type of call in the securities transaction notification. CC ID 16668 Leadership and high level objectives Preventive
    Include an account statement in the securities transaction notification. CC ID 16666 Leadership and high level objectives Preventive
    Include the yield to maturity in the securities transaction notification. CC ID 16665 Leadership and high level objectives Preventive
    Include the execution price in the securities transaction notification. CC ID 16664 Leadership and high level objectives Preventive
    Include the organization's role in the securities transaction notification. CC ID 16646 Leadership and high level objectives Preventive
    Include the name of the broker in the securities transaction notification. CC ID 16647 Leadership and high level objectives Preventive
    Include the name of the customer in the securities transaction notification. CC ID 16625 Leadership and high level objectives Preventive
    Include the organization's name in the securities transaction notification. CC ID 16624 Leadership and high level objectives Preventive
    Include confirmations in the securities transaction notification. CC ID 16623 Leadership and high level objectives Preventive
    Include remunerations in the securities transaction notification. CC ID 16622 Leadership and high level objectives Preventive
    Include requested information in the securities transaction notification. CC ID 16641 Leadership and high level objectives Preventive
    Include the execution date in the securities transaction notification. CC ID 16620 Leadership and high level objectives Preventive
    Establish, implement, and maintain financial reports. CC ID 14770
    [The governing body should demonstrate accountability by retaining and distributing value in a transparent manner and reporting on the associated processes, decisions and results, including on the extent of the organization's impacts over time. This includes disclosing to relevant stakeholders where the organization has destroyed or compromised value, providing a justification for such where appropriate, and describing how it will redress or reinstate that value. § 6.2.3.5 ¶ 2]
    Leadership and high level objectives Preventive
    Structure financial reports in accordance with external requirements, as necessary. CC ID 14776 Leadership and high level objectives Preventive
    Include the report of independent Certified Public Accountants in the financial report. CC ID 14779 Leadership and high level objectives Preventive
    Include the business need justification for lost value in the financial report. CC ID 15588
    [The governing body should demonstrate accountability by retaining and distributing value in a transparent manner and reporting on the associated processes, decisions and results, including on the extent of the organization's impacts over time. This includes disclosing to relevant stakeholders where the organization has destroyed or compromised value, providing a justification for such where appropriate, and describing how it will redress or reinstate that value. § 6.2.3.5 ¶ 2]
    Leadership and high level objectives Preventive
    Include financial statements in the financial report, as necessary. CC ID 14775 Leadership and high level objectives Preventive
    Include capital deductions and adjustments in the financial statement. CC ID 16667 Leadership and high level objectives Preventive
    Include earnings per share or loss per share in the financial statement. CC ID 16597 Leadership and high level objectives Preventive
    Include material contingencies in the financial statement. CC ID 16596 Leadership and high level objectives Preventive
    Include notes to financial statements in the financial report, as necessary. CC ID 14780 Leadership and high level objectives Preventive
    Include information on loans to small businesses and small farms in the call report. CC ID 16731 Leadership and high level objectives Preventive
    Include assets and liabilities in the call report. CC ID 16729 Leadership and high level objectives Preventive
    Establish, implement, and maintain a risk monitoring program. CC ID 00658
    [The governing body should ensure that the value generation objectives are delivered by the organization as a whole, by applying all other principles in this document. This includes ensuring that: the impacts of the organization's changing context are identified, understood, monitored and appropriate action is taken; § 6.2.3.4 ¶ 1 b)
    To ensure that the organization fulfils the organizational purpose and achieves the intended strategic outcomes, the governing body should: ensure that when the governing body makes decisions, it assesses, treats, monitors, and communicates the nature and extent of the risks faced; § 6.9.3.1 ¶ 2 b)
    The governing body should oversee the organization's management of risk (see 6.4), ensuring that: the organization assesses, treats, monitors and reviews risk in accordance with the established organizational risk framework; § 6.9.3.4 ¶ 1 d)
    The governing body should ensure that the value generation objectives are delivered by the organization as a whole, by applying all other principles in this document. This includes ensuring that: unintended outcomes are adequately identified, understood, monitored and appropriate action taken; § 6.2.3.4 ¶ 1 a)]
    Monitoring and measurement Preventive
    Establish, implement, and maintain a compliance testing strategy. CC ID 00659 Monitoring and measurement Preventive
    Include a system description in the system security plan. CC ID 16467 Monitoring and measurement Preventive
    Include a description of the operational context in the system security plan. CC ID 14301 Monitoring and measurement Preventive
    Include the results of the security categorization in the system security plan. CC ID 14281 Monitoring and measurement Preventive
    Include the information types in the system security plan. CC ID 14696 Monitoring and measurement Preventive
    Include the security requirements in the system security plan. CC ID 14274 Monitoring and measurement Preventive
    Include threats in the system security plan. CC ID 14693 Monitoring and measurement Preventive
    Include network diagrams in the system security plan. CC ID 14273 Monitoring and measurement Preventive
    Include roles and responsibilities in the system security plan. CC ID 14682 Monitoring and measurement Preventive
    Include the results of the privacy risk assessment in the system security plan. CC ID 14676 Monitoring and measurement Preventive
    Include remote access methods in the system security plan. CC ID 16441 Monitoring and measurement Preventive
    Include a description of the operational environment in the system security plan. CC ID 14272 Monitoring and measurement Preventive
    Include the security categorizations and rationale in the system security plan. CC ID 14270 Monitoring and measurement Preventive
    Include the authorization boundary in the system security plan. CC ID 14257 Monitoring and measurement Preventive
    Include security controls in the system security plan. CC ID 14239 Monitoring and measurement Preventive
    Create specific test plans to test each system component. CC ID 00661 Monitoring and measurement Preventive
    Include the roles and responsibilities in the test plan. CC ID 14299 Monitoring and measurement Preventive
    Include the assessment team in the test plan. CC ID 14297 Monitoring and measurement Preventive
    Include the scope in the test plans. CC ID 14293 Monitoring and measurement Preventive
    Include the assessment environment in the test plan. CC ID 14271 Monitoring and measurement Preventive
    Review the test plans for each system component. CC ID 00662 Monitoring and measurement Preventive
    Document validated testing processes in the testing procedures. CC ID 06200 Monitoring and measurement Preventive
    Include error details, identifying the root causes, and mitigation actions in the testing procedures. CC ID 11827 Monitoring and measurement Preventive
    Establish, implement, and maintain a compliance monitoring policy. CC ID 00671
    [Governance of organizations is a human-based system by which an organization is directed, overseen and held accountable for achieving its defined organizational purpose. At its core this includes: overseeing that the organization performs and behaves according to the expectations set by the governing body; § 4.1 ¶ 3 d)]
    Monitoring and measurement Preventive
    Establish, implement, and maintain a metrics policy. CC ID 01654
    [The governing body should: set an expectation of the appropriate quality and quantity of measurement and timeliness of delivery when establishing objectives; § 4.3.2 ¶ 2 c)]
    Monitoring and measurement Preventive
    Establish, implement, and maintain an approach for compliance monitoring. CC ID 01653
    [Decision-making throughout the organization should be supported by appropriate delegation (see 4.2.2). This delegation should be formalized together with appropriate assurance processes. Additionally, the governing body should ensure that: information structures, including access to information, monitoring and potential mitigation of incorrect decisions are sufficient to ensure compliance with organizational requirements. § 6.8.3.2.2 ¶ 1 c)]
    Monitoring and measurement Preventive
    Establish, implement, and maintain risk management metrics. CC ID 01656 Monitoring and measurement Preventive
    Identify and document instances of non-compliance with the compliance framework. CC ID 06499
    [Recognize failures and mistakes and take appropriate action. Table 2 Column 2 Row 2 Bullet 5]
    Monitoring and measurement Preventive
    Identify and document events surrounding non-compliance with the organizational compliance framework. CC ID 12935 Monitoring and measurement Preventive
    Establish, implement, and maintain disciplinary action notices. CC ID 16577 Monitoring and measurement Preventive
    Include a copy of the order in the disciplinary action notice. CC ID 16606 Monitoring and measurement Preventive
    Include the sanctions imposed in the disciplinary action notice. CC ID 16599 Monitoring and measurement Preventive
    Include the effective date of the sanctions in the disciplinary action notice. CC ID 16589 Monitoring and measurement Preventive
    Include the requirements that were violated in the disciplinary action notice. CC ID 16588 Monitoring and measurement Preventive
    Include responses to charges from interested personnel and affected parties in the disciplinary action notice. CC ID 16587 Monitoring and measurement Preventive
    Include the reasons for imposing sanctions in the disciplinary action notice. CC ID 16586 Monitoring and measurement Preventive
    Include required information in the disciplinary action notice. CC ID 16584 Monitoring and measurement Preventive
    Include a justification for actions taken in the disciplinary action notice. CC ID 16583 Monitoring and measurement Preventive
    Include a statement on the conclusions of the investigation in the disciplinary action notice. CC ID 16582 Monitoring and measurement Preventive
    Include the investigation results in the disciplinary action notice. CC ID 16581 Monitoring and measurement Preventive
    Include a description of the causes of the actions taken in the disciplinary action notice. CC ID 16580 Monitoring and measurement Preventive
    Include the name of the person responsible for the charges in the disciplinary action notice. CC ID 16579 Monitoring and measurement Preventive
    Include contact information in the disciplinary action notice. CC ID 16578 Monitoring and measurement Preventive
    Establish, implement, and maintain a security program metrics program. CC ID 01660 Monitoring and measurement Preventive
    Establish, implement, and maintain a key management roles metrics standard. CC ID 11631
    [To demonstrate accountability, the governing body should ensure that the organization's reports and disclosures: provide information about the governing body itself, including: decisions, actions, performance and improvements; § 6.5.3.2 ¶ 1 b) 1)]
    Monitoring and measurement Preventive
    Establish, implement, and maintain a key stakeholder metrics program. CC ID 01661
    [To demonstrate accountability, the governing body should ensure that the organization's reports and disclosures: provide information about the organization, including: those who can influence the decisions of the governing body (such as member stakeholders, reference stakeholders and other stakeholders who can exert a controlling influence) and the nature and level of influence; § 6.5.3.2 ¶ 1 c) 4)
    The governing body should oversee organizational performance by assessing and taking corrective action based on: managerial reporting and performance, ensuring that it appraises results against applicable measurement criteria and its intentions and expectations (see 6.3.3); § 6.4.3.2 ¶ 1 b)]
    Monitoring and measurement Preventive
    Establish, implement, and maintain a supply chain member metrics program. CC ID 01662 Monitoring and measurement Preventive
    Establish, implement, and maintain a Business Continuity metrics program. CC ID 01663 Monitoring and measurement Preventive
    Establish, implement, and maintain an audit metrics program. CC ID 01664 Monitoring and measurement Preventive
    Establish, implement, and maintain an Information Security metrics program. CC ID 01665 Monitoring and measurement Preventive
    Establish, implement, and maintain a metrics standard and template. CC ID 02157
    [The governing body should ensure that it sets parameters, within which the value generation objectives are to be achieved. These parameters should ensure that the organization: § 6.2.3.3 ¶ 1
    The governing body should steer the organizational strategy by means of: targets, key performance indicators (KPIs) and associated incentives, including financial remuneration (see 6.4.3); § 6.3.3.2.2 ¶ 2 i)
    Within the governing body: The governing body should set expectations for itself and the organization, including parameters within which these expectations are to be fulfilled. The governing body should fulfil these expectations (internal alignment). § 6.7.3.2 ¶ 1 a)]
    Monitoring and measurement Preventive
    Establish, implement, and maintain an occupational health and safety management metrics program. CC ID 15915 Monitoring and measurement Preventive
    Establish, implement, and maintain a policies and controls metrics program. CC ID 01666 Monitoring and measurement Preventive
    Establish, implement, and maintain a security roles and responsibilities metrics program. CC ID 01667 Monitoring and measurement Preventive
    Establish, implement, and maintain a role-based information access metrics program. CC ID 01668 Monitoring and measurement Preventive
    Establish, implement, and maintain an information risk threshold metrics program. CC ID 01694 Monitoring and measurement Preventive
    Monitor the supply chain for Information Assurance effectiveness. CC ID 02043 Monitoring and measurement Preventive
    Establish, implement, and maintain a privacy metrics program. CC ID 15494 Monitoring and measurement Preventive
    Establish, implement, and maintain a technical measurement metrics policy. CC ID 01655 Monitoring and measurement Preventive
    Establish, implement, and maintain an Electronic Health Records measurement metrics program. CC ID 06221 Monitoring and measurement Preventive
    Establish, implement, and maintain a log management program. CC ID 00673 Monitoring and measurement Preventive
    Establish, implement, and maintain a cross-organizational audit sharing agreement. CC ID 10595 Monitoring and measurement Preventive
    Include risks and opportunities in the corrective action plan. CC ID 15178 Monitoring and measurement Preventive
    Include environmental aspects in the corrective action plan. CC ID 15177 Monitoring and measurement Preventive
    Include the completion date in the corrective action plan. CC ID 13272 Monitoring and measurement Preventive
    Retain copies of external auditor outsourcing contracts and engagement letters. CC ID 01188 Audits and risk management Preventive
    Review external auditor outsourcing contracts and engagement letters. CC ID 01189 Audits and risk management Preventive
    Include roles and responsibilities in external auditor outsourcing contracts. CC ID 16523 Audits and risk management Preventive
    Include a change control clause in external auditor outsourcing contracts. CC ID 01192 Audits and risk management Preventive
    Include procedures for resolving problems in external auditor outsourcing contracts. CC ID 01196 Audits and risk management Preventive
    Include procedures for controlling the use of restricted information in external auditor outsourcing contracts. CC ID 01194 Audits and risk management Preventive
    Include reports and work paper Records Management practices in external auditor outsourcing contracts. CC ID 01195 Audits and risk management Preventive
    Include communication protocols in external auditor outsourcing contracts. CC ID 01201 Audits and risk management Preventive
    Include the scope and work to be performed in external auditor outsourcing contracts. CC ID 01190 Audits and risk management Preventive
    Include work status reporting requirements in the external auditor outsourcing contracts. CC ID 01191 Audits and risk management Preventive
    Include access to work papers in external auditor outsourcing contracts. CC ID 01193 Audits and risk management Preventive
    Review the adequacy of the external auditor's work papers and audit reports. CC ID 01199 Audits and risk management Preventive
    Review the conclusions of the external auditor's work papers and audit reports. CC ID 01200 Audits and risk management Preventive
    Evaluate any refusal by the organization to provide missing audit documentation. CC ID 06993 Audits and risk management Preventive
    Take appropriate action if missing audit documentation compromises the audit. CC ID 06994 Audits and risk management Preventive
    Establish, implement, and maintain an audit program. CC ID 00684
    [To provide effective oversight of the organization, in addition to the reports it receives from those to whom they have delegated, the governing body should assure itself that the governance system is appropriately designed and operating as intended. If the governing body cannot assure itself directly, then it should utilize additional means of independent assurance. The governing body should: ensure that assurance services provided to the governing body are integrated and optimized so that, taken as a whole, they support and enable an effective internal control system and address the organization's significant risks and material matters; § 6.4.3.3 ¶ 1 f)
    Assurance processes that inform the governing body independently and accurately include: external audit and associated reporting to stakeholders and the governing body; § 6.4.3.3 ¶ 2 Bullet 4]
    Audits and risk management Preventive
    Establish, implement, and maintain audit policies. CC ID 13166 Audits and risk management Preventive
    Include resource requirements in the audit program. CC ID 15237 Audits and risk management Preventive
    Include risks and opportunities in the audit program. CC ID 15236
    [To provide effective oversight of the organization, in addition to the reports it receives from those to whom they have delegated, the governing body should assure itself that the governance system is appropriately designed and operating as intended. If the governing body cannot assure itself directly, then it should utilize additional means of independent assurance. The governing body should: ensure that assurance services provided to the governing body are integrated and optimized so that, taken as a whole, they support and enable an effective internal control system and address the organization's significant risks and material matters; § 6.4.3.3 ¶ 1 f)]
    Audits and risk management Preventive
    Establish and maintain audit terms. CC ID 13880 Audits and risk management Preventive
    Include a statement about the inherent limitations of the audit in the audit terms. CC ID 13883 Audits and risk management Preventive
    Include a statement that the audit will be conducted in accordance with attestation standards in the audit terms. CC ID 13882 Audits and risk management Preventive
    Establish, implement, and maintain agreed upon procedures that are in scope for the audit. CC ID 13893 Audits and risk management Preventive
    Establish, implement, and maintain an in scope system description. CC ID 14873 Audits and risk management Preventive
    Include third party services in the audit assertion's in scope system description. CC ID 16503 Audits and risk management Preventive
    Include monitoring controls in the audit assertion's in scope system description. CC ID 16501 Audits and risk management Preventive
    Include availability commitments in the audit assertion's in scope system description. CC ID 14914 Audits and risk management Preventive
    Include changes in the audit assertion's in scope system description. CC ID 14894 Audits and risk management Preventive
    Include external communications in the audit assertion's in scope system description. CC ID 14913 Audits and risk management Preventive
    Include a section regarding incidents related to the system in the audit assertion's in scope system description. CC ID 14878 Audits and risk management Preventive
    Include the function performed by the in scope system in the audit assertion's in scope system description. CC ID 14911 Audits and risk management Preventive
    Include the disposition of the incident in the audit assertion's in scope system description. CC ID 14896 Audits and risk management Preventive
    Include the extent of the incident in the audit assertion's in scope system description. CC ID 14895 Audits and risk management Preventive
    Include the timing of each incident in the audit assertion's in scope system description. CC ID 14891 Audits and risk management Preventive
    Include the nature of each incident in the audit assertion's in scope system description. CC ID 14889 Audits and risk management Preventive
    Include a section regarding in scope controls related to the system in the audit assertion's in scope system description. CC ID 14897 Audits and risk management Preventive
    Include how the in scope system meets external requirements in the audit assertion's in scope system description. CC ID 16502 Audits and risk management Preventive
    Include the timing of each control in the audit assertion's in scope system description. CC ID 14916 Audits and risk management Preventive
    Include the nature of the control in the audit assertion's in scope system description. CC ID 14910 Audits and risk management Preventive
    Include the information sources used in performing the control in the audit assertion's in scope system description. CC ID 14909 Audits and risk management Preventive
    Include the responsible party for performing the control in the audit assertion's in scope system description. CC ID 14907 Audits and risk management Preventive
    Include the subject matter to which the control is applied in the audit assertion's in scope system description. CC ID 14904 Audits and risk management Preventive
    Refrain from omitting or distorting information in the audit assertion's in scope system description. CC ID 14893 Audits and risk management Preventive
    Include the timing of each change in the audit assertion's in scope system description. CC ID 14892 Audits and risk management Preventive
    Include the system boundaries in the audit assertion's in scope system description. CC ID 14887 Audits and risk management Preventive
    Determine the presentation method of the audit assertion's in scope system description. CC ID 14885 Audits and risk management Detective
    Include the time frame covered by the description in the audit assertion's in scope system description. CC ID 14884 Audits and risk management Preventive
    Include commitments to third parties in the audit assertion. CC ID 14899 Audits and risk management Preventive
    Determine the completeness of the audit assertion's in scope system description. CC ID 14883 Audits and risk management Preventive
    Include system requirements in the audit assertion's in scope system description. CC ID 14881 Audits and risk management Preventive
    Include third party controls in the audit assertion's in scope system description. CC ID 14880 Audits and risk management Preventive
    Include agreement to the audit scope and audit terms in the audit program. CC ID 06965 Audits and risk management Preventive
    Establish and maintain a bespoke audit scope for each audit being performed. CC ID 13077 Audits and risk management Preventive
    Include audit subject matter in the audit program. CC ID 07103 Audits and risk management Preventive
    Examine the objectivity of the audit criteria in the audit program. CC ID 07104 Audits and risk management Preventive
    Examine the measurability of the audit criteria in the audit program. CC ID 07105 Audits and risk management Preventive
    Examine the completeness of the audit criteria in the audit program. CC ID 07106 Audits and risk management Preventive
    Examine the relevance of the audit criteria in the audit program. CC ID 07107 Audits and risk management Preventive
    Disseminate and communicate the audit program with the audit subject matter and audit criteria to all interested personnel and affected parties. CC ID 07116 Audits and risk management Preventive
    Include in scope information in the audit program. CC ID 16198 Audits and risk management Preventive
    Include the out of scope material or out of scope products in the audit program. CC ID 08962 Audits and risk management Preventive
    Provide a representation letter in support of the audit assertion. CC ID 07158 Audits and risk management Preventive
    Include a statement that management has evaluated compliance with external requirements in the representation letter. CC ID 13942 Audits and risk management Preventive
    Include a statement that the assumptions used for estimates are reasonable in the representation letter. CC ID 13934 Audits and risk management Preventive
    Include a statement that uncorrected misstatements are believed to be immaterial in the representation letter. CC ID 13884 Audits and risk management Preventive
    Include a statement that system incidents have been disclosed to the auditor in the representation letter. CC ID 16772 Audits and risk management Preventive
    Include a statement that incidents of fraud and non-compliance have been disclosed to the auditor in the representation letter. CC ID 16769 Audits and risk management Preventive
    Include a statement of responsibility for the subject matter in the representation letter. CC ID 07159 Audits and risk management Preventive
    Include a statement of responsibility for selecting the audit criteria in the representation letter. CC ID 07160 Audits and risk management Preventive
    Include a statement of responsibility regarding the appropriateness of the audit criteria in the representation letter. CC ID 07161 Audits and risk management Preventive
    Include an assertion about the subject matter based on the selected audit criteria in the representation letter. CC ID 07162 Audits and risk management Preventive
    Include a statement that all known matters contradicting the audit assertion have been disclosed to the auditor in the representation letter. CC ID 07163 Audits and risk management Preventive
    Include the availability of all in scope records relevant to the subject matter in the representation letter. CC ID 07164 Audits and risk management Preventive
    Include a statement that any known subsequent events have been disclosed to the auditor in the representation letter. CC ID 07165 Audits and risk management Preventive
    Include a statement that deficiencies in internal controls have been disclosed to the auditor in the representation letter. CC ID 13899 Audits and risk management Preventive
    Establish and maintain audit assertions, as necessary. CC ID 14871 Audits and risk management Detective
    Include an in scope system description in the audit assertion. CC ID 14872 Audits and risk management Preventive
    Include any assumptions that are improbable in the audit assertion. CC ID 13950 Audits and risk management Preventive
    Include how the audit scope matches in scope controls in the audit assertion. CC ID 06969 Audits and risk management Preventive
    Include why specific criteria are ignored by in scope controls in the audit assertion. CC ID 07027 Audits and risk management Preventive
    Include how the in scope system is designed and implemented in the audit assertion. CC ID 06970 Audits and risk management Preventive
    Include the responsible party's opinion of the quality of the evidence in the audit assertion. CC ID 13949 Audits and risk management Preventive
    Include the end users and affected parties of the in scope system in the audit assertion. CC ID 07028 Audits and risk management Preventive
    Include the in scope services offered or in scope transactions processed in the audit assertion. CC ID 06971 Audits and risk management Preventive
    Include the in scope procedures in the audit assertion. CC ID 06972 Audits and risk management Preventive
    Include the in scope records produced in the audit assertion. CC ID 06968 Audits and risk management Preventive
    Include how in scope material events are monitored and logged in the audit assertion. CC ID 06973 Audits and risk management Preventive
    Include any in scope material events that might affect the assertion in the audit assertion. CC ID 06991 Audits and risk management Preventive
    Include the in scope controls and compliance documents in the audit assertion. CC ID 06974 Audits and risk management Preventive
    Include the in scope risk assessment processes in the audit assertion. CC ID 06975 Audits and risk management Preventive
    Include in scope change controls in the audit assertion. CC ID 06976 Audits and risk management Preventive
    Include any in scope uncorrected errors or non-compliance issues in the audit assertion. CC ID 06989 Audits and risk management Preventive
    Disseminate and communicate a written audit assertion of the audit scope and audit terms to interested personnel and affected parties. CC ID 06967 Audits and risk management Preventive
    Include conditions that might require modification of the audit program in the audit terms. CC ID 07149 Audits and risk management Preventive
    Include how access to in scope systems, personnel and in scope records is provided to the auditor in the audit terms. CC ID 06988 Audits and risk management Preventive
    Establish, implement, and maintain procedures for determining the desired level of assurance in the audit program. CC ID 12794 [To provide effective oversight of the organization, in addition to the reports it receives from those to whom they have delegated, the governing body should assure itself that the governance system is appropriately designed and operating as intended. If the governing body cannot assure itself directly, then it should utilize additional means of independent assurance. The governing body should: determine the level of assurance scrutiny it requires, depending on the assessed risk; § 6.4.3.3 ¶ 1 a)] Audits and risk management Preventive
    Include the expectations for the audit report in the audit terms. CC ID 07148 Audits and risk management Preventive
    Establish and maintain a practitioner’s report on management’s assertions, as necessary. CC ID 13888 Audits and risk management Preventive
    Refrain from changing the date of the practitioner's report on agreed-upon procedures when reissuing it. CC ID 13896 Audits and risk management Corrective
    Include materiality levels in the audit terms. CC ID 01238 Audits and risk management Preventive
    Include material changes in information processes, Information Systems, and assets that could affect audits in the audit terms. CC ID 01239 Audits and risk management Preventive
    Include material weaknesses, material failures, and material errors in information processes, Information Systems, and assets that could affect audits in the audit terms. CC ID 01240 Audits and risk management Preventive
    Document any after the fact changes to the engagement file. CC ID 07002 Audits and risk management Preventive
    Protect access to the engagement file and all associated audit documentation in compliance with Authority Documents the organization must follow. CC ID 07179 Audits and risk management Preventive
    Disclose work papers in the engagement file in compliance with legal requirements. CC ID 07180 Audits and risk management Preventive
    Edit the audit assertion for accuracy. CC ID 07030 Audits and risk management Preventive
    Determine if the audit assertion's in scope procedures are accurately documented. CC ID 06982 Audits and risk management Preventive
    Include the process of using evidential matter to test in scope controls in the test plan. CC ID 06996 Audits and risk management Preventive
    Establish, implement, and maintain interview procedures. CC ID 16282 Audits and risk management Preventive
    Establish and maintain work papers, as necessary. CC ID 13891 Audits and risk management Preventive
    Include the auditor's conclusions on work performed by individuals assigned to the audit in the work papers. CC ID 16775 Audits and risk management Preventive
    Include audit irregularities in the work papers. CC ID 16774 Audits and risk management Preventive
    Include corrective actions in the work papers. CC ID 16771 Audits and risk management Preventive
    Include information about the organization being audited and the auditor performing the audit in the work papers. CC ID 16770 Audits and risk management Preventive
    Include discussions with interested personnel and affected parties in the work papers. CC ID 16768 Audits and risk management Preventive
    Include justification for departing from mandatory requirements in the work papers. CC ID 13935 Audits and risk management Preventive
    Include the reviewer, and dates, for using evidential matter to test in scope controls in the work papers. CC ID 06998 Audits and risk management Preventive
    Include the tests, examinations, interviews and observations performed during the audit in the work papers. CC ID 07190 Audits and risk management Preventive
    Include if any subject matter experts or additional research had to be undertaken to test in scope controls in the work papers. CC ID 07026 Audits and risk management Preventive
    Include the tester, and dates, for using evidential matter to test in scope controls in the work papers. CC ID 06997 Audits and risk management Preventive
    Include the causes of identified in scope control deficiencies in the work papers. CC ID 07000 Audits and risk management Preventive
    Include discussions regarding the causes of identified in scope control deficiencies in the work papers. CC ID 06999 Audits and risk management Preventive
    Establish, implement, and maintain a practitioner’s report on agreed-upon procedures. CC ID 13894 Audits and risk management Preventive
    Establish and maintain a practitioner's examination report on pro forma financial information. CC ID 13968 Audits and risk management Preventive
    Include references to where financial information was derived in the practitioner's review report on pro forma financial information. CC ID 13982 Audits and risk management Preventive
    Include a statement that the financial statements used were audited by other practitioners in the practitioner's examination report on pro forma financial information, as necessary. CC ID 13981 Audits and risk management Preventive
    Establish and maintain organizational audit reports. CC ID 06731 Audits and risk management Preventive
    Determine what disclosures are required in the audit report. CC ID 14888 Audits and risk management Detective
    Include audit subject matter in the audit report. CC ID 14882 Audits and risk management Preventive
    Include an other-matter paragraph in the audit report. CC ID 14901 Audits and risk management Preventive
    Write the audit report using clear and conspicuous language. CC ID 13948 Audits and risk management Preventive
    Include a statement that the sufficiency of the agreed upon procedures is the responsibility of the specified parties in the audit report. CC ID 13936 Audits and risk management Preventive
    Include a statement that the financial statements were audited in the audit report. CC ID 13963 Audits and risk management Preventive
    Include the criteria that financial information was measured against in the audit report. CC ID 13966 Audits and risk management Preventive
    Include a description of the financial information being reported on in the audit report. CC ID 13965 Audits and risk management Preventive
    Include references to any adjustments of financial information in the audit report. CC ID 13964 Audits and risk management Preventive
    Include in the audit report that audit opinions are not dependent on references to subject matter experts, as necessary. CC ID 13953 Audits and risk management Preventive
    Include references to historical financial information used in the audit report. CC ID 13961 Audits and risk management Preventive
    Include a statement about the inherent limitations of the audit in the audit report. CC ID 14900 Audits and risk management Preventive
    Include a description of the limitations on the usefulness of hypothetical assumptions in the audit report. CC ID 13958 Audits and risk management Preventive
    Structure the audit report to be in the form of procedures and findings. CC ID 13940 Audits and risk management Preventive
    Include any discussions of significant findings in the audit report. CC ID 13955 Audits and risk management Preventive
    Include the date and with whom discussions about significant findings took place in the audit report. CC ID 13962 Audits and risk management Preventive
    Include the audit criteria in the audit report. CC ID 13945 Audits and risk management Preventive
    Include a statement in the audit report that the agreed upon procedures were potentially insufficient in identifying material risks, as necessary. CC ID 13957 Audits and risk management Preventive
    Include all hypothetical assumptions in the audit report. CC ID 13947 Audits and risk management Preventive
    Include a statement that identifies the distribution list for the report in the audit report. CC ID 07172 Audits and risk management Preventive
    Include a statement that identifies the use restrictions for the report in the audit report. CC ID 07173 Audits and risk management Preventive
    Include a statement that the agreed upon procedures involve collecting evidence in the audit report. CC ID 13956 Audits and risk management Preventive
    Include all of the facts and demonstrated plausibility in the audit report. CC ID 08929 Audits and risk management Preventive
    Include a statement that the agreed upon procedures were performed by all parties in the audit report. CC ID 13931 Audits and risk management Preventive
    Include references to subject matter experts in the audit report when citing qualified opinions. CC ID 13929 Audits and risk management Preventive
    Include a description of the assistance provided by Subject Matter Experts in the audit report. CC ID 13939 Audits and risk management Preventive
    Include a review of the subject matter expert's findings in the audit report. CC ID 13972 Audits and risk management Preventive
    Include a statement of the character of the engagement in the audit report. CC ID 07166 Audits and risk management Preventive
    Include the nature and scope of the audit performed in the statement of the character of the engagement in the audit report. CC ID 07167 Audits and risk management Preventive
    Include the professional standards governing the audit in the statement of the character of the engagement in the audit report. CC ID 07168 Audits and risk management Preventive
    Include all restrictions on the audit in the audit report. CC ID 13930 Audits and risk management Preventive
    Include a statement that the auditor has no responsibility to update the audit report after its submission. CC ID 13943 Audits and risk management Preventive
    Include a statement on the auditor's ethical requirements in the audit report. CC ID 16767 Audits and risk management Preventive
    Include a statement that the responsible party refused to provide a written assertion in the audit report. CC ID 13887 Audits and risk management Preventive
    Include a statement that the examination involves procedures for collecting evidence in the audit report. CC ID 13941 Audits and risk management Preventive
    Express an adverse opinion in the audit report when significant assumptions are not suitably supported. CC ID 13944 Audits and risk management Preventive
    Include a statement that modifications to historical evidence accurately reflect current evidence in the audit report. CC ID 13938 Audits and risk management Preventive
    Refrain from referencing other auditor's work in the audit report. CC ID 13881 Audits and risk management Preventive
    Include that the audit findings are not a predictive analysis of future compliance in the audit report. CC ID 07018 Audits and risk management Preventive
    Include how in scope controls meet external requirements in the audit report. CC ID 16450 Audits and risk management Preventive
    Include the in scope records used to obtain audit evidence in the description of tests of controls and results in the audit report. CC ID 14915 Audits and risk management Preventive
    Include recommended corrective actions in the audit report. CC ID 16197 Audits and risk management Preventive
    Include risks and opportunities in the audit report. CC ID 16196 Audits and risk management Preventive
    Include the description of tests of controls and results in the audit report. CC ID 14898 Audits and risk management Preventive
    Include the nature of the tests performed in the description of tests of controls and results in the audit report. CC ID 14908 Audits and risk management Preventive
    Include the test scope in the description of tests of controls and results in the audit report. CC ID 14906 Audits and risk management Preventive
    Identify the stakeholders interviewed to obtain audit evidence in the description of tests of controls and results in the audit report. CC ID 14905 Audits and risk management Preventive
    Include the controls that were tested in the description of tests of controls and results in the audit report. CC ID 14902 Audits and risk management Preventive
    Include subsequent events related to the audit assertion or audit subject matter in the audit report. CC ID 16773 Audits and risk management Preventive
    Include that the organization is the responsible party for the content of its audit assertion and in scope system description in the audit report. CC ID 07010 Audits and risk management Preventive
    Include that the organization is the responsible party for providing in scope services in the audit report. CC ID 14903 Audits and risk management Preventive
    Include that the organization is the responsible party for specifying in scope controls not defined by law or contractual obligation in the audit report. CC ID 07011 Audits and risk management Preventive
    Include that the organization is the responsible party for designing and implementing the in scope controls it identified in the audit scope in the audit report. CC ID 07014 Audits and risk management Preventive
    Include the audit opinion regarding the accurateness of the in scope system description in the audit report. CC ID 07019 Audits and risk management Preventive
    Include the attestation standards the auditor follows in the audit report. CC ID 07015 Audits and risk management Preventive
    Include the audit opinion about the audit assertion in relation to the audit criteria used for evaluation in the audit report. CC ID 07169 Audits and risk management Preventive
    Include the auditor's significant reservations about the engagement, the audit assertion, or the audit subject matter in the audit report. CC ID 07170 Audits and risk management Preventive
    Include an emphasis-of-matter paragraph in the audit report. CC ID 14890 Audits and risk management Preventive
    Include any out of scope components of in scope systems in the audit report. CC ID 07006 Audits and risk management Preventive
    Include that the organization is the responsible party for identifying material risks in the audit report. CC ID 07012 Audits and risk management Preventive
    Include that the organization is the responsible party for selecting the audit criteria in the audit report. CC ID 07013 Audits and risk management Preventive
    Compare the evaluations completed by the internal auditors and the external auditors in past audit reports. CC ID 01158 Audits and risk management Detective
    Review past audit reports. CC ID 01155 Audits and risk management Detective
    Review past audit reports for specific process steps and calculations that were stated to support the audit report's conclusions. CC ID 01160 Audits and risk management Detective
    Review the reporting of material weaknesses and risks in past audit reports. CC ID 01161 Audits and risk management Detective
    Refrain from including the description of the audit in the audit report when the auditor is disclaiming an audit opinion. CC ID 13975 Audits and risk management Preventive
    Refrain from including scope limitations from changed attestation engagements in the audit report. CC ID 13983 Audits and risk management Preventive
    Refrain from including in the audit report any procedures that were performed that the auditor is disclaiming in an audit opinion. CC ID 13974 Audits and risk management Preventive
    Include deficiencies and non-compliance in the audit report. CC ID 14879 Audits and risk management Corrective
    Include an audit opinion in the audit report. CC ID 07017 Audits and risk management Preventive
    Include qualified opinions in the audit report. CC ID 13928 Audits and risk management Preventive
    Include that the auditor is the responsible party to express an opinion on the audit subject matter based on examination of evidence in the audit report. CC ID 07174 Audits and risk management Preventive
    Include a description of the reasons for modifying the audit opinion in the audit report. CC ID 13898 Audits and risk management Corrective
    Include that the auditor did not express an opinion in the audit report, as necessary. CC ID 13886 Audits and risk management Preventive
    Include items that were excluded from the audit report in the audit report. CC ID 07007 Audits and risk management Preventive
    Include the organization's privacy practices in the audit report. CC ID 07029 Audits and risk management Preventive
    Include items that pertain to third parties in the audit report. CC ID 07008 Audits and risk management Preventive
    Refrain from including reference to procedures performed in previous attestation engagements in the audit report. CC ID 13970 Audits and risk management Preventive
    Include a statement in the audit report that no procedures were performed subsequent to the date of the practitioner's review report on pro forma financial information, as necessary. CC ID 13969 Audits and risk management Preventive
    Include any of the organization's use of compensating controls that were not audited in the audit report. CC ID 07009 Audits and risk management Preventive
    Include whether the use of compensating controls is necessary in the audit report. CC ID 07020 Audits and risk management Preventive
    Include the pass or fail test status of all in scope controls in the audit report. CC ID 07016 Audits and risk management Preventive
    Include the process of using evidential matter to test in scope controls in the audit report. CC ID 07021 Audits and risk management Preventive
    Include the nature and causes of identified in scope control deviations in the audit report. CC ID 07022 Audits and risk management Preventive
    Modify the audit opinion in the audit report under defined conditions. CC ID 13937 Audits and risk management Corrective
    Include the written signature of the auditor's organization in the audit report. CC ID 13897 Audits and risk management Preventive
    Disseminate and communicate the audit report to all interested personnel and affected parties identified in the distribution list. CC ID 07117 [Assurance processes that inform the governing body independently and accurately include: external audit and associated reporting to stakeholders and the governing body; § 6.4.3.3 ¶ 2 Bullet 4] Audits and risk management Preventive
    Disseminate and communicate documents that contain information in support of the audit report. CC ID 07175 Audits and risk management Preventive
    Correct any material misstatements in documents that contain information in support of the audit report. CC ID 07176 Audits and risk management Preventive
    Review the issues of non-compliance from past audit reports. CC ID 01148 Audits and risk management Detective
    Accept the audit report. CC ID 07025 Audits and risk management Preventive
    Implement a corrective action plan in response to the audit report. CC ID 06777 Audits and risk management Corrective
    Define penalties for uncorrected audit findings or remaining non-compliant with the audit report. CC ID 08963 Audits and risk management Preventive
    Include the audit criteria in the audit plan. CC ID 15262 Audits and risk management Preventive
    Include a list of reference documents in the audit plan. CC ID 15260 Audits and risk management Preventive
    Include the languages to be used for the audit in the audit plan. CC ID 15252 Audits and risk management Preventive
    Include the allocation of resources in the audit plan. CC ID 15251 [{individual}To provide effective oversight of the organization, in addition to the reports it receives from those to whom they have delegated, the governing body should assure itself that the governance system is appropriately designed and operating as intended. If the governing body cannot assure itself directly, then it should utilize additional means of independent assurance. The governing body should: ensure that those providing assurance have appropriate authority and adequate resources to provide the governing body with accurate assessments; § 6.4.3.3 ¶ 1 b)] Audits and risk management Preventive
    Include communication protocols in the audit plan. CC ID 15247 Audits and risk management Preventive
    Include the level of audit sampling necessary to collect sufficient audit evidence in the audit plan. CC ID 15246 Audits and risk management Preventive
    Include meeting schedules in the audit plan. CC ID 15245 Audits and risk management Preventive
    Include the time frames for the audit in the audit plan. CC ID 15244 Audits and risk management Preventive
    Include the time frames for conducting the audit in the audit plan. CC ID 15243 Audits and risk management Preventive
    Include the locations to be audited in the audit plan. CC ID 15242 Audits and risk management Preventive
    Include the processes to be audited in the audit plan. CC ID 15241 Audits and risk management Preventive
    Include audit objectives in the audit plan. CC ID 15240 Audits and risk management Preventive
    Include the risks associated with audit activities in the audit plan. CC ID 15239 Audits and risk management Preventive
    Establish, implement, and maintain an audit schedule for the audit program. CC ID 13158 Audits and risk management Preventive
    Establish, implement, and maintain a risk management program. CC ID 12051 [To exercise effective oversight, the governing body should: ensure that an internal control system is implemented, including a risk management system, a compliance management system and a system of financial controls; § 6.4.3.1 ¶ 1 b)
    The governing body should establish an organizational risk framework that ensures a formal, proactive and anticipative approach to the management of risk across the organization, including by the governing body. The governing body should ensure that this framework integrates risk management into all organizational activities. § 6.9.3.2 ¶ 1
    The governing body should oversee the organization's management of risk (see 6.4), ensuring that: the intended risk management performance is achieved. § 6.9.3.4 ¶ 1 i)
    {environmental system}{social system} The governing body should ensure that the organization protects and restores those systems on which it depends. In this regard, the governing body should consider and manage risk associated with those decisions it makes that can impact the natural environmental, social and economic systems (see 6.9). While doing so, the governing body should ensure that relevant stakeholders are consulted and engaged (see 6.6). This should provide clarity regarding the impact the governing body's decisions have, over time, on those aspects on which the organization is: § 6.11.3.4 ¶ 1] Audits and risk management Preventive
    Include the scope of risk management activities in the risk management program. CC ID 13658 Audits and risk management Preventive
    Include managing mobile risks in the risk management program. CC ID 13535 Audits and risk management Preventive
    Establish, implement, and maintain risk management strategies. CC ID 13209 [The governing body should oversee the organization's management of risk (see 6.4), ensuring that: strategies to manage risk are deployed within agreed risk limits and associated risk tolerance; § 6.9.3.4 ¶ 1 b)] Audits and risk management Preventive
    Include off-site storage of supplies in the risk management strategies. CC ID 13221 Audits and risk management Preventive
    Include the use of alternate service providers in the risk management strategies. CC ID 13217 Audits and risk management Preventive
    Include minimizing service interruptions in the risk management strategies. CC ID 13215 Audits and risk management Preventive
    Include off-site storage in the risk mitigation strategies. CC ID 13213 Audits and risk management Preventive
    Establish, implement, and maintain the risk assessment framework. CC ID 00685 Audits and risk management Preventive
    Establish, implement, and maintain a risk assessment program. CC ID 00687 [The governing body should consider and manage risk associated with its own activities in accordance with the organizational risk framework. For example, the governing body should: § 6.9.3.3 ¶ 1] Audits and risk management Preventive
    Include the need for risk assessments in the risk assessment program. CC ID 06447 Audits and risk management Preventive
    Include the information flow of restricted data in the risk assessment program. CC ID 12339 Audits and risk management Preventive
    Establish, implement, and maintain a financial plan to support the risk management strategy. CC ID 12786 Audits and risk management Preventive
    Establish, implement, and maintain insurance requirements. CC ID 16562 Audits and risk management Preventive
    Address cybersecurity risks in the risk assessment program. CC ID 13193 Audits and risk management Preventive
    Include a Data Protection Impact Assessment in the risk assessment program. CC ID 12630 Audits and risk management Preventive
    Include an assessment of the necessity and proportionality of the processing operations in relation to the purposes in the Data Protection Impact Assessment. CC ID 12681 Audits and risk management Preventive
    Include an assessment of the relationship between the data subject and the parties processing the data in the Data Protection Impact Assessment. CC ID 16371 Audits and risk management Preventive
    Include a risk assessment of data subject's rights in the Data Protection Impact Assessment. CC ID 12674 Audits and risk management Preventive
    Include the description and purpose of processing restricted data in the Data Protection Impact Assessment. CC ID 12673 Audits and risk management Preventive
    Include consideration of the data subject's expectations in the Data Protection Impact Assessment. CC ID 16370 Audits and risk management Preventive
    Include monitoring unsecured areas in the Data Protection Impact Assessment. CC ID 12671 Audits and risk management Preventive
    Include security measures for protecting restricted data in the Data Protection Impact Assessment. CC ID 12635 Audits and risk management Preventive
    Establish, implement, and maintain a risk assessment policy. CC ID 14026 Audits and risk management Preventive
    Include compliance requirements in the risk assessment policy. CC ID 14121 Audits and risk management Preventive
    Include coordination amongst entities in the risk assessment policy. CC ID 14120 Audits and risk management Preventive
    Include management commitment in the risk assessment policy. CC ID 14119 Audits and risk management Preventive
    Include roles and responsibilities in the risk assessment policy. CC ID 14118 Audits and risk management Preventive
    Include the scope in the risk assessment policy. CC ID 14117 Audits and risk management Preventive
    Include the purpose in the risk assessment policy. CC ID 14116 Audits and risk management Preventive
    Establish, implement, and maintain risk assessment procedures. CC ID 06446
    [The governing body should oversee the organization's management of risk (see 6.4), ensuring that: the process for assessing risk is consistent throughout the organization, enabling effective comparison and prioritization of risk; § 6.9.3.4 ¶ 1 e)
    The governing body should ensure that the value generation objectives are delivered by the organization as a whole, by applying all other principles in this document. This includes ensuring that: unintended outcomes are adequately identified, understood, monitored and appropriate action taken; § 6.2.3.4 ¶ 1 a)]
    Audits and risk management Preventive
    Employ risk assessment procedures that follow legal requirements and contractual obligations when risk profiling. CC ID 06472 Audits and risk management Preventive
    Employ risk assessment procedures that follow standards and best practices, as necessary. CC ID 06473 Audits and risk management Preventive
    Document cybersecurity risks. CC ID 12281 Audits and risk management Preventive
    Employ risk assessment procedures that take into account both electronic records and printed records. CC ID 06476 Audits and risk management Preventive
    Employ risk assessment procedures that take into account information classification. CC ID 06477 Audits and risk management Preventive
    Employ risk assessment procedures that align with strategic objectives. CC ID 06474 Audits and risk management Preventive
    Employ risk assessment procedures that take into account prior risk assessment findings of the same scope. CC ID 06478 Audits and risk management Preventive
    Employ risk assessment procedures that take into account the target environment. CC ID 06479
    [The governing body should consider and manage risk associated with its own activities in accordance with the organizational risk framework. For example, the governing body should: § 6.9.3.3 ¶ 1]
    Audits and risk management Preventive
    Employ risk assessment procedures that take into account incidents associated with the target environment. CC ID 06480 Audits and risk management Preventive
    Include compliance with disposition requirements in the risk assessment procedures. CC ID 12342 Audits and risk management Preventive
    Include compliance with retention requirements in the risk assessment procedures. CC ID 12341 Audits and risk management Preventive
    Employ risk assessment procedures that include appropriate risk treatment options for each identified risk. CC ID 06484 Audits and risk management Preventive
    Establish, implement, and maintain a threat and risk classification scheme. CC ID 07183 Audits and risk management Preventive
    Document organizational risk criteria. CC ID 12277
    [The governing body should ensure that the organizational risk framework, in respect to the management of risk: establishes the risk appetite, which involves setting risk criteria and associated limits; § 6.9.3.2 ¶ 2 g)]
    Audits and risk management Preventive
    Include the traceability of malicious code in the threat and risk classification scheme. CC ID 06600 Audits and risk management Preventive
    Include language that is easy to understand in the risk assessment report. CC ID 06461 Audits and risk management Preventive
    Include the environments that call for risk assessments in the risk assessment program. CC ID 06448 Audits and risk management Preventive
    Include the process for defining the scope of each risk assessment in the risk assessment program. CC ID 06462 Audits and risk management Preventive
    Include the circumstances that call for risk assessments in the risk assessment program. CC ID 06449 Audits and risk management Preventive
    Include the roles and responsibilities involved in risk assessments in the risk assessment program. CC ID 06450 Audits and risk management Preventive
    Include the methods of managing and responding to the risk assessment report in the risk assessment program. CC ID 06451 Audits and risk management Preventive
    Approve the risk assessment program and associated risk assessment procedures at the senior management level. CC ID 06458 Audits and risk management Preventive
    Include the probability and potential impact of pandemics in the scope of the risk assessment. CC ID 13241 Audits and risk management Preventive
    Include physical assets in the scope of the risk assessment. CC ID 13075 Audits and risk management Preventive
    Include the results of the risk assessment in the risk assessment report. CC ID 06481 Audits and risk management Preventive
    Update the risk assessment upon discovery of a new threat. CC ID 00708 Audits and risk management Detective
    Update the risk assessment upon changes to the risk profile. CC ID 11627 Audits and risk management Detective
    Document any reasons for modifying or refraining from modifying the organization's risk assessment when the risk assessment has been reviewed. CC ID 13312 Audits and risk management Preventive
    Create a risk assessment report based on the risk assessment results. CC ID 15695 Audits and risk management Preventive
    Include recovery of the critical path in the Business Impact Analysis. CC ID 13224 Audits and risk management Preventive
    Include acceptable levels of data loss in the Business Impact Analysis. CC ID 13264 Audits and risk management Preventive
    Include Recovery Point Objectives in the Business Impact Analysis. CC ID 13223 Audits and risk management Preventive
    Include the Recovery Time Objectives in the Business Impact Analysis. CC ID 13222 Audits and risk management Preventive
    Include pandemic risks in the Business Impact Analysis. CC ID 13219 Audits and risk management Preventive
    Include tolerance to downtime in the Business Impact Analysis report. CC ID 01172 Audits and risk management Preventive
    Establish, implement, and maintain a risk register. CC ID 14828 Audits and risk management Preventive
    Document organizational risk tolerance in a risk register. CC ID 09961 Audits and risk management Preventive
    Establish a risk acceptance level that is appropriate to the organization's risk appetite. CC ID 00706
[{positive impact} Responsible stewardship — The organization: effectively balances positive and negative impacts; § 5 ¶ 2 b) 2)
    The governing body should ensure that the organizational risk framework, in respect to the management of risk: establishes the risk appetite, which involves setting risk criteria and associated limits; § 6.9.3.2 ¶ 2 g)
    The governing body should ensure that it sets parameters, within which the value generation objectives are to be achieved. These parameters should ensure that the organization: balances the achievement of the value generation objectives against potential impacts; § 6.2.3.3 ¶ 1 a)]
    Audits and risk management Preventive
    Select the appropriate risk treatment option for each identified risk in the risk register. CC ID 06483
    [The governing body should oversee the organization's management of risk (see 6.4), ensuring that: the choice of risk treatments is consistent with governance policies; § 6.9.3.4 ¶ 1 c)]
    Audits and risk management Preventive
Perform a gap analysis to review in-scope controls for identified risks and implement new controls, as necessary. CC ID 00704 Audits and risk management Detective
    Document the results of the gap analysis. CC ID 16271 Audits and risk management Preventive
    Establish, implement, and maintain a risk treatment plan. CC ID 11983
    [To ensure that the organization fulfils the organizational purpose and achieves the intended strategic outcomes, the governing body should: ensure that when the governing body makes decisions, it assesses, treats, monitors, and communicates the nature and extent of the risks faced; § 6.9.3.1 ¶ 2 b)
    The governing body should oversee the organization's management of risk (see 6.4), ensuring that: the organization assesses, treats, monitors and reviews risk in accordance with the established organizational risk framework; § 6.9.3.4 ¶ 1 d)
    The governing body should oversee organizational performance by assessing and taking corrective action based on: risk information (e.g. information received directly from the risk function) regarding the organization's assessment and treatment of its key threats and opportunities in consideration of the organizational risk framework (see 6.9); § 6.4.3.2 ¶ 1 c)]
    Audits and risk management Preventive
    Include the date of the risk assessment in the risk treatment plan. CC ID 16321 Audits and risk management Preventive
    Include the risk treatment strategy in the risk treatment plan. CC ID 12159 Audits and risk management Preventive
    Revise the risk treatment strategies in the risk treatment plan, as necessary. CC ID 12552 Audits and risk management Corrective
    Include an overview of the migration project plan in the risk treatment plan. CC ID 11982 Audits and risk management Preventive
    Include change control processes in the risk treatment plan. CC ID 11981 Audits and risk management Preventive
    Include a description of the processes to check for new vulnerabilities in the risk treatment plan. CC ID 11980 Audits and risk management Preventive
    Include the implemented risk management controls in the risk treatment plan. CC ID 11979 Audits and risk management Preventive
    Include requirements for monitoring and reporting in the risk treatment plan, as necessary. CC ID 13620 Audits and risk management Preventive
    Include risk assessment results in the risk treatment plan. CC ID 11978 Audits and risk management Preventive
    Include a description of usage in the risk treatment plan. CC ID 11977 Audits and risk management Preventive
    Document all constraints applied to the risk treatment plan, as necessary. CC ID 13619 Audits and risk management Preventive
    Integrate the corrective action plan based on the risk assessment findings with other risk management activities. CC ID 06457 Audits and risk management Preventive
    Document and communicate a corrective action plan based on the risk assessment findings. CC ID 00705
    [The governing body should ensure that the value generation objectives are delivered by the organization as a whole, by applying all other principles in this document. This includes ensuring that: the impacts of the organization's changing context are identified, understood, monitored and appropriate action is taken; § 6.2.3.4 ¶ 1 b)
    The governing body should assume accountability for the organization's continual sensing of, and responding to, risk and communicating the chosen approach with relevant stakeholders as necessary (see 6.5.3). § 6.9.3.1 ¶ 1
    The governing body should ensure that the value generation objectives are delivered by the organization as a whole, by applying all other principles in this document. This includes ensuring that: unintended outcomes are adequately identified, understood, monitored and appropriate action taken; § 6.2.3.4 ¶ 1 a)
    The governing body should oversee organizational performance by assessing and taking corrective action based on: risk information (e.g. information received directly from the risk function) regarding the organization's assessment and treatment of its key threats and opportunities in consideration of the organizational risk framework (see 6.9); § 6.4.3.2 ¶ 1 c)]
    Audits and risk management Corrective
    Review and approve the risk assessment findings. CC ID 06485
    [The governing body should oversee organizational performance by assessing and taking corrective action based on: risk information (e.g. information received directly from the risk function) regarding the organization's assessment and treatment of its key threats and opportunities in consideration of the organizational risk framework (see 6.9); § 6.4.3.2 ¶ 1 c)]
    Audits and risk management Preventive
    Include risk responses in the risk management program. CC ID 13195 Audits and risk management Preventive
    Document residual risk in a residual risk report. CC ID 13664 Audits and risk management Corrective
    Establish, implement, and maintain an artificial intelligence risk management program. CC ID 16220 Audits and risk management Preventive
    Include diversity and equal opportunity in the artificial intelligence risk management program. CC ID 16255 Audits and risk management Preventive
Include a commitment to continuous improvement in the cybersecurity risk management program. CC ID 16839 Audits and risk management Preventive
    Establish, implement, and maintain a cybersecurity risk management policy. CC ID 16834 Audits and risk management Preventive
    Establish, implement, and maintain a cybersecurity risk management strategy. CC ID 11991 Audits and risk management Preventive
    Include a risk prioritization approach in the Cybersecurity Risk Management Strategy. CC ID 12276 Audits and risk management Preventive
    Include defense in depth strategies in the cybersecurity risk management strategy. CC ID 15582 Audits and risk management Preventive
    Establish, implement, and maintain a cybersecurity supply chain risk management program. CC ID 16826 Audits and risk management Preventive
    Establish, implement, and maintain cybersecurity supply chain risk management procedures. CC ID 16830 Audits and risk management Preventive
    Establish, implement, and maintain a supply chain risk management policy. CC ID 14663 Audits and risk management Preventive
    Include compliance requirements in the supply chain risk management policy. CC ID 14711 Audits and risk management Preventive
    Include coordination amongst entities in the supply chain risk management policy. CC ID 14710 Audits and risk management Preventive
    Include management commitment in the supply chain risk management policy. CC ID 14709 Audits and risk management Preventive
    Include roles and responsibilities in the supply chain risk management policy. CC ID 14708 Audits and risk management Preventive
    Include the scope in the supply chain risk management policy. CC ID 14707 Audits and risk management Preventive
    Include the purpose in the supply chain risk management policy. CC ID 14706 Audits and risk management Preventive
    Establish, implement, and maintain a supply chain risk management plan. CC ID 14713 Audits and risk management Preventive
    Include processes for monitoring and reporting in the supply chain risk management plan. CC ID 15619 Audits and risk management Preventive
    Include dates in the supply chain risk management plan. CC ID 15617 Audits and risk management Preventive
    Include implementation milestones in the supply chain risk management plan. CC ID 15615 Audits and risk management Preventive
    Include roles and responsibilities in the supply chain risk management plan. CC ID 15613 Audits and risk management Preventive
    Include supply chain risk management procedures in the risk management program. CC ID 13190 Audits and risk management Preventive
    Establish, implement, and maintain an access control program. CC ID 11702 Technical security Preventive
    Establish, implement, and maintain an access rights management plan. CC ID 00513 Technical security Preventive
    Add all devices requiring access control to the Access Control List. CC ID 06264 Technical security Preventive
    Include the objects and users subject to access control in the security policy. CC ID 11836 Technical security Preventive
    Establish, implement, and maintain a system use agreement for each information system. CC ID 06500 Technical security Preventive
    Accept and sign the system use agreement before data or system access is enabled. CC ID 06501 Technical security Preventive
    Document actions that can be performed on an information system absent identification and authentication of the user. CC ID 06771 Technical security Preventive
    Establish, implement, and maintain a business continuity program. CC ID 13210 Operational and Systems Continuity Preventive
    Establish, implement, and maintain a continuity framework. CC ID 00732 Operational and Systems Continuity Preventive
    Establish, implement, and maintain a continuity plan. CC ID 00752 Operational and Systems Continuity Preventive
    Include risk prioritized recovery procedures for each business unit in the recovery plan. CC ID 01166 Operational and Systems Continuity Preventive
    Include the recovery plan in the continuity plan. CC ID 01377 Operational and Systems Continuity Preventive
    Establish, implement, and maintain system continuity plan strategies. CC ID 00735 Operational and Systems Continuity Preventive
    Establish, implement, and maintain a critical third party list. CC ID 06815 Operational and Systems Continuity Preventive
    Define the scope for the security operations center. CC ID 15713 Human Resources management Preventive
    Define and assign the roles and responsibilities of the chairman of the board. CC ID 14786 Human Resources management Preventive
Establish, implement, and maintain candidate selection procedures for the board of directors. CC ID 14782
    [The composition and structure of the governing body will vary between organizations. However, the governing body, as a collective, should remain suitably equipped to fulfil its role. Appointments to the governing body should be transparent to stakeholders and consider: capacity; § 4.3.1 ¶ 1 Bullet 4
    The composition and structure of the governing body will vary between organizations. However, the governing body, as a collective, should remain suitably equipped to fulfil its role. Appointments to the governing body should be transparent to stakeholders and consider: probity; § 4.3.1 ¶ 1 Bullet 5
    The composition and structure of the governing body will vary between organizations. However, the governing body, as a collective, should remain suitably equipped to fulfil its role. Appointments to the governing body should be transparent to stakeholders and consider: commitment. § 4.3.1 ¶ 1 Bullet 6
    The composition and structure of the governing body will vary between organizations. However, the governing body, as a collective, should remain suitably equipped to fulfil its role. Appointments to the governing body should be transparent to stakeholders and consider: § 4.3.1 ¶ 1]
    Human Resources management Preventive
    Include the criteria of mixed experiences and skills in the candidate selection procedures. CC ID 14791
    [The composition and structure of the governing body will vary between organizations. However, the governing body, as a collective, should remain suitably equipped to fulfil its role. Appointments to the governing body should be transparent to stakeholders and consider: diversity and inclusion; § 4.3.1 ¶ 1 Bullet 2]
    Human Resources management Preventive
    Establish, implement, and maintain a board committee charter, as necessary. CC ID 14802 Human Resources management Preventive
    Define and assign the security staff roles and responsibilities. CC ID 11750 Human Resources management Preventive
    Define the objectives and extent of outsourcing operational roles and responsibilities. CC ID 06383 Human Resources management Preventive
    Assign the roles and responsibilities for the asset management system. CC ID 14368 Human Resources management Preventive
    Establish, implement, and maintain a personnel management program. CC ID 14018 Human Resources management Preventive
    Establish, implement, and maintain a personnel security program. CC ID 10628 Human Resources management Preventive
    Establish, implement, and maintain personnel screening procedures. CC ID 11700 Human Resources management Preventive
    Perform a criminal records check during personnel screening. CC ID 06643 Human Resources management Preventive
    Document any reasons a full criminal records check could not be performed. CC ID 13305 Human Resources management Preventive
    Perform an academic records check during personnel screening. CC ID 06647 Human Resources management Preventive
    Document the personnel risk assessment results. CC ID 11764 Human Resources management Detective
    Establish, implement, and maintain security clearance procedures. CC ID 00783 Human Resources management Preventive
    Document the security clearance procedure results. CC ID 01635 Human Resources management Detective
    Establish job categorization criteria, job recruitment criteria, and promotion criteria. CC ID 00781 Human Resources management Preventive
    Establish and maintain an annual report on compensation. CC ID 14801 Human Resources management Preventive
    Include the design characteristics of the remuneration system in the annual report on compensation. CC ID 14804 Human Resources management Preventive
    Establish, implement, and maintain roles and responsibilities in the compensation, reward, and recognition program. CC ID 14798 Human Resources management Preventive
    Align the compensation, reward, and recognition program with the risk management program. CC ID 14797 Human Resources management Preventive
    Establish, implement, and maintain remuneration standards, as necessary. CC ID 14794
    [The governing body should steer the organizational strategy by means of: targets, key performance indicators (KPIs) and associated incentives, including financial remuneration (see 6.4.3); § 6.3.3.2.2 ¶ 2 i)]
    Human Resources management Preventive
    Establish, implement, and maintain an occupational health and safety policy. CC ID 00716
    [The governing body should provide direction for, and have sufficient oversight of, the use of data and its supporting information technology to ensure the organization remains within its established risk appetite and organizational risk framework. This can include: ensuring that human behaviour is considered when applying information technology, including safety, fit for purpose and alignment with the organizational purpose; § 6.8.3.4 ¶ 2 e)]
    Human Resources management Preventive
    Include a commitment to continuous improvement in the occupational health and safety policy. CC ID 16267 Human Resources management Preventive
    Include risks and opportunities in the occupational health and safety policy. CC ID 16287 Human Resources management Preventive
    Include occupational health and safety objectives in the occupational health and safety policy. CC ID 16262 Human Resources management Preventive
    Post evacuation plans and evacuation procedures throughout facilities. CC ID 06073 Human Resources management Preventive
    Establish, implement, and maintain health and safety personnel disinfecting procedures. CC ID 06802 Human Resources management Preventive
    Establish, implement, and maintain food preparation procedures. CC ID 06804 Human Resources management Preventive
    Establish, implement, and maintain food handling procedures. CC ID 11765 Human Resources management Preventive
    Establish, implement, and maintain a conflict of interest policy. CC ID 14785
    [The governing body should make decisions of requisite quality and ensure that its decision-making is appropriately informed. The governing body should: consider its level of independence and the effect this level has on its decision-making, including financial interests, position, associations, relationships, bias and alliances; § 6.8.3.2.1 ¶ 1 c)
    The governing body should make decisions of requisite quality and ensure that its decision-making is appropriately informed. The governing body should: carefully address conflicts of interest when making decisions; § 6.8.3.2.1 ¶ 1 d)
    Disclose actual, potential or perceived conflicts of interest at the earliest opportunity and manage such conflicts appropriately. Table 2 Column 2 Row 2 Bullet 2]
    Human Resources management Preventive
    Include definitions of conflicts of interest in the conflict of interest policy. CC ID 14792 Human Resources management Preventive
    Include roles and responsibilities in the conflict of interest policy. CC ID 14790 Human Resources management Preventive
    Establish, implement, and maintain a Code of Conduct. CC ID 04897
    [Ethical leadership results in an organizational context and culture that: contributes to the prevention of misconduct; § 6.7.3.3 ¶ 3 Bullet 3
    Act in good faith and in the best interest of the organization. Table 2 Column 2 Row 2 Bullet 1
    {be ethical} Act ethically and in a compliant manner. Table 2 Column 2 Row 2 Bullet 3
    Ethical behaviour — The organization behaves in accordance with accepted principles of right or good conduct in the context of a particular situation and in a manner consistent with international norms of behaviour, including demonstrating: § 5 ¶ 2 c)
    Ethical leadership results in an organizational context and culture that: provides competitive differentiation for stakeholders by providing clarity against which evaluators can assess the organization's behaviour, decisions and activities; § 6.7.3.3 ¶ 3 Bullet 4
    The governing body should steer the organizational strategy by means of: monitoring and responding to the behaviour, decisions and activities of the organization, e.g. values-driven behaviours pertaining to sustainability; § 6.3.3.2.2 ¶ 2 b)]
    Human Resources management Preventive
    Establish, implement, and maintain a code of conduct for financial recommendations. CC ID 16649 Human Resources management Preventive
    Include anti-coercion requirements and anti-tying requirements in the Code of Conduct. CC ID 16720 Human Resources management Preventive
    Include classifications of ethics violations in the Code of Conduct. CC ID 14769 Human Resources management Preventive
    Include definitions of ethics violations in the Code of Conduct. CC ID 14768 Human Resources management Preventive
    Include exercising due professional care in the Code of Conduct. CC ID 14210
    [Act with due care, skill, diligence and loyalty, and take reasonable steps to become informed about particular matters for decision-making. Table 2 Column 2 Row 3 Bullet 2
{hold accountable}{individual} The governing body should hold to account those to whom it has delegated (see 4.2.2). The governing body should ask questions, exercise its judgement, implement consequences, affect improvements and ensure that it is equipped to do so. When doing so, the governing body should practise integrity, fairness and transparency. § 6.5.3.3 ¶ 1]
    Human Resources management Preventive
    Include health and safety provisions in the Code of Conduct. CC ID 16206 Human Resources management Preventive
    Include key policies in the Code of Conduct. CC ID 12890 Human Resources management Preventive
    Include responsibilities to the public trust in the Code of Conduct. CC ID 14209 Human Resources management Preventive
    Include the vision statement in the Code of Conduct. CC ID 12889 Human Resources management Preventive
    Include the organization's mission in the Code of Conduct. CC ID 12875 Human Resources management Preventive
    Include classifications of desired conduct in the Code of Conduct. CC ID 12851 Human Resources management Preventive
    Include environmental responsibility criteria in the Code of Conduct. CC ID 16209 Human Resources management Preventive
    Include social responsibility criteria in the Code of Conduct. CC ID 16210 Human Resources management Preventive
    Include that Information Security responsibilities extend outside normal business hours and organizational facilities in the Terms and Conditions of employment. CC ID 04580 Human Resources management Preventive
    Include labor rights criteria in the Code of Conduct. CC ID 16208 Human Resources management Preventive
    Include the employee's legal responsibilities and rights in the Terms and Conditions of employment. CC ID 15701 Human Resources management Preventive
    Include the legal intellectual property responsibilities in the Code of Conduct. CC ID 04898 Human Resources management Detective
    Include definitions of desirable conduct in the Code of Conduct. CC ID 12846 Human Resources management Preventive
    Include notification procedures for allegations of undesirable conduct in the Code of Conduct. CC ID 12855 Human Resources management Preventive
    Include procedures to identify positive outcomes in the Code of Conduct. CC ID 12854 Human Resources management Preventive
    Require personnel to sign the Code of Conduct as a part of the Terms and Conditions of employment. CC ID 06664 Human Resources management Preventive
    Require all personnel to re-sign the Code of Conduct, as necessary. CC ID 06666 Human Resources management Preventive
    Include information security responsibilities in performance reviews. CC ID 15697 Human Resources management Preventive
    Analyze the documentation produced by staff during the performance review. CC ID 07207 Human Resources management Detective
    Establish, implement, and maintain a training program to report compliance violations. CC ID 11835 Human Resources management Preventive
    Establish, implement, and maintain a Governance, Risk, and Compliance framework. CC ID 01406
    [To exercise effective oversight, the governing body should: ensure that an internal control system is implemented, including a risk management system, a compliance management system and a system of financial controls; § 6.4.3.1 ¶ 1 b)
    {be adequate} The governing body is accountable for establishing and maintaining an integrated organizational governance framework across the organization that coordinates these governance activities such that the organization realizes effective performance, responsible stewardship and ethical behaviour. This organizational governance framework should ensure that decision-makers have appropriate authority, competence and resources for the responsibilities given to them. Effective delegation and transparent decision-making empower personnel to act appropriately, resulting in a more resilient and agile organization. Controls and subsequent improvement actions should be planned and implemented to ensure that the governance system remains adequate for the organization's purpose. § 4.2.1 ¶ 2
    Therefore, the governing body should: govern for organizational viability over time. § 6.11.3.1 ¶ 2 c)]
    Operational management Preventive
    Include enterprise architecture in the Governance, Risk, and Compliance framework. CC ID 13266 Operational management Preventive
    Establish, implement, and maintain security requirements based on applicable regulations. CC ID 16283 Operational management Preventive
    Establish, implement, and maintain a prioritized plan for updating the Governance, Risk, and Compliance framework. CC ID 12853
    [Governing body members should continuously improve their competency regarding the organization's activities, legal requirements and, more broadly, the organization's context. This improving capability, together with regular reviews of governance practices, should ensure a continually improving governance environment. § 4.3.2 ¶ 1
    The governing body should ensure that the responsibilities for developing and approving all policies are clear and that governance policies are not open to change without the governing body's agreement. § 6.3.3.1.2 ¶ 4
    {individual} The governing body should ensure that those to whom they delegate are empowered to create management policies, which are consistent with the governance policies, and are also empowered to provide proposals for changes to the governance policies. § 6.3.3.1.2 ¶ 3
    The governing body should steer the organizational strategy by means of: the composition and functioning of the governing body itself, and its committees, ensuring they are continually able to understand and meet the changing needs of the organization (see 4.3.2), including recommending ways for closing anticipated gaps; § 6.3.3.2.2 ¶ 2 c)]
    Operational management Preventive
    Establish, implement, and maintain a compliance policy. CC ID 14807 Operational management Preventive
    Include the standard of conduct and accountability in the compliance policy. CC ID 14813
    [{refrain from holding accountable}{do not}{individual} No one should be held accountable for matters over which they have no authority or for which expectations have not been stated or agreed. § 4.2.2 ¶ 3
    Governance of organizations is a human-based system by which an organization is directed, overseen and held accountable for achieving its defined organizational purpose. At its core this includes: demonstrating accountability for this performance and behaviour. § 4.1 ¶ 3 e)]
    Operational management Preventive
    Include the scope in the compliance policy. CC ID 14812 Operational management Preventive
    Include roles and responsibilities in the compliance policy. CC ID 14811 Operational management Preventive
    Include a commitment to continual improvement in the compliance policy. CC ID 14810 Operational management Preventive
    Include management commitment in the compliance policy. CC ID 14808 Operational management Preventive
    Establish, implement, and maintain a governance policy. CC ID 15587
    [The governing body should establish governance policies and ensure that these: § 6.3.3.1.2 ¶ 1
    The governing body should ensure that the governance policies are effectively applied across the organization and that they achieve the governing body's intentions. § 6.3.3.1.2 ¶ 2
    The governing body should ensure that the organizational risk framework, in respect to the management of risk: positions risk as a key consideration in the setting of governance policies (see 6.3); § 6.9.3.2 ¶ 2 c)
    The governing body should establish governance policies and ensure that these: are regularly reviewed, and updated as necessary, to ensure that they remain aligned with the organization's constituting documents, and the organization's changing context, and are based on relevant guidance and best practices such as standards and codes. § 6.3.3.1.2 ¶ 1 h)
    The governing body should establish governance policies and ensure that these: clarify the governing body's intentions and expectations with respect to the organizational purpose, organizational values and the organization's value generation objectives; § 6.3.3.1.2 ¶ 1 a)
    {internal context} The governing body should steer the organizational strategy by means of: governance policies, to ensure that they remain aligned with the organization's changing internal and external context and are current with common or best practice; § 6.3.3.2.2 ¶ 2 d)
    The governing body should provide direction for, and have sufficient oversight of, the use of data and its supporting information technology to ensure the organization remains within its established risk appetite and organizational risk framework. This can include: innovation processes to ensure that changes in information technology can quickly be assessed and, if necessary and appropriate, governance policies can be updated to leverage new opportunities; § 6.8.3.4 ¶ 2 d)]
    Operational management Preventive
    Include a commitment to continuous improvement in the governance policy. CC ID 15595
    [The governing body should establish governance policies and ensure that these: address the governing body's own commitment to continual improvement; § 6.3.3.1.2 ¶ 1 g)]
    Operational management Preventive
    Include roles and responsibilities in the governance policy. CC ID 15594
    [The governing body should establish governance policies and ensure that these: provide guidance on what, rather than detailing how, responsibilities are to be fulfilled; § 6.3.3.1.2 ¶ 1 d)
    The governing body should establish governance policies and ensure that these: define the structures (e.g. committees) and roles involved in the governance of the organization, including their authority, responsibilities, performance and reporting requirements; § 6.3.3.1.2 ¶ 1 c)
    The governing body should establish governance policies and ensure that these: clarify delegations within the organization, including in relation to the strategy process; § 6.3.3.1.2 ¶ 1 b)]
    Operational management Preventive
    Establish, implement, and maintain an internal control framework. CC ID 00820
    [To exercise effective oversight, the governing body should: ensure that an internal control system is implemented, including a risk management system, a compliance management system and a system of financial controls; § 6.4.3.1 ¶ 1 b)
    {be adequate} The governing body is accountable for establishing and maintaining an integrated organizational governance framework across the organization that coordinates these governance activities such that the organization realizes effective performance, responsible stewardship and ethical behaviour. This organizational governance framework should ensure that decision-makers have appropriate authority, competence and resources for the responsibilities given to them. Effective delegation and transparent decision-making empower personnel to act appropriately, resulting in a more resilient and agile organization. Controls and subsequent improvement actions should be planned and implemented to ensure that the governance system remains adequate for the organization's purpose. § 4.2.1 ¶ 2]
    Operational management Preventive
    Include the business need justification for excluding controls in the baseline of internal controls. CC ID 16129 Operational management Preventive
    Include the implementation status of controls in the baseline of internal controls. CC ID 16128 Operational management Preventive
    Include procedures for continuous quality improvement in the internal control framework. CC ID 00819 Operational management Preventive
    Include continuous service account management procedures in the internal control framework. CC ID 13860 Operational management Preventive
    Include threat assessment in the internal control framework. CC ID 01347 Operational management Preventive
    Include vulnerability management and risk assessment in the internal control framework. CC ID 13102
    [The governing body should establish governance policies and ensure that these: set expectations for internal controls, compliance, risk management and risk taking; § 6.3.3.1.2 ¶ 1 e)]
    Operational management Preventive
    Include personnel security procedures in the internal control framework. CC ID 01349 Operational management Preventive
    Include continuous security warning monitoring procedures in the internal control framework. CC ID 01358 Operational management Preventive
    Include incident alert thresholds in the continuous security warning monitoring procedures. CC ID 13205 Operational management Preventive
    Include security information sharing procedures in the internal control framework. CC ID 06489 Operational management Preventive
    Include security incident response procedures in the internal control framework. CC ID 01359 Operational management Preventive
    Include incident response escalation procedures in the internal control framework. CC ID 11745 Operational management Preventive
    Include continuous user account management procedures in the internal control framework. CC ID 01360 Operational management Preventive
    Include emergency response procedures in the internal control framework. CC ID 06779 Operational management Detective
    Authorize and document all exceptions to the internal control framework. CC ID 06781 Operational management Preventive
    Establish, implement, and maintain a cybersecurity policy. CC ID 16833 Operational management Preventive
    Establish, implement, and maintain an information security program. CC ID 00812
    [The governing body should provide direction for, and have sufficient oversight of, the use of data and its supporting information technology to ensure the organization remains within its established risk appetite and organizational risk framework. This can include: the implementation of a risk-based information security management system (ISMS); § 6.8.3.4 ¶ 2 b)]
    Operational management Preventive
    Include physical safeguards in the information security program. CC ID 12375 Operational management Preventive
    Include technical safeguards in the information security program. CC ID 12374 Operational management Preventive
    Include administrative safeguards in the information security program. CC ID 12373 Operational management Preventive
    Include system development in the information security program. CC ID 12389 Operational management Preventive
    Include system maintenance in the information security program. CC ID 12388 Operational management Preventive
    Include system acquisition in the information security program. CC ID 12387 Operational management Preventive
    Include access control in the information security program. CC ID 12386 Operational management Preventive
    Include operations management in the information security program. CC ID 12385 Operational management Preventive
    Include communication management in the information security program. CC ID 12384 Operational management Preventive
    Include environmental security in the information security program. CC ID 12383 Operational management Preventive
    Include physical security in the information security program. CC ID 12382 Operational management Preventive
    Include human resources security in the information security program. CC ID 12381 Operational management Preventive
    Include asset management in the information security program. CC ID 12380 Operational management Preventive
    Include a continuous monitoring program in the information security program. CC ID 14323 Operational management Preventive
    Include change management procedures in the continuous monitoring plan. CC ID 16227 Operational management Preventive
    Include recovery procedures in the continuous monitoring plan. CC ID 16226 Operational management Preventive
    Include mechanisms for decommissioning a system in the continuous monitoring plan. CC ID 16225 Operational management Preventive
    Include mechanisms for appeal and override in the continuous monitoring plan. CC ID 16223 Operational management Preventive
    Include how the information security department is organized in the information security program. CC ID 12379 Operational management Preventive
    Include risk management in the information security program. CC ID 12378 Operational management Preventive
    Include mitigating supply chain risks in the information security program. CC ID 13352 Operational management Preventive
    Establish, implement, and maintain an information security policy. CC ID 11740 Operational management Preventive
    Include business processes in the information security policy. CC ID 16326 Operational management Preventive
    Include the information security strategy in the information security policy. CC ID 16125 Operational management Preventive
    Include a commitment to continuous improvement in the information security policy. CC ID 16123 Operational management Preventive
    Include roles and responsibilities in the information security policy. CC ID 16120 Operational management Preventive
    Include a commitment to the information security requirements in the information security policy. CC ID 13496 Operational management Preventive
    Include information security objectives in the information security policy. CC ID 13493 Operational management Preventive
    Include the use of Cloud Services in the information security policy. CC ID 13146 Operational management Preventive
    Include notification procedures in the information security policy. CC ID 16842 Operational management Preventive
    Describe the group activities that protect restricted data in the information security procedures. CC ID 12294 Operational management Preventive
    Document the roles and responsibilities for all activities that protect restricted data in the information security procedures. CC ID 12304 Operational management Preventive
    Assign information security responsibilities to interested personnel and affected parties in the information security program. CC ID 11885 Operational management Preventive
    Establish, implement, and maintain a social media governance program. CC ID 06536 Operational management Preventive
    Include instant messaging, texting, and tweeting in the social media acceptable use policy. CC ID 04578 Operational management Preventive
    Include explicit restrictions in the social media acceptable use policy. CC ID 06655 Operational management Preventive
    Include contributive content sites in the social media acceptable use policy. CC ID 06656 Operational management Preventive
    Establish, implement, and maintain operational control procedures. CC ID 00831 Operational management Preventive
    Include assigning and approving operations in operational control procedures. CC ID 06382 Operational management Preventive
    Include startup processes in operational control procedures. CC ID 00833 Operational management Preventive
    Include change control processes in the operational control procedures. CC ID 16793 Operational management Preventive
    Establish and maintain a data processing run manual. CC ID 00832 Operational management Preventive
    Establish, implement, and maintain a Standard Operating Procedures Manual. CC ID 00826 Operational management Preventive
    Include metrics in the standard operating procedures manual. CC ID 14988 Operational management Preventive
    Include maintenance measures in the standard operating procedures manual. CC ID 14986 Operational management Preventive
    Include the expected lifetime of the system in the standard operating procedures manual. CC ID 14984 Operational management Preventive
    Include technical measures used to interpret output in the standard operating procedures manual. CC ID 14982 Operational management Preventive
    Include predetermined changes in the standard operating procedures manual. CC ID 14977 Operational management Preventive
    Include specifications for input data in the standard operating procedures manual. CC ID 14975 Operational management Preventive
    Include risks to health and safety or fundamental rights in the standard operating procedures manual. CC ID 14973 Operational management Preventive
    Include circumstances that may impact the system in the standard operating procedures manual. CC ID 14972 Operational management Preventive
    Include what the system was tested and validated for in the standard operating procedures manual. CC ID 14969 Operational management Preventive
    Include the intended purpose in the standard operating procedures manual. CC ID 14967 Operational management Preventive
    Include information on system performance in the standard operating procedures manual. CC ID 14965 Operational management Preventive
    Include contact details in the standard operating procedures manual. CC ID 14962 Operational management Preventive
    Update operating procedures that contribute to user errors. CC ID 06935 Operational management Corrective
    Establish, implement, and maintain a job scheduling methodology. CC ID 00834 Operational management Preventive
    Establish and maintain a job schedule exceptions list. CC ID 00835 Operational management Preventive
    Establish, implement, and maintain a data processing continuity plan. CC ID 00836 Operational management Preventive
    Establish, implement, and maintain Voice over Internet Protocol operating procedures. CC ID 04583 Operational management Preventive
    Establish, implement, and maintain the Acceptable Use Policy. CC ID 01350 Operational management Preventive
    Include that explicit management authorization must be given for the use of all technologies and their documentation in the Acceptable Use Policy. CC ID 01351 Operational management Preventive
    Include requiring users to protect restricted data in accordance with the Governance, Risk, and Compliance framework in the Acceptable Use Policy. CC ID 11894
    [New technology brings an increase in the volume and value of data, and a responsibility for governing bodies to ensure that: sensitive data are protected and secured. § 6.8.3.4 ¶ 1 Bullet 3]
    Operational management Preventive
    Include Bring Your Own Device agreements in the Acceptable Use Policy. CC ID 15703 Operational management Preventive
    Include the obligations of users in the Bring Your Own Device agreement. CC ID 15708 Operational management Preventive
    Include the rights of the organization in the Bring Your Own Device agreement. CC ID 15707 Operational management Preventive
    Include the circumstances in which the organization may confiscate, audit, or inspect assets in the Bring Your Own Device agreement. CC ID 15706 Operational management Preventive
    Include the circumstances in which the organization may manage assets in the Bring Your Own Device agreement. CC ID 15705 Operational management Preventive
    Include Bring Your Own Device usage in the Acceptable Use Policy. CC ID 12293 Operational management Preventive
    Include a web usage policy in the Acceptable Use Policy. CC ID 16496 Operational management Preventive
    Include Bring Your Own Device security guidelines in the Acceptable Use Policy. CC ID 01352 Operational management Preventive
    Include asset tags in the Acceptable Use Policy. CC ID 01354 Operational management Preventive
    Specify the owner of applicable assets in the Acceptable Use Policy. CC ID 15699 Operational management Preventive
    Include asset use policies in the Acceptable Use Policy. CC ID 01355 Operational management Preventive
    Include authority for access authorization lists for assets in all relevant Acceptable Use Policies. CC ID 11872 Operational management Preventive
    Include access control mechanisms in the Acceptable Use Policy. CC ID 01353 Operational management Preventive
    Include prohibiting the copying or moving of restricted data from its original source onto local hard drives or removable storage media in the Acceptable Use Policy. CC ID 11893 Operational management Preventive
    Correlate the Acceptable Use Policy with the network security policy. CC ID 01356 Operational management Preventive
    Include appropriate network locations for each technology in the Acceptable Use Policy. CC ID 11881 Operational management Preventive
    Correlate the Acceptable Use Policy with the approved product list. CC ID 01357 Operational management Preventive
    Include facility access and facility use in the Acceptable Use Policy. CC ID 06441 Operational management Preventive
    Include disciplinary actions in the Acceptable Use Policy. CC ID 00296 Operational management Corrective
    Include the usage restrictions of mobile code technologies in the Acceptable Use Policy. CC ID 15311 Operational management Preventive
    Include a software installation policy in the Acceptable Use Policy. CC ID 06749 Operational management Preventive
    Document idle session termination and logout for remote access technologies in the Acceptable Use Policy. CC ID 12472 Operational management Preventive
    Require interested personnel and affected parties to sign Acceptable Use Policies. CC ID 06661 Operational management Preventive
    Require interested personnel and affected parties to re-sign Acceptable Use Policies, as necessary. CC ID 06663 Operational management Preventive
    Establish, implement, and maintain an Intellectual Property Right program. CC ID 00821 Operational management Preventive
    Establish, implement, and maintain Intellectual Property Rights protection procedures. CC ID 11512 Operational management Preventive
    Protect against circumvention of the organization's Intellectual Property Rights. CC ID 11513 Operational management Preventive
    Establish, implement, and maintain an e-mail policy. CC ID 06439 Operational management Preventive
    Include business use of personal e-mail in the e-mail policy. CC ID 14381 Operational management Preventive
    Protect policies, standards, and procedures from unauthorized modification or disclosure. CC ID 10603 Operational management Preventive
    Establish, implement, and maintain nondisclosure agreements. CC ID 04536 Operational management Preventive
    Require interested personnel and affected parties to sign nondisclosure agreements. CC ID 06667 Operational management Preventive
    Require interested personnel and affected parties to re-sign nondisclosure agreements, as necessary. CC ID 06669 Operational management Preventive
    Establish, implement, and maintain a use of information agreement. CC ID 06215 Operational management Preventive
    Include use limitations in the use of information agreement. CC ID 06244 Operational management Preventive
    Include disclosure requirements in the use of information agreement. CC ID 11735 Operational management Preventive
    Include information recipients in the use of information agreement. CC ID 06245 Operational management Preventive
    Include reporting out of scope use of information in the use of information agreement. CC ID 06246 Operational management Preventive
    Include disclosure of information in the use of information agreement. CC ID 11830 Operational management Preventive
    Include information security procedures assigned to the information recipient in the use of information agreement. CC ID 07130 Operational management Preventive
    Include information security procedures assigned to the originator in the use of information agreement. CC ID 14418 Operational management Preventive
    Include a do not contact rule for the individuals identified in a data set in the use of information agreement. CC ID 07131 Operational management Preventive
    Include the information recipient's third parties accepting the agreement in the use of information agreement. CC ID 07132 Operational management Preventive
    Comply with all implemented policies in the organization's compliance framework. CC ID 06384
    [To demonstrate accountability, the governing body should ensure that the organization's reports and disclosures: meet compliance obligations; § 6.5.3.2 ¶ 1 d)
    Effective performance — The organization: remains in alignment with its policies and relevant stakeholder expectations. § 5 ¶ 2 a) 4)]
    Operational management Preventive
    Establish, implement, and maintain an asset management policy. CC ID 15219 Operational management Preventive
    Establish, implement, and maintain asset management procedures. CC ID 16748 Operational management Preventive
    Include life cycle requirements in the security management program. CC ID 16392 Operational management Preventive
    Include program objectives in the asset management program. CC ID 14413 Operational management Preventive
    Include a commitment to continual improvement in the asset management program. CC ID 14412 Operational management Preventive
    Include compliance with applicable requirements in the asset management program. CC ID 14411 Operational management Preventive
    Establish, implement, and maintain classification schemes for all systems and assets. CC ID 01902 Operational management Preventive
    Establish, implement, and maintain the systems' confidentiality level. CC ID 01904 Operational management Preventive
    Define confidentiality controls. CC ID 01908 Operational management Preventive
    Establish, implement, and maintain the systems' availability level. CC ID 01905 Operational management Preventive
    Define integrity controls. CC ID 01909 Operational management Preventive
    Establish, implement, and maintain the systems' integrity level. CC ID 01906 Operational management Preventive
    Define availability controls. CC ID 01911 Operational management Preventive
    Establish safety classifications for systems according to their potential harmful effects to operators or end users. CC ID 06603 Operational management Preventive
    Establish, implement, and maintain an asset safety classification scheme. CC ID 06604 Operational management Preventive
    Establish, implement, and maintain the Asset Classification Policy. CC ID 06642 Operational management Preventive
    Document the decision for assigning an asset to a specific asset classification in the Asset Classification Policy. CC ID 07185 Operational management Preventive
    Assign decomposed system components the same asset classification as the originating system. CC ID 06605 Operational management Preventive
    Establish, implement, and maintain an Information Technology inventory with asset discovery audit trails. CC ID 00689 Operational management Preventive
    Include all account types in the Information Technology inventory. CC ID 13311 Operational management Preventive
    Include each Information System's major applications in the Information Technology inventory. CC ID 01407 Operational management Preventive
    Categorize all major applications according to the business information they process. CC ID 07182 Operational management Preventive
    Document the resources, hazards, and Evaluation Assurance Levels for each major application. CC ID 01164 Operational management Preventive
    Include the General Support Systems and security support structure in the Information Technology inventory. CC ID 01408 Operational management Preventive
    Include each Information System's minor applications in the Information Technology inventory. CC ID 01409 Operational management Preventive
    Categorize facilities in the Information Technology inventory according to their environmental risks. CC ID 06729 Operational management Preventive
    Establish, implement, and maintain a hardware asset inventory. CC ID 00691 Operational management Preventive
    Include network equipment in the Information Technology inventory. CC ID 00693 Operational management Preventive
    Include mobile devices that store restricted data or restricted information in the Information Technology inventory. CC ID 04719 Operational management Preventive
    Include software in the Information Technology inventory. CC ID 00692 Operational management Preventive
    Establish and maintain a list of authorized software and versions required for each system. CC ID 12093 Operational management Preventive
    Establish, implement, and maintain a storage media inventory. CC ID 00694 Operational management Preventive
    Include all electronic storage media containing restricted data or restricted information in the storage media inventory. CC ID 00962 Operational management Detective
    Establish, implement, and maintain a records inventory and database inventory. CC ID 01260 Operational management Preventive
    Add inventoried assets to the asset register database, as necessary. CC ID 07051 Operational management Preventive
    Organize the asset register database by grouping objects according to an organizational information classification standard. CC ID 07181 Operational management Preventive
    Record the decommission date for applicable assets in the asset inventory. CC ID 14920 Operational management Preventive
    Record the Uniform Resource Locator for applicable assets in the asset inventory. CC ID 14918 Operational management Preventive
    Record the review date for applicable assets in the asset inventory. CC ID 14919 Operational management Preventive
    Record services for applicable assets in the asset inventory. CC ID 13733 Operational management Preventive
    Record protocols for applicable assets in the asset inventory. CC ID 13734 Operational management Preventive
    Record the software version in the asset inventory. CC ID 12196 Operational management Preventive
    Record the publisher for applicable assets in the asset inventory. CC ID 13725 Operational management Preventive
    Record the authentication system in the asset inventory. CC ID 13724 Operational management Preventive
    Tag unsupported assets in the asset inventory. CC ID 13723 Operational management Preventive
    Record the install date for applicable assets in the asset inventory. CC ID 13720 Operational management Preventive
    Record the make and model of device for applicable assets in the asset inventory. CC ID 12465 Operational management Preventive
    Record the asset tag for physical assets in the asset inventory. CC ID 06632 Operational management Preventive
    Record the host name of applicable assets in the asset inventory. CC ID 13722 Operational management Preventive
    Record network ports for applicable assets in the asset inventory. CC ID 13730 Operational management Preventive
    Record the MAC address for applicable assets in the asset inventory. CC ID 13721 Operational management Preventive
    Record the operating system type for applicable assets in the asset inventory. CC ID 06633 Operational management Preventive
    Record the department associated with the asset in the asset inventory. CC ID 12084 Operational management Preventive
    Record the physical location for applicable assets in the asset inventory. CC ID 06634 Operational management Preventive
    Record the manufacturer's serial number for applicable assets in the asset inventory. CC ID 06635 Operational management Preventive
    Record the firmware version for applicable assets in the asset inventory. CC ID 12195 Operational management Preventive
    Record the related business function for applicable assets in the asset inventory. CC ID 06636 Operational management Preventive
    Record the deployment environment for applicable assets in the asset inventory. CC ID 06637 Operational management Preventive
    Record the Internet Protocol address for applicable assets in the asset inventory. CC ID 06638 Operational management Preventive
    Link the software asset inventory to the hardware asset inventory. CC ID 12085 Operational management Preventive
    Record the owner for applicable assets in the asset inventory. CC ID 06640 Operational management Preventive
    Record all compliance requirements for applicable assets in the asset inventory. CC ID 15696 Operational management Preventive
    Record all changes to assets in the asset inventory. CC ID 12190 Operational management Preventive
    Record cloud service derived data in the asset inventory. CC ID 13007 Operational management Preventive
    Include cloud service customer data in the asset inventory. CC ID 13006 Operational management Preventive
    Establish, implement, and maintain a software accountability policy. CC ID 00868 Operational management Preventive
    Establish, implement, and maintain software asset management procedures. CC ID 00895 Operational management Preventive
    Establish, implement, and maintain software archives procedures. CC ID 00866 Operational management Preventive
    Establish, implement, and maintain software distribution procedures. CC ID 00894 Operational management Preventive
    Establish, implement, and maintain software documentation management procedures. CC ID 06395 Operational management Preventive
    Establish, implement, and maintain software license management procedures. CC ID 06639 Operational management Preventive
    Establish, implement, and maintain digital legacy procedures. CC ID 16524 Operational management Preventive
    Establish, implement, and maintain a system redeployment program. CC ID 06276 Operational management Preventive
    Document the staff's operating knowledge of the system prior to a personnel status change. CC ID 06937 Operational management Preventive
    Redeploy systems to other organizational units, as necessary. CC ID 11452 Operational management Preventive
    Establish, implement, and maintain a system disposal program. CC ID 14431 Operational management Preventive
    Establish, implement, and maintain disposal procedures. CC ID 16513 Operational management Preventive
    Establish, implement, and maintain asset sanitization procedures. CC ID 16511 Operational management Preventive
    Establish, implement, and maintain system destruction procedures. CC ID 16474 Operational management Preventive
    Establish, implement, and maintain printer and multifunction device disposition procedures. CC ID 15216 Operational management Preventive
    Establish, implement, and maintain a system preventive maintenance program. CC ID 00885
    [The organization's viability and performance over time depends on the resilience of natural environmental, social and economic systems in which the organization operates. The resilience of these systems benefits from governing body decisions when such decisions consider: actively contribute to conserving and restoring these systems. § 6.11.3.1 ¶ 1 Bullet 2]
    Operational management Preventive
    Establish and maintain maintenance reports. CC ID 11749 Operational management Preventive
    Establish and maintain system inspection reports. CC ID 06346 Operational management Preventive
    Establish, implement, and maintain a system maintenance policy. CC ID 14032 Operational management Preventive
    Include compliance requirements in the system maintenance policy. CC ID 14217 Operational management Preventive
    Include management commitment in the system maintenance policy. CC ID 14216 Operational management Preventive
    Include roles and responsibilities in the system maintenance policy. CC ID 14215 Operational management Preventive
    Include the scope in the system maintenance policy. CC ID 14214 Operational management Preventive
    Include the purpose in the system maintenance policy. CC ID 14187 Operational management Preventive
    Include coordination amongst entities in the system maintenance policy. CC ID 14181 Operational management Preventive
    Establish, implement, and maintain system maintenance procedures. CC ID 14059 Operational management Preventive
    Establish, implement, and maintain a technology refresh plan. CC ID 13061 Operational management Preventive
    Establish and maintain an archive of maintenance reports in a maintenance log. CC ID 06202 Operational management Preventive
    Post calibration limits or calibration tolerances on or near assets requiring calibration. CC ID 06204 Operational management Preventive
    Establish, implement, and maintain an end-of-life management process. CC ID 16540 Operational management Preventive
    Establish, implement, and maintain disposal contracts. CC ID 12199 Operational management Preventive
    Include disposal procedures in disposal contracts. CC ID 13905 Operational management Preventive
    Document the storage information for all systems that are stored instead of being disposed of or redeployed. CC ID 06936 Operational management Preventive
    Establish, implement, and maintain a data stewardship policy. CC ID 06657 Operational management Preventive
    Establish and maintain an unauthorized software list. CC ID 10601 Operational management Preventive
    Establish, implement, and maintain a customer service program. CC ID 00846 Operational management Preventive
    Include detection procedures in the Incident Management program. CC ID 00588 Operational management Preventive
    Analyze security violations in Suspicious Activity Reports. CC ID 00591 Operational management Preventive
    Update the incident response procedures using the lessons learned. CC ID 01233
    [The governing body should oversee organizational performance by assessing and taking corrective action based on: the organization's management of plans, organizational changes and other substantial transformations as well as responses to unplanned events and incidents. § 6.4.3.2 ¶ 1 j)]
    Operational management Preventive
    Establish, implement, and maintain a performance management standard. CC ID 01615
    [The governing body should oversee the organization's performance to ensure that it meets the governing body's intentions for, and expectations of, the organization, its ethical behaviour and its compliance obligations. § 6.4.1 ¶ 1
    Ethical and effective leadership should be demonstrated in three areas: the performance of the organization as a whole; § 6.7.3.1 ¶ 4 b)
    The governing body should oversee the organization's performance to ensure that it meets the governing body's intentions for, and expectations of, the organization, its ethical behaviour and its compliance obligations. Table 1 Column 4 Row 5
    Effective performance — The organization: performs as required; § 5 ¶ 2 a) 2)]
    Operational management Preventive
    Establish, implement, and maintain a remediation plan for deviations in the resource management process. CC ID 13679 Operational management Preventive
    Establish, implement, and maintain system capacity monitoring procedures. CC ID 01619 Operational management Preventive
    Establish, implement, and maintain system performance monitoring procedures. CC ID 11752 Operational management Preventive
    Establish, implement, and maintain a cost management program. CC ID 13638 Operational management Preventive
    Establish, implement, and maintain an information management program. CC ID 14315
    [Decision-making throughout the organization should be supported by appropriate delegation (see 4.2.2). This delegation should be formalized together with appropriate assurance processes. Additionally, the governing body should ensure that: information structures, including access to information, monitoring and potential mitigation of incorrect decisions are sufficient to ensure compliance with organizational requirements. § 6.8.3.2.2 ¶ 1 c)]
    Records management Preventive
    Establish, implement, and maintain records management procedures. CC ID 11619 Records management Preventive
    Establish, implement, and maintain Automated Data Processing error handling procedures. CC ID 00925 Records management Preventive
    Establish, implement, and maintain Automated Data Processing error handling reporting. CC ID 11659 Records management Preventive
    Establish, implement, and maintain electronic storage media management procedures. CC ID 00931 Records management Preventive
    Include how to access information from the dispute resolution body in the consumer complaint management program. CC ID 13816 Acquisition or sale of facilities, technology, and services Preventive
    Include any requirements for using information from the dispute resolution body in the consumer complaint management program. CC ID 13815 Acquisition or sale of facilities, technology, and services Preventive
    Establish, implement, and maintain consumer complaint escalation procedures. CC ID 07208 Acquisition or sale of facilities, technology, and services Preventive
    Establish, implement, and maintain notice and take-down procedures. CC ID 09963 Acquisition or sale of facilities, technology, and services Preventive
    Document any unlawful material hosted or stored by the organization meeting the take-down request criteria. CC ID 09975 Acquisition or sale of facilities, technology, and services Preventive
    Document any unlawful material hosted or stored by the organization meeting the take-down request criteria that has been removed prior to the take-down request. CC ID 09976 Acquisition or sale of facilities, technology, and services Preventive
    Include whether it is technically feasible to follow the requested remedial action in the take-down request. CC ID 09977 Acquisition or sale of facilities, technology, and services Preventive
    Establish, implement, and maintain a privacy framework that protects restricted data. CC ID 11850 Privacy protection for information and data Preventive
    Establish, implement, and maintain a personal data use limitation program. CC ID 13428 Privacy protection for information and data Preventive
    Establish, implement, and maintain data access procedures. CC ID 00414
    [The governing body should: ensure that all relevant stakeholders are able to access the reports and disclosures, as far as is reasonable, and are therefore suitably equipped with the information necessary to make informed assessments of the organization's past performance, current performance and performance over time. § 6.5.3.2 ¶ 2 Bullet 3]
    Privacy protection for information and data Preventive
    Require data access requests to be in writing, unless the requester is unable. CC ID 00420 Privacy protection for information and data Preventive
    Define what is to be included in a data access request. CC ID 08699 Privacy protection for information and data Preventive
    Deliver the records described in the personal data access request, as necessary. CC ID 08701 Privacy protection for information and data Preventive
    Establish, implement, and maintain procedures for individuals to be able to modify their personal data, as necessary. CC ID 11811 Privacy protection for information and data Preventive
    Include a liability waiver for any harm caused by the exclusion of personal data in the personal data removal request. CC ID 11975 Privacy protection for information and data Preventive
    Notify third parties of data access requests that relate to the third party. CC ID 08703 Privacy protection for information and data Preventive
    Establish, implement, and maintain a personal data collection program. CC ID 06487
    [The governing body should make decisions of requisite quality and ensure that its decision-making is appropriately informed. The governing body should: exercise its right and responsibility to determine and receive the information it requires, including determining the appropriate data collection methods, preparation and timely delivery of information; § 6.8.3.2.1 ¶ 1 f)]
    Privacy protection for information and data Preventive
    Establish, implement, and maintain personal data collection limitation boundaries. CC ID 00507 Privacy protection for information and data Preventive
    Establish, implement, and maintain a personal data use policy. CC ID 00076 Privacy protection for information and data Preventive
    Post the collection purpose. CC ID 00101 Privacy protection for information and data Preventive
    Document each individual's personal data collection consent preferences. CC ID 06945 Privacy protection for information and data Preventive
    Establish and maintain a personal data definition. CC ID 00028 Privacy protection for information and data Preventive
    Include the number of children in the personal data definition. CC ID 13759 Privacy protection for information and data Preventive
    Include the individual's religion in the personal data definition. CC ID 13765 Privacy protection for information and data Preventive
    Include an individual's political party affiliation in the personal data definition. CC ID 13764 Privacy protection for information and data Preventive
    Include an individual's license plate number in the personal data definition. CC ID 13763 Privacy protection for information and data Preventive
    Include an individual's account balances in the personal data definition. CC ID 13770 Privacy protection for information and data Preventive
    Include an individual's logon credentials in the personal data definition. CC ID 13771 Privacy protection for information and data Preventive
    Include an individual's military identification number in the personal data definition. CC ID 13083 Privacy protection for information and data Preventive
    Refrain from including publicly available information in the personal data definition. CC ID 13084 Privacy protection for information and data Preventive
    Notify parents or legal representatives of what information is collected from children. CC ID 00040 Privacy protection for information and data Preventive
    Establish, implement, and maintain a personal data collection policy. CC ID 00029 Privacy protection for information and data Preventive
    Provide the data subject with information about the data controller during the collection process. CC ID 00023 Privacy protection for information and data Preventive
    Provide the data subject with the data collector's name and contact information. CC ID 00024 Privacy protection for information and data Preventive
    Provide the data subject with the name of the data collector who will hold the collected restricted data. CC ID 00025 Privacy protection for information and data Preventive
    Provide the data subject with the third party processor's contact information when the data controller is not processing the restricted data. CC ID 00026 Privacy protection for information and data Preventive
    Establish, implement, and maintain a data handling program. CC ID 13427 Privacy protection for information and data Preventive
    Establish, implement, and maintain data handling policies. CC ID 00353 Privacy protection for information and data Preventive
    Establish, implement, and maintain data and information confidentiality policies. CC ID 00361
    [{be within}To demonstrate accountability, the governing body should ensure that the organization's reports and disclosures: are transparent but also within the limits of confidentiality; § 6.5.3.2 ¶ 1 f)]
    Privacy protection for information and data Preventive
    Establish, implement, and maintain suspicious document procedures. CC ID 04852 Privacy protection for information and data Detective
    Establish, implement, and maintain data handling procedures. CC ID 11756 Privacy protection for information and data Preventive
    Establish, implement, and maintain a supply chain management program. CC ID 11742 Third Party and supply chain oversight Preventive
    Document the organization's supply chain in the supply chain management program. CC ID 09958 Third Party and supply chain oversight Preventive
    Document supply chain dependencies in the supply chain management program. CC ID 08900
    [{external context}The governing body should ensure that the organizational risk framework, in respect to the management of risk: considers the impact of, changes to and dependencies on the external and internal context of the organization, including: § 6.9.3.2 ¶ 2 d)]
    Third Party and supply chain oversight Detective
    Assign responsibility for enforcing the requirements of the Information Governance Plan to senior management. CC ID 12058 Leadership and high level objectives Preventive
    Engage information governance subject matter experts in the development of the Information Governance Plan. CC ID 10055 Leadership and high level objectives Preventive
    Assign senior management to approve business cases. CC ID 13068 Leadership and high level objectives Preventive
    Review and approve the Strategic Information Technology Plan at the level of senior management or the Board of Directors. CC ID 13094 Leadership and high level objectives Preventive
    Assign roles and responsibilities for overseeing access to restricted data or restricted information. CC ID 11950 Monitoring and measurement Detective
    Assign senior management to approve test plans. CC ID 13071 Monitoring and measurement Preventive
    Align disciplinary actions with the level of compliance violation. CC ID 12404 Monitoring and measurement Preventive
    Assign the Board of Directors to address audit findings. CC ID 12396
    [Assurance processes that inform the governing body independently and accurately include: direct verifications by the governing body; § 6.4.3.3 ¶ 2 Bullet 1]
    Audits and risk management Corrective
    Include roles and responsibilities in the interview procedures. CC ID 16297 Audits and risk management Preventive
    Identify the audit team members in the audit report. CC ID 15259 Audits and risk management Detective
    Assign responsibility for remediation actions. CC ID 13622 Audits and risk management Preventive
    Evaluate the competency of auditors. CC ID 15253 Audits and risk management Detective
    Employ third parties when implementing a risk assessment, as necessary. CC ID 16306 Audits and risk management Detective
    Engage appropriate parties to assist with risk assessments, as necessary. CC ID 12153 Audits and risk management Preventive
    Assign key stakeholders to review and approve supply chain risk management procedures. CC ID 13199 Audits and risk management Preventive
    Define roles for information systems. CC ID 12454 Technical security Preventive
    Define access needs for each role assigned to an information system. CC ID 12455 Technical security Preventive
    Establish, implement, and maintain a security operations center. CC ID 14762 Human Resources management Preventive
    Designate an alternate for each organizational leader. CC ID 12053 Human Resources management Preventive
    Assign the roles and responsibilities of management in establishing, implementing, and maintaining the information security program. CC ID 13112 Human Resources management Preventive
    Establish and maintain board committees, as necessary. CC ID 14789
    [The governing body should steer the organizational strategy by means of: the composition and functioning of the governing body itself, and its committees, ensuring they are continually able to understand and meet the changing needs of the organization (see 4.3.2), including recommending ways for closing anticipated gaps; § 6.3.3.2.2 ¶ 2 c)]
    Human Resources management Preventive
    Assign oversight of C-level executives to the Board of Directors. CC ID 14784 Human Resources management Preventive
    Assign oversight of the financial management program to the board of directors. CC ID 14781 Human Resources management Preventive
    Assign senior management to the role of supporting Quality Management. CC ID 13692 Human Resources management Preventive
    Assign members who are independent from management to the Board of Directors. CC ID 12395
    [The composition and structure of the governing body will vary between organizations. However, the governing body, as a collective, should remain suitably equipped to fulfil its role. Appointments to the governing body should be transparent to stakeholders and consider: independence of thought and action; § 4.3.1 ¶ 1 Bullet 3]
    Human Resources management Preventive
    Assign ownership of risks to the Board of Directors or senior management. CC ID 13662
    [The governing body should assume accountability for the organization's continual sensing of, and responding to, risk and communicating the chosen approach with relevant stakeholders as necessary (see 6.5.3). § 6.9.3.1 ¶ 1
    To ensure that the organization fulfils the organizational purpose and achieves the intended strategic outcomes, the governing body should: oversee the organization's risk management activities. § 6.9.3.1 ¶ 2 c)
    The governing body should oversee the organization's management of risk (see 6.4), ensuring that: § 6.9.3.4 ¶ 1]
    Human Resources management Preventive
    Assign the organization's board and senior management to oversee the continuity planning process. CC ID 12991 Human Resources management Preventive
    Rotate members of the board of directors, as necessary. CC ID 14803 Human Resources management Corrective
    Define and assign board committees, as necessary. CC ID 14787 Human Resources management Preventive
    Define and assign risk committees, as necessary. CC ID 14795 Human Resources management Preventive
    Define and assign audit committees, as necessary. CC ID 14788 Human Resources management Preventive
    Include members with experience in audit practices, financial reporting, and accounting in the audit committee. CC ID 14796 Human Resources management Preventive
    Define and assign compensation committees, as necessary. CC ID 14793 Human Resources management Preventive
    Define and assign the network administrator's roles and responsibilities. CC ID 16363 Human Resources management Preventive
    Define and assign the Data Protection Officer's roles and responsibilities. CC ID 16525 Human Resources management Preventive
    Define and assign the Chief Risk Officer's roles and responsibilities. CC ID 14333 Human Resources management Preventive
    Define and assign roles and responsibilities for network management. CC ID 13128 Human Resources management Preventive
    Define and assign the authorized representatives' roles and responsibilities. CC ID 15033 Human Resources management Preventive
    Establish and maintain an Information Technology steering committee. CC ID 12706 Human Resources management Preventive
    Assign the Information Technology steering committee to report to senior management. CC ID 12731 Human Resources management Preventive
    Convene the Information Technology steering committee, as necessary. CC ID 12730 Human Resources management Preventive
    Assign reviewing investments to the Information Technology steering committee, as necessary. CC ID 13625 Human Resources management Preventive
    Assign the role of Risk Assessment Manager to applicable controls. CC ID 12143 Human Resources management Preventive
    Assign the Risk Assessment manager the duty of reporting risk assessment results to organizational management. CC ID 12152 Human Resources management Preventive
    Refrain from allocating temporary staff to perform sensitive jobs absent the presence and control of authorized permanent staff. CC ID 12299 Human Resources management Preventive
    Define and assign workforce roles and responsibilities. CC ID 13267
    ["Governance" and "management" are distinct, necessary and complementary activities that interact and influence one another. Governance involves setting and being accountable for the organization's fulfilment of its purpose within the parameters set for the organization, whereas management is about fulfilling the associated objectives by making choices within those parameters. The governing body should ensure the clarity of roles and responsibilities of all involved and hold accountable those to whom they delegate. § 4.2.3 ¶ 1]
    Human Resources management Preventive
    Establish, implement, and maintain cybersecurity roles and responsibilities. CC ID 13201 Human Resources management Preventive
    Document the use of external experts. CC ID 16263 Human Resources management Preventive
    Define and assign roles and responsibilities for those involved in risk management. CC ID 13660
    [The governing body should ensure that the organizational risk framework, in respect to the management of risk: establishes the desired risk culture across the organization that encourages the reporting and communication of new and emerging risks, and ensures that every person in the organization understands their risk management responsibility; § 6.9.3.2 ¶ 2 a)]
    Human Resources management Preventive
    Include the management structure in the duties and responsibilities for risk management. CC ID 13665 Human Resources management Preventive
    Assign the roles and responsibilities for the change control program. CC ID 13118 Human Resources management Preventive
    Assign responsibility for cyber threat intelligence. CC ID 12746 Human Resources management Preventive
    Assign the role of security leader to keep up to date on the latest threats. CC ID 12112 Human Resources management Preventive
    Define and assign the data processor's roles and responsibilities. CC ID 12607 Human Resources management Preventive
    Assign the data processor to assist the data controller in implementing security controls. CC ID 12677 Human Resources management Preventive
    Assign the role of data controller to be the Point of Contact for the supervisory authority. CC ID 12616 Human Resources management Preventive
    Assign the role of the Data Controller to cooperate with the supervisory authority. CC ID 12615 Human Resources management Preventive
    Assign the data controller to facilitate the exercise of the data subject's rights. CC ID 12666 Human Resources management Preventive
    Assign the role of data controller to provide advice, when requested. CC ID 12611 Human Resources management Preventive
    Define and assign the roles and responsibilities of security guards. CC ID 12543 Human Resources management Preventive
    Define and assign roles and responsibilities for dispute resolution. CC ID 13626 Human Resources management Preventive
    Define and assign the roles for Legal Support Workers. CC ID 13711 Human Resources management Preventive
    Establish, implement, and maintain a succession plan for organizational leaders and support personnel. CC ID 11822
    [The governing body should steer the organizational strategy by means of: succession planning for the critical roles in the organization, including emergency succession arrangements; § 6.3.3.2.2 ¶ 2 f)]
    Human Resources management Preventive
    Perform security skills assessments for all critical employees. CC ID 12102 Human Resources management Detective
    Perform a background check during personnel screening. CC ID 11758 Human Resources management Detective
    Perform a personal identification check during personnel screening. CC ID 06721 Human Resources management Preventive
    Perform a personal references check during personnel screening. CC ID 06645 Human Resources management Preventive
    Perform a credit check during personnel screening. CC ID 06646 Human Resources management Preventive
    Perform a resume check during personnel screening. CC ID 06659 Human Resources management Preventive
    Perform a curriculum vitae check during personnel screening. CC ID 06660 Human Resources management Preventive
    Allow personnel being screened to appeal findings and appeal decisions. CC ID 06720 Human Resources management Preventive
    Perform personnel screening procedures, as necessary. CC ID 11763 Human Resources management Preventive
    Perform periodic background checks on designated roles, as necessary. CC ID 11759 Human Resources management Detective
    Perform security clearance procedures, as necessary. CC ID 06644 Human Resources management Preventive
    Establish and maintain security clearances. CC ID 01634 Human Resources management Preventive
    Implement a staff rotation plan. CC ID 12772 Human Resources management Preventive
    Establish, implement, and maintain a compensation, reward, and recognition program. CC ID 12806
    [{be fair}{be responsible}{be transparent}The governing body should steer the organizational strategy by means of: the organization's approach to compensation, ensuring that compensation is, and remains, fair, responsible and transparent; § 6.3.3.2.2 ¶ 2 h)]
    Human Resources management Preventive
    Recognize personnel who reinforce desirable conduct with incentives. CC ID 12815
    [The governing body should steer the organizational strategy by means of: targets, key performance indicators (KPIs) and associated incentives, including financial remuneration (see 6.4.3); § 6.3.3.2.2 ¶ 2 i)]
    Human Resources management Preventive
    Require regular vacations for personnel using restricted information or sensitive information. CC ID 06550 Human Resources management Preventive
    Provide protective face masks for critical personnel, as necessary. CC ID 06803 Human Resources management Preventive
    Vaccinate critical employees, as necessary. CC ID 06805 Human Resources management Preventive
    Establish, implement, and maintain a travel program for all personnel. CC ID 10597 Human Resources management Preventive
    Establish, implement, and maintain a process to identify any potential health hazards, environmental hazards, or safety hazards, that could affect personnel while traveling internationally. CC ID 06076 Human Resources management Preventive
    Include the information security responsibilities of the organization and the individual in the Terms and Conditions of employment. CC ID 12029 Human Resources management Preventive
    Include the information security responsibilities of employees in their performance objectives. CC ID 15700 Human Resources management Preventive
    Conduct performance reviews for the board of directors and board committees, as necessary. CC ID 14783 Human Resources management Detective
    Take appropriate actions after performance reviews of board members, as necessary. CC ID 14799 Human Resources management Preventive
    Establish, implement, and maintain an ethics program. CC ID 11496
    [When defining the organizational values, the governing body should ensure that: it is clear what ethical behaviour is expected as a result of the organizational values; § 6.1.3.3 ¶ 1 b)
    Defining the organizational purpose involves identifying the issues and stakeholders for which the organization exists to serve and the negative impacts that are to be avoided. When identifying these, the governing body should ensure that the following are considered: the historic, current and aspirational core identity of the organization, including the organizational values and expected ethical behaviour; § 6.1.3.2 ¶ 1 b)
    The governing body should ensure ethical leadership across all areas. § 6.7.3.3 ¶ 1]
    Human Resources management Preventive
    Apply legal remedies to any person knowingly partaking in illegal actions. CC ID 11515 Human Resources management Preventive
    Include prohibiting counterfeiting in the ethics program. CC ID 11517 Human Resources management Preventive
    Refrain from assigning roles and responsibilities that breach segregation of duties. CC ID 12055 Human Resources management Preventive
    Assign accountability for maintaining the Governance, Risk, and Compliance framework. CC ID 12523
    ["Governance" and "management" are distinct, necessary and complementary activities that interact and influence one another. Governance involves setting and being accountable for the organization's fulfilment of its purpose within the parameters set for the organization, whereas management is about fulfilling the associated objectives by making choices within those parameters. The governing body should ensure the clarity of roles and responsibilities of all involved and hold accountable those to whom they delegate. § 4.2.3 ¶ 1
    Governance is exercised throughout the organization by governing groups, including: § 4.2.1 ¶ 1
    Governance is exercised throughout the organization by governing groups, including: member stakeholders; § 4.2.1 ¶ 1 Bullet 1
    Governance is exercised throughout the organization by governing groups, including: managers; § 4.2.1 ¶ 1 Bullet 3
    Governance is exercised throughout the organization by governing groups, including: other internal functions of the organization. § 4.2.1 ¶ 1 Bullet 4
    {individual}{hold accountable} The governing body should demonstrate its accountability to the organization as a whole and hold to account those to whom it has delegated. Table 1 Column 4 Row 6
    The governing body should ensure that the responsibilities for developing and approving all policies are clear and that governance policies are not open to change without the governing body's agreement. § 6.3.3.1.2 ¶ 4
    {individual} The governing body should ensure that those to whom they delegate are empowered to create management policies, which are consistent with the governance policies, and are also empowered to provide proposals for changes to the governance policies. § 6.3.3.1.2 ¶ 3
    Accountable people can delegate to others. However, it should be made clear that those who delegate remain accountable for their delegate's use of that authority. § 4.2.2 ¶ 4
    {individual}{hold accountable} The governing body should demonstrate its accountability to the organization as a whole and hold to account those to whom it has delegated. § 6.5.1 ¶ 1
    {hold accountable}{individual} The governing body should hold to account those to whom it has delegated (see 4.2.2). The governing body should ask questions, exercise its judgement, implement consequences, affect improvements and ensure that it is equipped to do so. When doing so, the governing body should practise integrity, fairness and transparency. § 6.5.3.3 ¶ 1]
    Operational management Preventive
    Assign defining the program for disseminating and communicating the Governance, Risk, and Compliance framework. CC ID 12524 Operational management Preventive
    Assign the responsibility for establishing, implementing, and maintaining the information security program to the appropriate role. CC ID 11884 Operational management Preventive
    Assign the responsibility for distributing the information security program to the appropriate role. CC ID 11883 Operational management Preventive
    Assign an information owner to organizational assets, as necessary. CC ID 12729 Operational management Preventive
    Assign ownership of maintaining the asset inventory, as necessary. CC ID 12344 Operational management Preventive
    Control granting access to appropriate parties performing maintenance on organizational assets. CC ID 11873 Operational management Preventive
  • IT Impact Zone
    11
    KEY:    Primary Verb     Primary Noun     Secondary Verb     Secondary Noun     Limiting Term
    Mandated - bold    Implied - italic    Implementation - regular IMPACT ZONE CLASS
    Leadership and high level objectives CC ID 00597 Leadership and high level objectives IT Impact Zone
    Monitoring and measurement CC ID 00636 Monitoring and measurement IT Impact Zone
    Audits and risk management CC ID 00677 Audits and risk management IT Impact Zone
    Technical security CC ID 00508 Technical security IT Impact Zone
    Operational and Systems Continuity CC ID 00731 Operational and Systems Continuity IT Impact Zone
    Human Resources management CC ID 00763 Human Resources management IT Impact Zone
    Operational management CC ID 00805 Operational management IT Impact Zone
    Records management CC ID 00902 Records management IT Impact Zone
    Acquisition or sale of facilities, technology, and services CC ID 01123 Acquisition or sale of facilities, technology, and services IT Impact Zone
    Privacy protection for information and data CC ID 00008 Privacy protection for information and data IT Impact Zone
    Third Party and supply chain oversight CC ID 08807 Third Party and supply chain oversight IT Impact Zone
  • Investigate
    24
    Check the list of material topics for completeness. CC ID 15692 Leadership and high level objectives Preventive
    Ensure the data dictionary is complete and accurate. CC ID 13527 Leadership and high level objectives Detective
    Investigate discrepancies between the information received and the information verified for each funds transfer. CC ID 16757 Leadership and high level objectives Detective
    Determine the amount of assets to be held in escrow. CC ID 16575 Leadership and high level objectives Detective
    Determine the causes of compliance violations. CC ID 12401 Monitoring and measurement Corrective
    Determine if multiple compliance violations of the same type could occur. CC ID 12402 Monitoring and measurement Detective
    Review the effectiveness of disciplinary actions carried out for compliance violations. CC ID 12403 Monitoring and measurement Detective
    Examine the availability of the audit criteria in the audit program. CC ID 16520 Audits and risk management Preventive
    Audit cybersecurity risk management within the policies, standards, and procedures of the organization. CC ID 13011 Audits and risk management Detective
    Audit information systems, as necessary. CC ID 13010
    [{be responsible}{be ethical} The governing body should provide direction for, and have sufficient oversight of, the use of data and its supporting information technology to ensure the organization remains within its established risk appetite and organizational risk framework. This can include: adequate auditing, and monitoring, of information technology to ensure its responsible, including ethical, use and that it meets the governing body's intentions and expectations as well as the organization's compliance obligations; § 6.8.3.4 ¶ 2 c)]
    Audits and risk management Detective
    Audit the potential costs of compromise to information systems. CC ID 13012 Audits and risk management Detective
    Permit assessment teams to conduct audits, as necessary. CC ID 16430 Audits and risk management Detective
    Determine the effect of deficiencies on the audit report, as necessary. CC ID 14886 Audits and risk management Detective
    Include an analysis of system interdependencies in the threat and risk classification scheme. CC ID 13056 Audits and risk management Detective
    Evaluate the effectiveness of threat and vulnerability management procedures. CC ID 13491 Audits and risk management Detective
    Identify changes to in scope systems that could threaten communication between business units. CC ID 13173 Audits and risk management Detective
    Investigate alternative risk control strategies appropriate to the organization's risk appetite. CC ID 12887 Audits and risk management Preventive
    Establish, implement, and maintain investigation procedures addressing ethics complaints. CC ID 12900 Human Resources management Preventive
    Perform social network analysis, as necessary. CC ID 14864 Operational management Detective
    Analyze the incident response process following an incident response. CC ID 13179
    [The governing body should oversee organizational performance by assessing and taking corrective action based on: the organization's management of plans, organizational changes and other substantial transformations as well as responses to unplanned events and incidents. § 6.4.3.2 ¶ 1 j)]
    Operational management Detective
    Assess consumer complaints and litigation. CC ID 16521 Acquisition or sale of facilities, technology, and services Preventive
    Confirm the data quality of personal data collected from third parties. CC ID 13510 Privacy protection for information and data Detective
    Review the methods for collecting personal data, as necessary. CC ID 13511 Privacy protection for information and data Detective
    Perform an identity check prior to approving an account change request. CC ID 13670 Privacy protection for information and data Detective
  • Log Management
    23
    Establish, implement, and maintain logging and monitoring operations. CC ID 00637 Monitoring and measurement Detective
    Establish, implement, and maintain a Security Information and Event Management metrics program. CC ID 02078 Monitoring and measurement Preventive
    Report on the percentage of systems for which event logging has been implemented. CC ID 02102 Monitoring and measurement Detective
    Report on the percentage of systems for which event logs are monitored and reviewed. CC ID 02103 Monitoring and measurement Detective
    Report on the percentage of systems for which log capacity and log retention schedules have been implemented. CC ID 02104 Monitoring and measurement Detective
    Restrict access to logs to authorized individuals. CC ID 01342 Monitoring and measurement Preventive
    Refrain from recording unnecessary restricted data in logs. CC ID 06318 Monitoring and measurement Preventive
    Back up logs according to backup procedures. CC ID 01344 Monitoring and measurement Preventive
    Copy logs from all predefined hosts onto a log management infrastructure. CC ID 01346 Monitoring and measurement Preventive
    Identify hosts with logs that are not being stored. CC ID 06314 Monitoring and measurement Preventive
    Identify hosts with logs that are being stored at the system level only. CC ID 06315 Monitoring and measurement Preventive
    Identify hosts with logs that should be stored at both the system level and the infrastructure level. CC ID 06316 Monitoring and measurement Preventive
    Identify hosts with logs that are being stored at the infrastructure level only. CC ID 06317 Monitoring and measurement Preventive
    Protect logs from unauthorized activity. CC ID 01345 Monitoring and measurement Preventive
    Perform testing and validating activities on all logs. CC ID 06322 Monitoring and measurement Preventive
    Archive the audit trail in accordance with compliance requirements. CC ID 00674 Monitoring and measurement Preventive
    Preserve the identity of individuals in audit trails. CC ID 10594 Monitoring and measurement Preventive
    Disseminate and communicate the reviews of audit reports to organizational management. CC ID 00653 Audits and risk management Detective
    Log the performance of all remote maintenance. CC ID 13202 Operational management Preventive
    Log the disclosure of personal data. CC ID 06628 Privacy protection for information and data Preventive
    Log the modification of personal data. CC ID 11844 Privacy protection for information and data Preventive
    Log account access dates and report when dormant accounts suddenly exhibit unusual activity. CC ID 04874 Privacy protection for information and data Detective
    Log dates for account name changes or address changes. CC ID 04876 Privacy protection for information and data Detective
  • Maintenance
    8
    Use system components only when third party support is available. CC ID 10644 Operational management Preventive
    Obtain justification for the continued use of system components when third party support is no longer available. CC ID 10645 Operational management Preventive
    Conduct offsite maintenance in authorized facilities. CC ID 16473 Operational management Preventive
    Disconnect non-volatile media from information systems prior to performing maintenance with uncleared personnel. CC ID 14295 Operational management Preventive
    Sanitize volatile media in information systems prior to performing maintenance with uncleared personnel. CC ID 14291 Operational management Preventive
    Restart systems on a periodic basis. CC ID 16498 Operational management Preventive
    Remove components being serviced from the information system prior to performing maintenance. CC ID 14251 Operational management Preventive
    Follow the maintenance schedule. CC ID 11791 Operational management Preventive
  • Monitor and Evaluate Occurrences
    63
    Include the capturing and alerting of compliance violations in the notification system. CC ID 12962 Leadership and high level objectives Preventive
    Include the capturing and alerting of unethical conduct in the notification system. CC ID 12932 Leadership and high level objectives Preventive
    Include the capturing and alerting of performance variances in the notification system. CC ID 12929 Leadership and high level objectives Preventive
    Include the capturing and alerting of weaknesses in the notification system. CC ID 12928 Leadership and high level objectives Preventive
    Include the capturing and alerting of account activity in the notification system. CC ID 15314 Leadership and high level objectives Preventive
    Analyze organizational objectives, functions, and activities. CC ID 00598
    [When applying the governance principles and deciding how to appropriately implement the practices, the governing body should take into consideration the unique and dynamic nature of the organization and its context, including the following: characteristics of the organization such as organizational type, structure, size, interdependencies, complexity, culture and its expected future progression; § 5 ¶ 5 Bullet 4
    Defining the organizational purpose involves identifying the issues and stakeholders for which the organization exists to serve and the negative impacts that are to be avoided. When identifying these, the governing body should ensure that the following are considered: the historic, current and aspirational core identity of the organization, including the organizational values and expected ethical behaviour; § 6.1.3.2 ¶ 1 b)]
    Leadership and high level objectives Preventive
    Monitor for changes which affect organizational strategies in the internal business environment. CC ID 12863 Leadership and high level objectives Preventive
    Monitor for changes which affect organizational objectives in the internal business environment. CC ID 12862
    [{external context} The governing body should ensure that the organizational risk framework, in respect to the management of risk: considers the impact of, changes to and dependencies on the external and internal context of the organization, including: § 6.9.3.2 ¶ 2 d)]
    Leadership and high level objectives Preventive
    Monitor for changes which affect organizational strategies in the external environment. CC ID 12880 Leadership and high level objectives Preventive
    Monitor for changes which affect organizational objectives in the external environment. CC ID 12879
    [{external context} The governing body should ensure that the organizational risk framework, in respect to the management of risk: considers the impact of, changes to and dependencies on the external and internal context of the organization, including: § 6.9.3.2 ¶ 2 d)]
    Leadership and high level objectives Preventive
    Monitor regulatory trends to maintain compliance. CC ID 00604
    [{external context} The governing body should ensure that the organizational risk framework, in respect to the management of risk: considers the impact of, changes to and dependencies on the external and internal context of the organization, including: short-, medium- and long-term trends including social responsibility and sustainability trends; § 6.9.3.2 ¶ 2 d) 2)]
    Leadership and high level objectives Detective
    Monitor for new Information Security solutions. CC ID 07078 Leadership and high level objectives Detective
    Monitor and evaluate the implementation and effectiveness of Information Technology Plans. CC ID 00634 Leadership and high level objectives Detective
    Monitor the performance of the margin system. CC ID 16655 Leadership and high level objectives Detective
    Monitor the usage and capacity of critical assets. CC ID 14825
    [The value generation model requires an integrated approach to understanding and using resources (e.g. human, social and relational, intellectual, the natural environment, financial and manufactured). This approach includes: measurement and tracking of the organization's use of, and impact on, these resources; § 6.2.3.1 ¶ 4 b)]
    Monitoring and measurement Detective
    Monitor the usage and capacity of Information Technology assets. CC ID 00668 Monitoring and measurement Detective
    Monitor all outbound traffic from all systems. CC ID 12970 Monitoring and measurement Preventive
    Monitor systems for errors and faults. CC ID 04544 Monitoring and measurement Detective
    Compare system performance metrics to organizational standards and industry benchmarks. CC ID 00667 Monitoring and measurement Detective
    Establish, implement, and maintain intrusion management operations. CC ID 00580 Monitoring and measurement Preventive
    Monitor systems for inappropriate usage and other security violations. CC ID 00585
    [{be responsible}{be ethical} The governing body should provide direction for, and have sufficient oversight of, the use of data and its supporting information technology to ensure the organization remains within its established risk appetite and organizational risk framework. This can include: adequate auditing, and monitoring, of information technology to ensure its responsible, including ethical, use and that it meets the governing body's intentions and expectations as well as the organization's compliance obligations; § 6.8.3.4 ¶ 2 c)]
    Monitoring and measurement Detective
    Monitor systems for blended attacks and multiple component incidents. CC ID 01225 Monitoring and measurement Detective
    Monitor systems for Denial of Service attacks. CC ID 01222 Monitoring and measurement Detective
    Monitor systems for unauthorized data transfers. CC ID 12971 Monitoring and measurement Preventive
    Monitor systems for access to restricted data or restricted information. CC ID 04721 Monitoring and measurement Detective
    Detect unauthorized access to systems. CC ID 06798 Monitoring and measurement Detective
    Incorporate potential red flags into the organization's incident management system. CC ID 04652 Monitoring and measurement Detective
    Alert interested personnel when suspicious activity is detected by an Intrusion Detection System or Intrusion Prevention System. CC ID 06430 Monitoring and measurement Detective
    Alert interested personnel and affected parties when an incident causes an outage. CC ID 06808 Monitoring and measurement Detective
    Monitor systems for unauthorized mobile code. CC ID 10034 Monitoring and measurement Preventive
    Monitor the organization's exposure to threats, as necessary. CC ID 06494 Monitoring and measurement Preventive
    Monitor and evaluate environmental threats. CC ID 13481 Monitoring and measurement Detective
    Monitor for new vulnerabilities. CC ID 06843 Monitoring and measurement Preventive
    Monitor devices continuously for conformance with production specifications. CC ID 06201 Monitoring and measurement Detective
    Monitor personnel and third parties for compliance to the organizational compliance framework. CC ID 04726 Monitoring and measurement Detective
    Establish, implement, and maintain compliance program metrics. CC ID 11625 Monitoring and measurement Preventive
    Monitor the performance of the governance, risk, and compliance capability. CC ID 12857
    [To exercise effective oversight, the governing body should: assure itself of the accuracy of reports and evidence it receives, and the effectiveness of the internal control system. § 6.4.3.1 ¶ 1 d)
    The governing body should oversee organizational performance by assessing and taking corrective action based on: whether the organizational values and governance policies are effectively guiding the organization, its culture and its ethical behaviour; § 6.4.3.2 ¶ 1 a)
    The governing body should oversee organizational performance by assessing and taking corrective action based on: compliance (e.g. information received directly from the compliance function) regarding the organization's compliance culture and the meeting of its compliance obligations; § 6.4.3.2 ¶ 1 d)
    Assurance processes that inform the governing body independently and accurately include: direct reports by, and private sessions with, internal audit as an independent provider of assurance, including insight and advice, on the effectiveness and performance of governance processes and the internal control system, in particular risk management and compliance management; § 6.4.3.3 ¶ 2 Bullet 3
    To ensure that the organization is acting in a socially responsible way, the governing body should: measure performance against objectives related to socially responsible behaviour; § 6.10.3 ¶ 1 g)
    The governing body should steer the organizational strategy by means of: monitoring and responding to the behaviour, decisions and activities of the organization, e.g. values-driven behaviours pertaining to sustainability; § 6.3.3.2.2 ¶ 2 b)]
    Monitoring and measurement Preventive
    Monitor the organizational culture. CC ID 12782
    [The governing body should consider the expectations of relevant stakeholder groups whether the organization is obliged to do so (e.g. member stakeholders, regulators) or whether it chooses to do so (e.g. reference stakeholders). The governing body should ensure that: the organizational culture is responsive to relevant stakeholders' views; § 6.6.3 ¶ 3 b)
    The governing body should steer the organizational strategy by means of: the organizational culture, including the cultural tone the governing body sets through its ethos; § 6.3.3.2.2 ¶ 2 a)]
    Monitoring and measurement Preventive
    Monitor for changes to the organizational culture that have a cumulative effect on organizational objectives. CC ID 12886 Monitoring and measurement Preventive
    Monitor for changes to the organizational culture that have a cumulative effect on strategies. CC ID 12885 Monitoring and measurement Preventive
    Monitor for changes to the organizational culture that have an indirect effect on strategies. CC ID 12884 Monitoring and measurement Preventive
    Monitor for changes to the organizational culture that have an indirect effect on organizational objectives. CC ID 12883 Monitoring and measurement Preventive
    Monitor for changes to the organizational culture that have a direct effect on strategies. CC ID 12882 Monitoring and measurement Preventive
    Monitor for changes to the organizational culture that have a direct effect on organizational objectives. CC ID 12881 Monitoring and measurement Detective
    Establish, implement, and maintain a corrective action plan. CC ID 00675
    [When defining the organizational values, the governing body should ensure that: corrective action can be taken. § 6.1.3.3 ¶ 1 e)
    To exercise effective oversight, the governing body should: take corrective action; § 6.4.3.1 ¶ 1 c)
    The governing body should oversee organizational performance by assessing and taking corrective action based on: § 6.4.3.2 ¶ 1
    The governing body should oversee organizational performance by assessing and taking corrective action based on: the organization's identification of, and engagement with, relevant stakeholders (see 6.6); § 6.4.3.2 ¶ 1 e)
    The governing body should oversee organizational performance by assessing and taking corrective action based on: the organization's responsible (which includes ethical) use of, and adequate investment in, technology including, for example, artificial intelligence and cyber security; § 6.4.3.2 ¶ 1 i)
    For accountability to be effective, it relies on effective stakeholder engagement (see 6.6) as this is the basis for effective dialogue, value generation and improvement. The governing body should be available to answer to relevant stakeholders about decisions made and have responses evaluated. Improvements should be applied as the result of feedback from reporting, disclosure and dialogue activities. § 6.5.3.2 ¶ 3
    {be adequate} The governing body is accountable for establishing and maintaining an integrated organizational governance framework across the organization that coordinates these governance activities such that the organization realizes effective performance, responsible stewardship and ethical behaviour. This organizational governance framework should ensure that decision-makers have appropriate authority, competence and resources for the responsibilities given to them. Effective delegation and transparent decision-making empower personnel to act appropriately, resulting in a more resilient and agile organization. Controls and subsequent improvement actions should be planned and implemented to ensure that the governance system remains adequate for the organization's purpose. § 4.2.1 ¶ 2
    The governing body should demonstrate accountability by retaining and distributing value in a transparent manner and reporting on the associated processes, decisions and results, including on the extent of the organization's impacts over time. This includes disclosing to relevant stakeholders where the organization has destroyed or compromised value, providing a justification for such where appropriate, and describing how it will redress or reinstate that value. § 6.2.3.5 ¶ 2
    The governing body should oversee organizational performance by assessing and taking corrective action based on: whether the organizational values and governance policies are effectively guiding the organization, its culture and its ethical behaviour; § 6.4.3.2 ¶ 1 a)
    Recognize failures and mistakes and take appropriate action. Table 2 Column 2 Row 2 Bullet 5
    The governing body should oversee organizational performance by assessing and taking corrective action based on: compliance (e.g. information received directly from the compliance function) regarding the organization's compliance culture and the meeting of its compliance obligations; § 6.4.3.2 ¶ 1 d)
    The governing body should oversee organizational performance by assessing and taking corrective action based on: the organization's management of plans, organizational changes and other substantial transformations as well as responses to unplanned events and incidents. § 6.4.3.2 ¶ 1 j)
    The governing body should oversee organizational performance by assessing and taking corrective action based on: managerial reporting and performance, ensuring that it appraises results against applicable measurement criteria and its intentions and expectations (see 6.3.3); § 6.4.3.2 ¶ 1 b)
    The governing body should oversee organizational performance by assessing and taking corrective action based on: the organization's controlling and processing of data, ensuring that data are recognized as a valuable and strategic organizational resource (see 6.8); § 6.4.3.2 ¶ 1 h)
    The governing body should oversee organizational performance by assessing and taking corrective action based on: resource allocations, capacity and capabilities (including people and their development) ensuring that the organization is enabled to meet its organizational purpose, value generation objectives and strategic outcomes; § 6.4.3.2 ¶ 1 g)
    {be financially sound} The governing body should oversee organizational performance by assessing and taking corrective action based on: the organization's financial results and financial resources, ensuring that the organization remains financially sound; § 6.4.3.2 ¶ 1 f)
    {hold accountable}{individual} The governing body should hold to account those to whom it has delegated (see 4.2.2). The governing body should ask questions, exercise its judgement, implement consequences, affect improvements and ensure that it is equipped to do so. When doing so, the governing body should practise integrity, fairness and transparency. § 6.5.3.3 ¶ 1]
    Monitoring and measurement Detective
    Include monitoring in the corrective action plan. CC ID 11645 Monitoring and measurement Detective
    Supervise interested personnel and affected parties participating in the audit. CC ID 07150 Audits and risk management Preventive
    Track and measure the implementation of the organizational compliance framework. CC ID 06445 Audits and risk management Preventive
    Monitor the effectiveness of the cybersecurity risk management program. CC ID 16831 Audits and risk management Preventive
    Monitor the effectiveness of the cybersecurity supply chain risk management program. CC ID 16828 Audits and risk management Preventive
    Analyze the organizational climate regarding support for expectation of responsible behavior and integrity. CC ID 12873 Human Resources management Preventive
    Analyze the organizational climate regarding the expectation of responsible behavior and integrity. CC ID 12872
    [Ethical behaviour — The organization behaves in accordance with accepted principles of right or good conduct in the context of a particular situation and in a manner consistent with international norms of behaviour, including demonstrating: integrity and transparency in fulfilling its obligations, and commitments; § 5 ¶ 2 c) 4)
    When defining the organizational values, the governing body should ensure that: the expected ethical behaviour can be assessed; § 6.1.3.3 ¶ 1 c)]
    Human Resources management Preventive
    Monitor and review the effectiveness of the information security program. CC ID 12744 Operational management Preventive
    Identify discrepancies between the asset register database and the Information Technology inventory, as necessary. CC ID 07052 Operational management Corrective
    Investigate and resolve discrepancies between the asset register database and the Information Technology inventory. CC ID 07053 Operational management Corrective
    Automate software license monitoring, as necessary. CC ID 07057 Operational management Preventive
    Establish, implement, and maintain data accuracy controls. CC ID 00921
    [To exercise effective oversight, the governing body should: assure itself of the accuracy of reports and evidence it receives, and the effectiveness of the internal control system. § 6.4.3.1 ¶ 1 d)
    The governing body should make decisions of requisite quality and ensure that its decision-making is appropriately informed. The governing body should: ensure that assurance is provided over the integrity of the data and information received, and in particular its accuracy and completeness; § 6.8.3.2.1 ¶ 1 g)]
    Records management Detective
    Check communications for take-down requests. CC ID 09964 Acquisition or sale of facilities, technology, and services Preventive
    Identify potential red flags to alert the organization before a data leakage has occurred. CC ID 04654 Privacy protection for information and data Preventive
    Establish, implement, and maintain suspicious user account activity procedures. CC ID 04854 Privacy protection for information and data Detective
    Report fraudulent account activity, unauthorized transactions, or discrepancies with current accounts. CC ID 04875 Privacy protection for information and data Corrective
    Review accounts that are changed for additional user requests. CC ID 11846 Privacy protection for information and data Detective
    Review monitored websites for data leakage. CC ID 10593 Privacy protection for information and data Detective
  • Physical and Environmental Protection (7 controls)
    KEY:    Primary Verb     Primary Noun     Secondary Verb     Secondary Noun     Limiting Term
    Mandated - bold    Implied - italic    Implementation - regular IMPACT ZONE CLASS
    Maintain a 1 to 2 day supply of water and nonperishable food at the facility in case public utilities are interrupted. CC ID 06074 Human Resources management Preventive
    Install duress alarms in susceptible public areas. CC ID 06075 Human Resources management Preventive
    Conduct environmental surveys. CC ID 00690 Operational management Preventive
    Plan and conduct maintenance so that it does not interfere with scheduled operations. CC ID 06389 Operational management Preventive
    Control and monitor all maintenance tools. CC ID 01432 Operational management Detective
    Identify and authenticate appropriate parties prior to granting access to maintain assets. CC ID 11874 Operational management Preventive
    Refrain from protecting physical assets when no longer required. CC ID 13484 Operational management Corrective
  • Process or Activity (96 controls)
    Assess the effectiveness of the communication methods used in the communication protocol. CC ID 12691 Leadership and high level objectives Detective
    Establish, implement, and maintain a corrective action plan to address barriers to stakeholder engagement. CC ID 15677 Leadership and high level objectives Preventive
    Identify barriers to stakeholder engagement. CC ID 15676 Leadership and high level objectives Preventive
    Include methods to obtain information from interested personnel and affected parties about performance variances in the communication protocol. CC ID 12856 Leadership and high level objectives Preventive
    Route notifications, as necessary. CC ID 12832 Leadership and high level objectives Preventive
    Substantiate notifications, as necessary. CC ID 12831 Leadership and high level objectives Preventive
    Prioritize notifications, as necessary. CC ID 12830 Leadership and high level objectives Preventive
    Establish and maintain the organization's survey method. CC ID 12869 Leadership and high level objectives Preventive
    Provide a consolidated view of information in the organization's survey method. CC ID 12894 Leadership and high level objectives Preventive
    Review and approve the material topics, as necessary. CC ID 15670 Leadership and high level objectives Preventive
    Identify the internal factors that may affect organizational objectives. CC ID 12957 Leadership and high level objectives Preventive
    Include key processes in the analysis of the internal business environment. CC ID 12947 Leadership and high level objectives Preventive
    Include existing information in the analysis of the internal business environment. CC ID 12943 Leadership and high level objectives Preventive
    Include resources in the analysis of the internal business environment. CC ID 12942
    [{internal context} When setting the strategic outcomes and guiding the organizational strategy, the governing body should consider the organization's internal and external context, including: the organization's need for, and access to, resources, including financial resources; § 6.3.3.1.1 ¶ 2 f)]
    Leadership and high level objectives Preventive
    Include the operating plan in the analysis of the internal business environment. CC ID 12941 Leadership and high level objectives Preventive
    Include incentives in the analysis of the internal business environment. CC ID 12940 Leadership and high level objectives Preventive
    Include organizational structures in the analysis of the internal business environment. CC ID 12939 Leadership and high level objectives Preventive
    Include the strategic plan in the analysis of the internal business environment. CC ID 12937
    [When applying the governance principles and deciding how to appropriately implement the practices, the governing body should take into consideration the unique and dynamic nature of the organization and its context, including the following: value generation model and organizational strategy; § 5 ¶ 5 Bullet 5]
    Leadership and high level objectives Preventive
    Include strengths and weaknesses in the analysis of the internal business environment. CC ID 12936
    [Defining the organizational purpose involves identifying the issues and stakeholders for which the organization exists to serve and the negative impacts that are to be avoided. When identifying these, the governing body should ensure that the following are considered: organizational capabilities and opportunities. § 6.1.3.2 ¶ 1 e)
    {internal context} When setting the strategic outcomes and guiding the organizational strategy, the governing body should consider the organization's internal and external context, including: the organization's strengths, weaknesses, competitive positioning and operational resilience; § 6.3.3.1.1 ¶ 2 i)]
    Leadership and high level objectives Preventive
    Identify the external forces that may affect organizational objectives. CC ID 12960
    [The governing body should ensure that the organization's value generation model identifies and assesses (see 6.2): the relevant external systems on which the organization depends; § 6.11.3.3 ¶ 1 a)]
    Leadership and high level objectives Preventive
    Evaluate organizational objectives to determine impact on other organizational objectives. CC ID 12814 Leadership and high level objectives Preventive
    Identify events that may affect organizational objectives. CC ID 12961 Leadership and high level objectives Preventive
    Identify conditions that may affect organizational objectives. CC ID 12958
    [{external context} The governing body should ensure that the organizational risk framework, in respect to the management of risk: considers the impact of, changes to and dependencies on the external and internal context of the organization, including: intended strategic outcomes; § 6.9.3.2 ¶ 2 d) 6)]
    Leadership and high level objectives Preventive
    Identify how opportunities, threats, and external requirements are trending. CC ID 12829 Leadership and high level objectives Preventive
    Identify relationships between opportunities, threats, and external requirements. CC ID 12805
    [{social context}{internal context} When setting the strategic outcomes and guiding the organizational strategy, the governing body should consider the organization's internal and external context, including: the interdependence between the natural environment, social and economic context – the organization's material impact on the context and its material impact on the organization; § 6.3.3.1.1 ¶ 2 e)
    Therefore, the governing body should: ensure that the natural environmental, social and economic system relationships that underpin the organization's value generation model are identified and assessed; § 6.11.3.1 ¶ 2 b)]
    Leadership and high level objectives Preventive
    Identify all interested personnel and affected parties. CC ID 12845
    [The governing body should ensure that the organization's stakeholders are identified, prioritized, appropriately engaged, consulted and their expectations understood. The governing body should do this to ensure that stakeholder relationships are effective and appropriate decisions about expectations are made to achieve the intended value generation objectives. § 6.6.3 ¶ 1
    {social context} The governing body should define the organization's value generation objectives such that they fulfil the organizational purpose in accordance with the organizational values and the natural environment, social and economic context within which it operates. This should include iterations of identifying relevant stakeholder groups and determining, prioritizing and formulating objectives which meet the expectations of these groups. § 6.2.3.2 ¶ 1
    Defining the organizational purpose involves identifying the issues and stakeholders for which the organization exists to serve and the negative impacts that are to be avoided. When identifying these, the governing body should ensure that the following are considered: § 6.1.3.2 ¶ 1]
    Leadership and high level objectives Detective
    Establish, implement, and maintain criteria for grouping stakeholders. CC ID 15584
    [When the governing body groups stakeholders, it should clarify its criteria for grouping, and for determining the relevance of, stakeholders. The governing body should also ensure that a stakeholder engagement process is devised on this basis. § 6.6.3 ¶ 2]
    Leadership and high level objectives Preventive
    Determine progress toward the objectives of the strategic plan. CC ID 12944
    [The governing body should: develop, and competently use, appropriate criteria for measurement that will indicate progress towards the fulfilment of the organizational purpose, within the set parameters, via the organizational strategy; § 4.3.2 ¶ 2 b)
    Ethical and effective leadership is demonstrated when the governing body: ensures that the organization is, and is seen to be, following the expectations as set. § 6.7.3.1 ¶ 3 Bullet 3
    The outcomes, whether positive or negative, are determined by the expectations which have been set. Leadership determines whether these expectations are fulfilled. § 6.7.3.2 ¶ 2
    The governing body should oversee organizational performance by assessing and taking corrective action based on: the organization's management of plans, organizational changes and other substantial transformations as well as responses to unplanned events and incidents. § 6.4.3.2 ¶ 1 j)
    {internal context} When setting the strategic outcomes and guiding the organizational strategy, the governing body should consider the organization's internal and external context, including: the envisaged time scales of the strategic outcomes and of the organizational strategy; § 6.3.3.1.1 ¶ 2 b)]
    Leadership and high level objectives Preventive
    Align organizational objectives with compliance objectives in the decision-making criteria. CC ID 12847
    [To ensure that the organization is acting in a socially responsible way, the governing body should: steer the organization such that its decision-making and activities are consistent with the organizational purpose, organizational values and governance policies, including considering how stakeholders can report a breach in behaviour (e.g. via whistleblowing); § 6.10.3 ¶ 1 f)
    When applying the governance principles and deciding how to appropriately implement the practices, the governing body should take into consideration the unique and dynamic nature of the organization and its context, including the following: functional requirements of the organizational governance framework. § 5 ¶ 5 Bullet 7
    The governing body should ensure that: the organizational purpose is core to its governance practices, deliberations and decision-making; § 6.1.3.2 ¶ 2 Bullet 3
    Having defined the organizational values, the governing body should ensure that these organizational values are being demonstrated and are an active part of decision-making. The governing body should use these organizational values to determine the manner in which the organizational purpose is to be pursued and the value generation objectives are to be achieved (see 6.2). The governing body remains responsible for ensuring that the organizational values are monitored and reviewed, and should assess whether the organizational values remain aligned to, and support, the organizational purpose. The effectiveness of the organizational values will be evident in the culture of the organization. § 6.1.3.3 ¶ 2
    Ensure that diversity and inclusion are understood and incorporated into all organizational decision-making by including factors such as gender, age, ethnicity, sexual orientation, education, perspectives, nationality, disability and beliefs. Table 2 Column 2 Row 5 Bullet 1
    The governing body should oversee the organization's management of risk (see 6.4), ensuring that: decision-making behaviours are informed by risk assessment outcomes and are consistent with governance policies; § 6.9.3.4 ¶ 1 g)]
    Leadership and high level objectives Preventive
    Align organizational objectives with performance targets in the decision-making criteria. CC ID 12843
    [Ethical and effective leadership is demonstrated when the governing body: sets expectations for the organization using robust decision-making processes (see 6.8.3); § 6.7.3.1 ¶ 3 Bullet 1
    Furthermore, the governing body, and its members, should demonstrate commitment to the organizational purpose and values by leading the organization to fulfil its organizational purpose and behaving in accordance with the organizational values. § 6.1.3.4 ¶ 3]
    Leadership and high level objectives Preventive
    Align organizational objectives with the acceptable residual risk in the decision-making criteria. CC ID 12841 Leadership and high level objectives Preventive
    Create additional decision-making criteria to achieve organizational objectives, as necessary. CC ID 12948 Leadership and high level objectives Preventive
    Take actions in accordance with the decision-making criteria. CC ID 12909
    [The governing body should make decisions of requisite quality and ensure that its decision-making is appropriately informed. The governing body should: ensure that there is commitment to support the collective decision, to clearly record it and to act on it; § 6.8.3.2.1 ¶ 1 b)
    The governing body should make decisions of requisite quality and ensure that its decision-making is appropriately informed. The governing body should: ensure that diverse inputs are provided to a rigorous, open and transparent decision-making process and that the results that can be achieved, options for achieving them and their implications are understood. § 6.8.3.2.1 ¶ 1 h)
    A process of reconciliation between seemingly opposed dimensions leads to more informed and robust decisions. Reconciling dilemmas requires a deliberate approach that includes: mapping an associated action plan. § 6.7.3.4 ¶ 2 e)]
    Leadership and high level objectives Preventive
    Include ongoing monitoring in the financial management program. CC ID 16762 Leadership and high level objectives Preventive
    Employ tools to manage settlement and funding flows. CC ID 16743 Leadership and high level objectives Preventive
    Establish, implement, and maintain a subsidiary compliance program. CC ID 16694 Leadership and high level objectives Preventive
    Analyze the effectiveness of the stress test plan. CC ID 16657 Leadership and high level objectives Detective
    Align the lending policy with the organization's risk acceptance level. CC ID 16716 Leadership and high level objectives Preventive
    Include customer due diligence in the loan administration procedures. CC ID 16736 Leadership and high level objectives Preventive
    Assess the properties of the margin model used in the margin system. CC ID 16658 Leadership and high level objectives Detective
    Analyze the performance of the margin system. CC ID 16654 Leadership and high level objectives Detective
    Update or adjust fraud detection systems, as necessary. CC ID 13684 Monitoring and measurement Corrective
    Align the enterprise architecture with the system security plan. CC ID 14255 Monitoring and measurement Preventive
    Correct compliance violations. CC ID 13515 Monitoring and measurement Corrective
    Convert data into standard units before reporting metrics. CC ID 15507 Monitoring and measurement Corrective
    Refrain from approving changes to the audit terms absent reasonable justification. CC ID 13973 Audits and risk management Preventive
    Determine the effect of fraud and non-compliance on the description of the system in the audit assertion, as necessary. CC ID 13977 Audits and risk management Detective
    Determine the effect of fraud and non-compliance on the achievement of in scope controls in the audit assertion, as necessary. CC ID 13978 Audits and risk management Detective
    Review documentation to determine the effectiveness of in scope controls. CC ID 16522 Audits and risk management Preventive
    Coordinate the scheduling of interviews. CC ID 16293 Audits and risk management Preventive
    Create a schedule for the interviews. CC ID 16292 Audits and risk management Preventive
    Identify interviewees. CC ID 16290 Audits and risk management Preventive
    Discuss unsolved questions with the interviewee. CC ID 16298 Audits and risk management Detective
    Allow interviewee to respond to explanations. CC ID 16296 Audits and risk management Detective
    Explain the requirements being discussed to the interviewee. CC ID 16294 Audits and risk management Detective
    Explain the testing results to the interviewee. CC ID 16291 Audits and risk management Preventive
    Withdraw from the audit, when defined conditions exist. CC ID 13885 Audits and risk management Corrective
    Engage subject matter experts when the auditor requires additional expertise during an attestation engagement, as necessary. CC ID 13971 Audits and risk management Preventive
    Determine the effect of fraud and non-compliance on the audit report, as necessary. CC ID 13979 Audits and risk management Detective
    Establish, implement, and maintain Data Protection Impact Assessments. CC ID 14830 Audits and risk management Preventive
    Analyze the effect of threats on organizational strategies and objectives. CC ID 12850 Audits and risk management Detective
    Analyze the effect of opportunities on organizational strategies and objectives. CC ID 12849 Audits and risk management Detective
    Analyze supply chain risk management procedures, as necessary. CC ID 13198 Audits and risk management Detective
    Set access control for objects and users to "deny all" unless explicitly authorized. CC ID 06301 Technical security Preventive
    Include all residences in the criminal records check. CC ID 13306 Human Resources management Preventive
    Scan devices for malicious code when an individual returns from locations deemed to be of risk. CC ID 10599 Human Resources management Detective
    Include organizational values in the Code of Conduct. CC ID 12919
    [Within the organization: The governing body should ensure that the organization conducts itself in a manner consistent with its organizational values. § 6.7.3.3 ¶ 1 b)
    Laws and rules provide the minimum set of organizational values against which behaviour is assessed. Other organizational values (see 6.1) are provided in collectively agreed documents such as a code of conduct, code of ethics or standards of behaviour. The following are examples of the leadership values to which governing bodies, and the individuals comprising them, are held: § 6.7.3.3 ¶ 2
    Having defined the organizational values, the governing body should ensure that these organizational values are being demonstrated and are an active part of decision-making. The governing body should use these organizational values to determine the manner in which the organizational purpose is to be pursued and the value generation objectives are to be achieved (see 6.2). The governing body remains responsible for ensuring that the organizational values are monitored and reviewed, and should assess whether the organizational values remain aligned to, and support, the organizational purpose. The effectiveness of the organizational values will be evident in the culture of the organization. § 6.1.3.3 ¶ 2
    Furthermore, the governing body, and its members, should demonstrate commitment to the organizational purpose and values by leading the organization to fulfil its organizational purpose and behaving in accordance with the organizational values. § 6.1.3.4 ¶ 3]
    Human Resources management Preventive
    Integrate the use of technology in supporting the Governance, Risk, and Compliance capabilities. CC ID 12915 Operational management Preventive
    Evaluate the use of technology in supporting Governance, Risk, and Compliance capabilities. CC ID 12895
    [The governing body should oversee organizational performance by assessing and taking corrective action based on: the organization's responsible (which includes ethical) use of, and adequate investment in, technology including, for example, artificial intelligence and cyber security; § 6.4.3.2 ¶ 1 i)]
    Operational management Preventive
    Evaluate information sharing partners, as necessary. CC ID 12749 Operational management Preventive
    Review and approve access controls, as necessary. CC ID 13074 Operational management Detective
    Provide management direction and support for the information security program. CC ID 11999 Operational management Preventive
    Approve the information security policy at the organization's management level or higher. CC ID 11737 Operational management Preventive
    Define thresholds for approving information security activities in the information security program. CC ID 15702 Operational management Preventive
    Use systems in accordance with the standard operating procedures manual. CC ID 15049 Operational management Preventive
    Provide support for information sharing activities. CC ID 15644 Operational management Preventive
    Analyze how policies used to create management boundaries relate to the Governance, Risk, and Compliance approach. CC ID 12821
    [Decision-making throughout the organization should be supported by appropriate delegation (see 4.2.2). This delegation should be formalized together with appropriate assurance processes. Additionally, the governing body should ensure that: limits of the decision-making authority are applied based on the associated level of risk, in particular where automated decision-making is used; § 6.8.3.2.2 ¶ 1 b)
    Delegation should be formalized together with the appropriate assurance processes. Limits of decision-making authority should be applied in response to assessed risk. § 4.2.2 ¶ 5]
    Operational management Preventive
    Analyze how the organization sets limits in policies relating to the Governance, Risk, and Compliance approach. CC ID 12819 Operational management Preventive
    Analyze how the Board of Directors' and senior management's tone influences the Governance, Risk, and Compliance approach. CC ID 12818
    [To ensure that the organization fulfils the organizational purpose and achieves the intended strategic outcomes, the governing body should: set the tone for the organization with respect to how the management of risk is to be approached; § 6.9.3.1 ¶ 2 a)
    To ensure that the organization is acting in a socially responsible way, the governing body should: assess how actions of individual members of the governing body influence social responsibility. § 6.10.3 ¶ 1 i)
    In order to lead ethically and effectively, the governing body should lead by example to create a positive culture, set the tone for others, and engender trust and cooperation among the organization's stakeholders. § 6.7.3.1 ¶ 2
    Set the tone for the organization by behaving in the manner in which the organization and its personnel are expected to behave. Table 2 Column 2 Row 2 Bullet 4
    The governing body should steer the organizational strategy by means of: the organizational culture, including the cultural tone the governing body sets through its ethos; § 6.3.3.2.2 ¶ 2 a)]
    Operational management Preventive
    Analyze the degree to which the governing body is engaged in the Governance, Risk, and Compliance approach. CC ID 12817
    [Ethical and effective leadership should be demonstrated in three areas: the functioning of the governing body; § 6.7.3.1 ¶ 4 a)
    The governing body should make decisions of requisite quality and ensure that its decision-making is appropriately informed. The governing body should: pay attention to the dynamics of the governing body, including, for example, undue reliance on any one member for decision-making; § 6.8.3.2.1 ¶ 1 e)
    The governing body should steer the organizational strategy by means of: the composition and functioning of the governing body itself, and its committees, ensuring they are continually able to understand and meet the changing needs of the organization (see 4.3.2), including recommending ways for closing anticipated gaps; § 6.3.3.2.2 ¶ 2 c)]
    Operational management Preventive
    Analyze the Governance, Risk, and Compliance approach. CC ID 12816
    [The governing body should: assess its own competence, structures and processes, including drawing on the support of experienced, independent professionals, with respect to, for example, the adequacy of its effectiveness, efficiency, composition and its member succession plans; § 4.3.2 ¶ 2 d)]
    Operational management Preventive
    Analyze the organizational culture. CC ID 12899 Operational management Preventive
    Include individual commitment to the organization's Governance, Risk, and Compliance framework in the analysis of the organizational culture. CC ID 12922 Operational management Detective
    Include the organizational climate in the analysis of the organizational culture. CC ID 12921 Operational management Detective
    Include consistency of leadership actions to mission, vision, and values in the analysis of the organizational culture. CC ID 12920
    [Ethical and effective leadership is demonstrated when the governing body: behaves in a manner consistent with the defined organizational values; § 6.7.3.1 ¶ 3 Bullet 2
    {internal context} When setting the strategic outcomes and guiding the organizational strategy, the governing body should consider the organization's internal and external context, including: the organizational purpose, the application of the organizational values and the organization's value generation model; § 6.3.3.1.1 ¶ 2 a)
    Within the governing body: The members of the governing body should demonstrate that they are behaving in a manner consistent with the organizational values. § 6.7.3.3 ¶ 1 a)
    The governing body should oversee organizational performance by assessing and taking corrective action based on: whether the organizational values and governance policies are effectively guiding the organization, its culture and its ethical behaviour; § 6.4.3.2 ¶ 1 a)]
    Operational management Detective
    Establish, implement, and maintain consequences for non-compliance with the organizational compliance framework. CC ID 11747
    [To demonstrate accountability, the governing body should ensure that the organization's reports and disclosures: provide information about the governing body itself, including: the fulfilment of its responsibilities, including the consequences of not fulfilling its obligations; § 6.5.3.2 ¶ 1 b) 2)
    When defining the organizational values, the governing body should ensure that: the governing body itself understands the consequences of unethical behaviour including bribery, fraud and corruption; § 6.1.3.3 ¶ 1 d)
    {hold accountable}{individual} The governing body should hold to account those to whom it has delegated (see 4.2.2). The governing body should ask questions, exercise its judgement, implement consequences, affect improvements and ensure that it is equipped to do so. When doing so, the governing body should practise integrity, fairness and transparency. § 6.5.3.3 ¶ 1]
    Operational management Corrective
    Restrict unscheduled downtime in order to maintain high availability for critical systems. CC ID 12742 Operational management Preventive
    Include interconnected systems and Software as a Service in the Information Technology inventory. CC ID 04885 Operational management Preventive
    Implement automated mechanisms to transfer predictive maintenance data to a maintenance management system. CC ID 10616 Operational management Preventive
    Establish, implement, and maintain data completeness controls. CC ID 11649
    [The governing body should make decisions of requisite quality and ensure that its decision-making is appropriately informed. The governing body should: ensure that assurance is provided over the integrity of the data and information received, and in particular its accuracy and completeness; § 6.8.3.2.1 ¶ 1 g)]
    Records management Preventive
    Allow data subjects to submit data requests. CC ID 16545 Privacy protection for information and data Preventive
    Define what is included in a request for a waiver or reduction of fees. CC ID 15522 Privacy protection for information and data Preventive
    Allow affected third parties to consent or object to a data access request. CC ID 08704 Privacy protection for information and data Preventive
    Search the Internet for evidence of data leakage. CC ID 10419 Privacy protection for information and data Detective
    Alert appropriate personnel when data leakage is detected. CC ID 14715 Privacy protection for information and data Preventive
    Take appropriate action when a data leakage is discovered. CC ID 14716 Privacy protection for information and data Corrective
  • Records Management (7 controls)
    Archive the engagement file and all work papers for the period prescribed by law or contract. CC ID 10038 Audits and risk management Preventive
    Include information sharing procedures in standard operating procedures. CC ID 12974 Operational management Preventive
    Include source code in the asset inventory. CC ID 14858 Operational management Preventive
    Compare each record's data input to its final form. CC ID 11813 Records management Detective
    Establish and maintain access controls for all records. CC ID 00371
    [Decision-making throughout the organization should be supported by appropriate delegation (see 4.2.2). This delegation should be formalized together with appropriate assurance processes. Additionally, the governing body should ensure that: information structures, including access to information, monitoring and potential mitigation of incorrect decisions are sufficient to ensure compliance with organizational requirements. § 6.8.3.2.2 ¶ 1 c)]
    Records management Preventive
    Submit personal data removal requests in writing. CC ID 11973 Privacy protection for information and data Preventive
    Allow authorized individuals to authenticate record entries containing personal data. CC ID 11812 Privacy protection for information and data Corrective
  • Systems Continuity (4 controls)
    Back up audit trails according to backup procedures. CC ID 11642 Monitoring and measurement Preventive
    Evaluate all possible continuity risks and impacts as a part of the continuity framework. CC ID 06374
    [{internal context} When setting the strategic outcomes and guiding the organizational strategy, the governing body should consider the organization's internal and external context, including: the organization's strengths, weaknesses, competitive positioning and operational resilience; § 6.3.3.1.1 ¶ 2 i)]
    Operational and Systems Continuity Detective
    Assess risks related to fault tolerance and redundancy of critical assets. CC ID 13053 Operational and Systems Continuity Preventive
    Restore systems and environments to be operational. CC ID 13476
    [{environmental system}{social system} The governing body should ensure that the organization protects and restores those systems on which it depends. In this regard, the governing body should consider and manage risk associated with those decisions it makes that can impact the natural environmental, social and economic systems (see 6.9). While doing so, the governing body should ensure that relevant stakeholders are consulted and engaged (see 6.6). This should provide clarity regarding the impact the governing body's decisions have, over time, on those aspects on which the organization is: § 6.11.3.4 ¶ 1]
    Operational and Systems Continuity Corrective
  • Systems Design, Build, and Implementation
    5
    Include quality gates and testing milestones in the Quality Management program. CC ID 06825 Leadership and high level objectives Preventive
    Include an issue tracking system in the Quality Management program. CC ID 06824 Leadership and high level objectives Preventive
    Apply security controls to each level of the information classification standard. CC ID 01903 Operational management Preventive
    Include each Information System's system boundaries in the Information Technology inventory. CC ID 00695 Operational management Preventive
    Review each system's operational readiness. CC ID 06275 Operational management Preventive
  • Technical Security
    42
    Subscribe to a threat intelligence service to receive notification of emerging threats. CC ID 12135 Leadership and high level objectives Detective
    Establish, implement, and maintain a network activity baseline. CC ID 13188 Monitoring and measurement Detective
    Deploy log normalization tools, as necessary. CC ID 12141 Monitoring and measurement Preventive
    Restrict access to audit trails to a need to know basis. CC ID 11641 Monitoring and measurement Preventive
    Analyze the organization's information security environment. CC ID 13122 Audits and risk management Preventive
    Include security threats and vulnerabilities in the threat and risk classification scheme. CC ID 00699 Audits and risk management Preventive
    Control access rights to organizational assets. CC ID 00004
    [{procedure}The governing body should ensure that it sets parameters, within which the value generation objectives are to be achieved. These parameters should ensure that the organization: defines what resources are required to deliver the value generation objectives and how they should be accessed and allocated; § 6.2.3.3 ¶ 1 b)]
    Technical security Preventive
    Generate but refrain from storing authenticators or Personal Identification Numbers for systems involved in high risk activities. CC ID 06835 Technical security Preventive
    Define access needs for each system component of an information system. CC ID 12456 Technical security Preventive
    Define the level of privilege required for each system component of an information system. CC ID 12457 Technical security Preventive
    Establish access rights based on least privilege. CC ID 01411 Technical security Preventive
    Assign user permissions based on job responsibilities. CC ID 00538 Technical security Preventive
    Assign user privileges after they have management sign off. CC ID 00542 Technical security Preventive
    Establish, implement, and maintain lockout procedures or lockout mechanisms to be triggered after a predetermined number of consecutive logon attempts. CC ID 01412 Technical security Preventive
    Disallow unlocking user accounts absent system administrator approval. CC ID 01413 Technical security Preventive
    Establish session authenticity through Transport Layer Security. CC ID 01627 Technical security Preventive
    Include all system components in the access control system. CC ID 11939 Technical security Preventive
    Enable access control for objects and users to match restrictions set by the system's security classification. CC ID 04850 Technical security Preventive
    Enable attribute-based access control for objects and users on information systems. CC ID 16351 Technical security Preventive
    Enable role-based access control for objects and users on information systems. CC ID 12458 Technical security Preventive
    Enforce access restrictions for change control. CC ID 01428 Technical security Preventive
    Permit a limited set of user actions absent identification and authentication. CC ID 04849 Technical security Preventive
    Activate third party maintenance accounts and user identifiers, as necessary. CC ID 04262 Technical security Preventive
    Display a logon banner and appropriate logon message before granting access to the system. CC ID 06770 Technical security Preventive
    Use automatic equipment identification as a method of connection authentication absent an individual's identification and authentication. CC ID 06964 Technical security Preventive
    Establish, implement, and maintain segregation of duties compensating controls if segregation of duties is not practical. CC ID 06960
    [{be different} The degree of separation of duties between the governing body and managers varies according to organizational needs and circumstances. In certain circumstances, such as an executive member of the governing body, an individual can be required to fulfil both governance and management responsibilities. In such cases, it is important for that person to be able to distinguish when they are fulfilling the different responsibilities and act and behave accordingly. § 4.2.3 ¶ 2]
    Human Resources management Preventive
    Include temporary activation of remote access technologies for third parties in the Acceptable Use Policy. CC ID 11892 Operational management Preventive
    Use automated tools to collect Information Technology inventory information, as necessary. CC ID 07054 Operational management Preventive
    Link the authentication system to the asset inventory. CC ID 13718 Operational management Preventive
    Employ Dynamic Host Configuration Protocol server logging to detect systems not in the asset inventory. CC ID 12110 Operational management Detective
    Prevent users from disabling required software. CC ID 16417 Operational management Preventive
    Control remote maintenance according to the system's asset classification. CC ID 01433 Operational management Preventive
    Approve all remote maintenance sessions. CC ID 10615 Operational management Preventive
    Terminate remote maintenance sessions when the remote maintenance is complete. CC ID 12083 Operational management Preventive
    Employ dedicated systems during system maintenance. CC ID 12108 Operational management Preventive
    Isolate dedicated systems used for system maintenance from Internet access. CC ID 12114 Operational management Preventive
    Employ a random number generator to create authenticators. CC ID 13782 Privacy protection for information and data Preventive
    Provide unobservability of users and resources. CC ID 04551 Privacy protection for information and data Preventive
    Protect electronic messaging information. CC ID 12022 Privacy protection for information and data Preventive
    Render unrecoverable sensitive authentication data after authorization is approved. CC ID 11952 Privacy protection for information and data Preventive
    Encrypt, truncate, or tokenize data fields, as necessary. CC ID 06850 Privacy protection for information and data Preventive
    Implement security measures to protect personal data. CC ID 13606 Privacy protection for information and data Preventive
  • Testing
    48
    Conduct Quality Control to ensure adherence to Information Technology policies, standards, and procedures. CC ID 01008 Leadership and high level objectives Detective
    Test the protective measures for effectiveness to prevent financial impact to responsible parties. CC ID 16750 Leadership and high level objectives Preventive
    Test the collateral requirements for appropriateness. CC ID 16681 Leadership and high level objectives Preventive
    Establish, implement, and maintain stress test plans for financial resources. CC ID 16644 Leadership and high level objectives Preventive
    Include stress scenarios in the stress test plan. CC ID 16659 Leadership and high level objectives Preventive
    Perform stress testing in accordance with the stress test plan. CC ID 16652 Leadership and high level objectives Preventive
    Validate the margin system on a regular basis. CC ID 16660 Leadership and high level objectives Detective
    Establish, implement, and maintain a self-assessment approach as part of the compliance testing strategy. CC ID 12833 Monitoring and measurement Preventive
    Test compliance controls for proper functionality. CC ID 00660 Monitoring and measurement Detective
    Establish, implement, and maintain a system security plan. CC ID 01922
    [{environmental system}{social system} The governing body should ensure that the organization protects and restores those systems on which it depends. In this regard, the governing body should consider and manage risk associated with those decisions it makes that can impact the natural environmental, social and economic systems (see 6.9). While doing so, the governing body should ensure that relevant stakeholders are consulted and engaged (see 6.6). This should provide clarity regarding the impact the governing body's decisions have, over time, on those aspects on which the organization is: § 6.11.3.4 ¶ 1]
    Monitoring and measurement Preventive
    Adhere to the system security plan. CC ID 11640 Monitoring and measurement Detective
    Validate all testing assumptions in the test plans. CC ID 00663 Monitoring and measurement Detective
    Require testing procedures to be complete. CC ID 00664 Monitoring and measurement Detective
    Determine the appropriate assessment method for each testing process in the test plan. CC ID 00665 Monitoring and measurement Preventive
    Analyze system audit reports and determine the need to perform more tests. CC ID 00666 Monitoring and measurement Detective
    Report audit findings by the internal audit manager directly to senior management. CC ID 01152
    [Assurance processes that inform the governing body independently and accurately include: direct reports by, and private sessions with, internal audit as an independent provider of assurance, including insight and advice, on the effectiveness and performance of governance processes and the internal control system, in particular risk management and compliance management; § 6.4.3.3 ¶ 2 Bullet 3
    Assurance processes that inform the governing body independently and accurately include: external audit and associated reporting to stakeholders and the governing body; § 6.4.3.3 ¶ 2 Bullet 4]
    Audits and risk management Detective
    Review the external audit assertion for accuracy. CC ID 06977 Audits and risk management Detective
    Review the risk assessments as compared to the in scope controls. CC ID 06978 Audits and risk management Detective
    Conduct onsite inspections, as necessary. CC ID 16199 Audits and risk management Preventive
    Determine the accurateness of the audit assertion's in scope system description. CC ID 06979 Audits and risk management Detective
    Determine if the in scope system has been implemented as described in the audit assertion. CC ID 06983 Audits and risk management Detective
    Determine if the audit assertion's in scope controls are reasonable. CC ID 06980 Audits and risk management Detective
    Document test plans for auditing in scope controls. CC ID 06985 Audits and risk management Detective
    Determine the implementation status of the audit assertion's in scope controls. CC ID 06981 Audits and risk management Detective
    Determine the effectiveness of in scope controls. CC ID 06984 Audits and risk management Detective
    Determine any errors or material omissions in the audit assertion that affect in scope control implementations. CC ID 06990 Audits and risk management Detective
    Audit the in scope system according to the test plan using relevant evidence. CC ID 07112 Audits and risk management Preventive
    Provide transactional walkthrough procedures for external auditors. CC ID 00672 Audits and risk management Preventive
    Conduct interviews, as necessary. CC ID 07188 Audits and risk management Detective
    Include if in scope control deviations allow in scope controls to be performed acceptably in the work papers. CC ID 06987 Audits and risk management Detective
    Investigate the nature and causes of identified in scope control deviations. CC ID 06986 Audits and risk management Detective
    Submit an audit report that is complete. CC ID 01145 Audits and risk management Detective
    Assess the quality of the audit program in regards to the staff and their qualifications. CC ID 01150
    [{individual}To provide effective oversight of the organization, in addition to the reports it receives from those to whom they have delegated, the governing body should assure itself that the governance system is appropriately designed and operating as intended. If the governing body cannot assure itself directly, then it should utilize additional means of independent assurance. The governing body should: ensure that those providing assurance have appropriate authority and adequate resources to provide the governing body with accurate assessments; § 6.4.3.3 ¶ 1 b)
    To provide effective oversight of the organization, in addition to the reports it receives from those to whom they have delegated, the governing body should assure itself that the governance system is appropriately designed and operating as intended. If the governing body cannot assure itself directly, then it should utilize additional means of independent assurance. The governing body should: ensure that assurance providers have the necessary competency and capacity and that their efforts are appropriately focused; § 6.4.3.3 ¶ 1 c)
    To provide effective oversight of the organization, in addition to the reports it receives from those to whom they have delegated, the governing body should assure itself that the governance system is appropriately designed and operating as intended. If the governing body cannot assure itself directly, then it should utilize additional means of independent assurance. The governing body should: carefully scrutinize the ability of any external assurance providers, to provide independent assurance (see NOTE 1); § 6.4.3.3 ¶ 1 e)
    Where external auditors are appointed, there should be a rotation of audit firms or auditors and careful consideration and transparency of the non-audit services they provide, to ensure continued independent assurance. § 6.4.3.3 ¶ 3]
    Audits and risk management Detective
    Establish, implement, and maintain the audit plan. CC ID 01156 Audits and risk management Detective
    Perform risk assessments for all target environments, as necessary. CC ID 06452
    [To ensure that the organization fulfils the organizational purpose and achieves the intended strategic outcomes, the governing body should: ensure that when the governing body makes decisions, it assesses, treats, monitors, and communicates the nature and extent of the risks faced; § 6.9.3.1 ¶ 2 b)
    The governing body should oversee the organization's management of risk (see 6.4), ensuring that: the organization assesses, treats, monitors and reviews risk in accordance with the established organizational risk framework; § 6.9.3.4 ¶ 1 d)
    {environmental system}{social system} The governing body should ensure that the organization protects and restores those systems on which it depends. In this regard, the governing body should consider and manage risk associated with those decisions it makes that can impact the natural environmental, social and economic systems (see 6.9). While doing so, the governing body should ensure that relevant stakeholders are consulted and engaged (see 6.6). This should provide clarity regarding the impact the governing body's decisions have, over time, on those aspects on which the organization is: § 6.11.3.4 ¶ 1]
    Audits and risk management Preventive
    Determine the effectiveness of risk control measures. CC ID 06601 Audits and risk management Detective
    Perform a risk assessment prior to activating third party access to the organization's critical systems. CC ID 06455 Technical security Detective
    Employ individuals who have the appropriate staff qualifications, staff clearances, and staff competencies. CC ID 00782
    [The composition and structure of the governing body will vary between organizations. However, the governing body, as a collective, should remain suitably equipped to fulfil its role. Appointments to the governing body should be transparent to stakeholders and consider: competence (relevant knowledge and understanding, skills and experience); § 4.3.1 ¶ 1 Bullet 1
    The governing body should: ensure it has the right combination of knowledge, skills and experience to understand the operations of the organization and the markets in which it operates; § 4.3.2 ¶ 2 a)
    The composition and structure of the governing body will vary between organizations. However, the governing body, as a collective, should remain suitably equipped to fulfil its role. Appointments to the governing body should be transparent to stakeholders and consider: § 4.3.1 ¶ 1
    {be adequate} The governing body is accountable for establishing and maintaining an integrated organizational governance framework across the organization that coordinates these governance activities such that the organization realizes effective performance, responsible stewardship and ethical behaviour. This organizational governance framework should ensure that decision-makers have appropriate authority, competence and resources for the responsibilities given to them. Effective delegation and transparent decision-making empower personnel to act appropriately, resulting in a more resilient and agile organization. Controls and subsequent improvement actions should be planned and implemented to ensure that the governance system remains adequate for the organization's purpose. § 4.2.1 ¶ 2]
    Human Resources management Detective
    Perform a drug test during personnel screening. CC ID 06648 Human Resources management Preventive
    Assign and staff all roles appropriately. CC ID 00784 Human Resources management Detective
    Implement segregation of duties in roles and responsibilities. CC ID 00774 Human Resources management Detective
    Test systems for malicious code prior to when the system will be redeployed. CC ID 06339 Operational management Detective
    Conduct maintenance with authorized personnel. CC ID 01434 Operational management Detective
    Calibrate assets according to the calibration procedures for the asset. CC ID 06203 Operational management Detective
    Test for detrimental environmental factors after a system is disposed. CC ID 06938 Operational management Detective
    Refrain from storing data elements containing payment card full magnetic stripe data. CC ID 04757 Privacy protection for information and data Detective
    Implement physical controls to protect personal data. CC ID 00355 Privacy protection for information and data Preventive
    Conduct personal data risk assessments. CC ID 00357 Privacy protection for information and data Detective
Common Controls and mandates by Classification
226 Mandated Controls - bold    70 Implied Controls - italic    2044 Implementation

There are three types of Common Control classifications: corrective, detective, and preventive. Common Controls at the top level have the default assignment of Impact Zone.

Number of Controls
2340 Total
  • Corrective
    42
    KEY:    Primary Verb     Primary Noun     Secondary Verb     Secondary Noun     Limiting Term
    Mandated - bold    Implied - italic    Implementation - regular IMPACT ZONE TYPE
    Disseminate and communicate updated guidance documentation to interested personnel and affected parties upon discovery of a new threat. CC ID 12191 Leadership and high level objectives Communicate
    Correct errors and deficiencies in a timely manner. CC ID 13501
    [Decision-making throughout the organization should be supported by appropriate delegation (see 4.2.2). This delegation should be formalized together with appropriate assurance processes. Additionally, the governing body should ensure that: information structures, including access to information, monitoring and potential mitigation of incorrect decisions are sufficient to ensure compliance with organizational requirements. § 6.8.3.2.2 ¶ 1 c)]
    Leadership and high level objectives Business Processes
    Use a risk-based approach to adapt the Strategic Information Technology Plan to the business's needs. CC ID 00631 Leadership and high level objectives Business Processes
    Document lessons learned at the conclusion of each Information Technology project. CC ID 13654 Leadership and high level objectives Establish/Maintain Documentation
    Report errors and faults to the appropriate personnel, as necessary. CC ID 14296 Monitoring and measurement Communicate
    Update or adjust fraud detection systems, as necessary. CC ID 13684 Monitoring and measurement Process or Activity
    Determine the causes of compliance violations. CC ID 12401 Monitoring and measurement Investigate
    Correct compliance violations. CC ID 13515 Monitoring and measurement Process or Activity
    Carry out disciplinary actions when a compliance violation is detected. CC ID 06675
    [When delegating, the governing body should delegate in a manner which increases trust and transparency. For delegation and accountability (see 6.5) to be effective, the governing body should ensure that the following conditions are fulfilled: consequences, such as sanctions, for the non-fulfilment of a responsibility or non-adherence to established parameters are enforceable. § 4.2.2 ¶ 2 e)]
    Monitoring and measurement Behavior
    Convert data into standard units before reporting metrics. CC ID 15507 Monitoring and measurement Process or Activity
    Report compliance monitoring statistics to the Board of Directors and other critical stakeholders, as necessary. CC ID 00676
    [Finally, the governing body should report honestly and transparently to relevant stakeholders on the organizational governance framework. This includes reporting: its assessment of the governance outcomes achieved. § 5 ¶ 7 Bullet 2
    Assurance processes that inform the governing body independently and accurately include: direct reports by, and private sessions with, internal audit as an independent provider of assurance, including insight and advice, on the effectiveness and performance of governance processes and the internal control system, in particular risk management and compliance management; § 6.4.3.3 ¶ 2 Bullet 3
    Assurance processes that inform the governing body independently and accurately include: direct reports by, and private sessions with, risk management and compliance management as independent control functions; § 6.4.3.3 ¶ 2 Bullet 2]
    Monitoring and measurement Actionable Reports or Measurements
    Assign the Board of Directors to address audit findings. CC ID 12396
    [Assurance processes that inform the governing body independently and accurately include: direct verifications by the governing body; § 6.4.3.3 ¶ 2 Bullet 1]
    Audits and risk management Human Resources Management
    Refrain from changing the date of the practitioner's report on agreed-upon procedures when reissuing it. CC ID 13896 Audits and risk management Establish/Maintain Documentation
    Withdraw from the audit, when defined conditions exist. CC ID 13885 Audits and risk management Process or Activity
    Solve any access problems auditors encounter during the audit. CC ID 08959 Audits and risk management Audits and Risk Management
    Include deficiencies and non-compliance in the audit report. CC ID 14879 Audits and risk management Establish/Maintain Documentation
    Include a description of the reasons for modifying the audit opinion in the audit report. CC ID 13898 Audits and risk management Establish/Maintain Documentation
    Disclaim the audit opinion in the audit report, as necessary. CC ID 13901 Audits and risk management Business Processes
    Modify the audit opinion in the audit report under defined conditions. CC ID 13937 Audits and risk management Establish/Maintain Documentation
    Implement a corrective action plan in response to the audit report. CC ID 06777 Audits and risk management Establish/Maintain Documentation
    Monitor and report on the status of mitigation actions in the corrective action plan. CC ID 15250 Audits and risk management Actionable Reports or Measurements
    Purchase insurance on behalf of interested personnel and affected parties. CC ID 16571 Audits and risk management Acquisition/Sale of Assets or Services
    Revise the risk treatment strategies in the risk treatment plan, as necessary. CC ID 12552 Audits and risk management Establish/Maintain Documentation
    Document and communicate a corrective action plan based on the risk assessment findings. CC ID 00705
    [The governing body should ensure that the value generation objectives are delivered by the organization as a whole, by applying all other principles in this document. This includes ensuring that: the impacts of the organization's changing context are identified, understood, monitored and appropriate action is taken; § 6.2.3.4 ¶ 1 b)
    The governing body should assume accountability for the organization's continual sensing of, and responding to, risk and communicating the chosen approach with relevant stakeholders as necessary (see 6.5.3). § 6.9.3.1 ¶ 1
    The governing body should ensure that the value generation objectives are delivered by the organization as a whole, by applying all other principles in this document. This includes ensuring that: unintended outcomes are adequately identified, understood, monitored and appropriate action taken; § 6.2.3.4 ¶ 1 a)
    The governing body should oversee organizational performance by assessing and taking corrective action based on: risk information (e.g. information received directly from the risk function) regarding the organization's assessment and treatment of its key threats and opportunities in consideration of the organizational risk framework (see 6.9); § 6.4.3.2 ¶ 1 c)]
    Audits and risk management Establish/Maintain Documentation
    Document residual risk in a residual risk report. CC ID 13664 Audits and risk management Establish/Maintain Documentation
    Notify the user when an authentication is attempted using an expired authenticator. CC ID 13818 Technical security Communicate
    Restore systems and environments to be operational. CC ID 13476
    [{environmental system}{social system} The governing body should ensure that the organization protects and restores those systems on which it depends. In this regard, the governing body should consider and manage risk associated with those decisions it makes that can impact the natural environmental, social and economic systems (see 6.9). While doing so, the governing body should ensure that relevant stakeholders are consulted and engaged (see 6.6). This should provide clarity regarding the impact the governing body's decisions have, over time, on those aspects on which the organization is: § 6.11.3.4 ¶ 1]
    Operational and Systems Continuity Systems Continuity
    Rotate members of the board of directors, as necessary. CC ID 14803 Human Resources management Human Resources Management
    Implement a sanctions process for personnel who fail to comply with the organizational compliance program. CC ID 01442
    [{be ethical}{be effective} Where dilemmas turn into conflicts or disputes, alternative dispute resolution mechanisms should be considered over formal litigation where possible. Disputes should be resolved ethically and effectively. § 6.7.3.4 ¶ 3]
    Human Resources management Behavior
    Respond to ethics complaints of ethics violations. CC ID 11497 Human Resources management Business Processes
    Measure policy compliance when reviewing the internal control framework. CC ID 06442
    [The governing body should establish governance policies and ensure that these: set expectations for internal controls, compliance, risk management and risk taking; § 6.3.3.1.2 ¶ 1 e)]
    Operational management Actionable Reports or Measurements
    Update operating procedures that contribute to user errors. CC ID 06935 Operational management Establish/Maintain Documentation
    Include disciplinary actions in the Acceptable Use Policy. CC ID 00296 Operational management Establish/Maintain Documentation
    Establish, implement, and maintain consequences for non-compliance with the organizational compliance framework. CC ID 11747
    [To demonstrate accountability, the governing body should ensure that the organization's reports and disclosures: provide information about the governing body itself, including: the fulfilment of its responsibilities, including the consequences of not fulfilling its obligations; § 6.5.3.2 ¶ 1 b) 2)
    When defining the organizational values, the governing body should ensure that: the governing body itself understands the consequences of unethical behaviour including bribery, fraud and corruption; § 6.1.3.3 ¶ 1 d)
    {hold accountable}{individual} The governing body should hold to account those to whom it has delegated (see 4.2.2). The governing body should ask questions, exercise its judgement, implement consequences, affect improvements and ensure that is equipped to do so. When doing so, the governing body should practise integrity, fairness and transparency. § 6.5.3.3 ¶ 1]
    Operational management Process or Activity
    Identify discrepancies between the asset register database and the Information Technology inventory, as necessary. CC ID 07052 Operational management Monitor and Evaluate Occurrences
    Investigate and resolve discrepancies between the asset register database and the Information Technology inventory. CC ID 07053 Operational management Monitor and Evaluate Occurrences
    Refrain from protecting physical assets when no longer required. CC ID 13484 Operational management Physical and Environmental Protection
    Process product return requests. CC ID 11598 Acquisition or sale of facilities, technology, and services Acquisition/Sale of Assets or Services
    Refrain from returning products absent a return request authorization. CC ID 11599 Acquisition or sale of facilities, technology, and services Acquisition/Sale of Assets or Services
    Allow authorized individuals to authenticate record entries containing personal data. CC ID 11812 Privacy protection for information and data Records Management
    Report fraudulent account activity, unauthorized transactions, or discrepancies with current accounts. CC ID 04875 Privacy protection for information and data Monitor and Evaluate Occurrences
    Take appropriate action when a data leakage is discovered. CC ID 14716 Privacy protection for information and data Process or Activity
  • Detective
    329
    Assess the effectiveness of the communication methods used in the communication protocol. CC ID 12691 Leadership and high level objectives Process or Activity
    Identify all interested personnel and affected parties. CC ID 12845
    [The governing body should ensure that the organization's stakeholders are identified, prioritized, appropriately engaged, consulted and their expectations understood. The governing body should do this to ensure that stakeholder relationships are effective and appropriate decisions about expectations are made to achieve the intended value generation objectives. § 6.6.3 ¶ 1
    {social context} The governing body should define the organization's value generation objectives such that they fulfil the organizational purpose in accordance with the organizational values and the natural environment, social and economic context within which it operates. This should include iterations of identifying relevant stakeholder groups and determining, prioritizing and formulating objectives which meet the expectations of these groups. § 6.2.3.2 ¶ 1
    Defining the organizational purpose involves identifying the issues and stakeholders for which the organization exists to serve and the negative impacts that are to be avoided. When identifying these, the governing body should ensure that the following are considered: § 6.1.3.2 ¶ 1]
    Leadership and high level objectives Process or Activity
    Approve the data classification scheme. CC ID 13858 Leadership and high level objectives Establish/Maintain Documentation
    Ensure the data dictionary is complete and accurate. CC ID 13527 Leadership and high level objectives Investigate
    Monitor regulatory trends to maintain compliance. CC ID 00604
    [{external context} The governing body should ensure that the organizational risk framework, in respect to the management of risk: considers the impact of, changes to and dependencies on the external and internal context of the organization, including: short-, medium- and long-term trends including social responsibility and sustainability trends; § 6.9.3.2 ¶ 2 d) 2)]
    Leadership and high level objectives Monitor and Evaluate Occurrences
    Monitor for new Information Security solutions. CC ID 07078 Leadership and high level objectives Monitor and Evaluate Occurrences
    Subscribe to a threat intelligence service to receive notification of emerging threats. CC ID 12135 Leadership and high level objectives Technical Security
    Enforce a continuous Quality Control system. CC ID 01005 Leadership and high level objectives Business Processes
    Conduct Quality Control to ensure adherence to Information Technology policies, standards, and procedures. CC ID 01008 Leadership and high level objectives Testing
    Establish and maintain time frames for correcting deficiencies found during Quality Control. CC ID 07206 Leadership and high level objectives Business Processes
    Review and analyze any quality improvement goals that were missed. CC ID 07204 Leadership and high level objectives Business Processes
    Analyze organizational policies, as necessary. CC ID 14037 Leadership and high level objectives Establish/Maintain Documentation
    Include all compliance exceptions in the compliance exception standard. CC ID 01630 Leadership and high level objectives Establish/Maintain Documentation
    Establish and maintain a compliance oversight committee. CC ID 00765
    [The governing body should direct and oversee the organization to ensure accountability is practised throughout (see 6.4). § 6.5.3.3 ¶ 2
    {be effective} Depending on the size of the organization, governing bodies can create committees to help them fulfil their obligations. These committees can be statutory or voluntary. In either case, they should provide the governing body with additional capacity, skills, independence, diversity and/or stakeholder representation. If a governing body makes use of supporting committees, the governing body should ensure that it effectively delegates the necessary responsibilities and authority to such committees. § 4.3.1 ¶ 2]
    Leadership and high level objectives Establish Roles
    Review and document the meetings and actions of the Board of Directors or audit committee in the Board Report. CC ID 01151 Leadership and high level objectives Establish/Maintain Documentation
    Provide critical project reports to the compliance oversight committee in a timely manner. CC ID 01183 Leadership and high level objectives Establish/Maintain Documentation
    Identify and document the events that initiate the decision management strategy. CC ID 06914
    [A process of reconciliation between seemingly opposed dimensions leads to more informed and robust decisions. Reconciling dilemmas requires a deliberate approach that includes: recognizing and identifying the dilemma; § 6.7.3.4 ¶ 2 a)]
    Leadership and high level objectives Establish/Maintain Documentation
    Monitor and evaluate the implementation and effectiveness of Information Technology Plans. CC ID 00634 Leadership and high level objectives Monitor and Evaluate Occurrences
    Investigate discrepancies between the information received and the information verified for each funds transfer. CC ID 16757 Leadership and high level objectives Investigate
    Verify all required information is attached to each funds transfer. CC ID 16755 Leadership and high level objectives Business Processes
    Analyze the effectiveness of the stress test plan. CC ID 16657 Leadership and high level objectives Process or Activity
    Validate the margin system on a regular basis. CC ID 16660 Leadership and high level objectives Testing
    Assess the properties of the margin model used in the margin system. CC ID 16658 Leadership and high level objectives Process or Activity
    Monitor the performance of the margin system. CC ID 16655 Leadership and high level objectives Monitor and Evaluate Occurrences
    Analyze the performance of the margin system. CC ID 16654 Leadership and high level objectives Process or Activity
    Determine the amount of assets to be held in escrow. CC ID 16575 Leadership and high level objectives Investigate
    Monitor the usage and capacity of critical assets. CC ID 14825
    [The value generation model requires an integrated approach to understanding and using resources (e.g. human, social and relational, intellectual, the natural environment, financial and manufactured). This approach includes: measurement and tracking of the organization's use of, and impact on, these resources; § 6.2.3.1 ¶ 4 b)]
    Monitoring and measurement Monitor and Evaluate Occurrences
    Monitor the usage and capacity of Information Technology assets. CC ID 00668 Monitoring and measurement Monitor and Evaluate Occurrences
    Notify the interested personnel and affected parties before the storage unit will reach maximum capacity. CC ID 06773 Monitoring and measurement Behavior
    Monitor systems for errors and faults. CC ID 04544 Monitoring and measurement Monitor and Evaluate Occurrences
    Compare system performance metrics to organizational standards and industry benchmarks. CC ID 00667 Monitoring and measurement Monitor and Evaluate Occurrences
    Establish, implement, and maintain logging and monitoring operations. CC ID 00637 Monitoring and measurement Log Management
    Monitor systems for inappropriate usage and other security violations. CC ID 00585
    [{be responsible}{be ethical} The governing body should provide direction for, and have sufficient oversight of, the use of data and its supporting information technology to ensure the organization remains within its established risk appetite and organizational risk framework. This can include: adequate auditing, and monitoring, of information technology to ensure its responsible, including ethical, use and that it meets the governing body's intentions and expectations as well as the organization's compliance obligations; § 6.8.3.4 ¶ 2 c)]
    Monitoring and measurement Monitor and Evaluate Occurrences
    Monitor systems for blended attacks and multiple component incidents. CC ID 01225 Monitoring and measurement Monitor and Evaluate Occurrences
    Monitor systems for Denial of Service attacks. CC ID 01222 Monitoring and measurement Monitor and Evaluate Occurrences
    Monitor systems for access to restricted data or restricted information. CC ID 04721 Monitoring and measurement Monitor and Evaluate Occurrences
    Assign roles and responsibilities for overseeing access to restricted data or restricted information. CC ID 11950 Monitoring and measurement Human Resources Management
    Detect unauthorized access to systems. CC ID 06798 Monitoring and measurement Monitor and Evaluate Occurrences
    Incorporate potential red flags into the organization's incident management system. CC ID 04652 Monitoring and measurement Monitor and Evaluate Occurrences
    Alert interested personnel when suspicious activity is detected by an Intrusion Detection System or Intrusion Prevention System. CC ID 06430 Monitoring and measurement Monitor and Evaluate Occurrences
    Alert interested personnel and affected parties when an incident causes an outage. CC ID 06808 Monitoring and measurement Monitor and Evaluate Occurrences
    Monitor and evaluate environmental threats. CC ID 13481 Monitoring and measurement Monitor and Evaluate Occurrences
    Test compliance controls for proper functionality. CC ID 00660 Monitoring and measurement Testing
    Adhere to the system security plan. CC ID 11640 Monitoring and measurement Testing
    Validate all testing assumptions in the test plans. CC ID 00663 Monitoring and measurement Testing
    Require testing procedures to be complete. CC ID 00664 Monitoring and measurement Testing
    Analyze system audit reports and determine the need to perform more tests. CC ID 00666 Monitoring and measurement Testing
    Monitor devices continuously for conformance with production specifications. CC ID 06201 Monitoring and measurement Monitor and Evaluate Occurrences
    Report on the percentage of critical assets for which an assurance strategy is implemented. CC ID 01657 Monitoring and measurement Actionable Reports or Measurements
    Report on the percentage of key organizational functions for which an assurance strategy is implemented. CC ID 01658 Monitoring and measurement Actionable Reports or Measurements
    Report on the percentage of key compliance requirements for which an assurance strategy has been implemented. CC ID 01659 Monitoring and measurement Actionable Reports or Measurements
    Report on the percentage of the Information System budget allocated to Information Security. CC ID 04571 Monitoring and measurement Actionable Reports or Measurements
    Monitor personnel and third parties for compliance to the organizational compliance framework. CC ID 04726 Monitoring and measurement Monitor and Evaluate Occurrences
    Align enforcement reviews for non-compliance with organizational risk tolerance. CC ID 13063 Monitoring and measurement Business Processes
    Determine if multiple compliance violations of the same type could occur. CC ID 12402 Monitoring and measurement Investigate
    Review the effectiveness of disciplinary actions carried out for compliance violations. CC ID 12403 Monitoring and measurement Investigate
    Report on the policies and controls that have been implemented by management. CC ID 01670 Monitoring and measurement Actionable Reports or Measurements
    Report on the percentage of security management roles that have been assigned. CC ID 01671 Monitoring and measurement Actionable Reports or Measurements
    Report on the percentage of board meetings or committee meetings at which Information Assurance was on the agenda. CC ID 01672 Monitoring and measurement Actionable Reports or Measurements
    Report on the percentage of supply chain members for which all Information Assurance requirements have been implemented. CC ID 01675 Monitoring and measurement Actionable Reports or Measurements
    Report on the percentage of organizational units that have an established Business Continuity Plan. CC ID 01676 Monitoring and measurement Actionable Reports or Measurements
    Report on the percentage of organizational units with a documented Business Continuity Plan for which specific responsibilities have been assigned. CC ID 02057 Monitoring and measurement Actionable Reports or Measurements
    Report on the percentage of Business Continuity Plans that have been reviewed, tested, and updated. CC ID 02058 Monitoring and measurement Actionable Reports or Measurements
    Report on the percentage of needed internal audits that have been completed and reviewed. CC ID 01677 Monitoring and measurement Actionable Reports or Measurements
    Report on the percentage of Information Security requirements from applicable laws and regulations that are included in the audit program. CC ID 02069 Monitoring and measurement Actionable Reports or Measurements
    Report on the percentage of needed external audits that have been completed and reviewed. CC ID 11632 Monitoring and measurement Actionable Reports or Measurements
    Report on the percentage of Information Security audits conducted in compliance with the approved audit program. CC ID 02070 Monitoring and measurement Actionable Reports or Measurements
    Report on the percentage of audit findings that have been resolved since the last audit. CC ID 01678 Monitoring and measurement Actionable Reports or Measurements
    Report on the percentage of management actions in response to audit findings and audit recommendations that were implemented in a timely way. CC ID 02071 Monitoring and measurement Actionable Reports or Measurements
    Report on the percentage of total controls for which policies, standards, and procedures exist and for which approval has been granted. CC ID 01679 Monitoring and measurement Actionable Reports or Measurements
    Report on the percentage of personnel who are assigned and acknowledged responsibilities for approved policies, standards, and procedures. CC ID 01680 Monitoring and measurement Actionable Reports or Measurements
    Report on the percentage of policy compliance reviews for which no compliance violations were noted. CC ID 01681 Monitoring and measurement Actionable Reports or Measurements
    Report on the percentage of senior management or business unit heads who have implemented operational compliance procedures. CC ID 01682 Monitoring and measurement Actionable Reports or Measurements
    Report on the percentage of role descriptions that define the Information Awareness roles for Security Managers and administrators. CC ID 01685 Monitoring and measurement Actionable Reports or Measurements
    Report on the percentage of role descriptions that define the information awareness roles for interested personnel. CC ID 01686 Monitoring and measurement Actionable Reports or Measurements
    Report on the percentage of role descriptions that define the information awareness roles for end users. CC ID 01687 Monitoring and measurement Actionable Reports or Measurements
    Report on the percentage of performance reviews that include the evaluation of Information Assurance responsibilities and policy compliance. CC ID 01688 Monitoring and measurement Actionable Reports or Measurements
    Report on the percentage of individuals who have access to security software and are trained and authorized Security Administrators. CC ID 01691 Monitoring and measurement Actionable Reports or Measurements
    Report on the percentage of individuals who are able to assign security privileges and are trained and authorized Security Administrators. CC ID 01692 Monitoring and measurement Actionable Reports or Measurements
    Report on the percentage of new hires who completed training ahead of being granted network access or system access. CC ID 01683 Monitoring and measurement Actionable Reports or Measurements
    Report on the percentage of personnel who have completed periodic Information Assurance refresher training. CC ID 01684 Monitoring and measurement Actionable Reports or Measurements
    Report on the percentage of user roles, systems, and applications that comply with the segregation of duties principle. CC ID 01689 Monitoring and measurement Actionable Reports or Measurements
    Report on the percentage of individuals whose access rights have been reviewed. CC ID 01690 Monitoring and measurement Actionable Reports or Measurements
    Report on the percentage of users who have access to restricted data or restricted information and have undergone a background check. CC ID 01693 Monitoring and measurement Actionable Reports or Measurements
    Report on the percentage of critical information assets and information-dependent functions. CC ID 02040 Monitoring and measurement Actionable Reports or Measurements
    Report on the percentage of critical assets and functions for which the cost of compromise has been quantified. CC ID 02041 Monitoring and measurement Actionable Reports or Measurements
    Report on the percentage of identified risks that have a defined risk mitigation plan. CC ID 02042 Monitoring and measurement Actionable Reports or Measurements
    Report on the percentage of systems with approved System Security Plans. CC ID 02145 Monitoring and measurement Actionable Reports or Measurements
    Report on the percentage of known Information Security risks that are related to supply chain relationships. CC ID 02044 Monitoring and measurement Actionable Reports or Measurements
    Report on the percentage of critical information assets or critical functions for which access by supply chain personnel is disallowed. CC ID 02045 Monitoring and measurement Actionable Reports or Measurements
    Report on the percentage of supply chain personnel who have current information asset user privileges. CC ID 02046 Monitoring and measurement Actionable Reports or Measurements
    Report on the percentage of systems with critical information assets or functions for which electronic connection by supply chain assets is disallowed. CC ID 02047 Monitoring and measurement Actionable Reports or Measurements
    Report on the percentage of security incidents that involved supply chain personnel. CC ID 02048 Monitoring and measurement Actionable Reports or Measurements
    Report on the percentage of third party contracts that include a requirement to externally verify policies and procedures. CC ID 02049 Monitoring and measurement Actionable Reports or Measurements
    Report on the percentage of supply chain relationships that have been reviewed for compliance with information security requirements. CC ID 02050 Monitoring and measurement Actionable Reports or Measurements
    Report on the percentage of information assets that have been reviewed and classified. CC ID 02053 Monitoring and measurement Actionable Reports or Measurements
    Report on the percentage of information assets with defined user privileges that have been assigned based on role and according to policy. CC ID 02054 Monitoring and measurement Actionable Reports or Measurements
    Report on the percentage of scheduled Information Technology inventory processes that occurred on time. CC ID 02055 Monitoring and measurement Actionable Reports or Measurements
    Report on the percentage of recently identified information security risks related to systems architecture that have been adequately mitigated. CC ID 02060 Monitoring and measurement Actionable Reports or Measurements
    Report on the percentage of system architecture changes that were approved through appropriate change requests. CC ID 02061 Monitoring and measurement Actionable Reports or Measurements
    Report on the percentage of critical information assets or functions residing on systems that are currently in compliance with the approved systems architecture. CC ID 02062 Monitoring and measurement Actionable Reports or Measurements
    Report on the percentage of systems that have been recertified if security controls were updated after the system was developed. CC ID 02142 Monitoring and measurement Actionable Reports or Measurements
    Report on the percentage of systems that have completed Certification and Accreditation. CC ID 02143 Monitoring and measurement Actionable Reports or Measurements
    Report on the percentage of critical organizational information assets and functions that have been reviewed from the risk to physical security perspective. CC ID 02064 Monitoring and measurement Actionable Reports or Measurements
    Report on the percentage of critical organizational information assets and functions exposed to physical risks for which risk mitigation actions have been implemented. CC ID 02065 Monitoring and measurement Actionable Reports or Measurements
    Report on the percentage of critical assets that have been reviewed from the environmental risk perspective. CC ID 02066 Monitoring and measurement Actionable Reports or Measurements
    Report on the percentage of servers located in controlled access areas. CC ID 02067 Monitoring and measurement Actionable Reports or Measurements
    Report on the percentage of unique active user identifiers. CC ID 02074 Monitoring and measurement Actionable Reports or Measurements
    Report on the percentage of systems and applications that perform authenticator policy verification. CC ID 02086 Monitoring and measurement Actionable Reports or Measurements
    Report on the percentage of active user passwords that are set to expire. CC ID 02087 Monitoring and measurement Actionable Reports or Measurements
    Report on the percentage of systems with critical information assets that use stronger authentication than user identifiers and passwords. CC ID 02088 Monitoring and measurement Actionable Reports or Measurements
    Report on the percentage of systems for which default accounts and default passwords have been disabled or reset. CC ID 02089 Monitoring and measurement Actionable Reports or Measurements
    Report on the percentage of inactive user accounts that are assigned to personnel who have left or no longer need access. CC ID 02090 Monitoring and measurement Actionable Reports or Measurements
    Report on the percentage of systems with account lockout thresholds set. CC ID 02091 Monitoring and measurement Actionable Reports or Measurements
    Report on the percentage of inactive user accounts that have been disabled. CC ID 02092 Monitoring and measurement Actionable Reports or Measurements
    Report on the percentage of workstations with session timeout or automatic logoff controls set. CC ID 02093 Monitoring and measurement Actionable Reports or Measurements
    Report on the percentage of users with access to shared accounts. CC ID 04573 Monitoring and measurement Actionable Reports or Measurements
    Report on the percentage of active computer accounts that have had the current user privileges reviewed. CC ID 02094 Monitoring and measurement Actionable Reports or Measurements
    Report on the percentage of systems where permission to install nonstandard software is limited. CC ID 02095 Monitoring and measurement Actionable Reports or Measurements
    Report on the percentage of systems and applications that have user privileges and administrator privileges assigned in compliance with Role-Based Access Controls. CC ID 02096 Monitoring and measurement Actionable Reports or Measurements
    Report on the percentage of systems for which approved configuration settings have been implemented. CC ID 02097 Monitoring and measurement Actionable Reports or Measurements
    Report on the percentage of systems with configurations that do not deviate from approved standards. CC ID 02098 Monitoring and measurement Actionable Reports or Measurements
    Report on the percentage of systems that are continuously monitored for compliance with the configuration standard with out-of-compliance alarms or out-of-compliance reports. CC ID 02099 Monitoring and measurement Actionable Reports or Measurements
    Report on the percentage of systems whose configuration is compared with a previously established trusted configuration baseline. CC ID 02100 Monitoring and measurement Actionable Reports or Measurements
    Report on the percentage of systems where the authority to make configuration changes is limited. CC ID 02101 Monitoring and measurement Actionable Reports or Measurements
    Report on the percentage of system components that undergo maintenance as scheduled. CC ID 04562 Monitoring and measurement Actionable Reports or Measurements
    Report on the percentage of systems for which event logging has been implemented. CC ID 02102 Monitoring and measurement Log Management
    Report on the percentage of systems for which event logs are monitored and reviewed. CC ID 02103 Monitoring and measurement Log Management
    Report on the percentage of systems for which log capacity and log retention schedules have been implemented. CC ID 02104 Monitoring and measurement Log Management
    Report on the percentage of systems that generate warnings about anomalous activity or potentially unauthorized activity. CC ID 02105 Monitoring and measurement Actionable Reports or Measurements
    Report on the percentage of laptops and mobile devices that are required to comply with the approved configuration standard before being granted network access. CC ID 02106 Monitoring and measurement Actionable Reports or Measurements
    Report on the percentage of organizationally controlled communications channels that have been secured. CC ID 02107 Monitoring and measurement Actionable Reports or Measurements
    Report on the percentage of host servers that are protected from becoming relay hosts. CC ID 02108 Monitoring and measurement Actionable Reports or Measurements
    Report on the percentage of mobile users who access organizational facilities using secure communications methods. CC ID 02109 Monitoring and measurement Actionable Reports or Measurements
    Report on the percentage of workstations and laptops that employ automated system security tools. CC ID 02110 Monitoring and measurement Actionable Reports or Measurements
    Report on the percentage of servers that employ automated system security tools. CC ID 02111 Monitoring and measurement Actionable Reports or Measurements
    Report on the percentage of mobile devices that employ automated system security tools. CC ID 02112 Monitoring and measurement Actionable Reports or Measurements
    Report on the percentage of software changes that have been documented and approved through change request forms. CC ID 02152 Monitoring and measurement Actionable Reports or Measurements
    Report on the percentage of systems with all approved patches installed. CC ID 02113 Monitoring and measurement Actionable Reports or Measurements
    Report on the mean time from patch availability to patch installation. CC ID 02114 Monitoring and measurement Actionable Reports or Measurements
    Report on the percentage of software changes that were reviewed for security impacts before the software configuration is updated. CC ID 02115 Monitoring and measurement Actionable Reports or Measurements
    Establish, implement, and maintain a network activity baseline. CC ID 13188 Monitoring and measurement Technical Security
    Report on the percentage of systems configured according to the configuration standard. CC ID 02116 Monitoring and measurement Actionable Reports or Measurements
    Report on the percentage of network access controls used to gain unauthorized access. CC ID 04572 Monitoring and measurement Actionable Reports or Measurements
    Report on the percentage of critical information assets stored on network accessible devices that are encrypted with widely tested and published cryptographic algorithms. CC ID 02117 Monitoring and measurement Actionable Reports or Measurements
    Report on the percentage of mobile devices that use encryption for critical information assets. CC ID 02118 Monitoring and measurement Actionable Reports or Measurements
    Report on the percentage of passwords and Personal Identification Numbers that are encrypted. CC ID 02119 Monitoring and measurement Actionable Reports or Measurements
    Report on the percentage of media that passes sanitization procedure testing. CC ID 04574 Monitoring and measurement Actionable Reports or Measurements
    Report on the percentage of systems with critical information assets or critical business functions that have been backed up in accordance with the backup policy and the system's continuity plan. CC ID 02120 Monitoring and measurement Actionable Reports or Measurements
    Report on the percentage of systems with critical information assets or critical functions where restoration from a backup has been successfully demonstrated. CC ID 02121 Monitoring and measurement Actionable Reports or Measurements
    Report on the percentage of backup media stored off site in secure storage. CC ID 02122 Monitoring and measurement Actionable Reports or Measurements
    Report on the percentage of used backup media or archive media sanitized prior to reuse or disposal. CC ID 02123 Monitoring and measurement Actionable Reports or Measurements
    Report on the estimated damage or loss resulting from all security incidents. CC ID 01674 Monitoring and measurement Actionable Reports or Measurements
    Report on the percentage of security incidents that did not cause confidentiality, integrity, or availability losses beyond the Service Level Agreement thresholds. CC ID 01673 Monitoring and measurement Actionable Reports or Measurements
    Report on the percentage of operational time that critical services were unavailable due to security incidents. CC ID 02124 Monitoring and measurement Actionable Reports or Measurements
    Report on the percentage of security incidents that exploited existing security vulnerabilities with known solutions, patches, or workarounds. CC ID 02125 Monitoring and measurement Actionable Reports or Measurements
    Report on the percentage of systems affected by security incidents that exploited existing security vulnerabilities with known solutions, patches, or workarounds. CC ID 02126 Monitoring and measurement Actionable Reports or Measurements
    Report on the percentage of security incidents that were managed according to established policies, procedures, and processes. CC ID 02127 Monitoring and measurement Actionable Reports or Measurements
    Report on the number of security incidents reported to FedCIRC, NIPC, the Payment Card Industry, or local law enforcement. CC ID 02154 Monitoring and measurement Actionable Reports or Measurements
    Report on the percentage of systems with critical information assets or critical functions that have been assessed for security vulnerabilities. CC ID 02128 Monitoring and measurement Actionable Reports or Measurements
    Report on the percentage of vulnerability assessment findings that have been addressed since the last reporting period. CC ID 02129 Monitoring and measurement Actionable Reports or Measurements
    Report on the average elapsed time between the discovery of a new vulnerability and implementing corrective action. CC ID 02140 Monitoring and measurement Actionable Reports or Measurements
    Report on the percentage of physical security incidents that involved entry into a facility containing Information Systems. CC ID 04564 Monitoring and measurement Actionable Reports or Measurements
    Monitor for changes to the organizational culture that have a direct effect on organizational objectives. CC ID 12881 Monitoring and measurement Monitor and Evaluate Occurrences
    Establish, implement, and maintain a corrective action plan. CC ID 00675
    [When defining the organizational values, the governing body should ensure that: corrective action can be taken. § 6.1.3.3 ¶ 1 e)
    To exercise effective oversight, the governing body should: take corrective action; § 6.4.3.1 ¶ 1 c)
    The governing body should oversee organizational performance by assessing and taking corrective action based on: § 6.4.3.2 ¶ 1
    The governing body should oversee organizational performance by assessing and taking corrective action based on: the organization's identification of, and engagement with, relevant stakeholders (see 6.6); § 6.4.3.2 ¶ 1 e)
    The governing body should oversee organizational performance by assessing and taking corrective action based on: the organization's responsible (which includes ethical) use of, and adequate investment in, technology including, for example, artificial intelligence and cyber security; § 6.4.3.2 ¶ 1 i)
    For accountability to be effective, it relies on effective stakeholder engagement (see 6.6) as this is the basis for effective dialogue, value generation and improvement. The governing body should be available to answer to relevant stakeholders about decisions made and have responses evaluated. Improvements should be applied as the result of feedback from reporting, disclosure and dialogue activities. § 6.5.3.2 ¶ 3
    {be adequate} The governing body is accountable for establishing and maintaining an integrated organizational governance framework across the organization that coordinates these governance activities such that the organization realizes effective performance, responsible stewardship and ethical behaviour. This organizational governance framework should ensure that decision-makers have appropriate authority, competence and resources for the responsibilities given to them. Effective delegation and transparent decision-making empower personnel to act appropriately, resulting in a more resilient and agile organization. Controls and subsequent improvement actions should be planned and implemented to ensure that the governance system remains adequate for the organization's purpose. § 4.2.1 ¶ 2
    The governing body should demonstrate accountability by retaining and distributing value in a transparent manner and reporting on the associated processes, decisions and results, including on the extent of the organization's impacts over time. This includes disclosing to relevant stakeholders where the organization has destroyed or compromised value, providing a justification for such where appropriate, and describing how it will redress or reinstate that value. § 6.2.3.5 ¶ 2
    The governing body should oversee organizational performance by assessing and taking corrective action based on: whether the organizational values and governance policies are effectively guiding the organization, its culture and its ethical behaviour; § 6.4.3.2 ¶ 1 a)
    Recognize failures and mistakes and take appropriate action. Table 2 Column 2 Row 2 Bullet 5
    The governing body should oversee organizational performance by assessing and taking corrective action based on: compliance (e.g. information received directly from the compliance function) regarding the organization's compliance culture and the meeting of its compliance obligations; § 6.4.3.2 ¶ 1 d)
    The governing body should oversee organizational performance by assessing and taking corrective action based on: the organization's management of plans, organizational changes and other substantial transformations as well as responses to unplanned events and incidents. § 6.4.3.2 ¶ 1 j)
    The governing body should oversee organizational performance by assessing and taking corrective action based on: managerial reporting and performance, ensuring that it appraises results against applicable measurement criteria and its intentions and expectations (see 6.3.3); § 6.4.3.2 ¶ 1 b)
    The governing body should oversee organizational performance by assessing and taking corrective action based on: the organization's controlling and processing of data, ensuring that data are recognized as a valuable and strategic organizational resource (see 6.8); § 6.4.3.2 ¶ 1 h)
    The governing body should oversee organizational performance by assessing and taking corrective action based on: resource allocations, capacity and capabilities (including people and their development) ensuring that the organization is enabled to meet its organizational purpose, value generation objectives and strategic outcomes; § 6.4.3.2 ¶ 1 g)
    {be financially sound}The governing body should oversee organizational performance by assessing and taking corrective action based on: the organization's financial results and financial resources, ensuring that the organization remains financially sound; § 6.4.3.2 ¶ 1 f)
    {hold accountable}{individual} The governing body should hold to account those to whom it has delegated (see 4.2.2). The governing body should ask questions, exercise its judgement, implement consequences, affect improvements and ensure that it is equipped to do so. When doing so, the governing body should practise integrity, fairness and transparency. § 6.5.3.3 ¶ 1]
    Monitoring and measurement Monitor and Evaluate Occurrences
    Include monitoring in the corrective action plan. CC ID 11645 Monitoring and measurement Monitor and Evaluate Occurrences
    Report audit findings by the internal audit manager directly to senior management. CC ID 01152
    [Assurance processes that inform the governing body independently and accurately include: direct reports by, and private sessions with, internal audit as an independent provider of assurance, including insight and advice, on the effectiveness and performance of governance processes and the internal control system, in particular risk management and compliance management; § 6.4.3.3 ¶ 2 Bullet 3
    Assurance processes that inform the governing body independently and accurately include: external audit and associated reporting to stakeholders and the governing body; § 6.4.3.3 ¶ 2 Bullet 4]
    Audits and risk management Testing
    Review the external audit assertion for accuracy. CC ID 06977 Audits and risk management Testing
    Review the risk assessments as compared to the in scope controls. CC ID 06978 Audits and risk management Testing
    Include nondisclosure agreements in external auditor outsourcing contracts. CC ID 10014 Audits and risk management Audits and Risk Management
    Determine if requested services create a threat to independence. CC ID 16823 Audits and risk management Audits and Risk Management
    Determine the presentation method of the audit assertion's in scope system description. CC ID 14885 Audits and risk management Establish/Maintain Documentation
    Determine the appropriateness of the audit assertion's in scope system description. CC ID 16449 Audits and risk management Audits and Risk Management
    Confirm audit requirements during the opening meeting. CC ID 15255 Audits and risk management Audits and Risk Management
    Establish and maintain audit assertions, as necessary. CC ID 14871 Audits and risk management Establish/Maintain Documentation
    Refrain from performing an attestation engagement under defined conditions. CC ID 13952 Audits and risk management Audits and Risk Management
    Identify hypothetical assumptions in forecasts and projections during an audit. CC ID 13946 Audits and risk management Audits and Risk Management
    Refrain from examining forecasts and projections which refrain from disclosing assumptions during an audit. CC ID 13932 Audits and risk management Audits and Risk Management
    Audit cybersecurity risk management within the policies, standards, and procedures of the organization. CC ID 13011 Audits and risk management Investigate
    Audit information systems, as necessary. CC ID 13010
    [{be responsible}{be ethical}The governing body should provide direction for, and have sufficient oversight of, the use of data and its supporting information technology to ensure the organization remains within its established risk appetite and organizational risk framework. This can include: adequate auditing, and monitoring, of information technology to ensure its responsible, including ethical, use and that it meets the governing body's intentions and expectations as well as the organization's compliance obligations; § 6.8.3.4 ¶ 2 c)]
    Audits and risk management Investigate
    Audit the potential costs of compromise to information systems. CC ID 13012 Audits and risk management Investigate
    Determine the accurateness of the audit assertion's in scope system description. CC ID 06979 Audits and risk management Testing
    Determine if the in scope system has been implemented as described in the audit assertion. CC ID 06983 Audits and risk management Testing
    Investigate the nature and causes of misstatements in the audit assertion's in scope system description. CC ID 16557 Audits and risk management Audits and Risk Management
    Determine the effect of fraud and non-compliance on the description of the system in the audit assertion, as necessary. CC ID 13977 Audits and risk management Process or Activity
    Determine if the audit assertion's in scope controls are reasonable. CC ID 06980 Audits and risk management Testing
    Determine the effect of fraud and non-compliance on the achievement of in scope controls in the audit assertion, as necessary. CC ID 13978 Audits and risk management Process or Activity
    Document test plans for auditing in scope controls. CC ID 06985 Audits and risk management Testing
    Determine the implementation status of the audit assertion's in scope controls. CC ID 06981 Audits and risk management Testing
    Determine the effectiveness of in scope controls. CC ID 06984 Audits and risk management Testing
    Review incident management audit logs to determine the effectiveness of in scope controls. CC ID 12157 Audits and risk management Audits and Risk Management
    Review audit reports to determine the effectiveness of in scope controls. CC ID 12156 Audits and risk management Audits and Risk Management
    Observe processes to determine the effectiveness of in scope controls. CC ID 12155 Audits and risk management Audits and Risk Management
    Interview stakeholders to determine the effectiveness of in scope controls. CC ID 12154 Audits and risk management Audits and Risk Management
    Review policies and procedures to determine the effectiveness of in scope controls. CC ID 12144 Audits and risk management Audits and Risk Management
    Evaluate personnel status changes to determine the effectiveness of in scope controls. CC ID 16556 Audits and risk management Audits and Risk Management
    Determine whether individuals performing a control have the appropriate staff qualifications, staff clearances, and staff competencies. CC ID 16555 Audits and risk management Audits and Risk Management
    Determine any errors or material omissions in the audit assertion that affect in scope control implementations. CC ID 06990 Audits and risk management Testing
    Conduct interviews, as necessary. CC ID 07188 Audits and risk management Testing
    Verify statements made by interviewees are correct. CC ID 16299 Audits and risk management Behavior
    Discuss unsolved questions with the interviewee. CC ID 16298 Audits and risk management Process or Activity
    Allow interviewee to respond to explanations. CC ID 16296 Audits and risk management Process or Activity
    Explain the requirements being discussed to the interviewee. CC ID 16294 Audits and risk management Process or Activity
    Explain the goals of the interview to the interviewee. CC ID 07189 Audits and risk management Behavior
    Include if the audit evidence has identified in scope control deficiencies in the work papers. CC ID 07152 Audits and risk management Audits and Risk Management
    Include if in scope control deviations allow in scope controls to be performed acceptably in the work papers. CC ID 06987 Audits and risk management Testing
    Investigate the nature and causes of identified in scope control deviations. CC ID 06986 Audits and risk management Testing
    Review the subject matter expert's findings. CC ID 16559 Audits and risk management Audits and Risk Management
    Permit assessment teams to conduct audits, as necessary. CC ID 16430 Audits and risk management Investigate
    Determine what disclosures are required in the audit report. CC ID 14888 Audits and risk management Establish/Maintain Documentation
    Identify the audit team members in the audit report. CC ID 15259 Audits and risk management Human Resources Management
    Identify the participants from the organization being audited in the audit report. CC ID 15258 Audits and risk management Audits and Risk Management
    Review the adequacy of the internal auditor's work papers. CC ID 01146 Audits and risk management Audits and Risk Management
    Compare the evaluations completed by the internal auditors and the external auditors in past audit reports. CC ID 01158 Audits and risk management Establish/Maintain Documentation
    Review the adequacy of the internal auditor's audit reports. CC ID 11620 Audits and risk management Audits and Risk Management
    Review past audit reports. CC ID 01155 Audits and risk management Establish/Maintain Documentation
    Review past audit reports for specific process steps and calculations that were stated to support the audit report's conclusions. CC ID 01160 Audits and risk management Establish/Maintain Documentation
    Review the reporting of material weaknesses and risks in past audit reports. CC ID 01161 Audits and risk management Establish/Maintain Documentation
    Determine the effect of deficiencies on the audit report, as necessary. CC ID 14886 Audits and risk management Investigate
    Determine the effect of fraud and non-compliance on the audit report, as necessary. CC ID 13979 Audits and risk management Process or Activity
    Disseminate and communicate the reviews of audit reports to organizational management. CC ID 00653 Audits and risk management Log Management
    Review the issues of non-compliance from past audit reports. CC ID 01148 Audits and risk management Establish/Maintain Documentation
    Submit an audit report that is complete. CC ID 01145 Audits and risk management Testing
    Review management's response to issues raised in past audit reports. CC ID 01149 Audits and risk management Audits and Risk Management
    Assess the quality of the audit program in regards to the staff and their qualifications. CC ID 01150
    [{individual}To provide effective oversight of the organization, in addition to the reports it receives from those to whom they have delegated, the governing body should assure itself that the governance system is appropriately designed and operating as intended. If the governing body cannot assure itself directly, then it should utilize additional means of independent assurance. The governing body should: ensure that those providing assurance have appropriate authority and adequate resources to provide the governing body with accurate assessments; § 6.4.3.3 ¶ 1 b)
    To provide effective oversight of the organization, in addition to the reports it receives from those to whom they have delegated, the governing body should assure itself that the governance system is appropriately designed and operating as intended. If the governing body cannot assure itself directly, then it should utilize additional means of independent assurance. The governing body should: ensure that assurance providers have the necessary competency and capacity and that their efforts are appropriately focused; § 6.4.3.3 ¶ 1 c)
    To provide effective oversight of the organization, in addition to the reports it receives from those to whom they have delegated, the governing body should assure itself that the governance system is appropriately designed and operating as intended. If the governing body cannot assure itself directly, then it should utilize additional means of independent assurance. The governing body should: carefully scrutinize the ability of any external assurance providers, to provide independent assurance (see NOTE 1); § 6.4.3.3 ¶ 1 e)
    Where external auditors are appointed, there should be a rotation of audit firms or auditors and careful consideration and transparency of the non-audit services they provide, to ensure continued independent assurance. § 6.4.3.3 ¶ 3]
    Audits and risk management Testing
    Evaluate the competency of auditors. CC ID 15253 Audits and risk management Human Resources Management
    Review the audit program scope as it relates to the organization's profile. CC ID 01159 Audits and risk management Audits and Risk Management
    Establish, implement, and maintain the audit plan. CC ID 01156 Audits and risk management Testing
    Document and justify any exclusions from the scope of the risk management activities in the risk management program. CC ID 15336 Audits and risk management Business Processes
    Analyze the risk management strategy for addressing requirements. CC ID 12926 Audits and risk management Audits and Risk Management
    Analyze the risk management strategy for addressing threats. CC ID 12925 Audits and risk management Audits and Risk Management
    Analyze the risk management strategy for addressing opportunities. CC ID 12924 Audits and risk management Audits and Risk Management
    Employ third parties when implementing a risk assessment, as necessary. CC ID 16306 Audits and risk management Human Resources Management
    Include an analysis of system interdependencies in the threat and risk classification scheme. CC ID 13056 Audits and risk management Investigate
    Review the risk profiles, as necessary. CC ID 16561 Audits and risk management Audits and Risk Management
    Update the risk assessment upon discovery of a new threat. CC ID 00708 Audits and risk management Establish/Maintain Documentation
    Update the risk assessment upon changes to the risk profile. CC ID 11627 Audits and risk management Establish/Maintain Documentation
    Conduct external audits of risk assessments, as necessary. CC ID 13308 Audits and risk management Audits and Risk Management
    Evaluate the effectiveness of threat and vulnerability management procedures. CC ID 13491 Audits and risk management Investigate
    Conduct a Business Impact Analysis, as necessary. CC ID 01147 Audits and risk management Audits and Risk Management
    Assess the potential level of business impact risk associated with each business process. CC ID 06463
    [{be dependent}{environmental system}{social system}The governing body should ensure that the organization protects and restores those systems on which it depends. In this regard, the governing body should consider and manage risk associated with those decisions it makes that can impact the natural environmental, social and economic systems (see 6.9). While doing so, the governing body should ensure that relevant stakeholders are consulted and engaged (see 6.6). This should provide clarity regarding the impact the governing body's decisions have, over time, on those aspects on which the organization is: directly dependent; § 6.11.3.4 ¶ 1 Bullet 1
    {be independent}{environmental system}{social system}The governing body should ensure that the organization protects and restores those systems on which it depends. In this regard, the governing body should consider and manage risk associated with those decisions it makes that can impact the natural environmental, social and economic systems (see 6.9). While doing so, the governing body should ensure that relevant stakeholders are consulted and engaged (see 6.6). This should provide clarity regarding the impact the governing body's decisions have, over time, on those aspects on which the organization is: not directly dependent but whose ability to be sustained will be affected by the governing body's decisions. § 6.11.3.4 ¶ 1 Bullet 2]
    Audits and risk management Audits and Risk Management
    Assess the potential level of business impact risk associated with the business environment. CC ID 06464
    [The governing body should ensure that the value generation objectives are delivered by the organization as a whole, by applying all other principles in this document. This includes ensuring that: the impacts of the organization's changing context are identified, understood, monitored and appropriate action is taken; § 6.2.3.4 ¶ 1 b)
    {be responsible}{be accurate}The governing body should ensure that the organizational risk framework, in respect to the management of risk: mandates that relevant stakeholders are engaged responsibly and accurately, and considers the organization's positive and negative risk impacts on them (see 6.6). § 6.9.3.2 ¶ 2 h)
    {positive impact}The governing body should ensure that the organization's value generation model identifies and assesses (see 6.2): the organization's positive and negative impacts on these systems. § 6.11.3.3 ¶ 1 c)
    {external context}The governing body should ensure that the organizational risk framework, in respect to the management of risk: considers the impact of, changes to and dependencies on the external and internal context of the organization, including: § 6.9.3.2 ¶ 2 d)
    {social context}{internal context}When setting the strategic outcomes and guiding the organizational strategy, the governing body should consider the organization's internal and external context, including: the interdependence between the natural environment, social and economic context – the organization's material impact on the context and its material impact on the organization; § 6.3.3.1.1 ¶ 2 e)
    {internal context}When setting the strategic outcomes and guiding the organizational strategy, the governing body should consider the organization's internal and external context, including: the organization's impact on stakeholders; § 6.3.3.1.1 ¶ 2 h)
    Defining the organizational purpose involves identifying the issues and stakeholders for which the organization exists to serve and the negative impacts that are to be avoided. When identifying these, the governing body should ensure that the following are considered: § 6.1.3.2 ¶ 1]
    Audits and risk management Audits and Risk Management
    Assess the potential level of business impact risk associated with business information of in scope systems. CC ID 06465 Audits and risk management Audits and Risk Management
    Identify changes to in scope systems that could threaten communication between business units. CC ID 13173 Audits and risk management Investigate
    Assess the potential business impact risk of in scope systems caused by deliberate threats to their confidentiality, integrity, and availability. CC ID 06466 Audits and risk management Audits and Risk Management
    Assess the potential level of business impact risk caused by accidental threats to the confidentiality, integrity and availability of critical systems. CC ID 06467 Audits and risk management Audits and Risk Management
    Assess the potential level of business impact risk associated with reputational damage. CC ID 15335 Audits and risk management Audits and Risk Management
    Assess the potential level of business impact risk associated with insider threats. CC ID 06468 Audits and risk management Audits and Risk Management
    Assess the potential level of business impact risk associated with external entities. CC ID 06469 Audits and risk management Audits and Risk Management
    Assess the potential level of business impact risk associated with natural disasters. CC ID 06470 Audits and risk management Actionable Reports or Measurements
    Assess the potential level of business impact risk associated with control weaknesses. CC ID 06471 Audits and risk management Audits and Risk Management
    Perform a gap analysis to review in scope controls for identified risks and implement new controls, as necessary. CC ID 00704 Audits and risk management Establish/Maintain Documentation
    Analyze the effect of threats on organizational strategies and objectives. CC ID 12850 Audits and risk management Process or Activity
    Analyze the effect of opportunities on organizational strategies and objectives. CC ID 12849 Audits and risk management Process or Activity
    Determine the effectiveness of risk control measures. CC ID 06601 Audits and risk management Testing
    Analyze the impact of artificial intelligence systems on society. CC ID 16317 Audits and risk management Audits and Risk Management
    Analyze the impact of artificial intelligence systems on individuals. CC ID 16316 Audits and risk management Audits and Risk Management
    Analyze supply chain risk management procedures, as necessary. CC ID 13198 Audits and risk management Process or Activity
    Disallow application IDs from running as privileged users. CC ID 10050 Technical security Configuration
    Perform a risk assessment prior to activating third party access to the organization's critical systems. CC ID 06455 Technical security Testing
    Evaluate all possible continuity risks and impacts as a part of the continuity framework. CC ID 06374
    [{internal context}When setting the strategic outcomes and guiding the organizational strategy, the governing body should consider the organization's internal and external context, including: the organization's strengths, weaknesses, competitive positioning and operational resilience; § 6.3.3.1.1 ¶ 2 i)]
    Operational and Systems Continuity Systems Continuity
    Employ individuals who have the appropriate staff qualifications, staff clearances, and staff competencies. CC ID 00782
    [The composition and structure of the governing body will vary between organizations. However, the governing body, as a collective, should remain suitably equipped to fulfil its role. Appointments to the governing body should be transparent to stakeholders and consider: competence (relevant knowledge and understanding, skills and experience); § 4.3.1 ¶ 1 Bullet 1
    The governing body should: ensure it has the right combination of knowledge, skills and experience to understand the operations of the organization and the markets in which it operates; § 4.3.2 ¶ 2 a)
    The composition and structure of the governing body will vary between organizations. However, the governing body, as a collective, should remain suitably equipped to fulfil its role. Appointments to the governing body should be transparent to stakeholders and consider: § 4.3.1 ¶ 1
    {be adequate} The governing body is accountable for establishing and maintaining an integrated organizational governance framework across the organization that coordinates these governance activities such that the organization realizes effective performance, responsible stewardship and ethical behaviour. This organizational governance framework should ensure that decision-makers have appropriate authority, competence and resources for the responsibilities given to them. Effective delegation and transparent decision-making empower personnel to act appropriately, resulting in a more resilient and agile organization. Controls and subsequent improvement actions should be planned and implemented to ensure that the governance system remains adequate for the organization's purpose. § 4.2.1 ¶ 2]
    Human Resources management Testing
    Perform security skills assessments for all critical employees. CC ID 12102 Human Resources management Human Resources Management
    Perform a background check during personnel screening. CC ID 11758 Human Resources management Human Resources Management
    Document the personnel risk assessment results. CC ID 11764 Human Resources management Establish/Maintain Documentation
    Perform periodic background checks on designated roles, as necessary. CC ID 11759 Human Resources management Human Resources Management
    Document the security clearance procedure results. CC ID 01635 Human Resources management Establish/Maintain Documentation
    Document and communicate role descriptions to all applicable personnel. CC ID 00776 Human Resources management Establish Roles
    Assign and staff all roles appropriately. CC ID 00784 Human Resources management Testing
    Implement segregation of duties in roles and responsibilities. CC ID 00774 Human Resources management Testing
    Evaluate the staffing requirements regularly. CC ID 00775 Human Resources management Business Processes
    Scan devices for malicious code when an individual returns from locations deemed to be of risk. CC ID 10599 Human Resources management Process or Activity
    Include the legal intellectual property responsibilities in the Code of Conduct. CC ID 04898 Human Resources management Establish/Maintain Documentation
    Establish, implement, and maintain performance reviews. CC ID 14777
    [The governing body should oversee organizational performance by assessing and taking corrective action based on: managerial reporting and performance, ensuring that it appraises results against applicable measurement criteria and its intentions and expectations (see 6.3.3); § 6.4.3.2 ¶ 1 b)
    The governing body should oversee organizational performance by assessing and taking corrective action based on: resource allocations, capacity and capabilities (including people and their development) ensuring that the organization is enabled to meet its organizational purpose, value generation objectives and strategic outcomes; § 6.4.3.2 ¶ 1 g)]
    Human Resources management Business Processes
    Conduct performance reviews for the board of directors and board committees, as necessary. CC ID 14783 Human Resources management Human Resources Management
    Conduct staff performance reviews, as necessary. CC ID 07205
    [{individual}The governing body should steer the organizational strategy by means of: monitoring, evaluating and developing the capacities and competencies of those to whom the governing body has delegated; § 6.3.3.2.2 ¶ 2 g)]
    Human Resources management Business Processes
    Analyze the documentation produced by staff during the performance review. CC ID 07207 Human Resources management Establish/Maintain Documentation
    Review the relevance of information supporting internal controls. CC ID 12420 Operational management Business Processes
    Include emergency response procedures in the internal control framework. CC ID 06779 Operational management Establish/Maintain Documentation
    Review and approve access controls, as necessary. CC ID 13074 Operational management Process or Activity
    Perform social network analysis, as necessary. CC ID 14864 Operational management Investigate
    Include individual commitment to the organization's Governance, Risk, and Compliance framework in the analysis of the organizational culture. CC ID 12922 Operational management Process or Activity
    Include the organizational climate in the analysis of the organizational culture. CC ID 12921 Operational management Process or Activity
    Include consistency of leadership actions to mission, vision, and values in the analysis of the organizational culture. CC ID 12920
    [Ethical and effective leadership is demonstrated when the governing body: behaves in a manner consistent with the defined organizational values; § 6.7.3.1 ¶ 3 Bullet 2
    {internal context}When setting the strategic outcomes and guiding the organizational strategy, the governing body should consider the organization's internal and external context, including: the organizational purpose, the application of the organizational values and the organization's value generation model; § 6.3.3.1.1 ¶ 2 a)
    Within the governing body: The members of the governing body should demonstrate that they are behaving in a manner consistent with the organizational values. § 6.7.3.3 ¶ 1 a)
    The governing body should oversee organizational performance by assessing and taking corrective action based on: whether the organizational values and governance policies are effectively guiding the organization, its culture and its ethical behaviour; § 6.4.3.2 ¶ 1 a)]
    Operational management Process or Activity
    Include all electronic storage media containing restricted data or restricted information in the storage media inventory. CC ID 00962 Operational management Establish/Maintain Documentation
    Employ Dynamic Host Configuration Protocol server logging to detect systems not in the asset inventory. CC ID 12110 Operational management Technical Security
    Test systems for malicious code prior to when the system will be redeployed. CC ID 06339 Operational management Testing
    Control and monitor all maintenance tools. CC ID 01432 Operational management Physical and Environmental Protection
    Conduct maintenance with authorized personnel. CC ID 01434 Operational management Testing
    Calibrate assets according to the calibration procedures for the asset. CC ID 06203 Operational management Testing
    Test for detrimental environmental factors after a system is disposed. CC ID 06938 Operational management Testing
    Analyze the incident response process following an incident response. CC ID 13179
    [The governing body should oversee organizational performance by assessing and taking corrective action based on: the organization's management of plans, organizational changes and other substantial transformations as well as responses to unplanned events and incidents. § 6.4.3.2 ¶ 1 j)]
    Operational management Investigate
    Use proactive performance management. CC ID 00937 Operational management Business Processes
    Utilize resource availability management controls. CC ID 00940 Operational management Business Processes
    Identify and allocate departmental costs. CC ID 00871 Operational management Business Processes
    Justify the system's cost and benefit. CC ID 00874
    [Issues of particular concern to a governing body are where the organization benefits but where the costs for that benefit are incurred by another party. These are sometimes referred to as "negative externalities" or "unpriced impacts" and can be both financial or non-financial in nature. In such cases, the governing body should account for these benefits. § 6.10.3 ¶ 2]
    Operational management Business Processes
    Ensure data sets have the appropriate characteristics. CC ID 15000 Records management Data and Information Management
    Ensure data sets are complete, are accurate, and are relevant. CC ID 14999 Records management Data and Information Management
    Establish, implement, and maintain data accuracy controls. CC ID 00921
    [To exercise effective oversight, the governing body should: assure itself of the accuracy of reports and evidence it receives, and the effectiveness of the internal control system. § 6.4.3.1 ¶ 1 d)
    The governing body should make decisions of requisite quality and ensure that its decision-making is appropriately informed. The governing body should: ensure that assurance is provided over the integrity of the data and information received, and in particular its accuracy and completeness; § 6.8.3.2.1 ¶ 1 g)]
    Records management Monitor and Evaluate Occurrences
    Compare each record's data input to its final form. CC ID 11813 Records management Records Management
    Include complete information in the take-down request. CC ID 09965 Acquisition or sale of facilities, technology, and services Business Processes
    Include the complainant's contact information in the take-down request. CC ID 09966 Acquisition or sale of facilities, technology, and services Business Processes
    Include the identification of unlawful material or unlawful activities in the take-down request. CC ID 09967 Acquisition or sale of facilities, technology, and services Business Processes
    Include the identification of the right that has allegedly been infringed in the take-down request. CC ID 09968 Acquisition or sale of facilities, technology, and services Business Processes
    Include the remedial action required to be taken in respect of the complaint in the take-down request. CC ID 09969 Acquisition or sale of facilities, technology, and services Business Processes
    Include a statement that the complainant is acting in good faith in the take-down request. CC ID 09971 Acquisition or sale of facilities, technology, and services Business Processes
    Include the written signature or electronic signature of the complainant in the take-down request. CC ID 09972 Acquisition or sale of facilities, technology, and services Business Processes
    Analyze the digital content hosted by the organization for any electronic material associated with the take-down request. CC ID 09974 Acquisition or sale of facilities, technology, and services Business Processes
    Notify the individual of the reasons for delays in responding to data access requests. CC ID 00422 Privacy protection for information and data Behavior
    Notify the individual when a cost is imposed which must be paid in advance to gain access. CC ID 00423 Privacy protection for information and data Behavior
    Determine the financial impact for the unauthorized disclosure of privacy-related data and privacy-related information. CC ID 06488 Privacy protection for information and data Business Processes
    Confirm the data quality of personal data collected from third parties. CC ID 13510 Privacy protection for information and data Investigate
    Review the methods for collecting personal data, as necessary. CC ID 13511 Privacy protection for information and data Investigate
    Refrain from storing data elements containing payment card full magnetic stripe data. CC ID 04757 Privacy protection for information and data Testing
    Conduct personal data risk assessments. CC ID 00357 Privacy protection for information and data Testing
    Establish, implement, and maintain suspicious document procedures. CC ID 04852 Privacy protection for information and data Establish/Maintain Documentation
    Establish, implement, and maintain suspicious personal data procedures. CC ID 04853 Privacy protection for information and data Data and Information Management
    Compare certain personal data such as name, date of birth, address, driver's license, or other identification against personal data on file for the applicant. CC ID 04855 Privacy protection for information and data Data and Information Management
    Establish, implement, and maintain suspicious user account activity procedures. CC ID 04854 Privacy protection for information and data Monitor and Evaluate Occurrences
    Perform an identity check prior to approving an account change request. CC ID 13670 Privacy protection for information and data Investigate
    Use the contact information on file to contact the individual identified in an account change request. CC ID 04857 Privacy protection for information and data Behavior
    Match consumer reports with current accounts on file to ensure account misuse or information misuse has not occurred. CC ID 04873 Privacy protection for information and data Data and Information Management
    Log account access dates and report when dormant accounts suddenly exhibit unusual activity. CC ID 04874 Privacy protection for information and data Log Management
    Log dates for account name changes or address changes. CC ID 04876 Privacy protection for information and data Log Management
    Review accounts that are changed for additional user requests. CC ID 11846 Privacy protection for information and data Monitor and Evaluate Occurrences
    Send change notices for change of address requests to the old address and the new address. CC ID 04877 Privacy protection for information and data Data and Information Management
    Search the Internet for evidence of data leakage. CC ID 10419 Privacy protection for information and data Process or Activity
    Review monitored websites for data leakage. CC ID 10593 Privacy protection for information and data Monitor and Evaluate Occurrences
    Document supply chain dependencies in the supply chain management program. CC ID 08900
    [{external context}The governing body should ensure that the organizational risk framework, in respect to the management of risk: considers the impact of, changes to and dependencies on the external and internal context of the organization, including: § 6.9.3.2 ¶ 2 d)]
    Third Party and supply chain oversight Establish/Maintain Documentation
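Worked example for the control "Employ Dynamic Host Configuration Protocol server logging to detect systems not in the asset inventory" (CC ID 12110) above. This is an example added by the editor; it is not code from the Unified Compliance Framework, Network Frontiers or ISO 37000. The log lines imitate the ISC dhcpd syslog DHCPACK format but are constructed for this example, the inventory is constructed and keyed by MAC address (an assumption; a real CMDB may key by serial or hostname), and only DHCPACK lines are treated as confirmed address bindings.

```python
"""Added example: reconcile DHCP server lease events against an asset inventory.

Sample log and inventory are constructed for this example (not real data).
"""
import re
from dataclasses import dataclass

# ISC dhcpd-style DHCPACK/DHCPDISCOVER lines (constructed for this example).
SAMPLE_DHCP_LOG = """\
Mar  3 09:12:01 dhcp1 dhcpd[1203]: DHCPACK on 10.20.4.31 to 00:1a:2b:3c:4d:5e (ws-finance-07) via eth0
Mar  3 09:12:09 dhcp1 dhcpd[1203]: DHCPDISCOVER from f8:e4:3b:11:22:33 via eth0
Mar  3 09:12:10 dhcp1 dhcpd[1203]: DHCPACK on 10.20.4.77 to f8:e4:3b:11:22:33 (android-9c1) via eth0
Mar  3 09:13:44 dhcp1 dhcpd[1203]: DHCPACK on 10.20.4.31 to 00:1a:2b:3c:4d:5e (ws-finance-07) via eth0
Mar  3 09:15:02 dhcp1 dhcpd[1203]: DHCPACK on 10.20.4.90 to 00:50:56:ab:cd:ef via eth0
"""

# Asset inventory keyed by MAC address (constructed; keying by MAC is an assumption).
ASSET_INVENTORY = {
    "00:1a:2b:3c:4d:5e": "ws-finance-07",
    "00:50:56:ab:cd:ef": "vm-build-02",
}

# Only DHCPACK lines represent a confirmed lease; the hostname field is optional.
ACK_RE = re.compile(
    r"DHCPACK on (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) to (?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})"
    r"(?: \((?P<host>[^)]*)\))? via (?P<iface>\S+)",
    re.IGNORECASE,
)


@dataclass(frozen=True)
class Lease:
    ip: str
    mac: str
    hostname: str


def parse_acks(log_text):
    """Return one Lease per unique (ip, mac) binding seen in DHCPACK lines."""
    seen = {}
    for line in log_text.splitlines():
        m = ACK_RE.search(line)
        if not m:
            continue  # DISCOVER/OFFER/REQUEST carry no confirmed binding
        lease = Lease(m["ip"], m["mac"].lower(), m["host"] or "")
        seen.setdefault((lease.ip, lease.mac), lease)  # renewals collapse to one entry
    return list(seen.values())


def find_unknown_hosts(log_text, inventory):
    """Leases whose MAC is absent from the inventory: candidate unmanaged devices."""
    known = {mac.lower() for mac in inventory}
    return [lease for lease in parse_acks(log_text) if lease.mac not in known]


def find_hostname_mismatches(log_text, inventory):
    """Known MACs that presented a hostname different from the inventory record
    (possible re-imaged or spoofed device); leases without a hostname are skipped."""
    inv = {mac.lower(): name for mac, name in inventory.items()}
    return [lease for lease in parse_acks(log_text)
            if lease.mac in inv and lease.hostname and lease.hostname != inv[lease.mac]]


if __name__ == "__main__":
    for lease in find_unknown_hosts(SAMPLE_DHCP_LOG, ASSET_INVENTORY):
        print(f"not in inventory: {lease.ip} {lease.mac} {lease.hostname!r}")
    for lease in find_hostname_mismatches(SAMPLE_DHCP_LOG, ASSET_INVENTORY):
        print(f"hostname mismatch: {lease.ip} {lease.mac} {lease.hostname!r}")
```

Run against a day's dhcpd log and the exported inventory, the unknown-host list is the work queue for the control: each entry is either a device missing from the inventory or an unauthorized device on the network. MAC addresses are trivially spoofed, so treat a match as "not obviously foreign" rather than as proof of identity; the hostname-mismatch check catches the cheapest spoof, a cloned MAC with a different host name.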
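Worked example for the control "Log account access dates and report when dormant accounts suddenly exhibit unusual activity" (CC ID 04874) above, which also exercises "Review accounts that are changed for additional user requests" (CC ID 11846). This is an example added by the editor, not code from the Unified Compliance Framework, Network Frontiers or ISO 37000. The CSV access-record format, the 60-day dormancy period, the one-hour burst window and the three-event threshold are all assumptions chosen for the example; the records are constructed.

```python
"""Added example: flag accounts that went dormant and then produced a burst of activity.

The record format and thresholds are assumptions; the data is constructed.
"""
import csv
import io
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed access records: timestamp, account, action.
SAMPLE_ACCESS_LOG = """\
timestamp,account,action
2024-01-05T08:10:00,alice,login
2024-01-06T08:12:00,alice,login
2024-01-07T08:11:00,alice,login
2024-01-03T17:40:00,bob,login
2024-04-20T02:14:00,bob,login
2024-04-20T02:15:30,bob,change_address
2024-04-20T02:16:10,bob,change_email
2024-04-20T02:17:00,bob,download_statement
2024-02-01T09:00:00,carol,login
2024-03-15T09:05:00,carol,login
"""

DORMANT_AFTER = timedelta(days=60)  # assumption: no activity for 60 days = dormant
BURST_WINDOW = timedelta(hours=1)   # assumption: window in which reactivation events are counted
BURST_THRESHOLD = 3                 # assumption: events within the window that count as unusual


def load_events(text):
    """Group records by account and sort each account's events by time."""
    by_account = defaultdict(list)
    for row in csv.DictReader(io.StringIO(text)):
        by_account[row["account"]].append(
            (datetime.fromisoformat(row["timestamp"]), row["action"])
        )
    for events in by_account.values():
        events.sort()
    return by_account


def find_reactivated_dormant_accounts(text, dormant_after=DORMANT_AFTER,
                                      window=BURST_WINDOW, threshold=BURST_THRESHOLD):
    """Return {account: (idle_days, burst_actions)} for every account that was idle
    for at least `dormant_after` and then produced >= `threshold` events inside
    `window` of its first new event. Accounts with a single event cannot qualify."""
    findings = {}
    for account, events in load_events(text).items():
        for i in range(1, len(events)):
            gap = events[i][0] - events[i - 1][0]
            if gap < dormant_after:
                continue
            start = events[i][0]
            burst = [action for ts, action in events[i:] if ts - start <= window]
            if len(burst) >= threshold:
                findings[account] = (gap.days, burst)
                break  # one finding per account is enough for the report
    return findings


if __name__ == "__main__":
    for account, (idle_days, burst) in find_reactivated_dormant_accounts(SAMPLE_ACCESS_LOG).items():
        print(f"{account}: idle {idle_days} days, then {len(burst)} events: {', '.join(burst)}")
```

The interesting signal is not the login after a long gap by itself (people do return from leave) but the login immediately followed by contact-detail changes and a data download, which is the account-takeover pattern the neighbouring controls (change notices to old and new address, identity check before approving a change) are meant to interrupt. Tune the dormancy period to the account population; a 60-day threshold suits consumer accounts but would be too short for seasonal or infrequently used administrative accounts.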
  • IT Impact Zone (11 controls)
    KEY:    Primary Verb     Primary Noun     Secondary Verb     Secondary Noun     Limiting Term
    Mandated - bold    Implied - italic    Implementation - regular
    IMPACT ZONE    TYPE
    Leadership and high level objectives CC ID 00597 Leadership and high level objectives IT Impact Zone
    Monitoring and measurement CC ID 00636 Monitoring and measurement IT Impact Zone
    Audits and risk management CC ID 00677 Audits and risk management IT Impact Zone
    Technical security CC ID 00508 Technical security IT Impact Zone
    Operational and Systems Continuity CC ID 00731 Operational and Systems Continuity IT Impact Zone
    Human Resources management CC ID 00763 Human Resources management IT Impact Zone
    Operational management CC ID 00805 Operational management IT Impact Zone
    Records management CC ID 00902 Records management IT Impact Zone
    Acquisition or sale of facilities, technology, and services CC ID 01123 Acquisition or sale of facilities, technology, and services IT Impact Zone
    Privacy protection for information and data CC ID 00008 Privacy protection for information and data IT Impact Zone
    Third Party and supply chain oversight CC ID 08807 Third Party and supply chain oversight IT Impact Zone
  • Preventive (1958 controls)
    Establish, implement, and maintain a reporting methodology program. CC ID 02072
    [The governing body should: set an expectation of the appropriate quality and quantity of measurement and timeliness of delivery when establishing objectives; § 4.3.2 ¶ 2 c)
    The governing body should: determine the most appropriate reporting methodologies for the organization, given the expectations of its relevant stakeholders; § 6.5.3.2 ¶ 2 Bullet 1
    The governing body should consider the expectations of relevant stakeholder groups whether the organization is obliged to do so (e.g. member stakeholders, regulators) or whether it chooses to do so (e.g. reference stakeholders). The governing body should ensure that: reporting is coherent so that stakeholders can effectively assess the organization's governance arrangements (see 6.5.3). § 6.6.3 ¶ 3 f)
    To demonstrate accountability, the governing body should ensure that the organization's reports and disclosures: report on historic actions and outcomes, as well as future intentions. § 6.5.3.2 ¶ 1 h)
    {be complete}{be understandable}{be responsive}{be accurate}{be timely}The governing body should: ensure that reported information and disclosed information are material, complete, understandable, responsive, accurate, balanced and timely; § 6.5.3.2 ¶ 2 Bullet 2]
    Leadership and high level objectives Business Processes
    Establish, implement, and maintain communication protocols. CC ID 12245
    [The governing body should consider the expectations of relevant stakeholder groups whether the organization is obliged to do so (e.g. member stakeholders, regulators) or whether it chooses to do so (e.g. reference stakeholders). The governing body should ensure that: an open and transparent communication culture within the organization is created and maintained to help bridge the gap between diverse stakeholder groups and varying perspectives based on, for example, gender, age, belief systems or cognitive abilities; § 6.6.3 ¶ 3 e)
    The governing body should ensure that the organization's value generation model (see 6.2): identifies the key resources (e.g. capitals such as human, social and relational, intellectual, the natural environmental, financial and manufactured), structures, processes, relationships, information, decision-making, reporting and other aspects of the organization that allow it to create sustained value for relevant stakeholders; § 6.11.3.2 ¶ 1 a)
    Assurance processes that inform the governing body independently and accurately include: whistleblowing processes and personnel and customer feedback mechanisms, both formal and informal (see NOTE 3). § 6.4.3.3 ¶ 2 Bullet 5]
    Leadership and high level objectives Establish/Maintain Documentation
    Use secure communication protocols for telecommunications. CC ID 16458 Leadership and high level objectives Business Processes
    Align the information being disseminated and communicated with the communication requirements according to the organization's communication protocol. CC ID 12419
    [{be within}To demonstrate accountability, the governing body should ensure that the organization's reports and disclosures: are transparent but also within the limits of confidentiality; § 6.5.3.2 ¶ 1 f)
    The governing body should make decisions of requisite quality and ensure that its decision-making is appropriately informed. The governing body should: exercise its right and responsibility to determine and receive the information it requires, including determining the appropriate data collection methods, preparation and timely delivery of information; § 6.8.3.2.1 ¶ 1 f)]
    Leadership and high level objectives Establish/Maintain Documentation
    Include external requirements in the organization's communication protocol. CC ID 12418 Leadership and high level objectives Establish/Maintain Documentation
    Include disseminating and communicating events surrounding instances of desirable conduct and undesirable conduct in the communication protocols. CC ID 12824 Leadership and high level objectives Communicate
    Include input from interested personnel and affected parties as a part of the organization’s communication protocol. CC ID 12417
    [When defining the organizational values, the governing body should ensure that: all relevant stakeholders are engaged; § 6.1.3.3 ¶ 1 a)
    For accountability to be effective, it relies on effective stakeholder engagement (see 6.6) as this is the basis for effective dialogue, value generation and improvement. The governing body should be available to answer to relevant stakeholders about decisions made and have responses evaluated. Improvements should be applied as the result of feedback from reporting, disclosure and dialogue activities. § 6.5.3.2 ¶ 3
    The governing body should ensure that the organization's stakeholders are appropriately engaged and their expectations considered. § 6.6.1 ¶ 1
    The governing body should ensure that the organization's stakeholders are identified, prioritized, appropriately engaged, consulted and their expectations understood. The governing body should do this to ensure that stakeholder relationships are effective and appropriate decisions about expectations are made to achieve the intended value generation objectives. § 6.6.3 ¶ 1
    {stakeholder engagement process}To ensure that the organization is acting in a socially responsible way, the governing body should: ensure that the expectations of stakeholders are clearly understood; this includes continually engaging relevant stakeholders through an engagement process and a highly developed approach to accountability (see 6.5); § 6.10.3 ¶ 1 a)
    To ensure that the organization is acting in a socially responsible way, the governing body should: engage with all relevant stakeholders when establishing and reviewing governance policies; § 6.10.3 ¶ 1 e)
    The governing body should ensure that the organization's stakeholders are appropriately engaged and their expectations considered. Table 1 Column 4 Row 7
    {be responsible}{be accurate}The governing body should ensure that the organizational risk framework, in respect to the management of risk: mandates that relevant stakeholders are engaged responsibly and accurately, and considers the organization's positive and negative risk impacts on them (see 6.6). § 6.9.3.2 ¶ 2 h)
    The governing body should consider the expectations of relevant stakeholder groups whether the organization is obliged to do so (e.g. member stakeholders, regulators) or whether it chooses to do so (e.g. reference stakeholders). The governing body should ensure that: relevant stakeholders are engaged in achieving the organizational purpose via its organizational strategy; § 6.6.3 ¶ 3 a)
    To ensure that the organization is acting in a socially responsible way, the governing body should: engage with all relevant stakeholders when determining and reviewing the organizational values and promote the organizational values to stakeholders; § 6.10.3 ¶ 1 d)
    {environmental system}{social system} The governing body should ensure that the organization protects and restores those systems on which it depends. In this regard, the governing body should consider and manage risk associated with those decisions it makes that can impact the natural environmental, social and economic systems (see 6.9). While doing so, the governing body should ensure that relevant stakeholders are consulted and engaged (see 6.6). This should provide clarity regarding the impact the governing body's decisions have, over time, on those aspects on which the organization is: § 6.11.3.4 ¶ 1]
    Leadership and high level objectives Establish/Maintain Documentation
    Establish, implement, and maintain a corrective action plan to address barriers to stakeholder engagement. CC ID 15677 Leadership and high level objectives Process or Activity
    Identify barriers to stakeholder engagement. CC ID 15676 Leadership and high level objectives Process or Activity
    Identify alternative measures for collecting stakeholder input, as necessary. CC ID 15672 Leadership and high level objectives Communicate
    Include disseminating and communicating conditions surrounding instances of desirable conduct and undesirable conduct in the communication protocols. CC ID 12804 Leadership and high level objectives Communicate
    Include methods to obtain information from interested personnel and affected parties about performance variances in the communication protocol. CC ID 12856 Leadership and high level objectives Process or Activity
    Include disseminating and communicating desirable conduct in the communication protocols. CC ID 12803 Leadership and high level objectives Communicate
    Include disseminating and communicating undesirable conduct in communication protocols. CC ID 12802 Leadership and high level objectives Communicate
    Route notifications, as necessary. CC ID 12832 Leadership and high level objectives Process or Activity
    Substantiate notifications, as necessary. CC ID 12831 Leadership and high level objectives Process or Activity
    Analyze the flow of information to ensure it is being received by the correct processes. CC ID 12860
    [The governing body should make decisions of requisite quality and ensure that its decision-making is appropriately informed. The governing body should: exercise its right and responsibility to determine and receive the information it requires, including determining the appropriate data collection methods, preparation and timely delivery of information; § 6.8.3.2.1 ¶ 1 f)]
    Leadership and high level objectives Business Processes
    Prioritize notifications, as necessary. CC ID 12830 Leadership and high level objectives Process or Activity
    Report to management and stakeholders on the findings and information gathered from all types of inquiries. CC ID 12797
    [{be appropriate}When delegating, the governing body should delegate in a manner which increases trust and transparency. For delegation and accountability (see 6.5) to be effective, the governing body should ensure that the following conditions are fulfilled: outputs, outcomes and the processes to achieve the responsibilities are periodically reported and presented with evidence that actions taken are reasonable and appropriate; § 4.2.2 ¶ 2 d)
    The governing body should: report on the process and outcomes of assessments to relevant stakeholders (see 6.5.3). § 4.3.2 ¶ 2 e)
    Ethical behaviour — The organization behaves in accordance with accepted principles of right or good conduct in the context of a particular situation and in a manner consistent with international norms of behaviour, including demonstrating: accountability through accurate and timely reporting on its performance and stewardship of resources; § 5 ¶ 2 c) 2)
    To demonstrate accountability, the governing body should ensure that the organization's reports and disclosures: provide information about the organization, including: § 6.5.3.2 ¶ 1 c)
    The governing body should demonstrate accountability by retaining and distributing value in a transparent manner and reporting on the associated processes, decisions and results, including on the extent of the organization's impacts over time. This includes disclosing to relevant stakeholders where the organization has destroyed or compromised value, providing a justification for such where appropriate, and describing how it will redress or reinstate that value. § 6.2.3.5 ¶ 2]
    Leadership and high level objectives Actionable Reports or Measurements
    Disseminate and communicate internal controls with supply chain members. CC ID 12416 Leadership and high level objectives Communicate
    Establish and maintain the organization's survey method. CC ID 12869 Leadership and high level objectives Process or Activity
    Document the findings from surveys. CC ID 16309 Leadership and high level objectives Establish/Maintain Documentation
    Provide a consolidated view of information in the organization's survey method. CC ID 12894 Leadership and high level objectives Process or Activity
    Establish, implement, and maintain warning procedures that follow the organization's communication protocol. CC ID 12407 Leadership and high level objectives Establish/Maintain Documentation
    Establish, implement, and maintain alert procedures that follow the organization's communication protocol. CC ID 12406 Leadership and high level objectives Establish/Maintain Documentation
    Include the capturing and alerting of compliance violations in the notification system. CC ID 12962 Leadership and high level objectives Monitor and Evaluate Occurrences
    Include the capturing and alerting of unethical conduct in the notification system. CC ID 12932 Leadership and high level objectives Monitor and Evaluate Occurrences
    Include the capturing and alerting of performance variances in the notification system. CC ID 12929 Leadership and high level objectives Monitor and Evaluate Occurrences
    Include the capturing and alerting of weaknesses in the notification system. CC ID 12928 Leadership and high level objectives Monitor and Evaluate Occurrences
    Include the capturing and alerting of account activity in the notification system. CC ID 15314 Leadership and high level objectives Monitor and Evaluate Occurrences
    Establish, implement, and maintain an internal reporting program. CC ID 12409
    [{individual}To exercise effective oversight, the governing body should: require those to whom they have delegated to provide timely and accurate reports on all material aspects of the management of the organization; § 6.4.3.1 ¶ 1 a)
    The governing body should oversee organizational performance by assessing and taking corrective action based on: managerial reporting and performance, ensuring that it appraises results against applicable measurement criteria and its intentions and expectations (see 6.3.3); § 6.4.3.2 ¶ 1 b)
    The governing body should make decisions of requisite quality and ensure that its decision-making is appropriately informed. The governing body should: exercise its right and responsibility to determine and receive the information it requires, including determining the appropriate data collection methods, preparation and timely delivery of information; § 6.8.3.2.1 ¶ 1 f)]
    Leadership and high level objectives Business Processes
    Include transactions and events as a part of internal reporting. CC ID 12413 Leadership and high level objectives Business Processes
    Disseminate and communicate management's choices for managing the organization as a part of internal reporting. CC ID 12412
    [To demonstrate accountability, the governing body should ensure that the organization's reports and disclosures: provide information about the governing body itself, including: the fulfilment of its responsibilities, including the consequences of not fulfilling its obligations; § 6.5.3.2 ¶ 1 b) 2)
    To demonstrate accountability, the governing body should ensure that the organization's reports and disclosures: provide information about the organization, including: the way in which the organization's performance was achieved and whether this performance was reasonable given the organization's changing context governance policies, including organizational values; § 6.5.3.2 ¶ 1 c) 2)
    To demonstrate accountability, the governing body should ensure that the organization's reports and disclosures: explain and justify the organization's actions, inactions, omissions, risk and dependencies, including those of the governing body; § 6.5.3.2 ¶ 1 g)
    To demonstrate accountability, the governing body should ensure that the organization's reports and disclosures: provide information about the governing body itself, including: decisions, actions, performance and improvements; § 6.5.3.2 ¶ 1 b) 1)]
    Leadership and high level objectives Communicate
    Enforce a precision level for non-financial reporting based on user need and appropriate supply chain criteria. CC ID 12399 Leadership and high level objectives Establish/Maintain Documentation
    Define the thresholds for escalation in the internal reporting program. CC ID 14332 Leadership and high level objectives Establish/Maintain Documentation
    Define the thresholds for reporting in the internal reporting program. CC ID 14331 Leadership and high level objectives Establish/Maintain Documentation
    Establish, implement, and maintain an external reporting program. CC ID 12876 Leadership and high level objectives Communicate
    Provide identifying information about the organization to the responsible party. CC ID 16715 Leadership and high level objectives Communicate
    Identify the material topics required to be reported on. CC ID 15654 Leadership and high level objectives Business Processes
    Check the list of material topics for completeness. CC ID 15692 Leadership and high level objectives Investigate
    Prioritize material topics used in reporting. CC ID 15678 Leadership and high level objectives Communicate
    Review and approve the material topics, as necessary. CC ID 15670 Leadership and high level objectives Process or Activity
    Define the thresholds for reporting in the external reporting program. CC ID 15679 Leadership and high level objectives Establish/Maintain Documentation
    Include time requirements in the external reporting program. CC ID 16566 Leadership and high level objectives Communicate
    Include information about the organizational culture in the external reporting program. CC ID 15610
    [To demonstrate accountability, the governing body should ensure that the organization's reports and disclosures: provide information about the organization, including: the organizational culture, including the organizational behaviour and perceptions of the organization's behaviour provided by relevant stakeholders; § 6.5.3.2 ¶ 1 c) 5)]
    Leadership and high level objectives Establish/Maintain Documentation
    Include reporting to governing bodies in the external reporting plan. CC ID 12923 Leadership and high level objectives Communicate
    Submit confidential treatment applications to interested personnel and affected parties. CC ID 16592 Leadership and high level objectives Communicate
    Include the reasons for objections to public disclosure in confidential treatment applications. CC ID 16594 Leadership and high level objectives Establish/Maintain Documentation
    Include contact information for the interested personnel and affected parties the report was filed with in the confidential treatment application. CC ID 16595 Leadership and high level objectives Establish/Maintain Documentation
    Include the information that was omitted in the confidential treatment application. CC ID 16593 Leadership and high level objectives Establish/Maintain Documentation
    Analyze organizational objectives, functions, and activities. CC ID 00598
    [When applying the governance principles and deciding how to appropriately implement the practices, the governing body should take into consideration the unique and dynamic nature of the organization and its context, including the following: characteristics of the organization such as organizational type, structure, size, interdependencies, complexity, culture and its expected future progression; § 5 ¶ 5 Bullet 4
    Defining the organizational purpose involves identifying the issues and stakeholders for which the organization exists to serve and the negative impacts that are to be avoided. When identifying these, the governing body should ensure that the following are considered: the historic, current and aspirational core identity of the organization, including the organizational values and expected ethical behaviour; § 6.1.3.2 ¶ 1 b)]
    Leadership and high level objectives Monitor and Evaluate Occurrences
    Develop instructions for setting organizational objectives and strategies. CC ID 12931 Leadership and high level objectives Establish/Maintain Documentation
    Analyze the business environment in which the organization operates. CC ID 12798
    [When applying the governance principles and deciding how to appropriately implement the practices, the governing body should take into consideration the unique and dynamic nature of the organization and its context, including the following: § 5 ¶ 5
    Defining the organizational purpose involves identifying the issues and stakeholders for which the organization exists to serve and the negative impacts that are to be avoided. When identifying these, the governing body should ensure that the following are considered: existing documentation relating to the organizational purpose and the scope of the organization's activities, such as constituting documents or other artefacts; § 6.1.3.2 ¶ 1 a)
    Take steps to become appropriately informed of all aspects of the organization and the context within which it operates (such as legal, natural environment, social, economic, technical and personnel). Table 2 Column 2 Row 3 Bullet 1]
    Leadership and high level objectives Business Processes
    Identify the internal factors that may affect organizational objectives. CC ID 12957 Leadership and high level objectives Process or Activity
    Include key processes in the analysis of the internal business environment. CC ID 12947 Leadership and high level objectives Process or Activity
    Include existing information in the analysis of the internal business environment. CC ID 12943 Leadership and high level objectives Process or Activity
    Include resources in the analysis of the internal business environment. CC ID 12942
    [{internal context}When setting the strategic outcomes and guiding the organizational strategy, the governing body should consider the organization's internal and external context, including: the organization's need for, and access to, resources, including financial resources; § 6.3.3.1.1 ¶ 2 f)]
    Leadership and high level objectives Process or Activity
    Include the operating plan in the analysis of the internal business environment. CC ID 12941 Leadership and high level objectives Process or Activity
    Include incentives in the analysis of the internal business environment. CC ID 12940 Leadership and high level objectives Process or Activity
    Include organizational structures in the analysis of the internal business environment. CC ID 12939 Leadership and high level objectives Process or Activity
    Include the strategic plan in the analysis of the internal business environment. CC ID 12937
    [When applying the governance principles and deciding how to appropriately implement the practices, the governing body should take into consideration the unique and dynamic nature of the organization and its context, including the following: value generation model and organizational strategy; § 5 ¶ 5 Bullet 5]
    Leadership and high level objectives Process or Activity
    Include strengths and weaknesses in the analysis of the internal business environment. CC ID 12936
    [Defining the organizational purpose involves identifying the issues and stakeholders for which the organization exists to serve and the negative impacts that are to be avoided. When identifying these, the governing body should ensure that the following are considered: organizational capabilities and opportunities. § 6.1.3.2 ¶ 1 e)
    {internal context}When setting the strategic outcomes and guiding the organizational strategy, the governing body should consider the organization's internal and external context, including: the organization's strengths, weaknesses, competitive positioning and operational resilience; § 6.3.3.1.1 ¶ 2 i)]
    Leadership and high level objectives Process or Activity
    Align assets with business functions and the business environment. CC ID 13681 Leadership and high level objectives Business Processes
    Disseminate and communicate the organization's business environment and place in its industry sector. CC ID 13200 Leadership and high level objectives Communicate
    Monitor for changes which affect organizational strategies in the internal business environment. CC ID 12863 Leadership and high level objectives Monitor and Evaluate Occurrences
    Monitor for changes which affect organizational objectives in the internal business environment. CC ID 12862
    [{external context}The governing body should ensure that the organizational risk framework, in respect to the management of risk: considers the impact of, changes to and dependencies on the external and internal context of the organization, including: § 6.9.3.2 ¶ 2 d)]
    Leadership and high level objectives Monitor and Evaluate Occurrences
    Analyze the external environment in which the organization operates. CC ID 12799
    [Responsible stewardship — The organization: considers the global context; § 5 ¶ 2 b) 3)
    {social context}{internal context}When setting the strategic outcomes and guiding the organizational strategy, the governing body should consider the organization's internal and external context, including: the interdependence between the natural environment, social and economic context – the organization's material impact on the context and its material impact on the organization; § 6.3.3.1.1 ¶ 2 e)]
    Leadership and high level objectives Business Processes
    Identify the external forces that may affect organizational objectives. CC ID 12960
    [The governing body should ensure that the organization's value generation model identifies and assesses (see 6.2): the relevant external systems on which the organization depends; § 6.11.3.3 ¶ 1 a)]
    Leadership and high level objectives Process or Activity
    Monitor for changes which affect organizational strategies in the external environment. CC ID 12880 Leadership and high level objectives Monitor and Evaluate Occurrences
    Include environmental requirements in the analysis of the external environment. CC ID 12965
    [While not defined as stakeholders, the natural environment and society as a whole should also be considered by the governing body in its decision-making because they affect or will be affected by the organization's activities. § 4.2.5 ¶ 2
    {legal and regulatory context}{social context}When applying the governance principles and deciding how to appropriately implement the practices, the governing body should take into consideration the unique and dynamic nature of the organization and its context, including the following: legal, regulatory, natural environment, social and economic context; § 5 ¶ 5 Bullet 2
    {social issue} In determining the value generation model, the governing body should understand the context in which the organization operates over time, including stakeholder expectations, regulatory frameworks, technological change, and the present and potential future natural environment, social and economic issues. The governing body should also ensure that the organization's value generation model continues to be viable and responds to changing conditions. § 6.2.3.1 ¶ 3]
    Leadership and high level objectives Business Processes
    Monitor for changes which affect organizational objectives in the external environment. CC ID 12879
    [{external context}The governing body should ensure that the organizational risk framework, in respect to the management of risk: considers the impact of, changes to and dependencies on the external and internal context of the organization, including: § 6.9.3.2 ¶ 2 d)]
    Leadership and high level objectives Monitor and Evaluate Occurrences
    Include regulatory requirements in the analysis of the external environment. CC ID 12964
    [{legal and regulatory context}{social context}When applying the governance principles and deciding how to appropriately implement the practices, the governing body should take into consideration the unique and dynamic nature of the organization and its context, including the following: legal, regulatory, natural environment, social and economic context; § 5 ¶ 5 Bullet 2
    {social issue} In determining the value generation model, the governing body should understand the context in which the organization operates over time, including stakeholder expectations, regulatory frameworks, technological change, and the present and potential future natural environment, social and economic issues. The governing body should also ensure that the organization's value generation model continues to be viable and responds to changing conditions. § 6.2.3.1 ¶ 3]
    Leadership and high level objectives Business Processes
    Include society in the analysis of the external environment. CC ID 12963
    [While not defined as stakeholders, the natural environment and society as a whole should also be considered by the governing body in its decision-making because they affect or will be affected by the organization's activities. § 4.2.5 ¶ 2
    {legal and regulatory context}{social context}When applying the governance principles and deciding how to appropriately implement the practices, the governing body should take into consideration the unique and dynamic nature of the organization and its context, including the following: legal, regulatory, natural environment, social and economic context; § 5 ¶ 5 Bullet 2
    {social issue} In determining the value generation model, the governing body should understand the context in which the organization operates over time, including stakeholder expectations, regulatory frameworks, technological change, and the present and potential future natural environment, social and economic issues. The governing body should also ensure that the organization's value generation model continues to be viable and responds to changing conditions. § 6.2.3.1 ¶ 3]
    Leadership and high level objectives Business Processes
    Include opportunities in the analysis of the external environment. CC ID 12954 Leadership and high level objectives Business Processes
    Include third party relationships in the analysis of the external environment. CC ID 12952 Leadership and high level objectives Business Processes
    Include industry forces in the analysis of the external environment. CC ID 12904
    [{internal context}When setting the strategic outcomes and guiding the organizational strategy, the governing body should consider the organization's internal and external context, including: the organization's strengths, weaknesses, competitive positioning and operational resilience; § 6.3.3.1.1 ¶ 2 i)]
    Leadership and high level objectives Business Processes
    Include threats in the analysis of the external environment. CC ID 12898
    [Defining the organizational purpose involves identifying the issues and stakeholders for which the organization exists to serve and the negative impacts that are to be avoided. When identifying these, the governing body should ensure that the following are considered: important issues including global threats that evolve over time (e.g. climate change); § 6.1.3.2 ¶ 1 c)]
    Leadership and high level objectives Business Processes
    Include geopolitics in the analysis of the external environment. CC ID 12897 Leadership and high level objectives Business Processes
    Include legal requirements in the analysis of the external environment. CC ID 12896 Leadership and high level objectives Business Processes
    Include technology in the analysis of the external environment. CC ID 12837
    [{social issue} In determining the value generation model, the governing body should understand the context in which the organization operates over time, including stakeholder expectations, regulatory frameworks, technological change, and the present and potential future natural environment, social and economic issues. The governing body should also ensure that the organization's value generation model continues to be viable and responds to changing conditions. § 6.2.3.1 ¶ 3]
    Leadership and high level objectives Business Processes
    Include analyzing the market in the analysis of the external environment. CC ID 12836
    [{legal and regulatory context}{social context}When applying the governance principles and deciding how to appropriately implement the practices, the governing body should take into consideration the unique and dynamic nature of the organization and its context, including the following: legal, regulatory, natural environment, social and economic context; § 5 ¶ 5 Bullet 2
    {social issue} In determining the value generation model, the governing body should understand the context in which the organization operates over time, including stakeholder expectations, regulatory frameworks, technological change, and the present and potential future natural environment, social and economic issues. The governing body should also ensure that the organization's value generation model continues to be viable and responds to changing conditions. § 6.2.3.1 ¶ 3]
    Leadership and high level objectives Business Processes
    Conduct a context analysis to define objectives and strategies. CC ID 12864
    [Leadership styles can differ, but they all involve the setting of expectations which others follow. Since the governing body is accountable for the whole organization, including its behaviour, decisions and activities, the governing body should set those expectations it requires the organization to follow, including the parameters within which the organization is to do so. These expectations should be set mindfully and intentionally, considering the context within which the organization operates. § 6.7.3.1 ¶ 1
    {internal context} When setting the strategic outcomes and guiding the organizational strategy, the governing body should consider the organization's internal and external context, including: § 6.3.3.1.1 ¶ 2
    {social issue} In determining the value generation model, the governing body should understand the context in which the organization operates over time, including stakeholder expectations, regulatory frameworks, technological change, and the present and potential future natural environment, social and economic issues. The governing body should also ensure that the organization's value generation model continues to be viable and responds to changing conditions. § 6.2.3.1 ¶ 3]
    Leadership and high level objectives Business Processes
    Establish, implement, and maintain organizational objectives. CC ID 09959
    [Leadership styles can differ, but they all involve the setting of expectations which others follow. Since the governing body is accountable for the whole organization, including its behaviour, decisions and activities, the governing body should set those expectations it requires the organization to follow, including the parameters within which the organization is to do so. These expectations should be set mindfully and intentionally, considering the context within which the organization operates. § 6.7.3.1 ¶ 1
    Within the organization: The organization should fulfil the expectations set by the governing body. § 6.7.3.2 ¶ 1 b)
    {social context} The governing body should define the organization's value generation objectives such that they fulfil the organizational purpose in accordance with the organizational values and the natural environment, social and economic context within which it operates. This should include iterations of identifying relevant stakeholder groups and determining, prioritizing and formulating objectives which meet the expectations of these groups. § 6.2.3.2 ¶ 1
    The governing body should provide the organization with an understanding of its intentions by setting clear strategic outcomes and guidance on the organizational strategy to achieve these outcomes, which it has determined will fulfil the organizational purpose and value generation objectives. § 6.3.3.1.1 ¶ 1
    Within the governing body: The governing body should set expectations for itself and the organization, including parameters within which these expectations are to be fulfilled. The governing body should fulfil these expectations (internal alignment). § 6.7.3.2 ¶ 1 a)]
    Leadership and high level objectives Establish/Maintain Documentation
    Evaluate organizational objectives to determine impact on other organizational objectives. CC ID 12814 Leadership and high level objectives Process or Activity
    Identify events that may affect organizational objectives. CC ID 12961 Leadership and high level objectives Process or Activity
    Identify conditions that may affect organizational objectives. CC ID 12958
    [{external context}The governing body should ensure that the organizational risk framework, in respect to the management of risk: considers the impact of, changes to and dependencies on the external and internal context of the organization, including: intended strategic outcomes; § 6.9.3.2 ¶ 2 d) 6)]
    Leadership and high level objectives Process or Activity
    Identify requirements that could affect achieving organizational objectives. CC ID 12828
    [When applying the governance principles and deciding how to appropriately implement the practices, the governing body should take into consideration the unique and dynamic nature of the organization and its context, including the following: commitments and obligations associated with organizational activities and value generation processes; § 5 ¶ 5 Bullet 6]
    Leadership and high level objectives Business Processes
    Identify opportunities that could affect achieving organizational objectives. CC ID 12826
    [New technology brings an increase in the volume and value of data, and a responsibility for governing bodies to ensure that: valuable opportunities are leveraged; § 6.8.3.4 ¶ 1 Bullet 2
    To ensure that the organization is acting in a socially responsible way, the governing body should: ensure that issues and opportunities affecting stakeholder expectations are identified and articulated (see 6.9); § 6.10.3 ¶ 1 b)
    Defining the organizational purpose involves identifying the issues and stakeholders for which the organization exists to serve and the negative impacts that are to be avoided. When identifying these, the governing body should ensure that the following are considered: organizational capabilities and opportunities. § 6.1.3.2 ¶ 1 e)
    {internal context}When setting the strategic outcomes and guiding the organizational strategy, the governing body should consider the organization's internal and external context, including: potential opportunities for innovation. § 6.3.3.1.1 ¶ 2 k)
    Defining the organizational purpose involves identifying the issues and stakeholders for which the organization exists to serve and the negative impacts that are to be avoided. When identifying these, the governing body should ensure that the following are considered: § 6.1.3.2 ¶ 1
    Defining the organizational purpose involves identifying the issues and stakeholders for which the organization exists to serve and the negative impacts that are to be avoided. When identifying these, the governing body should ensure that the following are considered: important issues including global threats that evolve over time (e.g. climate change); § 6.1.3.2 ¶ 1 c)]
    Leadership and high level objectives Business Processes
    Prioritize organizational objectives. CC ID 09960
    [{social context} The governing body should define the organization's value generation objectives such that they fulfil the organizational purpose in accordance with the organizational values and the natural environment, social and economic context within which it operates. This should include iterations of identifying relevant stakeholder groups and determining, prioritizing and formulating objectives which meet the expectations of these groups. § 6.2.3.2 ¶ 1]
    Leadership and high level objectives Business Processes
    Select financial reporting objectives consistent with accounting principles available to the organization. CC ID 12400 Leadership and high level objectives Business Processes
    Establish, implement, and maintain a value generation model. CC ID 15591
    [When applying the governance principles and deciding how to appropriately implement the practices, the governing body should take into consideration the unique and dynamic nature of the organization and its context, including the following: value generation model and organizational strategy; § 5 ¶ 5 Bullet 5
    {external context}The governing body should ensure that the organizational risk framework, in respect to the management of risk: considers the impact of, changes to and dependencies on the external and internal context of the organization, including: the value generation model; § 6.9.3.2 ¶ 2 d) 5)
    The governing body should ensure that an overarching value generation model is determined for the organization and is appropriately communicated. § 6.2.3.1 ¶ 1
    {internal context}When setting the strategic outcomes and guiding the organizational strategy, the governing body should consider the organization's internal and external context, including: the organizational purpose, the application of the organizational values and the organization's value generation model; § 6.3.3.1.1 ¶ 2 a)
    Therefore, the governing body should: ensure that interactions and dependencies within the organization's value generation model are articulated in an integrated manner; § 6.11.3.1 ¶ 2 a)
    {social issue} In determining the value generation model, the governing body should understand the context in which the organization operates over time, including stakeholder expectations, regulatory frameworks, technological change, and the present and potential future natural environment, social and economic issues. The governing body should also ensure that the organization's value generation model continues to be viable and responds to changing conditions. § 6.2.3.1 ¶ 3
    The governing body should ensure that the organization's value generation model (see 6.2): describes how the organization's key structures, processes, relationships, information, decision-making, reporting and other aspects inter-relate and are used to generate value over time. § 6.11.3.2 ¶ 1 b)]
    Leadership and high level objectives Establish/Maintain Documentation
    Disseminate and communicate the value generation model to all interested personnel and affected parties. CC ID 15607
    [The governing body should ensure that an overarching value generation model is determined for the organization and is appropriately communicated. § 6.2.3.1 ¶ 1
    To demonstrate accountability, the governing body should ensure that the organization's reports and disclosures: describe the organizational purpose, organizational values, value generation model, organizational strategy and associated governance policies; § 6.5.3.2 ¶ 1 a)]
    Leadership and high level objectives Communicate
    Include value distribution in the value generation model. CC ID 15603
    [{procedure}This value generation model should clarify: how the value generated is to be retained and distributed (sustain). § 6.2.3.1 ¶ 2 Bullet 4
    {be viable} The governing body should ensure that value is retained and distributed in a manner that ensures that the organization is agile, viable over time and achieves its value generation objectives. § 6.2.3.5 ¶ 1
    The governing body should demonstrate accountability by retaining and distributing value in a transparent manner and reporting on the associated processes, decisions and results, including on the extent of the organization's impacts over time. This includes disclosing to relevant stakeholders where the organization has destroyed or compromised value, providing a justification for such where appropriate, and describing how it will redress or reinstate that value. § 6.2.3.5 ¶ 2]
    Leadership and high level objectives Establish/Maintain Documentation
    Include value retention in the value generation model. CC ID 15600
    [{procedure}This value generation model should clarify: how the value generated is to be retained and distributed (sustain). § 6.2.3.1 ¶ 2 Bullet 4
    {be viable} The governing body should ensure that value is retained and distributed in a manner that ensures that the organization is agile, viable over time and achieves its value generation objectives. § 6.2.3.5 ¶ 1
    The governing body should demonstrate accountability by retaining and distributing value in a transparent manner and reporting on the associated processes, decisions and results, including on the extent of the organization's impacts over time. This includes disclosing to relevant stakeholders where the organization has destroyed or compromised value, providing a justification for such where appropriate, and describing how it will redress or reinstate that value. § 6.2.3.5 ¶ 2]
    Leadership and high level objectives Establish/Maintain Documentation
    Include value generation procedures in the value generation model. CC ID 15599
    [{procedure}This value generation model should clarify: how the organization should generate that value (create); § 6.2.3.1 ¶ 2 Bullet 2
    The governing body should ensure that the organization's value generation model (see 6.2): identifies the key resources (e.g. capitals such as human, social and relational, intellectual, the natural environmental, financial and manufactured), structures, processes, relationships, information, decision-making, reporting and other aspects of the organization that allow it to create sustained value for relevant stakeholders; § 6.11.3.2 ¶ 1 a)
    {procedure}This value generation model should clarify: how the generation of value will be assured (deliver); § 6.2.3.1 ¶ 2 Bullet 3]
    Leadership and high level objectives Establish/Maintain Documentation
    Establish, implement, and maintain value generation objectives. CC ID 15583
    [Effective performance — The organization: generates value for stakeholders; § 5 ¶ 2 a) 3)
    {member stakeholder}{reference stakeholder}{be fair} The governing body should treat, and ensure that the organization treats, all stakeholders fairly and should consider the expectations of relevant stakeholders. The governing body should ensure that the organizational purpose (see 6.1) and the intended value to be generated (see 6.2) are defined through engagement with member, reference and other relevant stakeholders. § 4.2.5 ¶ 1
    Governance of organizations is a human-based system by which an organization is directed, overseen and held accountable for achieving its defined organizational purpose. At its core this includes: determining the organization's approach to value generation; § 4.1 ¶ 3 b)
    {social context}{economic context} The governing body should define the organization's value generation objectives such that they fulfil the organizational purpose in accordance with the organizational values and the natural environment, social, and economic context within which it operates. Table 1 Column 4 Row 3
    {social context}{economic context} The governing body should define the organization's value generation objectives such that they fulfil the organizational purpose in accordance with the organizational values and the natural environment, social and economic context within which it operates. § 6.2.1 ¶ 1
    This value generation model should clarify: what value the organization is intending to generate (define); § 6.2.3.1 ¶ 2 Bullet 1
    {social context} The governing body should define the organization's value generation objectives such that they fulfil the organizational purpose in accordance with the organizational values and the natural environment, social and economic context within which it operates. This should include iterations of identifying relevant stakeholder groups and determining, prioritizing and formulating objectives which meet the expectations of these groups. § 6.2.3.2 ¶ 1
    The governing body should ensure that the value generation objectives are delivered by the organization as a whole, by applying all other principles in this document. This includes ensuring that: § 6.2.3.4 ¶ 1
    {internal context}When setting the strategic outcomes and guiding the organizational strategy, the governing body should consider the organization's internal and external context, including: the defined value generation objectives; § 6.3.3.1.1 ¶ 2 d)
    The governing body should actively and dynamically steer the implementation of the organizational strategy, within the defined governance policies, including organizational values, and changing risk context, to fulfil the organizational purpose. The governing body should also steer the strategy so that the generation of value in the present context is balanced with the innovation required to generate value in the future. § 6.3.3.2.2 ¶ 1
    The governing body should ensure that the value generation objectives are delivered by the organization as a whole, by applying all other principles in this document. This includes ensuring that: assurance is obtained on the realization of the value generation objectives. § 6.2.3.4 ¶ 1 c)]
    Leadership and high level objectives Establish/Maintain Documentation
    Establish, implement, and maintain social responsibility objectives. CC ID 15611
    [The governing body should ensure that the organization considers undertaking specific measures to contribute to the wellbeing of society. Philanthropy can have a positive impact on society. However, it should not be used by an organization as a substitute for integrating social responsibility into the organization (see ISO 26000:2010, 3.3.4). § 6.10.3 ¶ 3]
    Leadership and high level objectives Establish/Maintain Documentation
    Establish and maintain a Mission, Vision, and Values Statement. CC ID 12783
    [{be dynamic}{be sensitive}The governing body should ensure that: the organizational purpose remains dynamic and sensitive to the changing context within which the organization operates. § 6.1.3.2 ¶ 2 Bullet 4
    When applying the governance principles and deciding how to appropriately implement the practices, the governing body should take into consideration the unique and dynamic nature of the organization and its context, including the following: organizational purpose and organizational values; § 5 ¶ 5 Bullet 1
    {external context}The governing body should ensure that the organizational risk framework, in respect to the management of risk: considers the impact of, changes to and dependencies on the external and internal context of the organization, including: the organizational purpose; § 6.9.3.2 ¶ 2 d) 3)
    {external context}The governing body should ensure that the organizational risk framework, in respect to the management of risk: considers the impact of, changes to and dependencies on the external and internal context of the organization, including: the organizational values; § 6.9.3.2 ¶ 2 d) 4)
    Governance of organizations is a human-based system by which an organization is directed, overseen and held accountable for achieving its defined organizational purpose. At its core this includes: setting and committing to the organizational purpose and organizational values; § 4.1 ¶ 3 a)
    Having defined the organizational values, the governing body should ensure that these organizational values are being demonstrated and are an active part of decision-making. The governing body should use these organizational values to determine the manner in which the organizational purpose is to be pursued and the value generation objectives are to be achieved (see 6.2). The governing body remains responsible for ensuring that the organizational values are monitored and reviewed, and should assess whether the organizational values remain aligned to, and support, the organizational purpose. The effectiveness of the organizational values will be evident in the culture of the organization. § 6.1.3.3 ¶ 2
    Effective performance — The organization: is true to its purpose; § 5 ¶ 2 a) 1)]
    Leadership and high level objectives Establish/Maintain Documentation
    Include the vision statement in the Mission, Vision, and Values Statement. CC ID 12839 Leadership and high level objectives Establish/Maintain Documentation
    Include the mission statement in the Mission, Vision, and Values Statement. CC ID 12838
    [{member stakeholder}{reference stakeholder}{be fair} The governing body should treat, and ensure that the organization treats, all stakeholders fairly and should consider the expectations of relevant stakeholders. The governing body should ensure that the organizational purpose (see 6.1) and the intended value to be generated (see 6.2) are defined through engagement with member, reference and other relevant stakeholders. § 4.2.5 ¶ 1
    To ensure that the organization is acting in a socially responsible way, the governing body should: ensure that the organizational purpose expresses the organization's approach to stakeholders; § 6.10.3 ¶ 1 c)
    The governing body should ensure that: the essence of the organizational purpose is documented in a summary statement to promote effective communication and to assess and determine organization-wide actions and success; § 6.1.3.2 ¶ 2 Bullet 1
    The governing body should ensure that the organization's reason for existence is clearly defined as an organizational purpose. This organizational purpose should define the organization's intentions towards the natural environment, society and the organization's stakeholders. The governing body should also ensure that an associated set of organizational values is clearly defined. § 6.1.1 ¶ 1
    The governing body should ensure that the organizational purpose and organizational values are defined, communicated and embedded. § 6.1.3.1 ¶ 1
    Defining the organizational purpose involves identifying the issues and stakeholders for which the organization exists to serve and the negative impacts that are to be avoided. When identifying these, the governing body should ensure that the following are considered: existing documentation relating to the organizational purpose and the scope of the organization's activities, such as constituting documents or other artefacts; § 6.1.3.2 ¶ 1 a)
    {internal context}When setting the strategic outcomes and guiding the organizational strategy, the governing body should consider the organization's internal and external context, including: the organizational purpose, the application of the organizational values and the organization's value generation model; § 6.3.3.1.1 ¶ 2 a)
    The governing body should ensure that the organization's reason for existence is clearly defined as an organizational purpose. This organizational purpose should define the organization's intentions towards the natural environment, society and the organization's stakeholders. The governing body should also ensure that an associated set of organizational values is clearly defined. Table 1 Column 4 Row 2]
    Leadership and high level objectives Establish/Maintain Documentation
    Include management commitment in the Mission, Vision, and Values Statement. CC ID 12808 Leadership and high level objectives Establish/Maintain Documentation
    Include the value statement in the Mission, Vision, and Values Statement. CC ID 12807
    [Defining the organizational purpose involves identifying the issues and stakeholders for which the organization exists to serve and the negative impacts that are to be avoided. When identifying these, the governing body should ensure that the following are considered: the historic, current and aspirational core identity of the organization, including the organizational values and expected ethical behaviour; § 6.1.3.2 ¶ 1 b)
    The governing body should ensure that the organization's reason for existence is clearly defined as an organizational purpose. This organizational purpose should define the organization's intentions towards the natural environment, society and the organization's stakeholders. The governing body should also ensure that an associated set of organizational values is clearly defined. § 6.1.1 ¶ 1
    The governing body should ensure that the organizational purpose and organizational values are defined, communicated and embedded. § 6.1.3.1 ¶ 1
    The governing body should ensure that the organization's reason for existence is clearly defined as an organizational purpose. This organizational purpose should define the organization's intentions towards the natural environment, society and the organization's stakeholders. The governing body should also ensure that an associated set of organizational values is clearly defined. Table 1 Column 4 Row 2]
    Leadership and high level objectives Establish/Maintain Documentation
    Include environmental factors in the Mission, Vision, and Values Statement. CC ID 15590
    [The governing body should ensure that the organization's reason for existence is clearly defined as an organizational purpose. This organizational purpose should define the organization's intentions towards the natural environment, society and the organization's stakeholders. The governing body should also ensure that an associated set of organizational values is clearly defined. § 6.1.1 ¶ 1
    The governing body should ensure that the organization's reason for existence is clearly defined as an organizational purpose. This organizational purpose should define the organization's intentions towards the natural environment, society and the organization's stakeholders. The governing body should also ensure that an associated set of organizational values is clearly defined. Table 1 Column 4 Row 2]
    Leadership and high level objectives Establish/Maintain Documentation
    Include societal factors in the Mission, Vision, and Values Statement. CC ID 15605
    [The governing body should ensure that the organization's reason for existence is clearly defined as an organizational purpose. This organizational purpose should define the organization's intentions towards the natural environment, society and the organization's stakeholders. The governing body should also ensure that an associated set of organizational values is clearly defined. § 6.1.1 ¶ 1
    The governing body should ensure that the organization's reason for existence is clearly defined as an organizational purpose. This organizational purpose should define the organization's intentions towards the natural environment, society and the organization's stakeholders. The governing body should also ensure that an associated set of organizational values is clearly defined. Table 1 Column 4 Row 2]
    Leadership and high level objectives Establish/Maintain Documentation
    Include stakeholder requirements in the Mission, Vision, and Values Statement. CC ID 15586
    [The governing body should ensure that the organization's reason for existence is clearly defined as an organizational purpose. This organizational purpose should define the organization's intentions towards the natural environment, society and the organization's stakeholders. The governing body should also ensure that an associated set of organizational values is clearly defined. § 6.1.1 ¶ 1
    The governing body should ensure that the organization's reason for existence is clearly defined as an organizational purpose. This organizational purpose should define the organization's intentions towards the natural environment, society and the organization's stakeholders. The governing body should also ensure that an associated set of organizational values is clearly defined. Table 1 Column 4 Row 2]
    Leadership and high level objectives Establish/Maintain Documentation
    Disseminate and communicate the Mission, Vision, and Values Statement to all interested personnel and affected parties. CC ID 15585
    [The governing body should ensure that the organizational purpose and organizational values and their centrality are effectively communicated throughout the organization and are available to the organization's stakeholders. § 6.1.3.4 ¶ 2
    The governing body should ensure that: the organizational purpose is available to all stakeholders and reflected in the constituting documents where possible; § 6.1.3.2 ¶ 2 Bullet 2
    The governing body should ensure that the organizational purpose and organizational values are defined, communicated and embedded. § 6.1.3.1 ¶ 1
    To demonstrate accountability, the governing body should ensure that the organization's reports and disclosures: describe the organizational purpose, organizational values, value generation model, organizational strategy and associated governance policies; § 6.5.3.2 ¶ 1 a)
    To ensure that the organization is acting in a socially responsible way, the governing body should: engage with all relevant stakeholders when determining and reviewing the organizational values and promote the organizational values to stakeholders; § 6.10.3 ¶ 1 d)]
    Leadership and high level objectives Communicate
    Disseminate and communicate organizational objectives, functions, and activities to all interested personnel and affected parties. CC ID 13191
    [To ensure that the organization is acting in a socially responsible way, the governing body should: report the organization's social responsibility objectives clearly and transparently so that stakeholders can understand these objectives, how they are being met and what performance is being achieved against them, as well as provide the necessary evidence to support such claims; § 6.10.3 ¶ 1 h)]
    Leadership and high level objectives Communicate
    Document and communicate the linkage between organizational objectives, functions, activities, and general controls. CC ID 12398
    [To demonstrate accountability, the governing body should ensure that the organization's reports and disclosures: provide information about the organization, including: the organization's performance in fulfilling the organizational purpose; § 6.5.3.2 ¶ 1 c) 1)
    To ensure that the organization is acting in a socially responsible way, the governing body should: report the organization's social responsibility objectives clearly and transparently so that stakeholders can understand these objectives, how they are being met and what performance is being achieved against them, as well as provide the necessary evidence to support such claims; § 6.10.3 ¶ 1 h)
    The governing body should ensure that the organization's value generation model (see 6.2): identifies the key resources (e.g. capitals such as human, social and relational, intellectual, the natural environmental, financial and manufactured), structures, processes, relationships, information, decision-making, reporting and other aspects of the organization that allow it to create sustained value for relevant stakeholders; § 6.11.3.2 ¶ 1 a)
    The governing body should ensure that when the organization reports and discloses its value generation model (see 6.2 and 6.5) these include: the integrated view of the relationships between the organization's value generation model and the systems on which this depends (and which the organization also affects through its value generation); § 6.11.3.4 ¶ 2 a)
    The governing body is accountable for ensuring that the organization fulfils the defined organizational purpose and should ensure that the organization does so in a manner which demonstrates the defined organizational values. § 6.1.3.4 ¶ 1
    The governing body should ensure that the organization's value generation model (see 6.2): describes how the organization's key structures, processes, relationships, information, decision-making, reporting and other aspects inter-relate and are used to generate value over time. § 6.11.3.2 ¶ 1 b)
    Be open about decisions and activities that affect the natural environment, society and the economy, and be willing to communicate these in a clear, accurate, timely, honest and complete manner. Table 2 Column 2 Row 4 Bullet 1]
    Leadership and high level objectives Establish/Maintain Documentation
    Identify threats that could affect achieving organizational objectives. CC ID 12827 Leadership and high level objectives Business Processes
    Identify how opportunities, threats, and external requirements are trending. CC ID 12829 Leadership and high level objectives Process or Activity
    Identify relationships between opportunities, threats, and external requirements. CC ID 12805
    [{social context}{internal context}When setting the strategic outcomes and guiding the organizational strategy, the governing body should consider the organization's internal and external context, including: the interdependence between the natural environment, social and economic context – the organization's material impact on the context and its material impact on the organization; § 6.3.3.1.1 ¶ 2 e)
    Therefore, the governing body should: ensure that the natural environmental, social and economic system relationships that underpin the organization's value generation model are identified and assessed; § 6.11.3.1 ¶ 2 b)]
    Leadership and high level objectives Process or Activity
    Review the organization's approach to managing information security, as necessary. CC ID 12005 Leadership and high level objectives Business Processes
    Establish, implement, and maintain criteria for grouping stakeholders. CC ID 15584
    [When the governing body groups stakeholders, it should clarify its criteria for grouping, and for determining the relevance of, stakeholders. The governing body should also ensure that a stakeholder engagement process is devised on this basis. § 6.6.3 ¶ 2]
    Leadership and high level objectives Process or Activity
    Analyze and prioritize the requirements of interested personnel and affected parties. CC ID 12796
    [{member stakeholder}When applying the governance principles and deciding how to appropriately implement the practices, the governing body should take into consideration the unique and dynamic nature of the organization and its context, including the following: expectations of relevant stakeholders, particularly member and reference stakeholders; § 5 ¶ 5 Bullet 3
    {member stakeholder}{reference stakeholder}{be fair} The governing body should treat, and ensure that the organization treats, all stakeholders fairly and should consider the expectations of relevant stakeholders. The governing body should ensure that the organizational purpose (see 6.1) and the intended value to be generated (see 6.2) are defined through engagement with member, reference and other relevant stakeholders § 4.2.5 ¶ 1
    The governing body should oversee organizational performance by assessing and taking corrective action based on: the organization's identification of, and engagement with, relevant stakeholders (see 6.6); § 6.4.3.2 ¶ 1 e)
    The governing body should ensure that the organization's stakeholders are appropriately engaged and their expectations considered. § 6.6.1 ¶ 1
    The governing body should ensure that the organization's stakeholders are identified, prioritized, appropriately engaged, consulted and their expectations understood. The governing body should do this to ensure that stakeholder relationships are effective and appropriate decisions about expectations are made to achieve the intended value generation objectives. § 6.6.3 ¶ 1
    The governing body should consider the expectations of relevant stakeholder groups whether the organization is obliged to do so (e.g. member stakeholders, regulators) or whether it chooses to do so (e.g. reference stakeholders). The governing body should ensure that: § 6.6.3 ¶ 3
    The governing body should provide direction for, and have sufficient oversight of, the use of data and its supporting information technology to ensure the organization remains within its established risk appetite and organizational risk framework. This can include: ensuring that the wider organizational stakeholders are considered in the organization's use of information technology, particularly as it relates to human capital. § 6.8.3.4 ¶ 2 f)
    {external context}The governing body should ensure that the organizational risk framework, in respect to the management of risk: considers the impact of, changes to and dependencies on the external and internal context of the organization, including: stakeholders; § 6.9.3.2 ¶ 2 d) 1)
    {stakeholder engagement process}To ensure that the organization is acting in a socially responsible way, the governing body should: ensure that the expectations of stakeholders are clearly understood; this includes continually engaging relevant stakeholders through an engagement process and a highly developed approach to accountability (see 6.5); § 6.10.3 ¶ 1 a)
    The governing body should ensure that the organization's stakeholders are appropriately engaged and their expectations considered. Table 1 Column 4 Row 7
    {member stakeholder}{reference stakeholder}Defining the organizational purpose involves identifying the issues and stakeholders for which the organization exists to serve and the negative impacts that are to be avoided. When identifying these, the governing body should ensure that the following are considered: member, reference and other relevant stakeholder expectations; § 6.1.3.2 ¶ 1 d)
    The organization's viability and performance over time depends on the resilience of natural environmental, social and economic systems in which the organization operates. The resilience of these systems benefits from governing body decisions when such decisions consider: relevant stakeholder expectations (see 6.6 and 6.10); § 6.11.3.1 ¶ 1 Bullet 1
    {internal context}When setting the strategic outcomes and guiding the organizational strategy, the governing body should consider the organization's internal and external context, including: relevant stakeholder expectations; § 6.3.3.1.1 ¶ 2 j)
    Effective performance — The organization: remains in alignment with its policies and relevant stakeholder expectations. § 5 ¶ 2 a) 4)
    Responsible stewardship — The organization: engenders the trust and confidence of the communities within which it operates, and beyond. § 5 ¶ 2 b) 5)
    A process of reconciliation between seemingly opposed dimensions leads to more informed and robust decisions. Reconciling dilemmas requires a deliberate approach that includes: understanding and articulating the opposing perspectives; § 6.7.3.4 ¶ 2 b)
    {social issue} In determining the value generation model, the governing body should understand the context in which the organization operates over time, including stakeholder expectations, regulatory frameworks, technological change, and the present and potential future natural environment, social and economic issues. The governing body should also ensure that the organization's value generation model continues to be viable and responds to changing conditions. § 6.2.3.1 ¶ 3]
    Leadership and high level objectives Business Processes
    Establish, implement, and maintain data governance and management practices. CC ID 14998
    [The governing body should recognize data as a valuable resource for decision-making by the governing body, the organization and others. § 6.8.1 ¶ 1
    The governing body should ensure that the organization identifies, manages, monitors and communicates the nature and extent of its use of data (see 6.5.3). § 6.8.3.1 ¶ 1
    The recognition that data can be a strategic asset (or liability) means that the governing body should: acknowledge the complexities and growing importance of data and establish governance policies and direction that aligns with the organization's needs and the degree of change required; § 6.8.3.3 ¶ 1 c)
    The recognition that data can be a strategic asset (or liability) means that the governing body should: understand the use, and potential use, of data by the organization and others (e.g. suppliers, customers, regulators and other relevant stakeholders as well as competitors and those who can misuse the data); § 6.8.3.3 ¶ 1 b)
    The governing body should provide direction for, and have sufficient oversight of, the use of data and its supporting information technology to ensure the organization remains within its established risk appetite and organizational risk framework. This can include: § 6.8.3.4 ¶ 2
    The governing body should recognize data as a valuable resource for decision-making by the governing body, the organization and others. Table 1 Column 4 Row 9
    {be responsible}{be ethical} The governing body should, in particular, ensure that the organization recognizes data as a strategic resource and ensure that the organization uses data responsibly and ethically. § 6.8.3.1 ¶ 2
    The governing body should oversee organizational performance by assessing and taking corrective action based on: the organization's controlling and processing of data, ensuring that data are recognized as a valuable and strategic organizational resource (see 6.8); § 6.4.3.2 ¶ 1 h)
    The recognition that data can be a strategic asset (or liability) means that the governing body should: ensure that the organization establishes a formal approach to its management of data and, where necessary, assurance is provided (see 6.4.3); § 6.8.3.3 ¶ 1 a)]
    Leadership and high level objectives Establish/Maintain Documentation
    Address shortcomings of the data sets in the data governance and management practices. CC ID 15087 Leadership and high level objectives Establish/Maintain Documentation
    Include any shortcomings of the data sets in the data governance and management practices. CC ID 15086 Leadership and high level objectives Establish/Maintain Documentation
    Include bias for data sets in the data governance and management practices. CC ID 15085 Leadership and high level objectives Establish/Maintain Documentation
    Include a data strategy in the data governance and management practices. CC ID 15304 Leadership and high level objectives Establish/Maintain Documentation
    Include data monitoring in the data governance and management practices. CC ID 15303
    [The governing body should ensure that the organization identifies, manages, monitors and communicates the nature and extent of its use of data (see 6.5.3). § 6.8.3.1 ¶ 1
    The governing body should provide direction for, and have sufficient oversight of, the use of data and its supporting information technology to ensure the organization remains within its established risk appetite and organizational risk framework. This can include: the adoption of a system to ensure the rights, obligations and constraints of data sets are understood and tracked, e.g. privacy and intellectual property right obligations; § 6.8.3.4 ¶ 2 a)]
    Leadership and high level objectives Establish/Maintain Documentation
    Include an assessment of the data sets in the data governance and management practices. CC ID 15084
    [The governing body should provide direction for, and have sufficient oversight of, the use of data and its supporting information technology to ensure the organization remains within its established risk appetite and organizational risk framework. This can include: the adoption of a system to ensure the rights, obligations and constraints of data sets are understood and tracked, e.g. privacy and intellectual property right obligations; § 6.8.3.4 ¶ 2 a)]
    Leadership and high level objectives Establish/Maintain Documentation
    Include assumptions for the formulation of data sets in the data governance and management practices. CC ID 15083 Leadership and high level objectives Establish/Maintain Documentation
    Include data collection for data sets in the data governance and management practices. CC ID 15082 Leadership and high level objectives Establish/Maintain Documentation
    Include data preparations for data sets in the data governance and management practices. CC ID 15081
    [The governing body should make decisions of requisite quality and ensure that its decision-making is appropriately informed. The governing body should: exercise its right and responsibility to determine and receive the information it requires, including determining the appropriate data collection methods, preparation and timely delivery of information; § 6.8.3.2.1 ¶ 1 f)]
    Leadership and high level objectives Establish/Maintain Documentation
    Include design choices for data sets in the data governance and management practices. CC ID 15080 Leadership and high level objectives Establish/Maintain Documentation
    Establish, implement, and maintain an information classification standard. CC ID 00601 Leadership and high level objectives Establish/Maintain Documentation
    Take into account the accessibility to and location of the data or information when establishing information impact levels. CC ID 04787 Leadership and high level objectives Data and Information Management
    Take into account the organization's obligation to protect data or information when establishing information impact levels. CC ID 04786 Leadership and high level objectives Data and Information Management
    Take into account the context of use for data or information when establishing information impact levels. CC ID 04785 Leadership and high level objectives Data and Information Management
    Take into account the potential aggregation of restricted data fields when establishing information impact levels. CC ID 04784 Leadership and high level objectives Data and Information Management
    Classify the sensitivity to unauthorized disclosure or modification of information in the information classification standard. CC ID 11997 Leadership and high level objectives Data and Information Management
    Take into account the distinguishability factor when establishing information impact levels. CC ID 04783 Leadership and high level objectives Data and Information Management
    Classify the criticality to unauthorized disclosure or modification of information in the information classification standard. CC ID 11996 Leadership and high level objectives Data and Information Management
    Classify the value of information in the information classification standard. CC ID 11995 Leadership and high level objectives Data and Information Management
    Classify the legal requirements of information in the information classification standard. CC ID 11994 Leadership and high level objectives Data and Information Management
    Establish, implement, and maintain a data classification scheme. CC ID 11628 Leadership and high level objectives Establish/Maintain Documentation
    Take into account the characteristics of the geographical, behavioral and functional setting for all datasets. CC ID 15046 Leadership and high level objectives Data and Information Management
    Disseminate and communicate the data classification scheme to interested personnel and affected parties. CC ID 16804 Leadership and high level objectives Communicate
    Establish and maintain an organizational data dictionary, including data syntax rules. CC ID 00600 Leadership and high level objectives Establish/Maintain Documentation
    Refrain from including metadata in the data dictionary. CC ID 13529 Leadership and high level objectives Establish/Maintain Documentation
    Refrain from allowing incompatible data elements in the data dictionary. CC ID 13624 Leadership and high level objectives Establish/Maintain Documentation
    Include information needed to understand each data element and population in the data dictionary. CC ID 13528 Leadership and high level objectives Establish/Maintain Documentation
    Include the factors to determine what is included or excluded from the data element in the data dictionary. CC ID 13525 Leadership and high level objectives Establish/Maintain Documentation
    Include the date or time period the data was observed in the data dictionary. CC ID 13524 Leadership and high level objectives Establish/Maintain Documentation
    Include the uncertainty in the population of each data element in the data dictionary. CC ID 13522 Leadership and high level objectives Establish/Maintain Documentation
    Include the uncertainty of each data element in the data dictionary. CC ID 13521 Leadership and high level objectives Establish/Maintain Documentation
    Include the measurement units for each data element in the data dictionary. CC ID 13534 Leadership and high level objectives Establish/Maintain Documentation
    Include the precision of the measurement in the data dictionary. CC ID 13520 Leadership and high level objectives Establish/Maintain Documentation
    Include the data source in the data dictionary. CC ID 13519 Leadership and high level objectives Establish/Maintain Documentation
    Include the nature of each element in the data dictionary. CC ID 13518 Leadership and high level objectives Establish/Maintain Documentation
    Include the population of events or instances in the data dictionary. CC ID 13517 Leadership and high level objectives Establish/Maintain Documentation
    Disseminate and communicate the data dictionary to interested personnel and affected parties. CC ID 13516 Leadership and high level objectives Communicate
    Establish, implement, and maintain an Information and Infrastructure Architecture model. CC ID 00599 Leadership and high level objectives Establish/Maintain Documentation
    Establish, implement, and maintain sustainable infrastructure planning. CC ID 00603
    [Responsible stewardship — The organization: ensures its contribution to sustainable development; § 5 ¶ 2 b) 4)
    {be viable} The governing body should ensure that the organization remains viable, and performs over time, without compromising the ability of current and future generations to meet their needs. Table 1 Column 4 Row 12
    {be viable} The governing body should ensure that the organization remains viable, and performs over time, without compromising the ability of current and future generations to meet their needs. § 6.11.1 ¶ 1
    The aim of governance, and the duty of the governing body, is to create the conditions for, and to enable, the organization to perform over time, such that it fulfils its organizational purpose and generates value as intended. An organization can be said to be contributing to sustainable development, and to be sustainable, when it generates value in a manner that meets the needs of the present without compromising the ability of future generations to meet their own needs. By aligning an organization's governance with sustainable development, e.g. via the UN SDGs, governing bodies help create the conditions for an organization's future success. As a result, governing bodies should ensure that sustainable development and sustainability are fundamental considerations when governing and applying the governance principles in this document. § 4.2.4 ¶ 1]
    Leadership and high level objectives Establish/Maintain Documentation
    Take into account the need for protecting information confidentiality during infrastructure planning. CC ID 06486 Leadership and high level objectives Behavior
    Establish, implement, and maintain an organizational structure. CC ID 16310 Leadership and high level objectives Establish/Maintain Documentation
    Disseminate and communicate emerging threats to all interested personnel and affected parties. CC ID 12185 Leadership and high level objectives Communicate
    Establish, implement, and maintain a Quality Management framework. CC ID 07196 Leadership and high level objectives Establish/Maintain Documentation
    Include supply chain management standards in the Quality Management framework. CC ID 13701 Leadership and high level objectives Establish/Maintain Documentation
    Establish, implement, and maintain a Quality Management policy. CC ID 13694 Leadership and high level objectives Establish/Maintain Documentation
    Include a commitment to satisfy applicable requirements in the Quality Management policy. CC ID 13700 Leadership and high level objectives Establish/Maintain Documentation
    Tailor the Quality Management policy to support the organization's strategic direction. CC ID 13699 Leadership and high level objectives Establish/Maintain Documentation
    Include a commitment to continual improvement of the Quality Management system in the Quality Management policy. CC ID 13698 Leadership and high level objectives Establish/Maintain Documentation
    Include critical Information Technology processes in the Quality Management framework. CC ID 13645 Leadership and high level objectives Establish/Maintain Documentation
    Disseminate and communicate the Quality Management policy to all interested personnel and affected parties. CC ID 13695 Leadership and high level objectives Communicate
    Disseminate and communicate the Quality Management framework to all stakeholders. CC ID 13680 Leadership and high level objectives Communicate
    Align the quality objectives with the Quality Management policy. CC ID 13697 Leadership and high level objectives Establish/Maintain Documentation
    Establish, implement, and maintain a Quality Management standard. CC ID 01006 Leadership and high level objectives Establish/Maintain Documentation
    Document the measurements used by Quality Assurance and Quality Control testing. CC ID 07200 Leadership and high level objectives Establish/Maintain Documentation
    Establish, implement, and maintain a Quality Management program. CC ID 07201 Leadership and high level objectives Establish/Maintain Documentation
    Notify affected parties and interested personnel of quality management system approvals that have been refused, suspended, or withdrawn. CC ID 15045 Leadership and high level objectives Communicate
    Notify affected parties and interested personnel of quality management system approvals that have been issued. CC ID 15036 Leadership and high level objectives Communicate
    Include quality objectives in the Quality Management program. CC ID 13693 Leadership and high level objectives Establish/Maintain Documentation
    Include records management in the quality management system. CC ID 15055 Leadership and high level objectives Establish/Maintain Documentation
    Include risk management in the quality management system. CC ID 15054 Leadership and high level objectives Establish/Maintain Documentation
    Include data management procedures in the quality management system. CC ID 15052 Leadership and high level objectives Establish/Maintain Documentation
    Include a post-market monitoring system in the quality management system. CC ID 15027 Leadership and high level objectives Establish/Maintain Documentation
    Include operational roles and responsibilities in the quality management system. CC ID 15028 Leadership and high level objectives Establish/Maintain Documentation
    Include quality gates and testing milestones in the Quality Management program. CC ID 06825 Leadership and high level objectives Systems Design, Build, and Implementation
    Include resource management in the quality management system. CC ID 15026
    [The value generation model requires an integrated approach to understanding and using resources (e.g. human, social and relational, intellectual, the natural environment, financial and manufactured). This approach includes: § 6.2.3.1 ¶ 4
    The governing body should ensure that it sets parameters, within which the value generation objectives are to be achieved. These parameters should ensure that the organization: recognizes and optimizes the interaction between the required resources. § 6.2.3.3 ¶ 1 c)
    The governing body should oversee organizational performance by assessing and taking corrective action based on: resource allocations, capacity and capabilities (including people and their development) ensuring that the organization is enabled to meet its organizational purpose, value generation objectives and strategic outcomes; § 6.4.3.2 ¶ 1 g)]
    Leadership and high level objectives Establish/Maintain Documentation
    Include communication protocols in the quality management system. CC ID 15025 Leadership and high level objectives Establish/Maintain Documentation
    Include incident reporting procedures in the quality management system. CC ID 15023 Leadership and high level objectives Establish/Maintain Documentation
    Include technical specifications in the quality management system. CC ID 15021 Leadership and high level objectives Establish/Maintain Documentation
    Document the deficiencies in a deficiency report that were found during Quality Control and corrected during Quality Improvement. CC ID 07203 Leadership and high level objectives Establish/Maintain Documentation
    Include program documentation standards in the Quality Management program. CC ID 01016 Leadership and high level objectives Establish/Maintain Documentation
    Include program testing standards in the Quality Management program. CC ID 01017 Leadership and high level objectives Establish/Maintain Documentation
    Include system testing standards in the Quality Management program. CC ID 01018 Leadership and high level objectives Establish/Maintain Documentation
    Include an issue tracking system in the Quality Management program. CC ID 06824 Leadership and high level objectives Systems Design, Build, and Implementation
    Establish and maintain the scope of the organizational compliance framework and Information Assurance controls. CC ID 01241 Leadership and high level objectives Establish/Maintain Documentation
    Identify roles, tasks, information, systems, and assets that fall under the organization's mandated Authority Documents. CC ID 00688
    [The governing body should ensure that the organization identifies, manages, monitors and communicates the nature and extent of its use of data (see 6.5.3). § 6.8.3.1 ¶ 1
    The value generation model requires an integrated approach to understanding and using resources (e.g. human, social and relational, intellectual, the natural environment, financial and manufactured). This approach includes: identification of all resources involved in the model; § 6.2.3.1 ¶ 4 a)
    The governing body should ensure that the organization's value generation model (see 6.2): identifies the key resources (e.g. capitals such as human, social and relational, intellectual, the natural environmental, financial and manufactured), structures, processes, relationships, information, decision-making, reporting and other aspects of the organization that allow it to create sustained value for relevant stakeholders; § 6.11.3.2 ¶ 1 a)
    The governing body should ensure that the organization's value generation model identifies and assesses (see 6.2): the relevant external systems on which the organization depends; § 6.11.3.3 ¶ 1 a)]
    Leadership and high level objectives Business Processes
    Establish and maintain an Information Systems Assurance Categories Definitions document. CC ID 01608 Leadership and high level objectives Establish/Maintain Documentation
    Establish, implement, and maintain a policy and procedure management program. CC ID 06285 Leadership and high level objectives Establish/Maintain Documentation
    Assess the impact of changes to organizational policies, standards, and procedures, as necessary. CC ID 14824
    [The governing body should oversee organizational performance by assessing and taking corrective action based on: the organization's management of plans, organizational changes and other substantial transformations as well as responses to unplanned events and incidents. § 6.4.3.2 ¶ 1 j)]
    Leadership and high level objectives Business Processes
    Establish and maintain an Authority Document list. CC ID 07113 Leadership and high level objectives Establish/Maintain Documentation
    Document organizational procedures that harmonize external requirements, including all legal requirements. CC ID 00623
    [Ethical and effective leadership should be demonstrated in three areas: the manner in which the organization interacts with, and impacts, its stakeholders and the context within which it operates. § 6.7.3.1 ¶ 4 c)
    {human right}The governing body should consider the expectations of relevant stakeholder groups whether the organization is obliged to do so (e.g. member stakeholders, regulators) or whether it chooses to do so (e.g. reference stakeholders). The governing body should ensure that: human and labour rights in all countries of operation are respected; § 6.6.3 ¶ 3 d)
    Within the organization's external context: Where the organization has set contextual expectations, such as commitments to stakeholders and the natural environment, the organization should fulfil these expectations as set. § 6.7.3.2 ¶ 1 c)
    {external system}The governing body should ensure that the organization's value generation model identifies and assesses (see 6.2): the inter-relationships between the organization and these systems; § 6.11.3.3 ¶ 1 b)]
    Leadership and high level objectives Establish/Maintain Documentation
    Establish, implement, and maintain full documentation of all policies, standards, and procedures that support the organization's compliance framework. CC ID 01636 Leadership and high level objectives Establish/Maintain Documentation
    Disseminate and communicate the organization’s policies, standards, and procedures to all interested personnel and affected parties. CC ID 12901
    [Finally, the governing body should report honestly and transparently to relevant stakeholders on the organizational governance framework. This includes reporting: on the way it has implemented the key aspects of practices in this document and any other practices used to apply the principles; § 5 ¶ 7 Bullet 1]
    Leadership and high level objectives Communicate
    Approve all compliance documents. CC ID 06286
    [{individual}The governing body should engage with strategic planning by: reviewing, assessing and approving the plans developed by those to whom they have delegated; § 6.3.3.2.1 ¶ 1 c)]
    Leadership and high level objectives Establish/Maintain Documentation
    Align the Authority Document list with external requirements. CC ID 06288
    [The governing body should ensure that: the organizational purpose is available to all stakeholders and reflected in the constituting documents where possible; § 6.1.3.2 ¶ 2 Bullet 2]
    Leadership and high level objectives Establish/Maintain Documentation
    Assign the appropriate roles to all applicable compliance documents. CC ID 06284 Leadership and high level objectives Establish Roles
    Identify and document the Designated Approval Authority for compliance documents. CC ID 07114 Leadership and high level objectives Establish/Maintain Documentation
    Establish, implement, and maintain a compliance exception standard. CC ID 01628 Leadership and high level objectives Establish/Maintain Documentation
    Include the authority for granting exemptions in the compliance exception standard. CC ID 14329 Leadership and high level objectives Establish/Maintain Documentation
    Include explanations, compensating controls, or risk acceptance in the compliance exceptions document. CC ID 01631 Leadership and high level objectives Establish/Maintain Documentation
    Review the compliance exceptions in the exceptions document, as necessary. CC ID 01632 Leadership and high level objectives Business Processes
    Include when exemptions expire in the compliance exception standard. CC ID 14330 Leadership and high level objectives Establish/Maintain Documentation
    Assign the approval of compliance exceptions to the appropriate roles inside the organization. CC ID 06443 Leadership and high level objectives Establish Roles
    Include management of the exemption register in the compliance exception standard. CC ID 14328 Leadership and high level objectives Establish/Maintain Documentation
    Define the Information Assurance strategic roles and responsibilities. CC ID 00608 Leadership and high level objectives Establish Roles
    Include recommendations for changes or updates to the information security program in the Board Report. CC ID 13180 Leadership and high level objectives Establish/Maintain Documentation
    Assign the review of project plans for critical projects to the compliance oversight committee. CC ID 01182 Leadership and high level objectives Establish Roles
    Assign the corporate governance of Information Technology to the compliance oversight committee. CC ID 01178 Leadership and high level objectives Establish Roles
    Assign the review of Information Technology policies and procedures to the compliance oversight committee. CC ID 01179 Leadership and high level objectives Establish Roles
    Involve the Board of Directors or senior management in Information Governance. CC ID 00609 Leadership and high level objectives Establish Roles
    Assign responsibility for enforcing the requirements of the Information Governance Plan to senior management. CC ID 12058 Leadership and high level objectives Human Resources Management
    Address Information Security during the business planning processes. CC ID 06495 Leadership and high level objectives Data and Information Management
    Document the requirements of stakeholders during the business planning process regarding Information Security. CC ID 06498 Leadership and high level objectives Establish/Maintain Documentation
    Assign reviewing and approving Quality Management standards to the appropriate oversight committee. CC ID 07192 Leadership and high level objectives Establish Roles
    Establish, implement, and maintain a strategic plan. CC ID 12784
    [Governance of organizations is a human-based system by which an organization is directed, overseen and held accountable for achieving its defined organizational purpose. At its core this includes: directing and engaging with strategy to generate value; § 4.1 ¶ 3 c)
    The governing body should direct and engage with the organizational strategy, in accordance with the value generation model, to fulfil the organizational purpose. Table 1 Column 4 Row 4
    Having defined the organizational values, the governing body should ensure that these organizational values are being demonstrated and are an active part of decision-making. The governing body should use these organizational values to determine the manner in which the organizational purpose is to be pursued and the value generation objectives are to be achieved (see 6.2). The governing body remains responsible for ensuring that the organizational values are monitored and reviewed, and should assess whether the organizational values remain aligned to, and support, the organizational purpose. The effectiveness of the organizational values will be evident in the culture of the organization. § 6.1.3.3 ¶ 2
    The governing body should direct and engage with the organizational strategy, in accordance with the value generation model, to fulfil the organizational purpose. § 6.3.1 ¶ 1
    {individual}The governing body should engage with strategic planning by: reviewing, assessing and approving the plans developed by those to whom they have delegated; § 6.3.3.2.1 ¶ 1 c)
    The governing body should engage with strategic planning by: overseeing (see 6.4) the implementation of these plans and ensuring that they meet the agreed strategic outcomes. § 6.3.3.2.1 ¶ 1 d)
    The governing body should actively and dynamically steer the implementation of the organizational strategy, within the defined governance policies, including organizational values, and changing risk context, to fulfil the organizational purpose. The governing body should also steer the strategy so that the generation of value in the present context is balanced with the innovation required to generate value in the future. § 6.3.3.2.2 ¶ 1
    The governing body should steer the organizational strategy by means of: § 6.3.3.2.2 ¶ 2
    Ethical leadership results in an organizational context and culture that: provides competitive differentiation for stakeholders by providing clarity against which evaluators can assess the organization's behaviour, decisions and activities; § 6.7.3.3 ¶ 3 Bullet 4
    The governing body should steer the organizational strategy by means of: monitoring and responding to the behaviour, decisions and activities of the organization, e.g. values-driven behaviours pertaining to sustainability; § 6.3.3.2.2 ¶ 2 b)]
    Leadership and high level objectives Establish/Maintain Documentation
    Determine progress toward the objectives of the strategic plan. CC ID 12944
    [The governing body should: develop, and competently use, appropriate criteria for measurement that will indicate progress towards the fulfilment of the organizational purpose, within the set parameters, via the organizational strategy; § 4.3.2 ¶ 2 b)
    Ethical and effective leadership is demonstrated when the governing body: ensures that the organization is, and is seen to be, following the expectations as set. § 6.7.3.1 ¶ 3 Bullet 3
    The outcomes, whether positive or negative, are determined by the expectations which have been set. Leadership determines whether these expectations are fulfilled. § 6.7.3.2 ¶ 2
    The governing body should oversee organizational performance by assessing and taking corrective action based on: the organization's management of plans, organizational changes and other substantial transformations as well as responses to unplanned events and incidents. § 6.4.3.2 ¶ 1 j)
    {internal context}When setting the strategic outcomes and guiding the organizational strategy, the governing body should consider the organization's internal and external context, including: the envisaged time scales of the strategic outcomes and of the organizational strategy; § 6.3.3.1.1 ¶ 2 b)]
    Leadership and high level objectives Process or Activity
    Include acting with integrity in the strategic plan. CC ID 12870
    [At all times, the governing body should act collectively, performing many interrelated activities in order to exercise its authority and fulfil its accountability. Members of the governing body should act with probity and in the best interests of the organization while applying the principles in this document. § 4.3.1 ¶ 3]
    Leadership and high level objectives Establish/Maintain Documentation
    Disseminate and communicate the strategic plan to all interested personnel and affected parties. CC ID 15592
    [To demonstrate accountability, the governing body should ensure that the organization's reports and disclosures: describe the organizational purpose, organizational values, value generation model, organizational strategy and associated governance policies; § 6.5.3.2 ¶ 1 a)]
    Leadership and high level objectives Communicate
    Include the outsource partners in the strategic plan, as necessary. CC ID 13960 Leadership and high level objectives Establish/Maintain Documentation
    Align the cybersecurity program strategy with the organization's strategic plan. CC ID 14322 Leadership and high level objectives Establish/Maintain Documentation
    Establish, implement, and maintain a planning policy. CC ID 14673 Leadership and high level objectives Establish/Maintain Documentation
    Establish, implement, and maintain planning procedures. CC ID 14698 Leadership and high level objectives Establish/Maintain Documentation
    Disseminate and communicate the planning procedures to interested personnel and affected parties. CC ID 14704 Leadership and high level objectives Communicate
    Disseminate and communicate the planning policy to interested personnel and affected parties. CC ID 14691 Leadership and high level objectives Communicate
    Include compliance requirements in the planning policy. CC ID 14688 Leadership and high level objectives Establish/Maintain Documentation
    Include coordination amongst entities in the planning policy. CC ID 14687 Leadership and high level objectives Establish/Maintain Documentation
    Include management commitment in the planning policy. CC ID 14686 Leadership and high level objectives Establish/Maintain Documentation
    Include roles and responsibilities in the planning policy. CC ID 14685 Leadership and high level objectives Establish/Maintain Documentation
    Include the scope in the planning policy. CC ID 14684 Leadership and high level objectives Establish/Maintain Documentation
    Include the purpose in the planning policy. CC ID 14683 Leadership and high level objectives Establish/Maintain Documentation
    Establish, implement, and maintain a security planning policy. CC ID 14027 Leadership and high level objectives Establish/Maintain Documentation
    Include compliance requirements in the security planning policy. CC ID 14131 Leadership and high level objectives Establish/Maintain Documentation
    Include coordination amongst entities in the security planning policy. CC ID 14130 Leadership and high level objectives Establish/Maintain Documentation
    Include management commitment in the security planning policy. CC ID 14129 Leadership and high level objectives Establish/Maintain Documentation
    Include roles and responsibilities in the security planning policy. CC ID 14128 Leadership and high level objectives Establish/Maintain Documentation
    Include the scope in the security planning policy. CC ID 14127 Leadership and high level objectives Establish/Maintain Documentation
    Include the purpose in the security planning policy. CC ID 14126 Leadership and high level objectives Establish/Maintain Documentation
    Disseminate and communicate the security planning policy to interested personnel and affected parties. CC ID 14125 Leadership and high level objectives Communicate
    Establish, implement, and maintain security planning procedures. CC ID 14060 Leadership and high level objectives Establish/Maintain Documentation
    Disseminate and communicate the security planning procedures to interested personnel and affected parties. CC ID 14135 Leadership and high level objectives Communicate
    Establish, implement, and maintain a decision management strategy. CC ID 06913
    [The governing body should ensure that the organization's stakeholders are identified, prioritized, appropriately engaged, consulted and their expectations understood. The governing body should do this to ensure that stakeholder relationships are effective and appropriate decisions about expectations are made to achieve the intended value generation objectives. § 6.6.3 ¶ 1
    The governing body should make decisions of requisite quality and ensure that its decision-making is appropriately informed. The governing body should: § 6.8.3.2.1 ¶ 1
    The governing body should make decisions of requisite quality and ensure that its decision-making is appropriately informed. The governing body should: ensure that there is commitment to support the collective decision, to clearly record it and to act on it; § 6.8.3.2.1 ¶ 1 b)
    The governing body should ensure that decisions are transparent and aligned with broader societal expectations. Table 1 Column 4 Row 11
    Ethical behaviour — The organization behaves in accordance with accepted principles of right or good conduct in the context of a particular situation and in a manner consistent with international norms of behaviour, including demonstrating: competence and probity in the manner in which it makes decisions. § 5 ¶ 2 c) 5)
    The governing body should make decisions of requisite quality and ensure that its decision-making is appropriately informed. The governing body should: maintain an appropriate balance between guiding discussions to a decision and ensuring that every member has the opportunity to express their independent assessment; § 6.8.3.2.1 ¶ 1 a)
    Act with due care, skill, diligence and loyalty, and take reasonable steps to become informed about particular matters for decision-making. Table 2 Column 2 Row 3 Bullet 2
    The governing body should ensure that decisions are transparent and aligned with broader societal expectations. § 6.10.1 ¶ 1
    The governing body should ensure that the organization's value generation model (see 6.2): identifies the key resources (e.g. capitals such as human, social and relational, intellectual, the natural environmental, financial and manufactured), structures, processes, relationships, information, decision-making, reporting and other aspects of the organization that allow it to create sustained value for relevant stakeholders; § 6.11.3.2 ¶ 1 a)
    The governing body should steer the organizational strategy by means of: reserving some decisions for the governing body (those which materially or fundamentally impact the organization as a whole) and delegating others; § 6.3.3.2.2 ¶ 2 e)
    The governing body should steer the organizational strategy by means of: decision-making, specifically, the strategic deployment of resources. § 6.3.3.2.2 ¶ 2 j)
    A process of reconciliation between seemingly opposed dimensions leads to more informed and robust decisions. Reconciling dilemmas requires a deliberate approach that includes: reconciling the perspectives, considering how each position can support the other; § 6.7.3.4 ¶ 2 d)
    {hold accountable}{individual} The governing body should hold to account those to whom it has delegated (see 4.2.2). The governing body should ask questions, exercise its judgement, implement consequences, affect improvements and ensure that it is equipped to do so. When doing so, the governing body should practise integrity, fairness and transparency. § 6.5.3.3 ¶ 1
    Ethical leadership results in an organizational context and culture that: provides competitive differentiation for stakeholders by providing clarity against which evaluators can assess the organization's behaviour, decisions and activities; § 6.7.3.3 ¶ 3 Bullet 4
    The governing body should steer the organizational strategy by means of: monitoring and responding to the behaviour, decisions and activities of the organization, e.g. values-driven behaviours pertaining to sustainability; § 6.3.3.2.2 ¶ 2 b)]
    Leadership and high level objectives Establish/Maintain Documentation
    Align the reporting methodology with the decision management strategy. CC ID 15659 Leadership and high level objectives Business Processes
    Include an economic impact analysis in the decision management strategy. CC ID 14015 Leadership and high level objectives Establish/Maintain Documentation
    Include cost benefit analysis in the decision management strategy. CC ID 14014 Leadership and high level objectives Establish/Maintain Documentation
    Include criteria for compliance in the decision-making criteria. CC ID 12951 Leadership and high level objectives Establish/Maintain Documentation
    Include criteria for risk tolerance in the decision-making criteria. CC ID 12950 Leadership and high level objectives Establish/Maintain Documentation
    Include criteria for selecting objectives and strategies in the decision-making criteria. CC ID 12949
    [The governing body should make decisions of requisite quality and ensure that its decision-making is appropriately informed. The governing body should: ensure that diverse inputs are provided to a rigorous, open and transparent decision-making process and that the results that can be achieved, options for achieving them and their implications are understood. § 6.8.3.2.1 ¶ 1 h)]
    Leadership and high level objectives Establish/Maintain Documentation
    Include criteria for setting priorities in the decision-making criteria. CC ID 12938
    [A process of reconciliation between seemingly opposed dimensions leads to more informed and robust decisions. Reconciling dilemmas requires a deliberate approach that includes: identifying the advantages and disadvantages of each; § 6.7.3.4 ¶ 2 c)]
    Leadership and high level objectives Establish/Maintain Documentation
    Align organizational objectives with compliance objectives in the decision-making criteria. CC ID 12847
    [To ensure that the organization is acting in a socially responsible way, the governing body should: steer the organization such that its decision-making and activities are consistent with the organizational purpose, organizational values and governance policies, including considering how stakeholders can report a breach in behaviour (e.g. via whistleblowing); § 6.10.3 ¶ 1 f)
    When applying the governance principles and deciding how to appropriately implement the practices, the governing body should take into consideration the unique and dynamic nature of the organization and its context, including the following: functional requirements of the organizational governance framework. § 5 ¶ 5 Bullet 7
    The governing body should ensure that: the organizational purpose is core to its governance practices, deliberations and decision-making; § 6.1.3.2 ¶ 2 Bullet 3
    Having defined the organizational values, the governing body should ensure that these organizational values are being demonstrated and are an active part of decision-making. The governing body should use these organizational values to determine the manner in which the organizational purpose is to be pursued and the value generation objectives are to be achieved (see 6.2). The governing body remains responsible for ensuring that the organizational values are monitored and reviewed, and should assess whether the organizational values remain aligned to, and support, the organizational purpose. The effectiveness of the organizational values will be evident in the culture of the organization. § 6.1.3.3 ¶ 2
    Ensure that diversity and inclusion are understood and incorporated into all organizational decision-making by including factors such as gender, age, ethnicity, sexual orientation, education, perspectives, nationality, disability and beliefs. Table 2 Column 2 Row 5 Bullet 1
    The governing body should oversee the organization's management of risk (see 6.4), ensuring that: decision-making behaviours are informed by risk assessment outcomes and are consistent with governance policies; § 6.9.3.4 ¶ 1 g)]
    Leadership and high level objectives Process or Activity
    Align organizational objectives with performance targets in the decision-making criteria. CC ID 12843
    [Ethical and effective leadership is demonstrated when the governing body: sets expectations for the organization using robust decision-making processes (see 6.8.3); § 6.7.3.1 ¶ 3 Bullet 1
    Furthermore, the governing body, and its members, should demonstrate commitment to the organizational purpose and values by leading the organization to fulfil its organizational purpose and behaving in accordance with the organizational values. § 6.1.3.4 ¶ 3]
    Leadership and high level objectives Process or Activity
    Align organizational objectives with the acceptable residual risk in the decision-making criteria. CC ID 12841 Leadership and high level objectives Process or Activity
    Create additional decision-making criteria to achieve organizational objectives, as necessary. CC ID 12948 Leadership and high level objectives Process or Activity
    Involve knowledgeable and experienced individuals in the decision-making process. CC ID 06915
    [The governing body should make decisions of requisite quality and ensure that its decision-making is appropriately informed. The governing body should: § 6.8.3.2.1 ¶ 1
    The governing body should make decisions of requisite quality and ensure that its decision-making is appropriately informed. The governing body should: ensure that diverse inputs are provided to a rigorous, open and transparent decision-making process and that the results that can be achieved, options for achieving them and their implications are understood. § 6.8.3.2.1 ¶ 1 h)
    The governing body should steer the organizational strategy by means of: reserving some decisions for the governing body (those which materially or fundamentally impact the organization as a whole) and delegating others; § 6.3.3.2.2 ¶ 2 e)]
    Leadership and high level objectives Behavior
    Take actions in accordance with the decision-making criteria. CC ID 12909 Leadership and high level objectives Process or Activity
    [The governing body should make decisions of requisite quality and ensure that its decision-making is appropriately informed. The governing body should: ensure that there is commitment to support the collective decision, to clearly record it and to act on it; § 6.8.3.2.1 ¶ 1 b)
    The governing body should make decisions of requisite quality and ensure that its decision-making is appropriately informed. The governing body should: ensure that diverse inputs are provided to a rigorous, open and transparent decision-making process and that the results that can be achieved, options for achieving them and their implications are understood. § 6.8.3.2.1 ¶ 1 h)
    A process of reconciliation between seemingly opposed dimensions leads to more informed and robust decisions. Reconciling dilemmas requires a deliberate approach that includes: mapping an associated action plan. § 6.7.3.4 ¶ 2 e)]
    Document and evaluate the decision outcomes from the decision-making process. CC ID 06918 Leadership and high level objectives Establish/Maintain Documentation
    [The governing body should make decisions of requisite quality and ensure that its decision-making is appropriately informed. The governing body should: ensure that there is commitment to support the collective decision, to clearly record it and to act on it; § 6.8.3.2.1 ¶ 1 b)
    When delegating, the governing body should delegate in a manner which increases trust and transparency. For delegation and accountability (see 6.5) to be effective, the governing body should ensure that the following conditions are fulfilled: expected outcomes are negotiated, specified and agreed; § 4.2.2 ¶ 2 a)]
    Disseminate and communicate the decision management strategy to all interested personnel and affected parties. CC ID 13991 Leadership and high level objectives Communicate
    [Be open about decisions and activities that affect the natural environment, society and the economy, and be willing to communicate these in a clear, accurate, timely, honest and complete manner. Table 2 Column 2 Row 4 Bullet 1]
    Establish, implement, and maintain an information technology process framework. CC ID 13648 Leadership and high level objectives Establish/Maintain Documentation
    Include maturity models in the Information Technology process framework. CC ID 13652 Leadership and high level objectives Establish/Maintain Documentation
    Include relationships between Information Technology process structures in the Information Technology process framework. CC ID 13651 Leadership and high level objectives Establish/Maintain Documentation
    Include Information Technology process structures in the Information Technology process framework. CC ID 13650 Leadership and high level objectives Establish/Maintain Documentation
    Establish, implement, and maintain a tactical plan. CC ID 12785 Leadership and high level objectives Establish/Maintain Documentation
    [The governing body should provide the organization with an understanding of its intentions by setting clear strategic outcomes and guidance on the organizational strategy to achieve these outcomes, which it has determined will fulfil the organizational purpose and value generation objectives. § 6.3.3.1.1 ¶ 1]
    Include acting with integrity in the tactical plan. CC ID 12871 Leadership and high level objectives Establish/Maintain Documentation
    Establish, implement, and maintain a Strategic Information Technology Plan. CC ID 00628 Leadership and high level objectives Establish/Maintain Documentation
    [The governing body should provide direction for, and have sufficient oversight of, the use of data and its supporting information technology to ensure the organization remains within its established risk appetite and organizational risk framework. This can include: § 6.8.3.4 ¶ 2
    The governing body should provide direction for, and have sufficient oversight of, the use of data and its supporting information technology to ensure the organization remains within its established risk appetite and organizational risk framework. This can include: ensuring that human behaviour is considered when applying information technology, including safety, fit for purpose and alignment with the organizational purpose; § 6.8.3.4 ¶ 2 e)
    The governing body should provide direction for, and have sufficient oversight of, the use of data and its supporting information technology to ensure the organization remains within its established risk appetite and organizational risk framework. This can include: innovation processes to ensure that changes in information technology can quickly be assessed and, if necessary and appropriate, governance policies can be updated to leverage new opportunities; § 6.8.3.4 ¶ 2 d)]
    Include the Information Governance Plan in the Strategic Information Technology Plan. CC ID 10053 Leadership and high level objectives Establish/Maintain Documentation
    [The recognition that data can be a strategic asset (or liability) means that the governing body should: acknowledge the complexities and growing importance of data and establish governance policies and direction that aligns with the organization's needs and the degree of change required; § 6.8.3.3 ¶ 1 c)
    The recognition that data can be a strategic asset (or liability) means that the governing body should: ensure that the information requirements of the organization are sufficiently supported by its current and future technology capabilities; § 6.8.3.3 ¶ 1 d)]
    Engage information governance subject matter experts in the development of the Information Governance Plan. CC ID 10055 Leadership and high level objectives Human Resources Management
    Include the transparency goals in the Information Governance Plan. CC ID 10056 Leadership and high level objectives Establish/Maintain Documentation
    Include the information integrity goals in the Information Governance Plan. CC ID 10057 Leadership and high level objectives Establish/Maintain Documentation
    [To demonstrate accountability, the governing body should ensure that the organization's reports and disclosures: give confidence in the integrity of the information used, e.g. describing assurance processes applied (see 6.4); § 6.5.3.2 ¶ 1 e)]
    Include business continuity objectives in the Strategic Information Technology Plan. CC ID 06496 Leadership and high level objectives Establish/Maintain Documentation
    Align business continuity objectives with the business continuity policy. CC ID 12408 Leadership and high level objectives Establish/Maintain Documentation
    Mirror the organization's business strategy during Information Technology planning in the Strategic Information Technology Plan. CC ID 00630 Leadership and high level objectives Business Processes
    [The governing body should provide direction for, and have sufficient oversight of, the use of data and its supporting information technology to ensure the organization remains within its established risk appetite and organizational risk framework. This can include: ensuring that human behaviour is considered when applying information technology, including safety, fit for purpose and alignment with the organizational purpose; § 6.8.3.4 ¶ 2 e)]
    Incorporate protecting restricted information from unauthorized information flow or unauthorized disclosure into the Strategic Information Technology Plan. CC ID 06491 Leadership and high level objectives Establish/Maintain Documentation
    Include the references to the organization's Information Technology systems in the Strategic Information Technology Plan, as necessary. CC ID 13959 Leadership and high level objectives Establish/Maintain Documentation
    Establish, implement, and maintain tactical Information Technology plans in support of the Strategic Information Technology Plan. CC ID 00632 Leadership and high level objectives Establish/Maintain Documentation
    Establish, implement, and maintain tactical Information Technology plans derived from the Strategic Information Technology Plan. CC ID 01609 Leadership and high level objectives Establish/Maintain Documentation
    Document how each Information Technology project plan directly or indirectly supports the Strategic Information Technology Plan. CC ID 06497 Leadership and high level objectives Establish/Maintain Documentation
    Document the business case and return on investment in each Information Technology project plan. CC ID 06846 Leadership and high level objectives Establish/Maintain Documentation
    Escalate for management authorization any proposed projects where effective use of existing resources is overlooked. CC ID 06848 Leadership and high level objectives Business Processes
    Document all desired outcomes for a proposed project in the Information Technology project plan. CC ID 06916 Leadership and high level objectives Establish/Maintain Documentation
    Document the success criteria for the proposed project in the Information Technology project plan. CC ID 06917 Leadership and high level objectives Establish/Maintain Documentation
    Assign senior management to approve business cases. CC ID 13068 Leadership and high level objectives Human Resources Management
    Include milestones for each project phase in the Information Technology project plan. CC ID 12621 Leadership and high level objectives Establish/Maintain Documentation
    Establish, implement, and maintain a counterterror protective security plan. CC ID 06862 Leadership and high level objectives Establish/Maintain Documentation
    Include communications and awareness activities in the counterterror protective security plan. CC ID 06863 Leadership and high level objectives Establish/Maintain Documentation
    Include the protective security measures to implement after a change in the government response level in the counterterror protective security plan. CC ID 06864 Leadership and high level objectives Establish/Maintain Documentation
    Include a search plan in the counterterror protective security plan. CC ID 06865 Leadership and high level objectives Establish/Maintain Documentation
    Include an evacuation plan in the counterterror protective security plan. CC ID 06940 Leadership and high level objectives Establish/Maintain Documentation
    Include a continuity plan in the counterterror protective security plan. CC ID 07031 Leadership and high level objectives Establish/Maintain Documentation
    Establish, implement, and maintain Information Technology projects in support of the Strategic Information Technology Plan. CC ID 13673 Leadership and high level objectives Establish/Maintain Documentation
    Disseminate and communicate the Information Technology Plans to all interested personnel and affected parties. CC ID 00633 Leadership and high level objectives Establish/Maintain Documentation
    Establish and maintain an Information Technology plan status report that covers both Strategic Information Technology Plans and tactical Information Technology plans. CC ID 06839 Leadership and high level objectives Actionable Reports or Measurements
    Include key personnel status changes in the Information Technology Plan status reports. CC ID 06840 Leadership and high level objectives Actionable Reports or Measurements
    Include significant security risks in the Information Technology Plan status reports. CC ID 06939 Leadership and high level objectives Actionable Reports or Measurements
    Include significant risk mitigations in the Information Technology Plan status reports. CC ID 06841 Leadership and high level objectives Actionable Reports or Measurements
    Review and approve the Strategic Information Technology Plan at the level of senior management or the Board of Directors. CC ID 13094 Leadership and high level objectives Human Resources Management
    Establish, implement, and maintain a Governance, Risk, and Compliance awareness and training program. CC ID 06492 Leadership and high level objectives Business Processes
    [Governing body members should continuously improve their competency regarding the organization's activities, legal requirements and, more broadly, the organization's context. This improving capability, together with regular reviews of governance practices, should ensure a continually improving governance environment. § 4.3.2 ¶ 1
    {individual}The governing body should steer the organizational strategy by means of: monitoring, evaluating and developing the capacities and competencies of those to whom the governing body has delegated; § 6.3.3.2.2 ¶ 2 g)]
    Establish and maintain a rapport with business and technical communities throughout the organization to promote the value and importance of Information Security. CC ID 06493 Leadership and high level objectives Behavior
    Establish, implement, and maintain a financial management program. CC ID 13228 Leadership and high level objectives Establish/Maintain Documentation
    [To exercise effective oversight, the governing body should: ensure that an internal control system is implemented, including a risk management system, a compliance management system and a system of financial controls; § 6.4.3.1 ¶ 1 b)
    {be financially sound}The governing body should oversee organizational performance by assessing and taking corrective action based on: the organization's financial results and financial resources, ensuring that the organization remains financially sound; § 6.4.3.2 ¶ 1 f)]
    Establish, implement, and maintain funds transfer procedures. CC ID 16754 Leadership and high level objectives Establish/Maintain Documentation
    Provide required information that is missing from a funds transfer to the responsible party. CC ID 16761 Leadership and high level objectives Communicate
    Return the funds from a funds transfer when required information is not received or discrepancies are not resolved. CC ID 16760 Leadership and high level objectives Business Processes
    Delay the funds transfer until all required information has been received or discrepancies resolved. CC ID 16759 Leadership and high level objectives Business Processes
    Refrain from making funds from a funds transfer available to the interested personnel until all required information is received. CC ID 16758 Leadership and high level objectives Business Processes
    Attach the required information to each funds transfer. CC ID 16756 Leadership and high level objectives Business Processes
    Establish, implement, and maintain protective measures for customers from a bank's insolvency or default. CC ID 16738 Leadership and high level objectives Business Processes
    Test the protective measures for effectiveness to prevent financial impact to responsible parties. CC ID 16750 Leadership and high level objectives Testing
    Include communication protocols in the financial management program. CC ID 16763 Leadership and high level objectives Establish/Maintain Documentation
    Include ongoing monitoring in the financial management program. CC ID 16762 Leadership and high level objectives Process or Activity
    Employ tools to manage settlement and funding flows. CC ID 16743 Leadership and high level objectives Process or Activity
    Refrain from setting up anonymous financial accounts. CC ID 16721 Leadership and high level objectives Business Processes
    Identify and maintain positions in financial accounts. CC ID 16751 Leadership and high level objectives Business Processes
    Establish, implement, and maintain a financial products and services disclosure policy. CC ID 16717 Leadership and high level objectives Establish/Maintain Documentation
    Require acknowledgment of receipt from the customer in the financial products and services disclosure policy. CC ID 16725 Leadership and high level objectives Establish/Maintain Documentation
    Establish, implement, and maintain a subsidiary compliance program. CC ID 16694 Leadership and high level objectives Process or Activity
    Establish, implement, and maintain financial resource management procedures. CC ID 16642 Leadership and high level objectives Establish/Maintain Documentation
    Document the rationale for the amount of financial resources being held. CC ID 16688 Leadership and high level objectives Establish/Maintain Documentation
    Supplement financial resources, as necessary. CC ID 16685 Leadership and high level objectives Business Processes
    Establish, implement, and maintain collateral procedures. CC ID 16653 Leadership and high level objectives Establish/Maintain Documentation
    Include the use of appropriate models in the collateral procedures. CC ID 16687 Leadership and high level objectives Establish/Maintain Documentation
    Define the collateral requirements in the collateral procedures. CC ID 16686 Leadership and high level objectives Establish/Maintain Documentation
    Test the collateral requirements for appropriateness. CC ID 16681 Leadership and high level objectives Testing
    Limit the types of assets accepted as collateral. CC ID 16602 Leadership and high level objectives Business Processes
    Avoid the use of concentrated holdings of assets. CC ID 16651 Leadership and high level objectives Business Processes
    Establish, implement, and maintain stress test plans for financial resources. CC ID 16644 Leadership and high level objectives Testing
    Include stress scenarios in the stress test plan. CC ID 16659 Leadership and high level objectives Testing
    Perform stress testing in accordance with the stress test plan. CC ID 16652 Leadership and high level objectives Testing
    Disseminate and communicate the results of stress testing to interested personnel and affected parties. CC ID 16630 Leadership and high level objectives Communicate
    Identify and document the financial resources available for use. CC ID 16643 Leadership and high level objectives Establish/Maintain Documentation
    Establish, implement, and maintain credit loss procedures. CC ID 16683 Leadership and high level objectives Establish/Maintain Documentation
    Include the allocation of credit losses in the credit loss procedures. CC ID 16684 Leadership and high level objectives Establish/Maintain Documentation
    Establish, implement, and maintain a securities trading program. CC ID 16626 Leadership and high level objectives Business Processes
    Include fairness and equitability standards in the securities trading program. CC ID 16690 Leadership and high level objectives Establish/Maintain Documentation
    Include roles and responsibilities in the securities trading program. CC ID 16689 Leadership and high level objectives Establish/Maintain Documentation
    Establish, implement, and maintain a capital restoration plan. CC ID 16613 Leadership and high level objectives Establish/Maintain Documentation
    Include performance guarantees in the capital restoration plan. CC ID 16616 Leadership and high level objectives Establish/Maintain Documentation
    Include corrective actions taken in the capital restoration plan. CC ID 16612 Leadership and high level objectives Establish/Maintain Documentation
    Include required information in the capital restoration plan. CC ID 16609 Leadership and high level objectives Establish/Maintain Documentation
    Establish, implement, and maintain valuation procedures. CC ID 16634 Leadership and high level objectives Establish/Maintain Documentation
    Include investment information in approval requests for investments. CC ID 16590 Leadership and high level objectives Business Processes
    Establish, implement, and maintain capital withdrawal requirements. CC ID 16576 Leadership and high level objectives Establish/Maintain Documentation
    Establish, implement, and maintain lending policies. CC ID 16608 Leadership and high level objectives Establish/Maintain Documentation
    Align the lending policy with the organization's risk acceptance level. CC ID 16716 Leadership and high level objectives Process or Activity
    Include the requirements for risk assessments in the lending policy. CC ID 16730 Leadership and high level objectives Establish/Maintain Documentation
    Include the requirements for sensitivity analyses in the lending policy. CC ID 16728 Leadership and high level objectives Establish/Maintain Documentation
    Include the requirements for feasibility studies in the lending policy. CC ID 16726 Leadership and high level objectives Establish/Maintain Documentation
    Include pricing structures in the lending policy. CC ID 16724 Leadership and high level objectives Establish/Maintain Documentation
    Include monitoring requirements in the lending policy. CC ID 16710 Leadership and high level objectives Establish/Maintain Documentation
    Include loan origination procedures in the lending policy. CC ID 16709 Leadership and high level objectives Establish/Maintain Documentation
    Include review procedures and approval procedures for exception loans in the lending policy. CC ID 16708 Leadership and high level objectives Establish/Maintain Documentation
    Include loan requirements in the lending policy. CC ID 16706 Leadership and high level objectives Establish/Maintain Documentation
    Include appraisals and evaluations in the lending policy. CC ID 16705 Leadership and high level objectives Establish/Maintain Documentation
    Include terms and conditions in the lending policy. CC ID 16695 Leadership and high level objectives Establish/Maintain Documentation
    Include the scope and distribution of loans in the lending policy. CC ID 16693 Leadership and high level objectives Establish/Maintain Documentation
    Include geographic areas in the lending policy. CC ID 16691 Leadership and high level objectives Establish/Maintain Documentation
    Include underwriting guidelines in the lending policy. CC ID 16619 Leadership and high level objectives Establish/Maintain Documentation
    Include credit review in the underwriting guidelines. CC ID 16765 Leadership and high level objectives Establish/Maintain Documentation
    Include loan-to-value ratio limits in the lending policy. CC ID 16618 Leadership and high level objectives Establish/Maintain Documentation
    Include documentation requirements in the lending policy. CC ID 16617 Leadership and high level objectives Establish/Maintain Documentation
    Include the purpose of the loan in the loan documentation. CC ID 16747 Leadership and high level objectives Establish/Maintain Documentation
    Include the source of repayment in the loan documentation. CC ID 16746 Leadership and high level objectives Establish/Maintain Documentation
    Include approval requirements in the lending policy. CC ID 16615 Leadership and high level objectives Establish/Maintain Documentation
    Include reporting requirements in the lending policy. CC ID 16614 Leadership and high level objectives Establish/Maintain Documentation
    Include loan portfolio diversification standards in the lending policy. CC ID 16611 Leadership and high level objectives Establish/Maintain Documentation
    Include loan administration procedures in the lending policy. CC ID 16610 Leadership and high level objectives Establish/Maintain Documentation
    Include loan participation agreements in the loan administration procedures. CC ID 16745 Leadership and high level objectives Establish/Maintain Documentation
    Include termination procedures in the loan participation agreement. CC ID 16753 Leadership and high level objectives Establish/Maintain Documentation
    Justify the safety and efficiency of the participation requirements in the loan participation agreement. CC ID 16752 Leadership and high level objectives Establish/Maintain Documentation
    Include servicing agreements in the loan administration procedures. CC ID 16744 Leadership and high level objectives Establish/Maintain Documentation
    Include claims processing in the loan administration procedures. CC ID 16742 Leadership and high level objectives Establish/Maintain Documentation
    Include forbearance management in the loan administration procedures. CC ID 16741 Leadership and high level objectives Establish/Maintain Documentation
    Include foreclosure management in the loan administration procedures. CC ID 16740 Leadership and high level objectives Establish/Maintain Documentation
    Include delinquency management in the loan administration procedures. CC ID 16739 Leadership and high level objectives Establish/Maintain Documentation
    Include customer due diligence in the loan administration procedures. CC ID 16736 Leadership and high level objectives Process or Activity
    Include the requirements for financial statements in the loan administration procedures. CC ID 16735 Leadership and high level objectives Establish/Maintain Documentation
    Include loan closing in the loan administration procedures. CC ID 16734 Leadership and high level objectives Establish/Maintain Documentation
    Include payoff statements in the loan administration procedures. CC ID 16733 Leadership and high level objectives Establish/Maintain Documentation
    Include payment processing in the loan administration procedures. CC ID 16732 Leadership and high level objectives Establish/Maintain Documentation
    Include loan reviews in the loan administration procedures. CC ID 16703 Leadership and high level objectives Establish/Maintain Documentation
    Include collections in the loan administration procedures. CC ID 16701 Leadership and high level objectives Establish/Maintain Documentation
    Include collateral inspections in the loan administration procedures. CC ID 16699 Leadership and high level objectives Establish/Maintain Documentation
    Include disbursements in the loan administration procedures. CC ID 16697 Leadership and high level objectives Establish/Maintain Documentation
    Review and approve lending policies. CC ID 16607 Leadership and high level objectives Business Processes
    Establish, implement, and maintain a dividend policy. CC ID 16569 Leadership and high level objectives Establish/Maintain Documentation
    Include compliance requirements in the dividend policy. CC ID 16570 Leadership and high level objectives Establish/Maintain Documentation
    Establish, implement, and maintain margin systems. CC ID 16601 Leadership and high level objectives Business Processes
    Include valuation models in the margin system. CC ID 16663 Leadership and high level objectives Data and Information Management
    Include procedures for collecting price data in the margin system. CC ID 16662 Leadership and high level objectives Data and Information Management
    Include reliable sources for price data in the margin system. CC ID 16661 Leadership and high level objectives Data and Information Management
    Establish, implement, and maintain capital adequacy measures. CC ID 16568 Leadership and high level objectives Business Processes
    Establish, implement, and maintain escrow procedures for financial transactions. CC ID 16564 Leadership and high level objectives Establish/Maintain Documentation
    Disseminate and communicate the escrow procedures to interested personnel and affected parties. CC ID 16565 Leadership and high level objectives Communicate
    Establish, implement, and maintain a Capital Planning and Investment Control policy. CC ID 06279 Leadership and high level objectives Establish/Maintain Documentation
    [The governing body should oversee organizational performance by assessing and taking corrective action based on: the organization's responsible (which includes ethical) use of, and adequate investment in, technology including, for example, artificial intelligence and cyber security; § 6.4.3.2 ¶ 1 i)]
    Include risk management in the Capital Planning and Investment Control policy. CC ID 16764 Leadership and high level objectives Establish/Maintain Documentation
    Include debt rating requirements in the Capital Planning and Investment Control policy. CC ID 16692 Leadership and high level objectives Establish/Maintain Documentation
    Include divestiture requirements in the Capital Planning and Investment Control policy. CC ID 16591 Leadership and high level objectives Establish/Maintain Documentation
    Establish, implement, and maintain a recordkeeping system for securities transactions. CC ID 16631 Leadership and high level objectives Establish/Maintain Documentation
    Include order tickets in the recordkeeping system for securities transactions. CC ID 16640 Leadership and high level objectives Data and Information Management
    Include receipts and deliveries of securities in the recordkeeping system for securities transactions. CC ID 16650 Leadership and high level objectives Data and Information Management
    Include debits and credits in the recordkeeping system for securities transactions. CC ID 16639 Leadership and high level objectives Data and Information Management
    Include a description of the transaction in the recordkeeping system for securities transactions. CC ID 16645 Leadership and high level objectives Data and Information Management
    Include chronological records of transactions in the recordkeeping system for securities transactions. CC ID 16638 Leadership and high level objectives Data and Information Management
    Include the name of the dealer in the recordkeeping system for securities transactions. CC ID 16637 Leadership and high level objectives Data and Information Management
    Include the execution price in the recordkeeping system for securities transactions. CC ID 16636 Leadership and high level objectives Data and Information Management
    Include the date and time of the transaction in the recordkeeping system for securities transactions. CC ID 16635 Leadership and high level objectives Data and Information Management
    Include the type of transaction in the recordkeeping system for securities transactions. CC ID 16633 Leadership and high level objectives Data and Information Management
    Include account information in the recordkeeping system for securities transactions. CC ID 16632 Leadership and high level objectives Data and Information Management
    Establish, implement, and maintain securities transaction notifications. CC ID 16600 Leadership and high level objectives Establish/Maintain Documentation
    Include the call date in the securities transaction notification. CC ID 16680 Leadership and high level objectives Establish/Maintain Documentation
    Include service charges and commissions in the securities transaction notification. CC ID 16702 Leadership and high level objectives Establish/Maintain Documentation
    Include the funds and securities in the possession of the organization in the securities transaction notification. CC ID 16679 Leadership and high level objectives Establish/Maintain Documentation
    Include the call price in the securities transaction notification. CC ID 16678 Leadership and high level objectives Establish/Maintain Documentation
    Include debits and credits in the securities transaction notification. CC ID 16677 Leadership and high level objectives Establish/Maintain Documentation
    Include transactions in the securities transaction notification. CC ID 16676 Leadership and high level objectives Establish/Maintain Documentation
    Include the credit rating of securities in the securities transaction notification. CC ID 16674 Leadership and high level objectives Establish/Maintain Documentation
    Include yield information in the securities transaction notification. CC ID 16673 Leadership and high level objectives Establish/Maintain Documentation
    Include redemption information in the securities transaction notification. CC ID 16672 Leadership and high level objectives Establish/Maintain Documentation
    Include the price calculated from the yield in the securities transaction notification. CC ID 16669 Leadership and high level objectives Establish/Maintain Documentation
    Include the type of call in the securities transaction notification. CC ID 16668 Leadership and high level objectives Establish/Maintain Documentation
    Include an account statement in the securities transaction notification. CC ID 16666 Leadership and high level objectives Establish/Maintain Documentation
    Include the yield to maturity in the securities transaction notification. CC ID 16665 Leadership and high level objectives Establish/Maintain Documentation
    Include the execution price in the securities transaction notification. CC ID 16664 Leadership and high level objectives Establish/Maintain Documentation
    Include the organization's role in the securities transaction notification. CC ID 16646 Leadership and high level objectives Establish/Maintain Documentation
    Include the name of the broker in the securities transaction notification. CC ID 16647 Leadership and high level objectives Establish/Maintain Documentation
    Include the name of the customer in the securities transaction notification. CC ID 16625 Leadership and high level objectives Establish/Maintain Documentation
    Include the organization's name in the securities transaction notification. CC ID 16624 Leadership and high level objectives Establish/Maintain Documentation
    Include confirmations in the securities transaction notification. CC ID 16623 Leadership and high level objectives Establish/Maintain Documentation
    Include remunerations in the securities transaction notification. CC ID 16622 Leadership and high level objectives Establish/Maintain Documentation
    Include requested information in the securities transaction notification. CC ID 16641 Leadership and high level objectives Establish/Maintain Documentation
    Disseminate and communicate securities transaction notifications to interested personnel and affected parties. CC ID 16621 Leadership and high level objectives Communicate
    Include the execution date in the securities transaction notification. CC ID 16620 Leadership and high level objectives Establish/Maintain Documentation
    Establish, implement, and maintain financial reports. CC ID 14770
    [The governing body should demonstrate accountability by retaining and distributing value in a transparent manner and reporting on the associated processes, decisions and results, including on the extent of the organization's impacts over time. This includes disclosing to relevant stakeholders where the organization has destroyed or compromised value, providing a justification for such where appropriate, and describing how it will redress or reinstate that value. § 6.2.3.5 ¶ 2]
    Leadership and high level objectives Establish/Maintain Documentation
    Structure financial reports in accordance with external requirements, as necessary. CC ID 14776 Leadership and high level objectives Establish/Maintain Documentation
    Include the report of independent Certified Public Accountants in the financial report. CC ID 14779 Leadership and high level objectives Establish/Maintain Documentation
    Include the business need justification for lost value in the financial report. CC ID 15588
    [The governing body should demonstrate accountability by retaining and distributing value in a transparent manner and reporting on the associated processes, decisions and results, including on the extent of the organization's impacts over time. This includes disclosing to relevant stakeholders where the organization has destroyed or compromised value, providing a justification for such where appropriate, and describing how it will redress or reinstate that value. § 6.2.3.5 ¶ 2]
    Leadership and high level objectives Establish/Maintain Documentation
    Disseminate and communicate the financial report to interested personnel and affected parties. CC ID 16342 Leadership and high level objectives Communicate
    Include financial statements in the financial report, as necessary. CC ID 14775 Leadership and high level objectives Establish/Maintain Documentation
    Include capital deductions and adjustments in the financial statement. CC ID 16667 Leadership and high level objectives Establish/Maintain Documentation
    Include earnings per share or loss per share in the financial statement. CC ID 16597 Leadership and high level objectives Establish/Maintain Documentation
    Include material contingencies in the financial statement. CC ID 16596 Leadership and high level objectives Establish/Maintain Documentation
    Include notes to financial statements in the financial report, as necessary. CC ID 14780 Leadership and high level objectives Establish/Maintain Documentation
    Include information on loans to small businesses and small farms in the call report. CC ID 16731 Leadership and high level objectives Establish/Maintain Documentation
    Include assets and liabilities in the call report. CC ID 16729 Leadership and high level objectives Establish/Maintain Documentation
    Disseminate and communicate the call report to interested personnel and affected parties. CC ID 16727 Leadership and high level objectives Communicate
    Monitor all outbound traffic from all systems. CC ID 12970 Monitoring and measurement Monitor and Evaluate Occurrences
    Establish, implement, and maintain intrusion management operations. CC ID 00580 Monitoring and measurement Monitor and Evaluate Occurrences
    Monitor systems for unauthorized data transfers. CC ID 12971 Monitoring and measurement Monitor and Evaluate Occurrences
    Address operational anomalies within the incident management system. CC ID 11633 Monitoring and measurement Audits and Risk Management
    Incorporate an Identity Theft Prevention Program into the organization's incident management system. CC ID 11634 Monitoring and measurement Audits and Risk Management
    Monitor systems for unauthorized mobile code. CC ID 10034 Monitoring and measurement Monitor and Evaluate Occurrences
    Establish, implement, and maintain a risk monitoring program. CC ID 00658
    [The governing body should ensure that the value generation objectives are delivered by the organization as a whole, by applying all other principles in this document. This includes ensuring that: the impacts of the organization's changing context are identified, understood, monitored and appropriate action is taken; § 6.2.3.4 ¶ 1 b)
    To ensure that the organization fulfils the organizational purpose and achieves the intended strategic outcomes, the governing body should: ensure that when the governing body makes decisions, it assesses, treats, monitors, and communicates the nature and extent of the risks faced; § 6.9.3.1 ¶ 2 b)
    The governing body should oversee the organization's management of risk (see 6.4), ensuring that: the organization assesses, treats, monitors and reviews risk in accordance with the established organizational risk framework; § 6.9.3.4 ¶ 1 d)
    The governing body should ensure that the value generation objectives are delivered by the organization as a whole, by applying all other principles in this document. This includes ensuring that: unintended outcomes are adequately identified, understood, monitored and appropriate action taken; § 6.2.3.4 ¶ 1 a)]
    Monitoring and measurement Establish/Maintain Documentation
    Monitor the organization's exposure to threats, as necessary. CC ID 06494 Monitoring and measurement Monitor and Evaluate Occurrences
    Implement a fraud detection system. CC ID 13081 Monitoring and measurement Business Processes
    Monitor for new vulnerabilities. CC ID 06843 Monitoring and measurement Monitor and Evaluate Occurrences
    Establish, implement, and maintain a compliance testing strategy. CC ID 00659 Monitoring and measurement Establish/Maintain Documentation
    Establish, implement, and maintain a self-assessment approach as part of the compliance testing strategy. CC ID 12833 Monitoring and measurement Testing
    Establish, implement, and maintain a system security plan. CC ID 01922
    [{environmental system}{social system} The governing body should ensure that the organization protects and restores those systems on which it depends. In this regard, the governing body should consider and manage risk associated with those decisions it makes that can impact the natural environmental, social and economic systems (see 6.9). While doing so, the governing body should ensure that relevant stakeholders are consulted and engaged (see 6.6). This should provide clarity regarding the impact the governing body's decisions have, over time, on those aspects on which the organization is: § 6.11.3.4 ¶ 1]
    Monitoring and measurement Testing
    Include a system description in the system security plan. CC ID 16467 Monitoring and measurement Establish/Maintain Documentation
    Include a description of the operational context in the system security plan. CC ID 14301 Monitoring and measurement Establish/Maintain Documentation
    Include the results of the security categorization in the system security plan. CC ID 14281 Monitoring and measurement Establish/Maintain Documentation
    Include the information types in the system security plan. CC ID 14696 Monitoring and measurement Establish/Maintain Documentation
    Include the security requirements in the system security plan. CC ID 14274 Monitoring and measurement Establish/Maintain Documentation
    Include threats in the system security plan. CC ID 14693 Monitoring and measurement Establish/Maintain Documentation
    Include network diagrams in the system security plan. CC ID 14273 Monitoring and measurement Establish/Maintain Documentation
    Include roles and responsibilities in the system security plan. CC ID 14682 Monitoring and measurement Establish/Maintain Documentation
    Include the results of the privacy risk assessment in the system security plan. CC ID 14676 Monitoring and measurement Establish/Maintain Documentation
    Include remote access methods in the system security plan. CC ID 16441 Monitoring and measurement Establish/Maintain Documentation
    Disseminate and communicate the system security plan to interested personnel and affected parties. CC ID 14275 Monitoring and measurement Communicate
    Include a description of the operational environment in the system security plan. CC ID 14272 Monitoring and measurement Establish/Maintain Documentation
    Include the security categorizations and rationale in the system security plan. CC ID 14270 Monitoring and measurement Establish/Maintain Documentation
    Include the authorization boundary in the system security plan. CC ID 14257 Monitoring and measurement Establish/Maintain Documentation
    Align the enterprise architecture with the system security plan. CC ID 14255 Monitoring and measurement Process or Activity
    Include security controls in the system security plan. CC ID 14239 Monitoring and measurement Establish/Maintain Documentation
    Create specific test plans to test each system component. CC ID 00661 Monitoring and measurement Establish/Maintain Documentation
    Include the roles and responsibilities in the test plan. CC ID 14299 Monitoring and measurement Establish/Maintain Documentation
    Include the assessment team in the test plan. CC ID 14297 Monitoring and measurement Establish/Maintain Documentation
    Include the scope in the test plans. CC ID 14293 Monitoring and measurement Establish/Maintain Documentation
    Include the assessment environment in the test plan. CC ID 14271 Monitoring and measurement Establish/Maintain Documentation
    Approve the system security plan. CC ID 14241 Monitoring and measurement Business Processes
    Review the test plans for each system component. CC ID 00662 Monitoring and measurement Establish/Maintain Documentation
    Document validated testing processes in the testing procedures. CC ID 06200 Monitoring and measurement Establish/Maintain Documentation
    Include error details, identifying the root causes, and mitigation actions in the testing procedures. CC ID 11827 Monitoring and measurement Establish/Maintain Documentation
    Determine the appropriate assessment method for each testing process in the test plan. CC ID 00665 Monitoring and measurement Testing
    Implement automated audit tools. CC ID 04882 Monitoring and measurement Acquisition/Sale of Assets or Services
    Assign senior management to approve test plans. CC ID 13071 Monitoring and measurement Human Resources Management
    Establish, implement, and maintain a compliance monitoring policy. CC ID 00671
    [Governance of organizations is a human-based system by which an organization is directed, overseen and held accountable for achieving its defined organizational purpose. At its core this includes: overseeing that the organization performs and behaves according to the expectations set by the governing body; § 4.1 ¶ 3 d)]
    Monitoring and measurement Establish/Maintain Documentation
    Establish, implement, and maintain a metrics policy. CC ID 01654
    [The governing body should: set an expectation of the appropriate quality and quantity of measurement and timeliness of delivery when establishing objectives; § 4.3.2 ¶ 2 c)]
    Monitoring and measurement Establish/Maintain Documentation
    Establish, implement, and maintain an approach for compliance monitoring. CC ID 01653
    [Decision-making throughout the organization should be supported by appropriate delegation (see 4.2.2). This delegation should be formalized together with appropriate assurance processes. Additionally, the governing body should ensure that: information structures, including access to information, monitoring and potential mitigation of incorrect decisions are sufficient to ensure compliance with organizational requirements. § 6.8.3.2.2 ¶ 1 c)]
    Monitoring and measurement Establish/Maintain Documentation
    Establish, implement, and maintain risk management metrics. CC ID 01656 Monitoring and measurement Establish/Maintain Documentation
    Identify information being used to support the performance of the governance, risk, and compliance capability. CC ID 12866 Monitoring and measurement Business Processes
    Identify information being used to support performance reviews for risk optimization. CC ID 12865 Monitoring and measurement Audits and Risk Management
    Identify and document instances of non-compliance with the compliance framework. CC ID 06499
    [Recognize failures and mistakes and take appropriate action. Table 2 Column 2 Row 2 Bullet 5]
    Monitoring and measurement Establish/Maintain Documentation
    Identify and document events surrounding non-compliance with the organizational compliance framework. CC ID 12935 Monitoring and measurement Establish/Maintain Documentation
    Align disciplinary actions with the level of compliance violation. CC ID 12404 Monitoring and measurement Human Resources Management
    Establish, implement, and maintain disciplinary action notices. CC ID 16577 Monitoring and measurement Establish/Maintain Documentation
    Include a copy of the order in the disciplinary action notice. CC ID 16606 Monitoring and measurement Establish/Maintain Documentation
    Include the sanctions imposed in the disciplinary action notice. CC ID 16599 Monitoring and measurement Establish/Maintain Documentation
    Include the effective date of the sanctions in the disciplinary action notice. CC ID 16589 Monitoring and measurement Establish/Maintain Documentation
    Include the requirements that were violated in the disciplinary action notice. CC ID 16588 Monitoring and measurement Establish/Maintain Documentation
    Include responses to charges from interested personnel and affected parties in the disciplinary action notice. CC ID 16587 Monitoring and measurement Establish/Maintain Documentation
    Include the reasons for imposing sanctions in the disciplinary action notice. CC ID 16586 Monitoring and measurement Establish/Maintain Documentation
    Disseminate and communicate the disciplinary action notice to interested personnel and affected parties. CC ID 16585 Monitoring and measurement Communicate
    Include required information in the disciplinary action notice. CC ID 16584 Monitoring and measurement Establish/Maintain Documentation
    Include a justification for actions taken in the disciplinary action notice. CC ID 16583 Monitoring and measurement Establish/Maintain Documentation
    Include a statement on the conclusions of the investigation in the disciplinary action notice. CC ID 16582 Monitoring and measurement Establish/Maintain Documentation
    Include the investigation results in the disciplinary action notice. CC ID 16581 Monitoring and measurement Establish/Maintain Documentation
    Include a description of the causes of the actions taken in the disciplinary action notice. CC ID 16580 Monitoring and measurement Establish/Maintain Documentation
    Include the name of the person responsible for the charges in the disciplinary action notice. CC ID 16579 Monitoring and measurement Establish/Maintain Documentation
    Include contact information in the disciplinary action notice. CC ID 16578 Monitoring and measurement Establish/Maintain Documentation
    Establish, implement, and maintain compliance program metrics. CC ID 11625 Monitoring and measurement Monitor and Evaluate Occurrences
    Establish, implement, and maintain a security program metrics program. CC ID 01660 Monitoring and measurement Establish/Maintain Documentation
    Establish, implement, and maintain a key management roles metrics standard. CC ID 11631
    [To demonstrate accountability, the governing body should ensure that the organization's reports and disclosures: provide information about the governing body itself, including: decisions, actions, performance and improvements; § 6.5.3.2 ¶ 1 b) 1)]
    Monitoring and measurement Establish/Maintain Documentation
    Establish, implement, and maintain a key stakeholder metrics program. CC ID 01661
    [{individual} To demonstrate accountability, the governing body should ensure that the organization's reports and disclosures: provide information about the organization, including: those who can influence the decisions of the governing body (such as member stakeholders, reference stakeholders and other stakeholders who can exert a controlling influence) and the nature and level of influence; § 6.5.3.2 ¶ 1 c) 4)
    The governing body should oversee organizational performance by assessing and taking corrective action based on: managerial reporting and performance, ensuring that it appraises results against applicable measurement criteria and its intentions and expectations (see 6.3.3); § 6.4.3.2 ¶ 1 b)]
    Monitoring and measurement Establish/Maintain Documentation
    Establish, implement, and maintain a supply chain member metrics program. CC ID 01662 Monitoring and measurement Establish/Maintain Documentation
    Report on the Service Level Agreement performance of supply chain members. CC ID 06838 Monitoring and measurement Actionable Reports or Measurements
    Establish, implement, and maintain a Business Continuity metrics program. CC ID 01663 Monitoring and measurement Establish/Maintain Documentation
    Establish, implement, and maintain an audit metrics program. CC ID 01664 Monitoring and measurement Establish/Maintain Documentation
    Establish, implement, and maintain an Information Security metrics program. CC ID 01665 Monitoring and measurement Establish/Maintain Documentation
    Establish, implement, and maintain a metrics standard and template. CC ID 02157
    [The governing body should ensure that it sets parameters, within which the value generation objectives are to be achieved. These parameters should ensure that the organization: § 6.2.3.3 ¶ 1
    The governing body should steer the organizational strategy by means of: targets, key performance indicators (KPIs) and associated incentives, including financial remuneration (see 6.4.3); § 6.3.3.2.2 ¶ 2 i)
    Within the governing body: The governing body should set expectations for itself and the organization, including parameters within which these expectations are to be fulfilled. The governing body should fulfil these expectations (internal alignment). § 6.7.3.2 ¶ 1 a)]
    Monitoring and measurement Establish/Maintain Documentation
    Monitor compliance with the Quality Control system. CC ID 01023 Monitoring and measurement Actionable Reports or Measurements
    Report on the percentage of complaints received about products or delivered services. CC ID 07199 Monitoring and measurement Actionable Reports or Measurements
    Report on the percentage of Quality Assurance attained by Quality Improvement practices. CC ID 07202 Monitoring and measurement Actionable Reports or Measurements
    Establish, implement, and maintain occupational health and safety management metrics program. CC ID 15915 Monitoring and measurement Establish/Maintain Documentation
    Establish, implement, and maintain a policies and controls metrics program. CC ID 01666 Monitoring and measurement Establish/Maintain Documentation
    Establish, implement, and maintain a security roles and responsibilities metrics program. CC ID 01667 Monitoring and measurement Establish/Maintain Documentation
    Establish, implement, and maintain a role-based information access metrics program. CC ID 01668 Monitoring and measurement Establish/Maintain Documentation
    Establish, implement, and maintain an information risk threshold metrics program. CC ID 01694 Monitoring and measurement Establish/Maintain Documentation
    Monitor the supply chain for Information Assurance effectiveness. CC ID 02043 Monitoring and measurement Establish/Maintain Documentation
    Establish, implement, and maintain an identification and classification of information assets metrics program. CC ID 02052 Monitoring and measurement Business Processes
    Establish, implement, and maintain an Information Systems architecture metrics program. CC ID 02059 Monitoring and measurement Business Processes
    Establish, implement, and maintain a physical environment metrics program. CC ID 02063 Monitoring and measurement Business Processes
    Establish, implement, and maintain a privacy metrics program. CC ID 15494 Monitoring and measurement Establish/Maintain Documentation
    Establish, implement, and maintain environmental management system performance metrics. CC ID 15191 Monitoring and measurement Actionable Reports or Measurements
    Establish, implement, and maintain waste management metrics. CC ID 16152 Monitoring and measurement Actionable Reports or Measurements
    Establish, implement, and maintain emissions management metrics. CC ID 16145 Monitoring and measurement Actionable Reports or Measurements
    Establish, implement, and maintain financial management metrics. CC ID 16749 Monitoring and measurement Actionable Reports or Measurements
    Establish, implement, and maintain a technical measurement metrics policy. CC ID 01655 Monitoring and measurement Establish/Maintain Documentation
    Establish, implement, and maintain a user identification and authentication metrics program. CC ID 02073 Monitoring and measurement Business Processes
    Establish, implement, and maintain a user account management metrics program. CC ID 02075 Monitoring and measurement Business Processes
    Establish, implement, and maintain a user and administrator privilege management metrics program. CC ID 02076 Monitoring and measurement Actionable Reports or Measurements
    Establish, implement, and maintain a Configuration Management metrics program. CC ID 02077 Monitoring and measurement Business Processes
    Establish, implement, and maintain a Security Information and Event Management metrics program. CC ID 02078 Monitoring and measurement Log Management
    Establish, implement, and maintain a communications, e-mail, and remote access security management metrics program. CC ID 02079 Monitoring and measurement Business Processes
    Establish, implement, and maintain a malicious code protection management metrics program. CC ID 02080 Monitoring and measurement Business Processes
    Establish, implement, and maintain a software change management metrics program. CC ID 02081 Monitoring and measurement Business Processes
    Establish, implement, and maintain a network management and firewall management metrics program. CC ID 02082 Monitoring and measurement Business Processes
    Establish, implement, and maintain a data encryption management metrics program. CC ID 02083 Monitoring and measurement Business Processes
    Establish, implement, and maintain a backup management and recovery management metrics program. CC ID 02084 Monitoring and measurement Business Processes
    Establish, implement, and maintain an incident management and vulnerability management metrics program. CC ID 02085 Monitoring and measurement Business Processes
    Delay the reporting of incident management metrics, as necessary. CC ID 15501 Monitoring and measurement Communicate
    Establish, implement, and maintain an Electronic Health Records measurement metrics program. CC ID 06221 Monitoring and measurement Establish/Maintain Documentation
    Report on the percentage of unique patients who had at least one medication entered using the Computerized Provider Order Entry system. CC ID 06222 Monitoring and measurement Actionable Reports or Measurements
    Report on the percentage of unique patients who have diagnoses recorded as structured data into the current and active diagnoses problem list. CC ID 06223 Monitoring and measurement Actionable Reports or Measurements
    Report on the percentage of permissible prescriptions that are transmitted electronically. CC ID 06224 Monitoring and measurement Actionable Reports or Measurements
    Report on the percentage of unique patients who have at least one entry recorded as structured data into the active medication list. CC ID 06225 Monitoring and measurement Actionable Reports or Measurements
    Report on the percentage of unique patients who have at least one entry recorded as structured data into the active medication allergy list. CC ID 06226 Monitoring and measurement Actionable Reports or Measurements
    Report on the percentage of unique patients who have demographics recorded as structured data. CC ID 06227 Monitoring and measurement Actionable Reports or Measurements
    Report on the percentage of unique patients over the age of 2 who have their height, weight, and blood pressure recorded as structured data. CC ID 06228 Monitoring and measurement Actionable Reports or Measurements
    Report on the percentage of unique patients over the age of 13 who have their smoking status recorded as structured data. CC ID 06229 Monitoring and measurement Actionable Reports or Measurements
    Report on the percentage of patients who are given an electronic copy of their Individually Identifiable Health Information not later than three business days after Individually Identifiable Health Information is requested. CC ID 06230 Monitoring and measurement Actionable Reports or Measurements
    Report on the percentage of patients who are given clinical summaries not later than three business days after a physician office visit. CC ID 06231 Monitoring and measurement Actionable Reports or Measurements
    Report on the percentage of lab test results that are incorporated into the Electronic Health Records as structured data. CC ID 06232 Monitoring and measurement Actionable Reports or Measurements
    Report on the percentage of patients sixty-five years of age or older or five years of age or younger who were sent a reminder. CC ID 06233 Monitoring and measurement Actionable Reports or Measurements
    Report on the percentage of unique patients who are given electronic access to their Individually Identifiable Health Information not later than four business days after their Individually Identifiable Health Information is updated. CC ID 06234 Monitoring and measurement Actionable Reports or Measurements
    Report on the percentage of unique patients who are given patient-specific education resources. CC ID 06235 Monitoring and measurement Actionable Reports or Measurements
    Report on the percentage of medication reconciliations that are performed if a patient is received from another setting or healthcare provider. CC ID 06236 Monitoring and measurement Actionable Reports or Measurements
    Report on the percentage of summary of care records that are provided for transitions of care or referrals for patients who are transitioned or referred to another setting or healthcare provider. CC ID 06237 Monitoring and measurement Actionable Reports or Measurements
    Report on the percentage of patients who receive their discharge instructions if discharge instructions are requested. CC ID 06238 Monitoring and measurement Actionable Reports or Measurements
    Report on the percentage of patients 65 years of age or older who have an indication of advance directive status recorded as structured data. CC ID 06239 Monitoring and measurement Actionable Reports or Measurements
    Establish, implement, and maintain a log management program. CC ID 00673 Monitoring and measurement Establish/Maintain Documentation
    Deploy log normalization tools, as necessary. CC ID 12141 Monitoring and measurement Technical Security
    Restrict access to logs to authorized individuals. CC ID 01342 Monitoring and measurement Log Management
    Restrict access to audit trails to a need to know basis. CC ID 11641 Monitoring and measurement Technical Security
    Refrain from recording unnecessary restricted data in logs. CC ID 06318 Monitoring and measurement Log Management
    Back up audit trails according to backup procedures. CC ID 11642 Monitoring and measurement Systems Continuity
    Back up logs according to backup procedures. CC ID 01344 Monitoring and measurement Log Management
    Copy logs from all predefined hosts onto a log management infrastructure. CC ID 01346 Monitoring and measurement Log Management
    Identify hosts with logs that are not being stored. CC ID 06314 Monitoring and measurement Log Management
    Identify hosts with logs that are being stored at the system level only. CC ID 06315 Monitoring and measurement Log Management
    Identify hosts with logs that should be stored at both the system level and the infrastructure level. CC ID 06316 Monitoring and measurement Log Management
    Identify hosts with logs that are being stored at the infrastructure level only. CC ID 06317 Monitoring and measurement Log Management
    Protect logs from unauthorized activity. CC ID 01345 Monitoring and measurement Log Management
    Perform testing and validating activities on all logs. CC ID 06322 Monitoring and measurement Log Management
    Archive the audit trail in accordance with compliance requirements. CC ID 00674 Monitoring and measurement Log Management
    Enforce dual authorization as a part of information flow control for logs. CC ID 10098 Monitoring and measurement Configuration
    Preserve the identity of individuals in audit trails. CC ID 10594 Monitoring and measurement Log Management
    Establish, implement, and maintain a cross-organizational audit sharing agreement. CC ID 10595 Monitoring and measurement Establish/Maintain Documentation
    Provide cross-organizational audit information based on the cross-organizational audit sharing agreement. CC ID 10596 Monitoring and measurement Audits and Risk Management
    Monitor the performance of the governance, risk, and compliance capability. CC ID 12857
    [To exercise effective oversight, the governing body should: assure itself of the accuracy of reports and evidence it receives, and the effectiveness of the internal control system. § 6.4.3.1 ¶ 1 d)
    The governing body should oversee organizational performance by assessing and taking corrective action based on: whether the organizational values and governance policies are effectively guiding the organization, its culture and its ethical behaviour; § 6.4.3.2 ¶ 1 a)
    The governing body should oversee organizational performance by assessing and taking corrective action based on: compliance (e.g. information received directly from the compliance function) regarding the organization's compliance culture and the meeting of its compliance obligations; § 6.4.3.2 ¶ 1 d)
    Assurance processes that inform the governing body independently and accurately include: direct reports by, and private sessions with, internal audit as an independent provider of assurance, including insight and advice, on the effectiveness and performance of governance processes and the internal control system, in particular risk management and compliance management; § 6.4.3.3 ¶ 2 Bullet 3
    To ensure that the organization is acting in a socially responsible way, the governing body should: measure performance against objectives related to socially responsible behaviour; § 6.10.3 ¶ 1 g)
    The governing body should steer the organizational strategy by means of: monitoring and responding to the behaviour, decisions and activities of the organization, e.g. values-driven behaviours pertaining to sustainability; § 6.3.3.2.2 ¶ 2 b)]
    Monitoring and measurement Monitor and Evaluate Occurrences
    Monitor the organizational culture. CC ID 12782
    [The governing body should consider the expectations of relevant stakeholder groups whether the organization is obliged to do so (e.g. member stakeholders, regulators) or whether it chooses to do so (e.g. reference stakeholders). The governing body should ensure that: the organizational culture is responsive to relevant stakeholders' views; § 6.6.3 ¶ 3 b)
    The governing body should steer the organizational strategy by means of: the organizational culture, including the cultural tone the governing body sets through its ethos; § 6.3.3.2.2 ¶ 2 a)]
    Monitoring and measurement Monitor and Evaluate Occurrences
    Monitor for changes to the organizational culture that have a cumulative effect on organizational objectives. CC ID 12886 Monitoring and measurement Monitor and Evaluate Occurrences
    Monitor for changes to the organizational culture that have a cumulative effect on strategies. CC ID 12885 Monitoring and measurement Monitor and Evaluate Occurrences
    Monitor for changes to the organizational culture that have an indirect effect on strategies. CC ID 12884 Monitoring and measurement Monitor and Evaluate Occurrences
    Monitor for changes to the organizational culture that have an indirect effect on organizational objectives. CC ID 12883 Monitoring and measurement Monitor and Evaluate Occurrences
    Monitor for changes to the organizational culture that have a direct effect on strategies. CC ID 12882 Monitoring and measurement Monitor and Evaluate Occurrences
    Align corrective actions with the level of environmental impact. CC ID 15193 Monitoring and measurement Business Processes
    Include risks and opportunities in the corrective action plan. CC ID 15178 Monitoring and measurement Establish/Maintain Documentation
    Include environmental aspects in the corrective action plan. CC ID 15177 Monitoring and measurement Establish/Maintain Documentation
    Include the completion date in the corrective action plan. CC ID 13272 Monitoring and measurement Establish/Maintain Documentation
    Define the roles and responsibilities for personnel assigned to tasks in the Audit function. CC ID 00678
    [{individual}To provide effective oversight of the organization, in addition to the reports it receives from those to whom they have delegated, the governing body should assure itself that the governance system is appropriately designed and operating as intended. If the governing body cannot assure itself directly, then it should utilize additional means of independent assurance. The governing body should: carefully scrutinize the reporting lines of those who provide assurance internally, to safeguard their independence and authority (see NOTE 1); § 6.4.3.3 ¶ 1 d)]
    Audits and risk management Establish Roles
    Manage supply chain audits. CC ID 01203 Audits and risk management Audits and Risk Management
    Review the external auditors' involvement in assessing Information Technology controls. CC ID 01204 Audits and risk management Audits and Risk Management
    Rotate auditors, as necessary. CC ID 15589
    [Where external auditors are appointed, there should be a rotation of audit firms or auditors and careful consideration and transparency of the non-audit services they provide, to ensure continued independent assurance. § 6.4.3.3 ¶ 3]
    Audits and risk management Audits and Risk Management
    Assign the roles and responsibilities for the Board of Directors and senior management in the Audit function. CC ID 00679
    [To provide effective oversight of the organization, in addition to the reports it receives from those to whom they have delegated, the governing body should assure itself that the governance system is appropriately designed and operating as intended. If the governing body cannot assure itself directly, then it should utilize additional means of independent assurance. The governing body should: demonstrate its commitment to assurance and communicate appropriately and clearly, throughout the organization, about its assurance system. § 6.4.3.3 ¶ 1 g)]
    Audits and risk management Establish Roles
    Assign the internal audit staff to be independent from business units reporting to the Board of Directors. CC ID 01184 Audits and risk management Establish Roles
    Define and assign the internal audit manager's roles and responsibilities. CC ID 00680 Audits and risk management Establish Roles
    Assign the internal audit manager's compensation and performance review to the Board of Directors or audit committee. CC ID 01186 Audits and risk management Establish Roles
    Define and assign the internal audit staff's roles and responsibilities. CC ID 00681 Audits and risk management Establish Roles
    Assign the responsibility for operating an internal control system to the internal audit staff. CC ID 01187 Audits and risk management Establish Roles
    Define and assign the external auditor's roles and responsibilities. CC ID 00683 Audits and risk management Establish Roles
    Engage auditors who have adequate knowledge of the subject matter. CC ID 07102 Audits and risk management Audits and Risk Management
    Retain copies of external auditor outsourcing contracts and engagement letters. CC ID 01188 Audits and risk management Establish/Maintain Documentation
    Review external auditor outsourcing contracts and engagement letters. CC ID 01189 Audits and risk management Establish/Maintain Documentation
    Include roles and responsibilities in external auditor outsourcing contracts. CC ID 16523 Audits and risk management Establish/Maintain Documentation
    Include a change control clause in external auditor outsourcing contracts. CC ID 01192 Audits and risk management Establish/Maintain Documentation
    Include procedures for resolving problems in external auditor outsourcing contracts. CC ID 01196 Audits and risk management Establish/Maintain Documentation
    Include procedures for controlling the use of restricted information in external auditor outsourcing contracts. CC ID 01194 Audits and risk management Establish/Maintain Documentation
    Include reports and work paper Records Management practices in external auditor outsourcing contracts. CC ID 01195 Audits and risk management Establish/Maintain Documentation
    Include communication protocols in external auditor outsourcing contracts. CC ID 01201 Audits and risk management Establish/Maintain Documentation
    Review the external audit scope, as necessary. CC ID 01202 Audits and risk management Audits and Risk Management
    Include the scope and work to be performed in external auditor outsourcing contracts. CC ID 01190 Audits and risk management Establish/Maintain Documentation
    Include work status reporting requirements in the external auditor outsourcing contracts. CC ID 01191 Audits and risk management Establish/Maintain Documentation
    Include access to work papers in external auditor outsourcing contracts. CC ID 01193 Audits and risk management Establish/Maintain Documentation
    Review the external auditor's qualifications. CC ID 01197 Audits and risk management Audits and Risk Management
    Conduct a performance review of the external auditor's performance during the audit process. CC ID 01198 Audits and risk management Audits and Risk Management
    Review the adequacy of the external auditor's work papers and audit reports. CC ID 01199 Audits and risk management Establish/Maintain Documentation
    Review the conclusions of the external auditor's work papers and audit reports. CC ID 01200 Audits and risk management Establish/Maintain Documentation
    Question external auditors about how audits were conducted and what is in the audit reports. CC ID 04587 Audits and risk management Behavior
    Disseminate and communicate with the organization about any missing audit documentation. CC ID 06992 Audits and risk management Behavior
    Evaluate any refusal by the organization to provide missing audit documentation. CC ID 06993 Audits and risk management Establish/Maintain Documentation
    Take appropriate action if missing audit documentation compromises the audit. CC ID 06994 Audits and risk management Establish/Maintain Documentation
    Establish, implement, and maintain an audit program. CC ID 00684
    [To provide effective oversight of the organization, in addition to the reports it receives from those to whom they have delegated, the governing body should assure itself that the governance system is appropriately designed and operating as intended. If the governing body cannot assure itself directly, then it should utilize additional means of independent assurance. The governing body should: ensure that assurance services provided to the governing body are integrated and optimized so that, taken as a whole, they support and enable an effective internal control system and address the organization's significant risks and material matters; § 6.4.3.3 ¶ 1 f)
    Assurance processes that inform the governing body independently and accurately include: external audit and associated reporting to stakeholders and the governing body; § 6.4.3.3 ¶ 2 Bullet 4]
    Audits and risk management Establish/Maintain Documentation
    Establish, implement, and maintain audit policies. CC ID 13166 Audits and risk management Establish/Maintain Documentation
    Assign the audit to impartial auditors. CC ID 07118
    [The governing body should: assess its own competence, structures and processes, including drawing on the support of experienced, independent professionals, with respect to, for example, the adequacy of its effectiveness, efficiency, composition and its member succession plans; § 4.3.2 ¶ 2 d)
    To provide effective oversight of the organization, in addition to the reports it receives from those to whom they have delegated, the governing body should assure itself that the governance system is appropriately designed and operating as intended. If the governing body cannot assure itself directly, then it should utilize additional means of independent assurance. The governing body should: § 6.4.3.3 ¶ 1]
    Audits and risk management Establish Roles
    Define what constitutes a threat to independence. CC ID 16824 Audits and risk management Audits and Risk Management
    Exercise due professional care during the planning and performance of the audit. CC ID 07119 Audits and risk management Behavior
    Include resource requirements in the audit program. CC ID 15237 Audits and risk management Establish/Maintain Documentation
    Include risks and opportunities in the audit program. CC ID 15236
    [To provide effective oversight of the organization, in addition to the reports it receives from those to whom they have delegated, the governing body should assure itself that the governance system is appropriately designed and operating as intended. If the governing body cannot assure itself directly, then it should utilize additional means of independent assurance. The governing body should: ensure that assurance services provided to the governing body are integrated and optimized so that, taken as a whole, they support and enable an effective internal control system and address the organization's significant risks and material matters; § 6.4.3.3 ¶ 1 f)]
    Audits and risk management Establish/Maintain Documentation
    Include provisions for legislative plurality and legislative domain in the audit program. CC ID 06959 Audits and risk management Audits and Risk Management
    Establish and maintain audit terms. CC ID 13880 Audits and risk management Establish/Maintain Documentation
    Refrain from approving changes to the audit terms absent reasonable justification. CC ID 13973 Audits and risk management Process or Activity
    Include a statement about the inherent limitations of the audit in the audit terms. CC ID 13883 Audits and risk management Establish/Maintain Documentation
    Include a statement that the audit will be conducted in accordance with attestation standards in the audit terms. CC ID 13882 Audits and risk management Establish/Maintain Documentation
    Establish, implement, and maintain agreed upon procedures that are in scope for the audit. CC ID 13893 Audits and risk management Establish/Maintain Documentation
    Establish, implement, and maintain an in scope system description. CC ID 14873 Audits and risk management Establish/Maintain Documentation
    Include in scope procedures in the audit assertion's in scope system description. CC ID 16551 Audits and risk management Audits and Risk Management
    Include roles and responsibilities in the audit assertion's in scope system description. CC ID 16558 Audits and risk management Audits and Risk Management
    Include the audit criteria in the audit assertion's in scope system description. CC ID 16548 Audits and risk management Audits and Risk Management
    Include third party data in the audit assertion's in scope system description. CC ID 16554 Audits and risk management Audits and Risk Management
    Include third party personnel in the audit assertion's in scope system description. CC ID 16552 Audits and risk management Audits and Risk Management
    Include compliance requirements in the audit assertion's in scope system description. CC ID 16506 Audits and risk management Audits and Risk Management
    Include third party assets in the audit assertion's in scope system description. CC ID 16550 Audits and risk management Audits and Risk Management
    Include third party services in the audit assertion's in scope system description. CC ID 16503 Audits and risk management Establish/Maintain Documentation
    Include monitoring controls in the audit assertion's in scope system description. CC ID 16501 Audits and risk management Establish/Maintain Documentation
    Include availability commitments in the audit assertion's in scope system description. CC ID 14914 Audits and risk management Establish/Maintain Documentation
    Include deviations and the corrective actions taken in the audit assertion's in scope system description. CC ID 16549 Audits and risk management Audits and Risk Management
    Include changes in the audit assertion's in scope system description. CC ID 14894 Audits and risk management Establish/Maintain Documentation
    Include external communications in the audit assertion's in scope system description. CC ID 14913 Audits and risk management Establish/Maintain Documentation
    Include a section regarding incidents related to the system in the audit assertion’s in scope system description. CC ID 14878 Audits and risk management Establish/Maintain Documentation
    Include the function performed by the in scope system in the audit assertion's in scope system description. CC ID 14911 Audits and risk management Establish/Maintain Documentation
    Include the disposition of the incident in the audit assertion's in scope system description. CC ID 14896 Audits and risk management Establish/Maintain Documentation
    Include the extent of the incident in the audit assertion's in scope system description. CC ID 14895 Audits and risk management Establish/Maintain Documentation
    Include the timing of each incident in the audit assertion's in scope system description. CC ID 14891 Audits and risk management Establish/Maintain Documentation
    Include the nature of each incident in the audit assertion's in scope system description. CC ID 14889 Audits and risk management Establish/Maintain Documentation
    Include a section regarding in scope controls related to the system in the audit assertion's in scope system description. CC ID 14897 Audits and risk management Establish/Maintain Documentation
    Include how the in scope system meets external requirements in the audit assertion's in scope system description. CC ID 16502 Audits and risk management Establish/Maintain Documentation
    Include the timing of each control in the audit assertion's in scope system description. CC ID 14916 Audits and risk management Establish/Maintain Documentation
    Include the nature of the control in the audit assertion's in scope system description. CC ID 14910 Audits and risk management Establish/Maintain Documentation
    Include the information sources used in performing the control in the audit assertion's in scope system description. CC ID 14909 Audits and risk management Establish/Maintain Documentation
    Include the responsible party for performing the control in the audit assertion's in scope system description. CC ID 14907 Audits and risk management Establish/Maintain Documentation
    Include the subject matter to which the control is applied in the audit assertion's in scope system description. CC ID 14904 Audits and risk management Establish/Maintain Documentation
    Refrain from omitting or distorting information in the audit assertion's in scope system description. CC ID 14893 Audits and risk management Establish/Maintain Documentation
    Include the timing of each change in the audit assertion's in scope system description. CC ID 14892 Audits and risk management Establish/Maintain Documentation
    Include the system boundaries in the audit assertion's in scope system description. CC ID 14887 Audits and risk management Establish/Maintain Documentation
    Include the time frame covered by the description in the audit assertion's in scope system description. CC ID 14884 Audits and risk management Establish/Maintain Documentation
    Include commitments to third parties in the audit assertion. CC ID 14899 Audits and risk management Establish/Maintain Documentation
    Determine the completeness of the audit assertion's in scope system description. CC ID 14883 Audits and risk management Establish/Maintain Documentation
    Include system requirements in the audit assertion's in scope system description. CC ID 14881 Audits and risk management Establish/Maintain Documentation
    Include third party controls in the audit assertion's in scope system description. CC ID 14880 Audits and risk management Establish/Maintain Documentation
    Hold an opening meeting with interested personnel and affected parties prior to an audit. CC ID 15256 Audits and risk management Audits and Risk Management
    Identify personnel who should attend the closing meeting. CC ID 15261 Audits and risk management Business Processes
    Include discussions about how particular situations will be handled in the opening meeting. CC ID 15254 Audits and risk management Audits and Risk Management
    Include agreement to the audit scope and audit terms in the audit program. CC ID 06965 Audits and risk management Establish/Maintain Documentation
    Establish and maintain a bespoke audit scope for each audit being performed. CC ID 13077 Audits and risk management Establish/Maintain Documentation
    Include third party assets in the audit scope. CC ID 16504 Audits and risk management Audits and Risk Management
    Include audit subject matter in the audit program. CC ID 07103 Audits and risk management Establish/Maintain Documentation
    Examine the availability of the audit criteria in the audit program. CC ID 16520 Audits and risk management Investigate
    Examine the objectivity of the audit criteria in the audit program. CC ID 07104 Audits and risk management Establish/Maintain Documentation
    Examine the measurability of the audit criteria in the audit program. CC ID 07105 Audits and risk management Establish/Maintain Documentation
    Examine the completeness of the audit criteria in the audit program. CC ID 07106 Audits and risk management Establish/Maintain Documentation
    Examine the relevance of the audit criteria in the audit program. CC ID 07107 Audits and risk management Establish/Maintain Documentation
    Determine the appropriateness of the audit subject matter. CC ID 16505 Audits and risk management Audits and Risk Management
    Disseminate and communicate the audit program with the audit subject matter and audit criteria to all interested personnel and affected parties. CC ID 07116 Audits and risk management Establish/Maintain Documentation
    Include the in scope material or in scope products in the audit program. CC ID 08961 Audits and risk management Audits and Risk Management
    Include in scope information in the audit program. CC ID 16198 Audits and risk management Establish/Maintain Documentation
    Include the out of scope material or out of scope products in the audit program. CC ID 08962 Audits and risk management Establish/Maintain Documentation
    Provide a representation letter in support of the audit assertion. CC ID 07158 Audits and risk management Establish/Maintain Documentation
    Include the date of the audit in the representation letter. CC ID 16517 Audits and risk management Audits and Risk Management
    Include a statement that management has evaluated compliance with external requirements in the representation letter. CC ID 13942 Audits and risk management Establish/Maintain Documentation
    Include a statement that the assumptions used for estimates are reasonable in the representation letter. CC ID 13934 Audits and risk management Establish/Maintain Documentation
    Include a statement that uncorrected misstatements are believed to be immaterial in the representation letter. CC ID 13884 Audits and risk management Establish/Maintain Documentation
    Include a statement that system incidents have been disclosed to the auditor in the representation letter. CC ID 16772 Audits and risk management Establish/Maintain Documentation
    Include a statement that incidents of fraud and non-compliance have been disclosed to the auditor in the representation letter. CC ID 16769 Audits and risk management Establish/Maintain Documentation
    Include a statement of responsibility for the subject matter in the representation letter. CC ID 07159 Audits and risk management Establish/Maintain Documentation
    Include a statement of responsibility for selecting the audit criteria in the representation letter. CC ID 07160 Audits and risk management Establish/Maintain Documentation
    Include a statement of responsibility regarding the appropriateness of the audit criteria in the representation letter. CC ID 07161 Audits and risk management Establish/Maintain Documentation
    Include an assertion about the subject matter based on the selected audit criteria in the representation letter. CC ID 07162 Audits and risk management Establish/Maintain Documentation
    Include a statement that all known matters contradicting the audit assertion have been disclosed to the auditor in the representation letter. CC ID 07163 Audits and risk management Establish/Maintain Documentation
    Include the availability of all in scope records relevant to the subject matter in the representation letter. CC ID 07164 Audits and risk management Establish/Maintain Documentation
    Include a statement that any known subsequent events have been disclosed to the auditor in the representation letter. CC ID 07165 Audits and risk management Establish/Maintain Documentation
    Include a statement that deficiencies in internal controls have been disclosed to the auditor in the representation letter. CC ID 13899 Audits and risk management Establish/Maintain Documentation
    Include an in scope system description in the audit assertion. CC ID 14872 Audits and risk management Establish/Maintain Documentation
    Include any assumptions that are improbable in the audit assertion. CC ID 13950 Audits and risk management Establish/Maintain Documentation
    Include how the audit scope matches in scope controls in the audit assertion. CC ID 06969 Audits and risk management Establish/Maintain Documentation
    Include why specific criteria are ignored by in scope controls in the audit assertion. CC ID 07027 Audits and risk management Establish/Maintain Documentation
    Include how the in scope system is designed and implemented in the audit assertion. CC ID 06970 Audits and risk management Establish/Maintain Documentation
    Include the responsible party's opinion of the quality of the evidence in the audit assertion. CC ID 13949 Audits and risk management Establish/Maintain Documentation
    Include the end users and affected parties of the in scope system in the audit assertion. CC ID 07028 Audits and risk management Establish/Maintain Documentation
    Include the in scope services offered or in scope transactions processed in the audit assertion. CC ID 06971 Audits and risk management Establish/Maintain Documentation
    Include the in scope procedures in the audit assertion. CC ID 06972 Audits and risk management Establish/Maintain Documentation
    Include the in scope records produced in the audit assertion. CC ID 06968 Audits and risk management Establish/Maintain Documentation
    Include how in scope material events are monitored and logged in the audit assertion. CC ID 06973 Audits and risk management Establish/Maintain Documentation
    Include any in scope material events that might affect the assertion in the audit assertion. CC ID 06991 Audits and risk management Establish/Maintain Documentation
    Include the in scope controls and compliance documents in the audit assertion. CC ID 06974 Audits and risk management Establish/Maintain Documentation
    Include the in scope risk assessment processes in the audit assertion. CC ID 06975 Audits and risk management Establish/Maintain Documentation
    Include in scope change controls in the audit assertion. CC ID 06976 Audits and risk management Establish/Maintain Documentation
    Include any in scope uncorrected errors or non-compliance issues in the audit assertion. CC ID 06989 Audits and risk management Establish/Maintain Documentation
    Disseminate and communicate a written audit assertion of the audit scope and audit terms to interested personnel and affected parties. CC ID 06967 Audits and risk management Establish/Maintain Documentation
    Include the scope for the desired level of assurance in the audit program. CC ID 12793 Audits and risk management Communicate
    Include conditions that might require modification of the audit program in the audit terms. CC ID 07149 Audits and risk management Establish/Maintain Documentation
    Include how access to in scope systems, personnel, and in scope records is provided to the auditor in the audit terms. CC ID 06988 Audits and risk management Establish/Maintain Documentation
    Include the criteria for determining the desired level of assurance in the audit program. CC ID 12795 Audits and risk management Audits and Risk Management
    Establish, implement, and maintain procedures for determining the desired level of assurance in the audit program. CC ID 12794
    [To provide effective oversight of the organization, in addition to the reports it receives from those to whom they have delegated, the governing body should assure itself that the governance system is appropriately designed and operating as intended. If the governing body cannot assure itself directly, then it should utilize additional means of independent assurance. The governing body should: determine the level of assurance scrutiny it requires, depending on the assessed risk; § 6.4.3.3 ¶ 1 a)]
    Audits and risk management Establish/Maintain Documentation
    Include the expectations for the audit report in the audit terms. CC ID 07148 Audits and risk management Establish/Maintain Documentation
    Establish and maintain a practitioner’s report on management’s assertions, as necessary. CC ID 13888 Audits and risk management Establish/Maintain Documentation
    Hold a closing meeting following an audit to present audit findings and conclusions. CC ID 15248 Audits and risk management Communicate
    Include materiality levels in the audit terms. CC ID 01238 Audits and risk management Establish/Maintain Documentation
    Include material changes in information processes, Information Systems, and assets that could affect audits in the audit terms. CC ID 01239 Audits and risk management Establish/Maintain Documentation
    Include material weaknesses, material failures, and material errors in information processes, Information Systems, and assets that could affect audits in the audit terms. CC ID 01240 Audits and risk management Establish/Maintain Documentation
    Schedule attestation engagement meetings with interested personnel and affected parties, as necessary. CC ID 15263 Audits and risk management Business Processes
    Refrain from accepting an attestation engagement when the engaging party refuses to sign the engagement letter. CC ID 14912 Audits and risk management Business Processes
    Refrain from accepting an attestation engagement unless the prospective financial information includes a summary of significant assumptions. CC ID 13954 Audits and risk management Behavior
    Refrain from accepting an attestation engagement when all parties disagree on the procedures. CC ID 13951 Audits and risk management Audits and Risk Management
    Accept the attestation engagement when all preconditions are met. CC ID 13933 Audits and risk management Business Processes
    Audit in scope audit items and compliance documents. CC ID 06730 Audits and risk management Audits and Risk Management
    Collect all work papers for the audit and audit report into an engagement file. CC ID 07001 Audits and risk management Actionable Reports or Measurements
    Document any after the fact changes to the engagement file. CC ID 07002 Audits and risk management Establish/Maintain Documentation
    Protect access to the engagement file and all associated audit documentation in compliance with Authority Documents the organization must follow. CC ID 07179 Audits and risk management Establish/Maintain Documentation
    Disclose work papers in the engagement file in compliance with legal requirements. CC ID 07180 Audits and risk management Establish/Maintain Documentation
    Archive the engagement file and all work papers for the period prescribed by law or contract. CC ID 10038 Audits and risk management Records Management
    Conduct onsite inspections, as necessary. CC ID 16199 Audits and risk management Testing
    Audit policies, standards, and procedures. CC ID 12927 Audits and risk management Audits and Risk Management
    Edit the audit assertion for accuracy. CC ID 07030 Audits and risk management Establish/Maintain Documentation
    Determine if the audit assertion's in scope procedures are accurately documented. CC ID 06982 Audits and risk management Establish/Maintain Documentation
    Review documentation to determine the effectiveness of in scope controls. CC ID 16522 Audits and risk management Process or Activity
    Include the process of using evidential matter to test in scope controls in the test plan. CC ID 06996 Audits and risk management Establish/Maintain Documentation
    Audit the in scope system according to the test plan using relevant evidence. CC ID 07112 Audits and risk management Testing
    Implement procedures that collect sufficient audit evidence. CC ID 07153 Audits and risk management Audits and Risk Management
    Collect evidence about the in scope audit items of the audit assertion. CC ID 07154 Audits and risk management Audits and Risk Management
    Collect audit evidence sufficient to avoid misstatements. CC ID 07155 Audits and risk management Audits and Risk Management
    Collect audit evidence at the level of the organization's competence in the subject matter. CC ID 07156 Audits and risk management Audits and Risk Management
    Collect audit evidence sufficient to overcome inadequacies in the organization's attestation. CC ID 07157 Audits and risk management Audits and Risk Management
    Provide transactional walkthrough procedures for external auditors. CC ID 00672 Audits and risk management Testing
    Establish, implement, and maintain interview procedures. CC ID 16282 Audits and risk management Establish/Maintain Documentation
    Include roles and responsibilities in the interview procedures. CC ID 16297 Audits and risk management Human Resources Management
    Coordinate the scheduling of interviews. CC ID 16293 Audits and risk management Process or Activity
    Create a schedule for the interviews. CC ID 16292 Audits and risk management Process or Activity
    Identify interviewees. CC ID 16290 Audits and risk management Process or Activity
    Explain the testing results to the interviewee. CC ID 16291 Audits and risk management Process or Activity
    Establish and maintain work papers, as necessary. CC ID 13891 Audits and risk management Establish/Maintain Documentation
    Include the auditor's conclusions on work performed by individuals assigned to the audit in the work papers. CC ID 16775 Audits and risk management Establish/Maintain Documentation
    Include audit irregularities in the work papers. CC ID 16774 Audits and risk management Establish/Maintain Documentation
    Include corrective actions in the work papers. CC ID 16771 Audits and risk management Establish/Maintain Documentation
    Include information about the organization being audited and the auditor performing the audit in the work papers. CC ID 16770 Audits and risk management Establish/Maintain Documentation
    Include discussions with interested personnel and affected parties in the work papers. CC ID 16768 Audits and risk management Establish/Maintain Documentation
    Include justification for departing from mandatory requirements in the work papers. CC ID 13935 Audits and risk management Establish/Maintain Documentation
    Include audit evidence obtained from previous engagements in the work papers. CC ID 16518 Audits and risk management Audits and Risk Management
    Include the reviewer, and dates, for using evidential matter to test in scope controls in the work papers. CC ID 06998 Audits and risk management Establish/Maintain Documentation
    Include the tests, examinations, interviews and observations performed during the audit in the work papers. CC ID 07190 Audits and risk management Establish/Maintain Documentation
    Include if any subject matter experts or additional research had to be undertaken to test in scope controls in the work papers. CC ID 07026 Audits and risk management Establish/Maintain Documentation
    Include the tester, and dates, for using evidential matter to test in scope controls in the work papers. CC ID 06997 Audits and risk management Establish/Maintain Documentation
    Include any subsequent events related to the audit assertion or audit subject matter in the work papers. CC ID 07177 Audits and risk management Audits and Risk Management
    Include the causes of identified in scope control deficiencies in the work papers. CC ID 07000 Audits and risk management Establish/Maintain Documentation
    Include discussions regarding the causes of identified in scope control deficiencies in the work papers. CC ID 06999 Audits and risk management Establish/Maintain Documentation
    Supervise interested personnel and affected parties participating in the audit. CC ID 07150 Audits and risk management Monitor and Evaluate Occurrences
    Notify interested personnel and affected parties participating in the audit of their roles and responsibilities during the audit. CC ID 07151 Audits and risk management Establish Roles
    Respond to questions or clarification requests regarding the audit. CC ID 08902 Audits and risk management Business Processes
    Track and measure the implementation of the organizational compliance framework. CC ID 06445 Audits and risk management Monitor and Evaluate Occurrences
    Review the need for organizational efficiency as balanced against the needs of compliance and security. CC ID 07111 Audits and risk management Business Processes
    Engage subject matter experts when the auditor requires additional expertise during an attestation engagement, as necessary. CC ID 13971 Audits and risk management Process or Activity
    Establish, implement, and maintain a practitioner’s report on agreed-upon procedures. CC ID 13894 Audits and risk management Establish/Maintain Documentation
    Provide auditors access to all in scope records, in scope assets, personnel and in scope procedures. CC ID 06966 Audits and risk management Audits and Risk Management
    Provide auditors access to affected parties during the audit, as necessary. CC ID 07187 Audits and risk management Business Processes
    Notify interested personnel and affected parties when an auditee refuses to provide access or participate in the audit. CC ID 08960 Audits and risk management Audits and Risk Management
    Establish and maintain a practitioner's examination report on pro forma financial information. CC ID 13968 Audits and risk management Establish/Maintain Documentation
    Include references to where financial information was derived in the practitioner's review report on pro forma financial information. CC ID 13982 Audits and risk management Establish/Maintain Documentation
    Include a statement that the financial statements used were audited by other practitioners in the practitioner's examination report on pro forma financial information, as necessary. CC ID 13981 Audits and risk management Establish/Maintain Documentation
    Establish and maintain organizational audit reports. CC ID 06731 Audits and risk management Establish/Maintain Documentation
    Include the justification for not following the applicable requirements in the audit report. CC ID 16822 Audits and risk management Audits and Risk Management
    Include a statement that the applicable requirements were not followed in the audit report. CC ID 16821 Audits and risk management Audits and Risk Management
    Include audit subject matter in the audit report. CC ID 14882 Audits and risk management Establish/Maintain Documentation
    Include an other-matter paragraph in the audit report. CC ID 14901 Audits and risk management Establish/Maintain Documentation
    Write the audit report using clear and conspicuous language. CC ID 13948 Audits and risk management Establish/Maintain Documentation
    Include a statement that the sufficiency of the agreed upon procedures is the responsibility of the specified parties in the audit report. CC ID 13936 Audits and risk management Establish/Maintain Documentation
    Include a statement that the financial statements were audited in the audit report. CC ID 13963 Audits and risk management Establish/Maintain Documentation
    Include the criteria that financial information was measured against in the audit report. CC ID 13966 Audits and risk management Establish/Maintain Documentation
    Include a description of the financial information being reported on in the audit report. CC ID 13965 Audits and risk management Establish/Maintain Documentation
    Include references to any adjustments of financial information in the audit report. CC ID 13964 Audits and risk management Establish/Maintain Documentation
    Include in the audit report that audit opinions are not dependent on references to subject matter experts, as necessary. CC ID 13953 Audits and risk management Establish/Maintain Documentation
    Include references to historical financial information used in the audit report. CC ID 13961 Audits and risk management Establish/Maintain Documentation
    Include a statement about the inherent limitations of the audit in the audit report. CC ID 14900 Audits and risk management Establish/Maintain Documentation
    Include a description of the limitations on the usefulness of hypothetical assumptions in the audit report. CC ID 13958 Audits and risk management Establish/Maintain Documentation
    Include the word independent in the title of audit reports. CC ID 07003 Audits and risk management Actionable Reports or Measurements
    Include the date of the audit in the audit report. CC ID 07024 Audits and risk management Actionable Reports or Measurements
    Structure the audit report to be in the form of procedures and findings. CC ID 13940 Audits and risk management Establish/Maintain Documentation
    Include information about the organization being audited and the auditor performing the audit in the audit report. CC ID 07004 Audits and risk management Actionable Reports or Measurements
    Include any discussions of significant findings in the audit report. CC ID 13955 Audits and risk management Establish/Maintain Documentation
    Include the date and with whom discussions about significant findings took place in the audit report. CC ID 13962 Audits and risk management Establish/Maintain Documentation
    Include the audit criteria in the audit report. CC ID 13945 Audits and risk management Establish/Maintain Documentation
    Include a statement in the audit report that the agreed upon procedures were potentially insufficient in identifying material risks, as necessary. CC ID 13957 Audits and risk management Establish/Maintain Documentation
    Include all hypothetical assumptions in the audit report. CC ID 13947 Audits and risk management Establish/Maintain Documentation
    Include a statement that access to the report is restricted based on least privilege in the audit report. CC ID 07023 Audits and risk management Actionable Reports or Measurements
    Include a statement that identifies the distribution list for the report in the audit report. CC ID 07172 Audits and risk management Establish/Maintain Documentation
    Include a statement that identifies the use restrictions for the report in the audit report. CC ID 07173 Audits and risk management Establish/Maintain Documentation
    Include a statement that the agreed upon procedures involves collecting evidence in the audit report. CC ID 13956 Audits and risk management Establish/Maintain Documentation
    Include all of the facts and demonstrated plausibility in the audit report. CC ID 08929 Audits and risk management Establish/Maintain Documentation
    Include a statement that the agreed upon procedures were performed by all parties in the audit report. CC ID 13931 Audits and risk management Establish/Maintain Documentation
    Include references to subject matter experts in the audit report when citing qualified opinions. CC ID 13929 Audits and risk management Establish/Maintain Documentation
    Include a description of the assistance provided by Subject Matter Experts in the audit report. CC ID 13939 Audits and risk management Establish/Maintain Documentation
    Include a review of the subject matter expert's findings in the audit report. CC ID 13972 Audits and risk management Establish/Maintain Documentation
    Include a statement of the character of the engagement in the audit report. CC ID 07166 Audits and risk management Establish/Maintain Documentation
    Include the nature and scope of the audit performed in the statement of the character of the engagement in the audit report. CC ID 07167 Audits and risk management Establish/Maintain Documentation
    Include the professional standards governing the audit in the statement of the character of the engagement in the audit report. CC ID 07168 Audits and risk management Establish/Maintain Documentation
    Include all restrictions on the audit in the audit report. CC ID 13930 Audits and risk management Establish/Maintain Documentation
    Include a statement that the auditor has no responsibility to update the audit report after its submission. CC ID 13943 Audits and risk management Establish/Maintain Documentation
    Include a statement on the auditor's ethical requirements in the audit report. CC ID 16767 Audits and risk management Establish/Maintain Documentation
    Include a statement that the responsible party refused to provide a written assertion in the audit report. CC ID 13887 Audits and risk management Establish/Maintain Documentation
    Include a statement that the examination involves procedures for collecting evidence in the audit report. CC ID 13941 Audits and risk management Establish/Maintain Documentation
    Express an adverse opinion in the audit report when significant assumptions are not suitably supported. CC ID 13944 Audits and risk management Establish/Maintain Documentation
    Include a statement that modifications to historical evidence accurately reflect current evidence in the audit report. CC ID 13938 Audits and risk management Establish/Maintain Documentation
    Refrain from referencing previous engagements in the audit report. CC ID 16516 Audits and risk management Audits and Risk Management
    Refrain from referencing other auditor's work in the audit report. CC ID 13881 Audits and risk management Establish/Maintain Documentation
    Include that the audit findings are not a predictive analysis of future compliance in the audit report. CC ID 07018 Audits and risk management Establish/Maintain Documentation
    Include how in scope controls meet external requirements in the audit report. CC ID 16450 Audits and risk management Establish/Maintain Documentation
    Include the in scope records used to obtain audit evidence in the description of tests of controls and results in the audit report. CC ID 14915 Audits and risk management Establish/Maintain Documentation
    Include recommended corrective actions in the audit report. CC ID 16197 Audits and risk management Establish/Maintain Documentation
    Include risks and opportunities in the audit report. CC ID 16196 Audits and risk management Establish/Maintain Documentation
    Include the description of tests of controls and results in the audit report. CC ID 14898 Audits and risk management Establish/Maintain Documentation
    Include the nature of the tests performed in the description of tests of controls and results in the audit report. CC ID 14908 Audits and risk management Establish/Maintain Documentation
    Include the test scope in the description of tests of controls and results in the audit report. CC ID 14906 Audits and risk management Establish/Maintain Documentation
    Identify the stakeholders interviewed to obtain audit evidence in the description of tests of controls and results in the audit report. CC ID 14905 Audits and risk management Establish/Maintain Documentation
    Include the timing of controls in the description of tests of controls and results in the audit report. CC ID 16553 Audits and risk management Audits and Risk Management
    Include the controls that were tested in the description of tests of controls and results in the audit report. CC ID 14902 Audits and risk management Establish/Maintain Documentation
    Include subsequent events related to the audit assertion or audit subject matter in the audit report. CC ID 16773 Audits and risk management Establish/Maintain Documentation
    Include the organization's audit assertion of the in scope system in the audit report. CC ID 07005 Audits and risk management Actionable Reports or Measurements
    Include that the organization is the responsible party for the content of its audit assertion and in scope system description in the audit report. CC ID 07010 Audits and risk management Establish/Maintain Documentation
    Include that the organization is the responsible party for providing in scope services in the audit report. CC ID 14903 Audits and risk management Establish/Maintain Documentation
    Include that the organization is the responsible party for specifying in scope controls not defined by law or contractual obligation in the audit report. CC ID 07011 Audits and risk management Establish/Maintain Documentation
    Include that the organization is the responsible party for designing and implementing the in scope controls it identified in the audit scope in the audit report. CC ID 07014 Audits and risk management Establish/Maintain Documentation
    Include the audit opinion regarding the accurateness of the in scope system description in the audit report. CC ID 07019 Audits and risk management Establish/Maintain Documentation
    Include the attestation standards the auditor follows in the audit report. CC ID 07015 Audits and risk management Establish/Maintain Documentation
    Include the audit opinion about the audit assertion in relation to the audit criteria used for evaluation in the audit report. CC ID 07169 Audits and risk management Establish/Maintain Documentation
    Include the auditor's significant reservations about the engagement, the audit assertion, or the audit subject matter in the audit report. CC ID 07170 Audits and risk management Establish/Maintain Documentation
    Include an emphasis-of-matter paragraph in the audit report. CC ID 14890 Audits and risk management Establish/Maintain Documentation
    Include the organization's in scope system description in the audit report. CC ID 11626 Audits and risk management Audits and Risk Management
    Include any out of scope components of in scope systems in the audit report. CC ID 07006 Audits and risk management Establish/Maintain Documentation
    Include that the organization is the responsible party for identifying material risks in the audit report. CC ID 07012 Audits and risk management Establish/Maintain Documentation
    Include that the organization is the responsible party for selecting the audit criteria in the audit report. CC ID 07013 Audits and risk management Establish/Maintain Documentation
    Include the scope and work performed in the audit report. CC ID 11621 Audits and risk management Audits and Risk Management
    Resolve disputes before creating the audit summary. CC ID 08964 Audits and risk management Behavior
    Refrain from including the description of the audit in the audit report when the auditor is disclaiming an audit opinion. CC ID 13975 Audits and risk management Establish/Maintain Documentation
    Refrain from including scope limitations from changed attestation engagements in the audit report. CC ID 13983 Audits and risk management Establish/Maintain Documentation
    Refrain from including in the audit report any procedures that were performed that the auditor is disclaiming in an audit opinion. CC ID 13974 Audits and risk management Establish/Maintain Documentation
    Include an audit opinion in the audit report. CC ID 07017 Audits and risk management Establish/Maintain Documentation
    Include qualified opinions in the audit report. CC ID 13928 Audits and risk management Establish/Maintain Documentation
    Include that the auditor is the responsible party to express an opinion on the audit subject matter based on examination of evidence in the audit report. CC ID 07174 Audits and risk management Establish/Maintain Documentation
    Include that the auditor did not express an opinion in the audit report, as necessary. CC ID 13886 Audits and risk management Establish/Maintain Documentation
    Include items that were excluded from the audit report in the audit report. CC ID 07007 Audits and risk management Establish/Maintain Documentation
    Include the organization's privacy practices in the audit report. CC ID 07029 Audits and risk management Establish/Maintain Documentation
    Include items that pertain to third parties in the audit report. CC ID 07008 Audits and risk management Establish/Maintain Documentation
    Refrain from including reference to procedures performed in previous attestation engagements in the audit report. CC ID 13970 Audits and risk management Establish/Maintain Documentation
    Include a statement in the audit report that no procedures were performed subsequent to the date of the practitioner's review report on pro forma financial information, as necessary. CC ID 13969 Audits and risk management Establish/Maintain Documentation
    Include any of the organization's use of compensating controls that were not audited in the audit report. CC ID 07009 Audits and risk management Establish/Maintain Documentation
    Include whether the use of compensating controls is necessary in the audit report. CC ID 07020 Audits and risk management Establish/Maintain Documentation
    Include the pass or fail test status of all in scope controls in the audit report. CC ID 07016 Audits and risk management Establish/Maintain Documentation
    Include the process of using evidential matter to test in scope controls in the audit report. CC ID 07021 Audits and risk management Establish/Maintain Documentation
    Include the nature and causes of identified in scope control deviations in the audit report. CC ID 07022 Audits and risk management Establish/Maintain Documentation
    Disclose any audit irregularities in the audit report. CC ID 06995 Audits and risk management Actionable Reports or Measurements
    Include the written signature of the auditor's organization in the audit report. CC ID 13897 Audits and risk management Establish/Maintain Documentation
    Disseminate and communicate the audit report to all interested personnel and affected parties identified in the distribution list. CC ID 07117 Audits and risk management Establish/Maintain Documentation
    [Assurance processes that inform the governing body independently and accurately include: external audit and associated reporting to stakeholders and the governing body; § 6.4.3.3 ¶ 2 Bullet 4]
    Disseminate and communicate the reasons the audit report was delayed to interested personnel and affected parties. CC ID 15257 Audits and risk management Communicate
    Notify auditees if disclosure of audit documentation is required by law. CC ID 15249 Audits and risk management Communicate
    Disseminate and communicate to the organization that access and use of audit reports are based on least privilege. CC ID 07171 Audits and risk management Behavior
    Disseminate and communicate documents that contain information in support of the audit report. CC ID 07175 Audits and risk management Establish/Maintain Documentation
    Correct any material misstatements in documents that contain information in support of the audit report. CC ID 07176 Audits and risk management Establish/Maintain Documentation
    Notify interested personnel and affected parties after bribes are offered during the audit. CC ID 08872 Audits and risk management Business Processes
    Accept the audit report. CC ID 07025 Audits and risk management Establish/Maintain Documentation
    Assign responsibility for remediation actions. CC ID 13622 Audits and risk management Human Resources Management
    Define penalties for uncorrected audit findings or remaining non-compliant with the audit report. CC ID 08963 Audits and risk management Establish/Maintain Documentation
    Assess the quality of the audit program in regards to its documentation. CC ID 11622 Audits and risk management Audits and Risk Management
    Include the audit criteria in the audit plan. CC ID 15262 Audits and risk management Establish/Maintain Documentation
    Include a list of reference documents in the audit plan. CC ID 15260 Audits and risk management Establish/Maintain Documentation
    Include the languages to be used for the audit in the audit plan. CC ID 15252 Audits and risk management Establish/Maintain Documentation
    Include the allocation of resources in the audit plan. CC ID 15251 Audits and risk management Establish/Maintain Documentation
    [{individual} To provide effective oversight of the organization, in addition to the reports it receives from those to whom they have delegated, the governing body should assure itself that the governance system is appropriately designed and operating as intended. If the governing body cannot assure itself directly, then it should utilize additional means of independent assurance. The governing body should: ensure that those providing assurance have appropriate authority and adequate resources to provide the governing body with accurate assessments; § 6.4.3.3 ¶ 1 b)]
    Include communication protocols in the audit plan. CC ID 15247 Audits and risk management Establish/Maintain Documentation
    Include the level of audit sampling necessary to collect sufficient audit evidence in the audit plan. CC ID 15246 Audits and risk management Establish/Maintain Documentation
    Include meeting schedules in the audit plan. CC ID 15245 Audits and risk management Establish/Maintain Documentation
    Include the time frames for the audit in the audit plan. CC ID 15244 Audits and risk management Establish/Maintain Documentation
    Include the time frames for conducting the audit in the audit plan. CC ID 15243 Audits and risk management Establish/Maintain Documentation
    Include the locations to be audited in the audit plan. CC ID 15242 Audits and risk management Establish/Maintain Documentation
    Include the processes to be audited in the audit plan. CC ID 15241 Audits and risk management Establish/Maintain Documentation
    Include audit objectives in the audit plan. CC ID 15240 Audits and risk management Establish/Maintain Documentation
    Include the risks associated with audit activities in the audit plan. CC ID 15239 Audits and risk management Establish/Maintain Documentation
    Disseminate and communicate the audit plan to interested personnel and affected parties. CC ID 15238 Audits and risk management Communicate
    Establish, implement, and maintain an audit schedule for the audit program. CC ID 13158 Audits and risk management Establish/Maintain Documentation
    Establish, implement, and maintain a risk management program. CC ID 12051 Audits and risk management Establish/Maintain Documentation
    [To exercise effective oversight, the governing body should: ensure that an internal control system is implemented, including a risk management system, a compliance management system and a system of financial controls; § 6.4.3.1 ¶ 1 b)
    The governing body should establish an organizational risk framework that ensures a formal, proactive and anticipative approach to the management of risk across the organization, including by the governing body. The governing body should ensure that this framework integrates risk management into all organizational activities. § 6.9.3.2 ¶ 1
    The governing body should oversee the organization's management of risk (see 6.4), ensuring that: the intended risk management performance is achieved. § 6.9.3.4 ¶ 1 i)
    {environmental system}{social system} The governing body should ensure that the organization protects and restores those systems on which it depends. In this regard, the governing body should consider and manage risk associated with those decisions it makes that can impact the natural environmental, social and economic systems (see 6.9). While doing so, the governing body should ensure that relevant stakeholders are consulted and engaged (see 6.6). This should provide clarity regarding the impact the governing body's decisions have, over time, on those aspects on which the organization is: § 6.11.3.4 ¶ 1]
    Include the scope of risk management activities in the risk management program. CC ID 13658 Audits and risk management Establish/Maintain Documentation
    Integrate the risk management program with the organization's business activities. CC ID 13661 Audits and risk management Business Processes
    [The governing body should establish an organizational risk framework that ensures a formal, proactive and anticipative approach to the management of risk across the organization, including by the governing body. The governing body should ensure that this framework integrates risk management into all organizational activities. § 6.9.3.2 ¶ 1
    In overseeing risk management, the governing body should specifically assure itself that risk management is integrated into all organizational activities by seeking evidence that, for example: § 6.9.3.4 ¶ 2]
    Integrate the risk management program into daily business decision-making. CC ID 13659 Audits and risk management Business Processes
    [The governing body should oversee the organization's management of risk (see 6.4), ensuring that: decision-making behaviours are informed by risk assessment outcomes and are consistent with governance policies; § 6.9.3.4 ¶ 1 g)
    The governing body should ensure that the organizational risk framework, in respect to the management of risk: guides decision-making behaviours and the impact of leadership actions, inactions or omissions on those behaviours; § 6.9.3.2 ¶ 2 b)]
    Include managing mobile risks in the risk management program. CC ID 13535 Audits and risk management Establish/Maintain Documentation
    Take into account if the system will be accessed by or have an impact on children in the risk management program. CC ID 14992 Audits and risk management Audits and Risk Management
    Include regular updating in the risk management system. CC ID 14990 Audits and risk management Business Processes
    Establish, implement, and maintain risk management strategies. CC ID 13209 Audits and risk management Establish/Maintain Documentation
    [The governing body should oversee the organization's management of risk (see 6.4), ensuring that: strategies to manage risk are deployed within agreed risk limits and associated risk tolerance; § 6.9.3.4 ¶ 1 b)]
    Include off-site storage of supplies in the risk management strategies. CC ID 13221 Audits and risk management Establish/Maintain Documentation
    Include data quality in the risk management strategies. CC ID 15308 Audits and risk management Data and Information Management
    Include the use of alternate service providers in the risk management strategies. CC ID 13217 Audits and risk management Establish/Maintain Documentation
    Include minimizing service interruptions in the risk management strategies. CC ID 13215 Audits and risk management Establish/Maintain Documentation
    Include off-site storage in the risk mitigation strategies. CC ID 13213 Audits and risk management Establish/Maintain Documentation
    Establish, implement, and maintain the risk assessment framework. CC ID 00685 Audits and risk management Establish/Maintain Documentation
    Define and assign the roles and responsibilities for the risk assessment framework, as necessary. CC ID 06456 Audits and risk management Establish Roles
    [The governing body should ensure that the organizational risk framework, in respect to the management of risk: defines the responsibilities of the governing body and associated delegation across the organization; § 6.9.3.2 ¶ 2 e)]
    Establish, implement, and maintain a risk assessment program. CC ID 00687 Audits and risk management Establish/Maintain Documentation
    [The governing body should consider and manage risk associated with its own activities in accordance with the organizational risk framework. For example, the governing body should: § 6.9.3.3 ¶ 1]
    Address past incidents in the risk assessment program. CC ID 12743 Audits and risk management Audits and Risk Management
    Include the need for risk assessments in the risk assessment program. CC ID 06447 Audits and risk management Establish/Maintain Documentation
    Include the information flow of restricted data in the risk assessment program. CC ID 12339 Audits and risk management Establish/Maintain Documentation
    Establish and maintain the factors and context for risk to the organization. CC ID 12230 Audits and risk management Audits and Risk Management
    [The governing body should ensure that it considers the effect of uncertainty on the organizational purpose and associated strategic outcomes. § 6.9.1 ¶ 1
    The governing body should ensure that it considers the effect of uncertainty on the organizational purpose and associated strategic outcomes. Table 1 Column 4 Row 10
    The governing body should oversee the organization's management of risk (see 6.4), ensuring that: a holistic view is taken by the organization, including consideration of all relevant types of risk; § 6.9.3.4 ¶ 1 a)
    {internal context} When setting the strategic outcomes and guiding the organizational strategy, the governing body should consider the organization's internal and external context, including: the organization's risk landscape; § 6.3.3.1.1 ¶ 2 c)]
    Establish, implement, and maintain a financial plan to support the risk management strategy. CC ID 12786 Audits and risk management Establish/Maintain Documentation
    Establish, implement, and maintain insurance requirements. CC ID 16562 Audits and risk management Establish/Maintain Documentation
    Disseminate and communicate insurance options to interested personnel and affected parties. CC ID 16572 Audits and risk management Communicate
    Disseminate and communicate insurance requirements to interested personnel and affected parties. CC ID 16567 Audits and risk management Communicate
    Design a portfolio of insurance options in accordance with risk decision-making criteria. CC ID 12878 Audits and risk management Business Processes
    Design a portfolio of loans in accordance with risk decision-making criteria. CC ID 12877 Audits and risk management Business Processes
    Design a portfolio of risk limiting and mitigating approaches in organizational contracts in accordance with risk decision-making criteria. CC ID 12903 Audits and risk management Business Processes
    Address cybersecurity risks in the risk assessment program. CC ID 13193 Audits and risk management Establish/Maintain Documentation
    Establish, implement, and maintain Data Protection Impact Assessments. CC ID 14830 Audits and risk management Process or Activity
    Include a Data Protection Impact Assessment in the risk assessment program. CC ID 12630 Audits and risk management Establish/Maintain Documentation
    Include an assessment of the necessity and proportionality of the processing operations in relation to the purposes in the Data Protection Impact Assessment. CC ID 12681 Audits and risk management Establish/Maintain Documentation
    Include an assessment of the relationship between the data subject and the parties processing the data in the Data Protection Impact Assessment. CC ID 16371 Audits and risk management Establish/Maintain Documentation
    Include a risk assessment of data subject's rights in the Data Protection Impact Assessment. CC ID 12674 Audits and risk management Establish/Maintain Documentation
    Include the description and purpose of processing restricted data in the Data Protection Impact Assessment. CC ID 12673 Audits and risk management Establish/Maintain Documentation
    Disseminate and communicate the Data Protection Impact Assessment to interested personnel and affected parties. CC ID 15313 Audits and risk management Communicate
    Include consideration of the data subject's expectations in the Data Protection Impact Assessment. CC ID 16370 Audits and risk management Establish/Maintain Documentation
    Include monitoring unsecured areas in the Data Protection Impact Assessment. CC ID 12671 Audits and risk management Establish/Maintain Documentation
    Include security measures for protecting restricted data in the Data Protection Impact Assessment. CC ID 12635 Audits and risk management Establish/Maintain Documentation
    Use the risk taxonomy when managing risk. CC ID 12280 Audits and risk management Behavior
    Establish, implement, and maintain a risk assessment policy. CC ID 14026 Audits and risk management Establish/Maintain Documentation
    Include compliance requirements in the risk assessment policy. CC ID 14121 Audits and risk management Establish/Maintain Documentation
    Include coordination amongst entities in the risk assessment policy. CC ID 14120 Audits and risk management Establish/Maintain Documentation
    Include management commitment in the risk assessment policy. CC ID 14119 Audits and risk management Establish/Maintain Documentation
    Include roles and responsibilities in the risk assessment policy. CC ID 14118 Audits and risk management Establish/Maintain Documentation
    Include the scope in the risk assessment policy. CC ID 14117 Audits and risk management Establish/Maintain Documentation
    Include the purpose in the risk assessment policy. CC ID 14116 Audits and risk management Establish/Maintain Documentation
    Disseminate and communicate the risk assessment policy to interested personnel and affected parties. CC ID 14115 Audits and risk management Communicate
    Establish, implement, and maintain risk assessment procedures. CC ID 06446
    [The governing body should oversee the organization's management of risk (see 6.4), ensuring that: the process for assessing risk is consistent throughout the organization, enabling effective comparison and prioritization of risk; § 6.9.3.4 ¶ 1 e)
    The governing body should ensure that the value generation objectives are delivered by the organization as a whole, by applying all other principles in this document. This includes ensuring that: unintended outcomes are adequately identified, understood, monitored and appropriate action taken; § 6.2.3.4 ¶ 1 a)]
    Audits and risk management Establish/Maintain Documentation
    Employ risk assessment procedures that follow legal requirements and contractual obligations when risk profiling. CC ID 06472 Audits and risk management Establish/Maintain Documentation
    Analyze the organization's information security environment. CC ID 13122 Audits and risk management Technical Security
    Document cybersecurity risks. CC ID 12281 Audits and risk management Establish/Maintain Documentation
    Employ risk assessment procedures that follow standards and best practices, as necessary. CC ID 06473 Audits and risk management Establish/Maintain Documentation
    Employ risk assessment procedures that take into account both electronic records and printed records. CC ID 06476 Audits and risk management Establish/Maintain Documentation
    Employ risk assessment procedures that take into account information classification. CC ID 06477 Audits and risk management Establish/Maintain Documentation
    Engage appropriate parties to assist with risk assessments, as necessary. CC ID 12153 Audits and risk management Human Resources Management
    Employ risk assessment procedures that align with strategic objectives. CC ID 06474 Audits and risk management Establish/Maintain Documentation
    Employ risk assessment procedures that take into account prior risk assessment findings of the same scope. CC ID 06478 Audits and risk management Establish/Maintain Documentation
    Employ risk assessment procedures that take into account the target environment. CC ID 06479
    [The governing body should consider and manage risk associated with its own activities in accordance with the organizational risk framework. For example, the governing body should: § 6.9.3.3 ¶ 1]
    Audits and risk management Establish/Maintain Documentation
    Employ risk assessment procedures that take into account incidents associated with the target environment. CC ID 06480 Audits and risk management Establish/Maintain Documentation
    Employ risk assessment procedures that take into account risk factors. CC ID 16560 Audits and risk management Audits and Risk Management
    Include compliance with disposition requirements in the risk assessment procedures. CC ID 12342 Audits and risk management Establish/Maintain Documentation
    Include compliance with retention requirements in the risk assessment procedures. CC ID 12341 Audits and risk management Establish/Maintain Documentation
    Employ risk assessment procedures that include appropriate risk treatment options for each identified risk. CC ID 06484 Audits and risk management Establish/Maintain Documentation
    Establish, implement, and maintain a threat and risk classification scheme. CC ID 07183 Audits and risk management Establish/Maintain Documentation
    Document organizational risk criteria. CC ID 12277
    [The governing body should ensure that the organizational risk framework, in respect to the management of risk: establishes the risk appetite, which involves setting risk criteria and associated limits; § 6.9.3.2 ¶ 2 g)]
    Audits and risk management Establish/Maintain Documentation
    Include security threats and vulnerabilities in the threat and risk classification scheme. CC ID 00699 Audits and risk management Technical Security
    Categorize the systems, information, and data by risk profile in the threat and risk classification scheme. CC ID 01443 Audits and risk management Audits and Risk Management
    Include risks to critical personnel and assets in the threat and risk classification scheme. CC ID 00698 Audits and risk management Audits and Risk Management
    Include the traceability of malicious code in the threat and risk classification scheme. CC ID 06600 Audits and risk management Establish/Maintain Documentation
    Assign a probability of occurrence to all types of threats in the threat and risk classification scheme. CC ID 01173 Audits and risk management Audits and Risk Management
    Approve the threat and risk classification scheme. CC ID 15693 Audits and risk management Business Processes
    Establish, implement, and maintain risk profiling procedures for internal risk assessments. CC ID 01157 Audits and risk management Audits and Risk Management
    Include language that is easy to understand in the risk assessment report. CC ID 06461 Audits and risk management Establish/Maintain Documentation
    Include the environments that call for risk assessments in the risk assessment program. CC ID 06448 Audits and risk management Establish/Maintain Documentation
    Include the process for defining the scope of each risk assessment in the risk assessment program. CC ID 06462 Audits and risk management Establish/Maintain Documentation
    Include the circumstances that call for risk assessments in the risk assessment program. CC ID 06449 Audits and risk management Establish/Maintain Documentation
    Include the roles and responsibilities involved in risk assessments in the risk assessment program. CC ID 06450 Audits and risk management Establish/Maintain Documentation
    Include the methods of managing and responding to the risk assessment report in the risk assessment program. CC ID 06451 Audits and risk management Establish/Maintain Documentation
    Automate as much of the risk assessment program, as necessary. CC ID 06459 Audits and risk management Audits and Risk Management
    Disseminate and communicate the risk assessment procedures to interested personnel and affected parties. CC ID 14136 Audits and risk management Communicate
    Approve the risk assessment program and associated risk assessment procedures at the senior management level. CC ID 06458 Audits and risk management Establish/Maintain Documentation
    Perform risk assessments for all target environments, as necessary. CC ID 06452
    [To ensure that the organization fulfils the organizational purpose and achieves the intended strategic outcomes, the governing body should: ensure that when the governing body makes decisions, it assesses, treats, monitors, and communicates the nature and extent of the risks faced; § 6.9.3.1 ¶ 2 b)
    The governing body should oversee the organization's management of risk (see 6.4), ensuring that: the organization assesses, treats, monitors and reviews risk in accordance with the established organizational risk framework; § 6.9.3.4 ¶ 1 d)
    {environmental system}{social system} The governing body should ensure that the organization protects and restores those systems on which it depends. In this regard, the governing body should consider and manage risk associated with those decisions it makes that can impact the natural environmental, social and economic systems (see 6.9). While doing so, the governing body should ensure that relevant stakeholders are consulted and engaged (see 6.6). This should provide clarity regarding the impact the governing body's decisions have, over time, on those aspects on which the organization is: § 6.11.3.4 ¶ 1]
    Audits and risk management Testing
    Include the probability and potential impact of pandemics in the scope of the risk assessment. CC ID 13241 Audits and risk management Establish/Maintain Documentation
    Include physical assets in the scope of the risk assessment. CC ID 13075 Audits and risk management Establish/Maintain Documentation
    Include the results of the risk assessment in the risk assessment report. CC ID 06481 Audits and risk management Establish/Maintain Documentation
    Approve the results of the risk assessment as documented in the risk assessment report. CC ID 07109 Audits and risk management Audits and Risk Management
    Review risks to the organization's audit function when changes in the supply chain occur. CC ID 01154 Audits and risk management Audits and Risk Management
    Review the risk to the audit function when the audit personnel status changes. CC ID 01153 Audits and risk management Audits and Risk Management
    Document any reasons for modifying or refraining from modifying the organization's risk assessment when the risk assessment has been reviewed. CC ID 13312 Audits and risk management Establish/Maintain Documentation
    Create a risk assessment report based on the risk assessment results. CC ID 15695 Audits and risk management Establish/Maintain Documentation
    Disseminate and communicate the approved risk assessment report to interested personnel and affected parties. CC ID 10633
    [Assurance processes that inform the governing body independently and accurately include: direct reports by, and private sessions with, risk management and compliance management as independent control functions; § 6.4.3.3 ¶ 2 Bullet 2]
    Audits and risk management Communicate
    Notify the organization upon completion of the external audits of the organization's risk assessment. CC ID 13313 Audits and risk management Communicate
    Establish, implement, and maintain a risk assessment awareness and training program. CC ID 06453 Audits and risk management Business Processes
    Disseminate and communicate information about risks to all interested personnel and affected parties. CC ID 06718
    [To demonstrate accountability, the governing body should ensure that the organization's reports and disclosures: explain and justify the organization's actions, inactions, omissions, risk and dependencies, including those of the governing body; § 6.5.3.2 ¶ 1 g)
    To ensure that the organization fulfils the organizational purpose and achieves the intended strategic outcomes, the governing body should: ensure that when the governing body makes decisions, it assesses, treats, monitors, and communicates the nature and extent of the risks faced; § 6.9.3.1 ¶ 2 b)
    The governing body should oversee the organization's management of risk (see 6.4), ensuring that: effective risk reporting and communication of risk are practised and promoted throughout the organization; § 6.9.3.4 ¶ 1 h)
    Assurance processes that inform the governing body independently and accurately include: direct reports by, and private sessions with, internal audit as an independent provider of assurance, including insight and advice, on the effectiveness and performance of governance processes and the internal control system, in particular risk management and compliance management; § 6.4.3.3 ¶ 2 Bullet 3
    {environmental system}{social system}The governing body should ensure that when the organization reports and discloses its value generation model (see 6.2 and 6.5) these include: the risks posed to the organization, and the organization's value generation model, by the natural environmental, social and economic systems within which it operates and by the governing body's decisions; § 6.11.3.4 ¶ 2 b)
    {environmental system}{social system}The governing body should ensure that when the organization reports and discloses its value generation model (see 6.2 and 6.5) these include: the risks posed to the natural environmental, social and economic systems by the organization, by the organization's value generation model and by the governing body's decisions. § 6.11.3.4 ¶ 2 c)]
    Audits and risk management Behavior
    Correlate the business impact of identified risks in the risk assessment report. CC ID 00686 Audits and risk management Audits and Risk Management
    Include recovery of the critical path in the Business Impact Analysis. CC ID 13224 Audits and risk management Establish/Maintain Documentation
    Include acceptable levels of data loss in the Business Impact Analysis. CC ID 13264 Audits and risk management Establish/Maintain Documentation
    Include Recovery Point Objectives in the Business Impact Analysis. CC ID 13223 Audits and risk management Establish/Maintain Documentation
    Include the Recovery Time Objectives in the Business Impact Analysis. CC ID 13222 Audits and risk management Establish/Maintain Documentation
    Include pandemic risks in the Business Impact Analysis. CC ID 13219 Audits and risk management Establish/Maintain Documentation
    Include tolerance to downtime in the Business Impact Analysis report. CC ID 01172 Audits and risk management Establish/Maintain Documentation
    Disseminate and communicate the Business Impact Analysis to interested personnel and affected parties. CC ID 15300
    [{social context}To demonstrate accountability, the governing body should ensure that the organization's reports and disclosures: provide information about the organization, including: the impact the organization has had, and anticipates having, on the resources it uses and the natural environment, social and economic context within which it operates; § 6.5.3.2 ¶ 1 c) 3)
    The value generation model requires an integrated approach to understanding and using resources (e.g. human, social and relational, intellectual, the natural environment, financial and manufactured). This approach includes: reporting on the extent of the organization's impact on these resources and the impact of these resources on one another. § 6.2.3.1 ¶ 4 c)
    The governing body should demonstrate accountability by retaining and distributing value in a transparent manner and reporting on the associated processes, decisions and results, including on the extent of the organization's impacts over time. This includes disclosing to relevant stakeholders where the organization has destroyed or compromised value, providing a justification for such where appropriate, and describing how it will redress or reinstate that value. § 6.2.3.5 ¶ 2]
    Audits and risk management Communicate
    Establish, implement, and maintain a risk register. CC ID 14828 Audits and risk management Establish/Maintain Documentation
    Document organizational risk tolerance in a risk register. CC ID 09961 Audits and risk management Establish/Maintain Documentation
    Align organizational risk tolerance to that of industry peers in the risk register. CC ID 09962 Audits and risk management Business Processes
    Review the Business Impact Analysis, as necessary. CC ID 12774 Audits and risk management Business Processes
    Analyze and quantify the risks to in scope systems and information. CC ID 00701 Audits and risk management Audits and Risk Management
    Establish and maintain a Risk Scoping and Measurement Definitions Document. CC ID 00703 Audits and risk management Audits and Risk Management
    Identify the material risks in the risk assessment report. CC ID 06482 Audits and risk management Audits and Risk Management
    Establish a risk acceptance level that is appropriate to the organization's risk appetite. CC ID 00706
    [{positive impact}Responsible stewardship — The organization: effectively balances positive and negative impacts; § 5 ¶ 2 b) 2)
    The governing body should ensure that the organizational risk framework, in respect to the management of risk: establishes the risk appetite, which involves setting risk criteria and associated limits; § 6.9.3.2 ¶ 2 g)
    The governing body should ensure that it sets parameters, within which the value generation objectives are to be achieved. These parameters should ensure that the organization: balances the achievement of the value generation objectives against potential impacts; § 6.2.3.3 ¶ 1 a)]
    Audits and risk management Establish/Maintain Documentation
    Investigate alternative risk control strategies appropriate to the organization's risk appetite. CC ID 12887 Audits and risk management Investigate
    Select the appropriate risk treatment option for each identified risk in the risk register. CC ID 06483
    [The governing body should oversee the organization's management of risk (see 6.4), ensuring that: the choice of risk treatments is consistent with governance policies; § 6.9.3.4 ¶ 1 c)]
    Audits and risk management Establish/Maintain Documentation
    Disseminate and communicate the risk acceptance level in the risk treatment plan to all interested personnel and affected parties. CC ID 06849 Audits and risk management Behavior
    Document the results of the gap analysis. CC ID 16271 Audits and risk management Establish/Maintain Documentation
    Prioritize and select controls based on the risk assessment findings. CC ID 00707 Audits and risk management Audits and Risk Management
    Prioritize and categorize the effects of opportunities, threats and requirements on control activities. CC ID 12822 Audits and risk management Audits and Risk Management
    Develop key indicators to inform management on the effectiveness of risk control measures. CC ID 12946 Audits and risk management Audits and Risk Management
    Establish, implement, and maintain a risk treatment plan. CC ID 11983
    [To ensure that the organization fulfils the organizational purpose and achieves the intended strategic outcomes, the governing body should: ensure that when the governing body makes decisions, it assesses, treats, monitors, and communicates the nature and extent of the risks faced; § 6.9.3.1 ¶ 2 b)
    The governing body should oversee the organization's management of risk (see 6.4), ensuring that: the organization assesses, treats, monitors and reviews risk in accordance with the established organizational risk framework; § 6.9.3.4 ¶ 1 d)
    The governing body should oversee organizational performance by assessing and taking corrective action based on: risk information (e.g. information received directly from the risk function) regarding the organization's assessment and treatment of its key threats and opportunities in consideration of the organizational risk framework (see 6.9); § 6.4.3.2 ¶ 1 c)]
    Audits and risk management Establish/Maintain Documentation
    Include the date of the risk assessment in the risk treatment plan. CC ID 16321 Audits and risk management Establish/Maintain Documentation
    Include the release status of the risk assessment in the risk treatment plan. CC ID 16320 Audits and risk management Audits and Risk Management
    Identify the planned actions and controls that address high risk in the risk treatment plan. CC ID 12835 Audits and risk management Audits and Risk Management
    Identify the current actions and controls that address high risk in the risk treatment plan. CC ID 12834 Audits and risk management Audits and Risk Management
    Include the risk treatment strategy in the risk treatment plan. CC ID 12159 Audits and risk management Establish/Maintain Documentation
    Include an overview of the migration project plan in the risk treatment plan. CC ID 11982 Audits and risk management Establish/Maintain Documentation
    Include change control processes in the risk treatment plan. CC ID 11981 Audits and risk management Establish/Maintain Documentation
    Include a description of the processes to check for new vulnerabilities in the risk treatment plan. CC ID 11980 Audits and risk management Establish/Maintain Documentation
    Include the implemented risk management controls in the risk treatment plan. CC ID 11979 Audits and risk management Establish/Maintain Documentation
    Include requirements for monitoring and reporting in the risk treatment plan, as necessary. CC ID 13620 Audits and risk management Establish/Maintain Documentation
    Include risk assessment results in the risk treatment plan. CC ID 11978 Audits and risk management Establish/Maintain Documentation
    Include a description of usage in the risk treatment plan. CC ID 11977 Audits and risk management Establish/Maintain Documentation
    Document all constraints applied to the risk treatment plan, as necessary. CC ID 13619 Audits and risk management Establish/Maintain Documentation
    Disseminate and communicate the risk treatment plan to interested personnel and affected parties. CC ID 15694 Audits and risk management Communicate
    Approve the risk treatment plan. CC ID 13495 Audits and risk management Audits and Risk Management
    Integrate the corrective action plan based on the risk assessment findings with other risk management activities. CC ID 06457 Audits and risk management Establish/Maintain Documentation
    Review and approve the risk assessment findings. CC ID 06485
    [The governing body should oversee organizational performance by assessing and taking corrective action based on: risk information (e.g. information received directly from the risk function) regarding the organization's assessment and treatment of its key threats and opportunities in consideration of the organizational risk framework (see 6.9); § 6.4.3.2 ¶ 1 c)]
    Audits and risk management Establish/Maintain Documentation
    Include risk responses in the risk management program. CC ID 13195 Audits and risk management Establish/Maintain Documentation
    Review and approve material risks documented in the residual risk report, as necessary. CC ID 13672 Audits and risk management Business Processes
    Establish, implement, and maintain an artificial intelligence risk management program. CC ID 16220 Audits and risk management Establish/Maintain Documentation
    Include diversity and equal opportunity in the artificial intelligence risk management program. CC ID 16255 Audits and risk management Establish/Maintain Documentation
    Analyze the impact of artificial intelligence systems on business operations. CC ID 16356 Audits and risk management Business Processes
    Establish, implement, and maintain a cybersecurity risk management program. CC ID 16827 Audits and risk management Audits and Risk Management
    Include a commitment to continuous improvement in the cybersecurity risk management program. CC ID 16839 Audits and risk management Establish/Maintain Documentation
    Monitor the effectiveness of the cybersecurity risk management program. CC ID 16831 Audits and risk management Monitor and Evaluate Occurrences
    Establish, implement, and maintain a cybersecurity risk management policy. CC ID 16834 Audits and risk management Establish/Maintain Documentation
    Disseminate and communicate the cybersecurity risk management policy to interested personnel and affected parties. CC ID 16832 Audits and risk management Communicate
    Disseminate and communicate the cybersecurity risk management program to interested personnel and affected parties. CC ID 16829 Audits and risk management Communicate
    Establish, implement, and maintain a cybersecurity risk management strategy. CC ID 11991 Audits and risk management Establish/Maintain Documentation
    Include a risk prioritization approach in the Cybersecurity Risk Management Strategy. CC ID 12276 Audits and risk management Establish/Maintain Documentation
    Include defense in depth strategies in the cybersecurity risk management strategy. CC ID 15582 Audits and risk management Establish/Maintain Documentation
    Disseminate and communicate the cybersecurity risk management strategy to interested personnel and affected parties. CC ID 16825 Audits and risk management Communicate
    Evaluate the cyber insurance market. CC ID 12695 Audits and risk management Business Processes
    Evaluate the usefulness of cyber insurance to the organization. CC ID 12694 Audits and risk management Business Processes
    Acquire cyber insurance, as necessary. CC ID 12693 Audits and risk management Business Processes
    Establish, implement, and maintain a cybersecurity supply chain risk management program. CC ID 16826 Audits and risk management Establish/Maintain Documentation
    Establish, implement, and maintain cybersecurity supply chain risk management procedures. CC ID 16830 Audits and risk management Establish/Maintain Documentation
    Monitor the effectiveness of the cybersecurity supply chain risk management program. CC ID 16828 Audits and risk management Monitor and Evaluate Occurrences
    Establish, implement, and maintain a supply chain risk management policy. CC ID 14663 Audits and risk management Establish/Maintain Documentation
    Include compliance requirements in the supply chain risk management policy. CC ID 14711 Audits and risk management Establish/Maintain Documentation
    Include coordination amongst entities in the supply chain risk management policy. CC ID 14710 Audits and risk management Establish/Maintain Documentation
    Include management commitment in the supply chain risk management policy. CC ID 14709 Audits and risk management Establish/Maintain Documentation
    Include roles and responsibilities in the supply chain risk management policy. CC ID 14708 Audits and risk management Establish/Maintain Documentation
    Include the scope in the supply chain risk management policy. CC ID 14707 Audits and risk management Establish/Maintain Documentation
    Include the purpose in the supply chain risk management policy. CC ID 14706 Audits and risk management Establish/Maintain Documentation
    Disseminate and communicate the supply chain risk management policy to all interested personnel and affected parties. CC ID 14662 Audits and risk management Communicate
    Establish, implement, and maintain a supply chain risk management plan. CC ID 14713 Audits and risk management Establish/Maintain Documentation
    Include processes for monitoring and reporting in the supply chain risk management plan. CC ID 15619 Audits and risk management Establish/Maintain Documentation
    Include dates in the supply chain risk management plan. CC ID 15617 Audits and risk management Establish/Maintain Documentation
    Include implementation milestones in the supply chain risk management plan. CC ID 15615 Audits and risk management Establish/Maintain Documentation
    Include roles and responsibilities in the supply chain risk management plan. CC ID 15613 Audits and risk management Establish/Maintain Documentation
    Include supply chain risk management procedures in the risk management program. CC ID 13190 Audits and risk management Establish/Maintain Documentation
    Disseminate and communicate the supply chain risk management procedures to all interested personnel and affected parties. CC ID 14712 Audits and risk management Communicate
    Assign key stakeholders to review and approve supply chain risk management procedures. CC ID 13199 Audits and risk management Human Resources Management
    Disseminate and communicate the risk management policy to interested personnel and affected parties. CC ID 13792 Audits and risk management Communicate
    Establish, implement, and maintain an access control program. CC ID 11702 Technical security Establish/Maintain Documentation
    Establish, implement, and maintain an access rights management plan. CC ID 00513 Technical security Establish/Maintain Documentation
    Control access rights to organizational assets. CC ID 00004 Technical security Technical Security
    [{procedure}The governing body should ensure that it sets parameters, within which the value generation objectives are to be achieved. These parameters should ensure that the organization: defines what resources are required to deliver the value generation objectives and how they should be accessed and allocated; § 6.2.3.3 ¶ 1 b)]
    Configure access control lists in accordance with organizational standards. CC ID 16465 Technical security Configuration
    Add all devices requiring access control to the Access Control List. CC ID 06264 Technical security Establish/Maintain Documentation
    Generate but refrain from storing authenticators or Personal Identification Numbers for systems involved in high risk activities. CC ID 06835 Technical security Technical Security
    Define roles for information systems. CC ID 12454 Technical security Human Resources Management
    Define access needs for each role assigned to an information system. CC ID 12455 Technical security Human Resources Management
    Define access needs for each system component of an information system. CC ID 12456 Technical security Technical Security
    Define the level of privilege required for each system component of an information system. CC ID 12457 Technical security Technical Security
    Establish access rights based on least privilege. CC ID 01411 Technical security Technical Security
    Assign user permissions based on job responsibilities. CC ID 00538 Technical security Technical Security
    Assign user privileges after they have management sign off. CC ID 00542 Technical security Technical Security
    Separate processing domains to segregate user privileges and enhance information flow control. CC ID 06767 Technical security Configuration
    Establish, implement, and maintain lockout procedures or lockout mechanisms to be triggered after a predetermined number of consecutive logon attempts. CC ID 01412 Technical security Technical Security
    Configure the lockout procedure to disregard failed logon attempts after the user is authenticated. CC ID 13822 Technical security Configuration
    Disallow unlocking user accounts absent system administrator approval. CC ID 01413 Technical security Technical Security
    Establish, implement, and maintain session lock capabilities. CC ID 01417 Technical security Configuration
    Limit concurrent sessions according to account type. CC ID 01416 Technical security Configuration
    Establish session authenticity through Transport Layer Security. CC ID 01627 Technical security Technical Security
    Configure the "tlsverify" argument to organizational standards. CC ID 14460 Technical security Configuration
    Configure the "tlscacert" argument to organizational standards. CC ID 14521 Technical security Configuration
    Configure the "tlscert" argument to organizational standards. CC ID 14520 Technical security Configuration
    Configure the "tlskey" argument to organizational standards. CC ID 14519 Technical security Configuration
    Enable access control for objects and users on each system. CC ID 04553 Technical security Configuration
    Include all system components in the access control system. CC ID 11939 Technical security Technical Security
    Set access control for objects and users to "deny all" unless explicitly authorized. CC ID 06301 Technical security Process or Activity
    Enable access control for objects and users to match restrictions set by the system's security classification. CC ID 04850 Technical security Technical Security
    Enable attribute-based access control for objects and users on information systems. CC ID 16351 Technical security Technical Security
    Enable role-based access control for objects and users on information systems. CC ID 12458 Technical security Technical Security
    Include the objects and users subject to access control in the security policy. CC ID 11836 Technical security Establish/Maintain Documentation
    Assign Information System access authorizations if implementing segregation of duties. CC ID 06323 Technical security Establish Roles
    Enforce access restrictions for change control. CC ID 01428 Technical security Technical Security
    Enforce access restrictions for restricted data. CC ID 01921 Technical security Data and Information Management
    Permit a limited set of user actions absent identification and authentication. CC ID 04849 Technical security Technical Security
    Activate third party maintenance accounts and user identifiers, as necessary. CC ID 04262 Technical security Technical Security
    Establish, implement, and maintain a system use agreement for each information system. CC ID 06500 Technical security Establish/Maintain Documentation
    Accept and sign the system use agreement before data or system access is enabled. CC ID 06501 Technical security Establish/Maintain Documentation
    Display a logon banner and appropriate logon message before granting access to the system. CC ID 06770 Technical security Technical Security
    Display previous logon information in the logon banner. CC ID 01415 Technical security Configuration
    Document actions that can be performed on an information system absent identification and authentication of the user. CC ID 06771 Technical security Establish/Maintain Documentation
    Use automatic equipment identification as a method of connection authentication absent an individual's identification and authentication. CC ID 06964 Technical security Technical Security
    Establish, implement, and maintain a business continuity program. CC ID 13210 Operational and Systems Continuity Establish/Maintain Documentation
    Establish, implement, and maintain a continuity framework. CC ID 00732 Operational and Systems Continuity Establish/Maintain Documentation
    Assess risks related to fault tolerance and redundancy of critical assets. CC ID 13053 Operational and Systems Continuity Systems Continuity
    Establish, implement, and maintain a continuity plan. CC ID 00752 Operational and Systems Continuity Establish/Maintain Documentation
    Include restoration procedures in the continuity plan. CC ID 01169 Operational and Systems Continuity Establish Roles
    [The organization's viability and performance over time depends on the resilience of natural environmental, social and economic systems in which the organization operates. The resilience of these systems benefits from governing body decisions when such decisions consider: actively contribute to conserving and restoring these systems. § 6.11.3.1 ¶ 1 Bullet 2]
    Include risk prioritized recovery procedures for each business unit in the recovery plan. CC ID 01166 Operational and Systems Continuity Establish/Maintain Documentation
    Include the recovery plan in the continuity plan. CC ID 01377 Operational and Systems Continuity Establish/Maintain Documentation
    Disseminate and communicate the recovery status of the contingency plan to interested personnel and affected parties. CC ID 12758 Operational and Systems Continuity Communicate
    Establish, implement, and maintain system continuity plan strategies. CC ID 00735 Operational and Systems Continuity Establish/Maintain Documentation
    Establish, implement, and maintain a critical third party list. CC ID 06815 Operational and Systems Continuity Establish/Maintain Documentation
    Disseminate and communicate critical third party dependencies to interested personnel and affected parties. CC ID 06816 Operational and Systems Continuity Behavior
    [To demonstrate accountability, the governing body should ensure that the organization's reports and disclosures: explain and justify the organization's actions, inactions, omissions, risk and dependencies, including those of the governing body; § 6.5.3.2 ¶ 1 g)]
    Establish, implement, and maintain high level operational roles and responsibilities. CC ID 00806 Human Resources management Establish Roles
    [{be effective} Depending on the size of the organization, governing bodies can create committees to help them fulfil their obligations. These committees can be statutory or voluntary. In either case, they should provide the governing body with additional capacity, skills, independence, diversity and/or stakeholder representation. If a governing body makes use of supporting committees, the governing body should ensure that it effectively delegates the necessary responsibilities and authority to such committees. § 4.3.1 ¶ 2]
    Define and assign the head of Information Security's roles and responsibilities. CC ID 06091 Human Resources management Establish Roles
    Establish, implement, and maintain a security operations center. CC ID 14762 Human Resources management Human Resources Management
    Define the scope for the security operations center. CC ID 15713 Human Resources management Establish/Maintain Documentation
    Designate an alternate for each organizational leader. CC ID 12053 Human Resources management Human Resources Management
    Limit the activities performed as a proxy to an organizational leader. CC ID 12054 Human Resources management Behavior
    Assign the roles and responsibilities of management in establishing, implementing, and maintaining the information security program. CC ID 13112 Human Resources management Human Resources Management
    Define and assign the Board of Directors roles and responsibilities and senior management roles and responsibilities, including signing off on key policies and procedures. CC ID 00807 Human Resources management Establish Roles
    [The governing body can delegate but still remains accountable for what it has delegated and always remains responsible for the organization as a whole. § 4.2.2 ¶ 1
    The governing body should establish governance policies and ensure that these: clarify the manner in which the governing body itself is to operate and govern the organization; § 6.3.3.1.2 ¶ 1 f)
    {individual}{hold accountable} The governing body should demonstrate its willingness to answer for the fulfilment of its responsibilities, even where these have been delegated. The governing body should also report on the manner in which it holds to account those to whom it has delegated. § 6.5.3.1 ¶ 1
    Governance is exercised throughout the organization by governing groups, including: the governing body; § 4.2.1 ¶ 1 Bullet 2
    At all times, the governing body should act collectively, performing many interrelated activities in order to exercise its authority and fulfil its accountability. Members of the governing body should act with probity and in the best interests of the organization while applying the principles in this document. § 4.3.1 ¶ 3
    {individual}{hold accountable} The governing body should demonstrate its accountability to the organization as a whole and hold to account those to whom it has delegated. Table 1 Column 4 Row 6
    The governing body should engage with strategic planning by: establishing clarity about its role in the strategic planning process; § 6.3.3.2.1 ¶ 1 a)
    The governing body is accountable for ensuring that the organization fulfils the defined organizational purpose and should ensure that the organization does so in a manner which demonstrates the defined organizational values. § 6.1.3.4 ¶ 1
    {individual}{hold accountable} The governing body should demonstrate its accountability to the organization as a whole and hold to account those to whom it has delegated. § 6.5.1 ¶ 1
    Within the governing body: The governing body should set expectations for itself and the organization, including parameters within which these expectations are to be fulfilled. The governing body should fulfil these expectations (internal alignment). § 6.7.3.2 ¶ 1 a)]
    Establish and maintain board committees, as necessary. CC ID 14789 Human Resources management Human Resources Management
    [The governing body should steer the organizational strategy by means of: the composition and functioning of the governing body itself, and its committees, ensuring they are continually able to understand and meet the changing needs of the organization (see 4.3.2), including recommending ways for closing anticipated gaps; § 6.3.3.2.2 ¶ 2 c)]
    Define and assign the roles and responsibilities of the chairman of the board. CC ID 14786 Human Resources management Establish/Maintain Documentation
    Assign oversight of C-level executives to the Board of Directors. CC ID 14784 Human Resources management Human Resources Management
    Establish, implement, and maintain candidate selection procedures to the board of directors. CC ID 14782 Human Resources management Establish/Maintain Documentation
    [The composition and structure of the governing body will vary between organizations. However, the governing body, as a collective, should remain suitably equipped to fulfil its role. Appointments to the governing body should be transparent to stakeholders and consider: capacity; § 4.3.1 ¶ 1 Bullet 4
    The composition and structure of the governing body will vary between organizations. However, the governing body, as a collective, should remain suitably equipped to fulfil its role. Appointments to the governing body should be transparent to stakeholders and consider: probity; § 4.3.1 ¶ 1 Bullet 5
    The composition and structure of the governing body will vary between organizations. However, the governing body, as a collective, should remain suitably equipped to fulfil its role. Appointments to the governing body should be transparent to stakeholders and consider: commitment. § 4.3.1 ¶ 1 Bullet 6
    The composition and structure of the governing body will vary between organizations. However, the governing body, as a collective, should remain suitably equipped to fulfil its role. Appointments to the governing body should be transparent to stakeholders and consider: § 4.3.1 ¶ 1]
    Include the criteria of mixed experiences and skills in the candidate selection procedures. CC ID 14791 Human Resources management Establish/Maintain Documentation
    [The composition and structure of the governing body will vary between organizations. However, the governing body, as a collective, should remain suitably equipped to fulfil its role. Appointments to the governing body should be transparent to stakeholders and consider: diversity and inclusion; § 4.3.1 ¶ 1 Bullet 2]
    Assign oversight of the financial management program to the board of directors. CC ID 14781 Human Resources management Human Resources Management
    Assign senior management to the role of supporting Quality Management. CC ID 13692 Human Resources management Human Resources Management
    Assign senior management to the role of authorizing official. CC ID 14238 Human Resources management Establish Roles
    Assign members who are independent from management to the Board of Directors. CC ID 12395 Human Resources management Human Resources Management
    [The composition and structure of the governing body will vary between organizations. However, the governing body, as a collective, should remain suitably equipped to fulfil its role. Appointments to the governing body should be transparent to stakeholders and consider: independence of thought and action; § 4.3.1 ¶ 1 Bullet 3]
    Assign ownership of risks to the Board of Directors or senior management. CC ID 13662 Human Resources management Human Resources Management
    [The governing body should assume accountability for the organization's continual sensing of, and responding to, risk and communicating the chosen approach with relevant stakeholders as necessary (see 6.5.3). § 6.9.3.1 ¶ 1
    To ensure that the organization fulfils the organizational purpose and achieves the intended strategic outcomes, the governing body should: oversee the organization's risk management activities. § 6.9.3.1 ¶ 2 c)
    The governing body should oversee the organization's management of risk (see 6.4), ensuring that: § 6.9.3.4 ¶ 1]
    Assign the organization's board and senior management to oversee the continuity planning process. CC ID 12991 Human Resources management Human Resources Management
    Define and assign board committees, as necessary. CC ID 14787 Human Resources management Human Resources Management
    Define and assign risk committees, as necessary. CC ID 14795 Human Resources management Human Resources Management
    Establish, implement, and maintain a board committee charter, as necessary. CC ID 14802 Human Resources management Establish/Maintain Documentation
    Define and assign audit committees, as necessary. CC ID 14788 Human Resources management Human Resources Management
    Include members with experience in audit practices, financial reporting, and accounting in the audit committee. CC ID 14796 Human Resources management Human Resources Management
    Define and assign compensation committees, as necessary. CC ID 14793 Human Resources management Human Resources Management
    Define and assign the Chief Information Officer's roles and responsibilities. CC ID 00808 Human Resources management Establish Roles
    Define and assign the network administrator's roles and responsibilities. CC ID 16363 Human Resources management Human Resources Management
    Define and assign the Information Technology staff's roles and responsibilities. CC ID 00809 Human Resources management Establish Roles
    Define and assign the Data Protection Officer's roles and responsibilities. CC ID 16525 Human Resources management Human Resources Management
    Define and assign the business unit manager's roles and responsibilities. CC ID 00810 Human Resources management Establish Roles
    Define and assign the Facility Security Officer's roles and responsibilities. CC ID 01887 Human Resources management Establish Roles
    Define and assign the Chief Risk Officer's roles and responsibilities. CC ID 14333 Human Resources management Human Resources Management
    Define and assign roles and responsibilities for network management. CC ID 13128 Human Resources management Human Resources Management
    Define and assign the technology security leader's roles and responsibilities. CC ID 01897 Human Resources management Establish Roles
    Define and assign the security staff roles and responsibilities. CC ID 11750 Human Resources management Establish/Maintain Documentation
    Define and assign the authorized representatives roles and responsibilities. CC ID 15033 Human Resources management Human Resources Management
    Define and assign the property management leader's roles and responsibilities. CC ID 00669 Human Resources management Establish Roles
    Define and assign the Archives and Records Management oversight's roles and responsibilities. CC ID 00697 Human Resources management Establish Roles
    Define and assign the Privacy Officer's roles and responsibilities. CC ID 00714 Human Resources management Establish Roles
    Define and assign critical facility management personnel's roles and responsibilities. CC ID 06381 Human Resources management Establish Roles
    Define the objectives and extent of outsourcing operational roles and responsibilities. CC ID 06383 Human Resources management Establish/Maintain Documentation
    Define and assign the Chief Security Officer's roles and responsibilities. CC ID 06431 Human Resources management Establish Roles
    Establish and maintain an Information Technology steering committee. CC ID 12706 Human Resources management Human Resources Management
    Assign the Information Technology steering committee to report to senior management. CC ID 12731 Human Resources management Human Resources Management
    Convene the Information Technology steering committee, as necessary. CC ID 12730 Human Resources management Human Resources Management
    Assign reviewing investments to the Information Technology steering committee, as necessary. CC ID 13625 Human Resources management Human Resources Management
    Assign a contact person to all business units. CC ID 07144 Human Resources management Establish Roles
    Define and assign the assessment team's roles and responsibilities. CC ID 08890 Human Resources management Business Processes
    Assign the role of Risk Assessment Manager to applicable controls. CC ID 12143 Human Resources management Human Resources Management
    Assign the Risk Assessment manager the duty of reporting risk assessment results to organizational management. CC ID 12152 Human Resources management Human Resources Management
    Refrain from allocating temporary staff to perform sensitive jobs absent the presence and control of authorized permanent staff. CC ID 12299 Human Resources management Human Resources Management
    Define and assign workforce roles and responsibilities. CC ID 13267 Human Resources management Human Resources Management
    ["Governance" and "management" are distinct, necessary and complementary activities that interact and influence one another. Governance involves setting and being accountable for the organization's fulfilment of its purpose within the parameters set for the organization, whereas management is about fulfilling the associated objectives by making choices within those parameters. The governing body should ensure the clarity of roles and responsibilities of all involved and hold accountable those to whom they delegate. § 4.2.3 ¶ 1]
    Establish, implement, and maintain cybersecurity roles and responsibilities. CC ID 13201 Human Resources management Human Resources Management
    Assign roles and responsibilities for physical security, as necessary. CC ID 13113 Human Resources management Establish Roles
    Document the use of external experts. CC ID 16263 Human Resources management Human Resources Management
    Define and assign roles and responsibilities for those involved in risk management. CC ID 13660 Human Resources management Human Resources Management
    [The governing body should ensure that the organizational risk framework, in respect to the management of risk: establishes the desired risk culture across the organization that encourages the reporting and communication of new and emerging risks, and ensures that every person in the organization understands their risk management responsibility; § 6.9.3.2 ¶ 2 a)]
    Include the management structure in the duties and responsibilities for risk management. CC ID 13665 Human Resources management Human Resources Management
    Assign the roles and responsibilities for the change control program. CC ID 13118 Human Resources management Human Resources Management
    Identify and define all critical roles. CC ID 00777 Human Resources management Establish Roles
    Assign cybersecurity reporting responsibilities to qualified personnel. CC ID 12739 Human Resources management Establish Roles
    Assign responsibility for cyber threat intelligence. CC ID 12746 Human Resources management Human Resources Management
    Assign the role of security management to applicable controls. CC ID 06444 Human Resources management Establish Roles
    Assign the role of security leader to keep up to date on the latest threats. CC ID 12112 Human Resources management Human Resources Management
    Define and assign the data processor's roles and responsibilities. CC ID 12607 Human Resources management Human Resources Management
    Assign the data processor to assist the data controller in implementing security controls. CC ID 12677 Human Resources management Human Resources Management
    Assign the data processor to notify the data controller when personal data processing could infringe on regulations. CC ID 12617 Human Resources management Communicate
    Define and assign the data controller's roles and responsibilities. CC ID 00471 Human Resources management Establish Roles
    Assign the role of data controller to be the Point of Contact for the supervisory authority. CC ID 12616 Human Resources management Human Resources Management
    Assign the role of the Data Controller to cooperate with the supervisory authority. CC ID 12615 Human Resources management Human Resources Management
    Assign the data controller to facilitate the exercise of the data subject's rights. CC ID 12666 Human Resources management Human Resources Management
    Assign the role of data controller to applicable controls. CC ID 00354 Human Resources management Establish Roles
    Assign the role of data controller to provide advice, when requested. CC ID 12611 Human Resources management Human Resources Management
    Assign the role of data controller to additional personnel, as necessary. CC ID 00473 Human Resources management Establish Roles
    Assign the role of Information Technology operations to applicable controls. CC ID 00682 Human Resources management Establish Roles
    Assign the role of logical access control to applicable controls. CC ID 00772 Human Resources management Establish Roles
    Assign the role of asset physical security to applicable controls. CC ID 00770 Human Resources management Establish Roles
    Assign the role of data custodian to applicable controls. CC ID 04789 Human Resources management Establish Roles
    Assign the role of the Quality Management committee to applicable controls. CC ID 00769 Human Resources management Establish Roles
    Assign interested personnel to the Quality Management committee. CC ID 07193 Human Resources management Establish Roles
    Assign the roles and responsibilities for the asset management system. CC ID 14368 Human Resources management Establish/Maintain Documentation
    Assign personnel to a crime prevention unit and announce the members of the unit. CC ID 06348 Human Resources management Establish Roles
    Assign the role of fire protection management to applicable controls. CC ID 04891 Human Resources management Establish Roles
    Assign the role of Information Technology Service Continuity Management to applicable controls. CC ID 04894 Human Resources management Establish Roles
    Assign the role of the Computer Emergency Response Team to applicable controls. CC ID 04895 Human Resources management Establish Roles
    Assign the role of CRYPTO custodian to applicable controls. CC ID 06723 Human Resources management Establish Roles
    Define and assign the roles and responsibilities of security guards. CC ID 12543 Human Resources management Human Resources Management
    Define and assign roles and responsibilities for dispute resolution. CC ID 13626 Human Resources management Human Resources Management
    Define and assign the roles for Legal Support Workers. CC ID 13711 Human Resources management Human Resources Management
    Establish, implement, and maintain a personnel management program. CC ID 14018 Human Resources management Establish/Maintain Documentation
    Establish, implement, and maintain a succession plan for organizational leaders and support personnel. CC ID 11822 Human Resources management Human Resources Management
    [The governing body should steer the organizational strategy by means of: succession planning for the critical roles in the organization, including emergency succession arrangements; § 6.3.3.2.2 ¶ 2 f)]
    Establish, implement, and maintain a personnel security program. CC ID 10628 Human Resources management Establish/Maintain Documentation
    Assign security clearance procedures to qualified personnel. CC ID 06812 Human Resources management Establish Roles
    Assign personnel screening procedures to qualified personnel. CC ID 11699 Human Resources management Establish Roles
    Establish, implement, and maintain personnel screening procedures. CC ID 11700 Human Resources management Establish/Maintain Documentation
    Perform a personal identification check during personnel screening. CC ID 06721 Human Resources management Human Resources Management
    Perform a criminal records check during personnel screening. CC ID 06643 Human Resources management Establish/Maintain Documentation
    Include all residences in the criminal records check. CC ID 13306 Human Resources management Process or Activity
    Document any reasons a full criminal records check could not be performed. CC ID 13305 Human Resources management Establish/Maintain Documentation
    Perform a personal references check during personnel screening. CC ID 06645 Human Resources management Human Resources Management
    Perform a credit check during personnel screening. CC ID 06646 Human Resources management Human Resources Management
    Perform an academic records check during personnel screening. CC ID 06647 Human Resources management Establish/Maintain Documentation
    Perform a drug test during personnel screening. CC ID 06648 Human Resources management Testing
    Perform a resume check during personnel screening. CC ID 06659 Human Resources management Human Resources Management
    Perform a curriculum vitae check during personnel screening. CC ID 06660 Human Resources management Human Resources Management
    Allow personnel being screened to appeal findings and appeal decisions. CC ID 06720 Human Resources management Human Resources Management
    Disseminate and communicate screening results to interested personnel and affected parties. CC ID 16445 Human Resources management Communicate
    Perform personnel screening procedures, as necessary. CC ID 11763 Human Resources management Human Resources Management
    Establish, implement, and maintain security clearance procedures. CC ID 00783 Human Resources management Establish/Maintain Documentation
    Perform security clearance procedures, as necessary. CC ID 06644 Human Resources management Human Resources Management
    Establish and maintain security clearances. CC ID 01634 Human Resources management Human Resources Management
    Establish and maintain the staff structure in line with the strategic plan. CC ID 00764 Human Resources management Establish Roles
    [When delegating, the governing body should delegate in a manner which increases trust and transparency. For delegation and accountability (see 6.5) to be effective, the governing body should ensure that the following conditions are fulfilled: authority matches the level of responsibility, which includes the autonomy to make and fulfil plans to achieve the agreed outcomes within the established parameters; § 4.2.2 ¶ 2 c)
    Decision-making throughout the organization should be supported by appropriate delegation (see 4.2.2). This delegation should be formalized together with appropriate assurance processes. Additionally, the governing body should ensure that: the authority matches the level of responsibility associated with the decisions being made; § 6.8.3.2.2 ¶ 1 a)
    Delegation should be formalized together with the appropriate assurance processes. Limits of decision-making authority should be applied in response to assessed risk. § 4.2.2 ¶ 5
    Decision-making throughout the organization should be supported by appropriate delegation (see 4.2.2). This delegation should be formalized together with appropriate assurance processes. Additionally, the governing body should ensure that: § 6.8.3.2.2 ¶ 1
    {hold accountable}{individual} The governing body should hold to account those to whom it has delegated (see 4.2.2). The governing body should ask questions, exercise its judgement, implement consequences, affect improvements and ensure that is equipped to do so. When doing so, the governing body should practise integrity, fairness and transparency. § 6.5.3.3 ¶ 1]
    Delegate authority for specific processes, as necessary. CC ID 06780 Human Resources management Behavior
    [When delegating, the governing body should delegate in a manner which increases trust and transparency. For delegation and accountability (see 6.5) to be effective, the governing body should ensure that the following conditions are fulfilled: § 4.2.2 ¶ 2
    {be effective} Depending on the size of the organization, governing bodies can create committees to help them fulfil their obligations. These committees can be statutory or voluntary. In either case, they should provide the governing body with additional capacity, skills, independence, diversity and/or stakeholder representation. If a governing body makes use of supporting committees, the governing body should ensure that it effectively delegates the necessary responsibilities and authority to such committees. § 4.3.1 ¶ 2
    The governing body should engage with strategic planning by: delegating as necessary; § 6.3.3.2.1 ¶ 1 b)
    The governing body should ensure that effective delegation is practised (see 4.2.2), as this is necessary for accountability. § 6.5.3.1 ¶ 2]
    Implement a staff rotation plan. CC ID 12772 Human Resources management Human Resources Management
    Rotate duties amongst the critical roles and positions. CC ID 06554 Human Resources management Establish Roles
    Place Information Technology operations in a position to support the business model. CC ID 00766 Human Resources management Business Processes
    Review organizational personnel successes. CC ID 00767 Human Resources management Business Processes
    Implement personnel supervisory practices. CC ID 00773 Human Resources management Behavior
    Establish, implement, and maintain segregation of duties compensating controls if segregation of duties is not practical. CC ID 06960
    [{be different} The degree of separation of duties between the governing body and managers varies according to organizational needs and circumstances. In certain circumstances, such as an executive member of the governing body, an individual can be required to fulfil both governance and management responsibilities. In such cases, it is important for that person to be able to distinguish when they are fulfilling the different responsibilities and act and behave accordingly. § 4.2.3 ¶ 2]
    Human Resources management Technical Security
    Establish and maintain relationships with critical stakeholders, business functions, and leadership outside the in-scope staff. CC ID 00779
    [The governing body should ensure that the organization's stakeholders are identified, prioritized, appropriately engaged, consulted and their expectations understood. The governing body should do this to ensure that stakeholder relationships are effective and appropriate decisions about expectations are made to achieve the intended value generation objectives. § 6.6.3 ¶ 1
    The governing body should consider the expectations of relevant stakeholder groups whether the organization is obliged to do so (e.g. member stakeholders, regulators) or whether it chooses to do so (e.g. reference stakeholders). The governing body should ensure that: collaborative relationships with relevant stakeholders are maintained; § 6.6.3 ¶ 3 c)
    Ethical and effective leadership should be demonstrated in three areas: the manner in which the organization interacts with, and impacts, its stakeholders and the context within which it operates. § 6.7.3.1 ¶ 4 c)
    Within the organization's external context: The governing body should ensure that the organization treats stakeholders in a manner consistent with its organizational values. § 6.7.3.3 ¶ 1 c)
    In order to lead ethically and effectively, the governing body should lead by example to create a positive culture, set the tone for others, and engender trust and cooperation among the organization's stakeholders. § 6.7.3.1 ¶ 2
    {internal context} When setting the strategic outcomes and guiding the organizational strategy, the governing body should consider the organization's internal and external context, including: the quality and nature of stakeholder relationships and effectiveness of stakeholder engagement; § 6.3.3.1.1 ¶ 2 g)
    When the governing body groups stakeholders, it should clarify its criteria for grouping, and for determining the relevance of, stakeholders. The governing body should also ensure that a stakeholder engagement process is devised on this basis. § 6.6.3 ¶ 2]
    Human Resources management Behavior
    Establish job categorization criteria, job recruitment criteria, and promotion criteria. CC ID 00781 Human Resources management Establish/Maintain Documentation
    Establish, implement, and maintain a compensation, reward, and recognition program. CC ID 12806
    [{be fair}{be responsible}{be transparent} The governing body should steer the organizational strategy by means of: the organization's approach to compensation, ensuring that compensation is, and remains, fair, responsible and transparent; § 6.3.3.2.2 ¶ 2 h)]
    Human Resources management Human Resources Management
    Establish and maintain an annual report on compensation. CC ID 14801 Human Resources management Establish/Maintain Documentation
    Include the design characteristics of the remuneration system in the annual report on compensation. CC ID 14804 Human Resources management Establish/Maintain Documentation
    Disseminate and communicate the compensation, reward, and recognition program to interested personnel and affected parties. CC ID 14800 Human Resources management Communicate
    Establish, implement, and maintain roles and responsibilities in the compensation, reward, and recognition program. CC ID 14798 Human Resources management Establish/Maintain Documentation
    Align the compensation, reward, and recognition program with the risk management program. CC ID 14797 Human Resources management Establish/Maintain Documentation
    Establish, implement, and maintain remuneration standards, as necessary. CC ID 14794
    [The governing body should steer the organizational strategy by means of: targets, key performance indicators (KPIs) and associated incentives, including financial remuneration (see 6.4.3); § 6.3.3.2.2 ¶ 2 i)]
    Human Resources management Establish/Maintain Documentation
    Recognize personnel who reinforce desirable conduct with incentives. CC ID 12815
    [The governing body should steer the organizational strategy by means of: targets, key performance indicators (KPIs) and associated incentives, including financial remuneration (see 6.4.3); § 6.3.3.2.2 ¶ 2 i)]
    Human Resources management Human Resources Management
    Establish, implement, and maintain an occupational health and safety management system. CC ID 16201 Human Resources management Business Processes
    Establish, implement, and maintain an occupational health and safety policy. CC ID 00716
    [The governing body should provide direction for, and have sufficient oversight of, the use of data and its supporting information technology to ensure the organization remains within its established risk appetite and organizational risk framework. This can include: ensuring that human behaviour is considered when applying information technology, including safety, fit for purpose and alignment with the organizational purpose; § 6.8.3.4 ¶ 2 e)]
    Human Resources management Establish/Maintain Documentation
    Involve interested personnel and affected parties in occupational health and safety management system processes. CC ID 16274 Human Resources management Business Processes
    Disseminate and communicate the occupational health and safety policy to interested personnel and affected parties. CC ID 16270 Human Resources management Communicate
    Include a commitment to continuous improvement in the occupational health and safety policy. CC ID 16267 Human Resources management Establish/Maintain Documentation
    Include risks and opportunities in the occupational health and safety policy. CC ID 16287 Human Resources management Establish/Maintain Documentation
    Include management commitment in the occupational health and safety policy. CC ID 16264 Human Resources management Behavior
    Include occupational health and safety objectives in the occupational health and safety policy. CC ID 16262 Human Resources management Establish/Maintain Documentation
    Post evacuation plans and evacuation procedures throughout facilities. CC ID 06073 Human Resources management Establish/Maintain Documentation
    Maintain a 1 to 2 day supply of water and nonperishable food at the facility in case public utilities are interrupted. CC ID 06074 Human Resources management Physical and Environmental Protection
    Install duress alarms in susceptible public areas. CC ID 06075 Human Resources management Physical and Environmental Protection
    Require regular vacations for personnel using restricted information or sensitive information. CC ID 06550 Human Resources management Human Resources Management
    Establish, implement, and maintain health and safety personnel disinfecting procedures. CC ID 06802 Human Resources management Establish/Maintain Documentation
    Provide protective face masks for critical personnel, as necessary. CC ID 06803 Human Resources management Human Resources Management
    Establish, implement, and maintain food preparation procedures. CC ID 06804 Human Resources management Establish/Maintain Documentation
    Establish, implement, and maintain food handling procedures. CC ID 11765 Human Resources management Establish/Maintain Documentation
    Vaccinate critical employees, as necessary. CC ID 06805 Human Resources management Human Resources Management
    Protect personnel from work-related intimidation. CC ID 07046 Human Resources management Behavior
    Establish, implement, and maintain a travel program for all personnel. CC ID 10597 Human Resources management Human Resources Management
    Establish, implement, and maintain a process to identify any potential health hazards, environmental hazards, or safety hazards, that could affect personnel while traveling internationally. CC ID 06076 Human Resources management Human Resources Management
    Refrain from using gifted mobile devices. CC ID 16460 Human Resources management Acquisition/Sale of Assets or Services
    Refrain from loaning mobile devices to unauthorized personnel. CC ID 15218 Human Resources management Business Processes
    Issue devices with secure configurations to individuals traveling to locations deemed to be of risk. CC ID 10598 Human Resources management Configuration
    Establish, implement, and maintain a conflict of interest policy. CC ID 14785
    [The governing body should make decisions of requisite quality and ensure that its decision-making is appropriately informed. The governing body should: consider its level of independence and the effect this level has on its decision-making, including financial interests, position, associations, relationships, bias and alliances; § 6.8.3.2.1 ¶ 1 c)
    The governing body should make decisions of requisite quality and ensure that its decision-making is appropriately informed. The governing body should: carefully address conflicts of interest when making decisions; § 6.8.3.2.1 ¶ 1 d)
    Disclose actual, potential or perceived conflicts of interest at the earliest opportunity and manage such conflicts appropriately. Table 2 Column 2 Row 2 Bullet 2]
    Human Resources management Establish/Maintain Documentation
    Include definitions of conflicts of interest in the conflict of interest policy. CC ID 14792 Human Resources management Establish/Maintain Documentation
    Submit a conflict of interest declaration to interested personnel and affected parties. CC ID 16194 Human Resources management Communicate
    Include roles and responsibilities in the conflict of interest policy. CC ID 14790 Human Resources management Establish/Maintain Documentation
    Establish, implement, and maintain a Code of Conduct. CC ID 04897
    [Ethical leadership results in an organizational context and culture that: contributes to the prevention of misconduct; § 6.7.3.3 ¶ 3 Bullet 3
    Act in good faith and in the best interest of the organization. Table 2 Column 2 Row 2 Bullet 1
    {be ethical} Act ethically and in a compliant manner. Table 2 Column 2 Row 2 Bullet 3
    Ethical behaviour — The organization behaves in accordance with accepted principles of right or good conduct in the context of a particular situation and in a manner consistent with international norms of behaviour, including demonstrating: § 5 ¶ 2 c)
    Ethical leadership results in an organizational context and culture that: provides competitive differentiation for stakeholders by providing clarity against which evaluators can assess the organization's behaviour, decisions and activities; § 6.7.3.3 ¶ 3 Bullet 4
    The governing body should steer the organizational strategy by means of: monitoring and responding to the behaviour, decisions and activities of the organization, e.g. values-driven behaviours pertaining to sustainability; § 6.3.3.2.2 ¶ 2 b)]
    Human Resources management Establish/Maintain Documentation
    Establish, implement, and maintain a code of conduct for financial recommendations. CC ID 16649 Human Resources management Establish/Maintain Documentation
    Include anti-coercion requirements and anti-tying requirements in the Code of Conduct. CC ID 16720 Human Resources management Establish/Maintain Documentation
    Include limitations on referrals for products and services in the Code of Conduct. CC ID 16719 Human Resources management Behavior
    Include classifications of ethics violations in the Code of Conduct. CC ID 14769 Human Resources management Establish/Maintain Documentation
    Include definitions of ethics violations in the Code of Conduct. CC ID 14768 Human Resources management Establish/Maintain Documentation
    Include exercising due professional care in the Code of Conduct. CC ID 14210
    [Act with due care, skill, diligence and loyalty, and take reasonable steps to become informed about particular matters for decision-making. Table 2 Column 2 Row 3 Bullet 2
    {hold accountable}{individual} The governing body should hold to account those to whom it has delegated (see 4.2.2). The governing body should ask questions, exercise its judgement, implement consequences, effect improvements and ensure that it is equipped to do so. When doing so, the governing body should practise integrity, fairness and transparency. § 6.5.3.3 ¶ 1]
    Human Resources management Establish/Maintain Documentation
    Include health and safety provisions in the Code of Conduct. CC ID 16206 Human Resources management Establish/Maintain Documentation
    Include organizational values in the Code of Conduct. CC ID 12919
    [Within the organization: The governing body should ensure that the organization conducts itself in a manner consistent with its organizational values. § 6.7.3.3 ¶ 1 b)
    Laws and rules provide the minimum set of organizational values against which behaviour is assessed. Other organizational values (see 6.1) are provided in collectively agreed documents such as a code of conduct, code of ethics or standards of behaviour. The following are examples of the leadership values to which governing bodies, and the individuals comprising them, are held: § 6.7.3.3 ¶ 2
    Having defined the organizational values, the governing body should ensure that these organizational values are being demonstrated and are an active part of decision-making. The governing body should use these organizational values to determine the manner in which the organizational purpose is to be pursued and the value generation objectives are to be achieved (see 6.2). The governing body remains responsible for ensuring that the organizational values are monitored and reviewed, and should assess whether the organizational values remain aligned to, and support, the organizational purpose. The effectiveness of the organizational values will be evident in the culture of the organization. § 6.1.3.3 ¶ 2
    Furthermore, the governing body, and its members, should demonstrate commitment to the organizational purpose and values by leading the organization to fulfil its organizational purpose and behaving in accordance with the organizational values. § 6.1.3.4 ¶ 3]
    Human Resources management Process or Activity
    Include key policies in the Code of Conduct. CC ID 12890 Human Resources management Establish/Maintain Documentation
    Include responsibilities to the public trust in the Code of Conduct. CC ID 14209 Human Resources management Establish/Maintain Documentation
    Include the vision statement in the Code of Conduct. CC ID 12889 Human Resources management Establish/Maintain Documentation
    Include the organization's mission in the Code of Conduct. CC ID 12875 Human Resources management Establish/Maintain Documentation
    Include classifications of desired conduct in the Code of Conduct. CC ID 12851 Human Resources management Establish/Maintain Documentation
    Include the information security responsibilities of the organization and the individual in the Terms and Conditions of employment. CC ID 12029 Human Resources management Human Resources Management
    Include environmental responsibility criteria in the Code of Conduct. CC ID 16209 Human Resources management Establish/Maintain Documentation
    Include social responsibility criteria in the Code of Conduct. CC ID 16210 Human Resources management Establish/Maintain Documentation
    Include that Information Security responsibilities extend outside normal business hours and organizational facilities in the Terms and Conditions of employment. CC ID 04580 Human Resources management Establish/Maintain Documentation
    Include labor rights criteria in the Code of Conduct. CC ID 16208 Human Resources management Establish/Maintain Documentation
    Include the employee's legal responsibilities and rights in the Terms and Conditions of employment. CC ID 15701 Human Resources management Establish/Maintain Documentation
    Notify designated personnel when a formal personnel sanctions process is initiated. CC ID 10632 Human Resources management Communicate
    Include definitions of desirable conduct in the Code of Conduct. CC ID 12846 Human Resources management Establish/Maintain Documentation
    Include notification procedures for allegations of undesirable conduct in the Code of Conduct. CC ID 12855 Human Resources management Establish/Maintain Documentation
    Include procedures to identify positive outcomes in the Code of Conduct. CC ID 12854 Human Resources management Establish/Maintain Documentation
    Take disciplinary actions against individuals who violate the Code of Conduct. CC ID 06435 Human Resources management Behavior
    Require personnel to sign the Code of Conduct as a part of the Terms and Conditions of employment. CC ID 06664 Human Resources management Establish/Maintain Documentation
    Require all personnel to re-sign the Code of Conduct, as necessary. CC ID 06666 Human Resources management Establish/Maintain Documentation
    Include the information security responsibilities of employees in their performance objectives. CC ID 15700 Human Resources management Human Resources Management
    Include information security responsibilities in performance reviews. CC ID 15697 Human Resources management Establish/Maintain Documentation
    Take appropriate actions after performance reviews of board members, as necessary. CC ID 14799 Human Resources management Human Resources Management
    Establish, implement, and maintain an ethics program. CC ID 11496
    [When defining the organizational values, the governing body should ensure that: it is clear what ethical behaviour is expected as a result of the organizational values; § 6.1.3.3 ¶ 1 b)
    Defining the organizational purpose involves identifying the issues and stakeholders for which the organization exists to serve and the negative impacts that are to be avoided. When identifying these, the governing body should ensure that the following are considered: the historic, current and aspirational core identity of the organization, including the organizational values and expected ethical behaviour; § 6.1.3.2 ¶ 1 b)
    The governing body should ensure ethical leadership across all areas. § 6.7.3.3 ¶ 1]
    Human Resources management Human Resources Management
    Include communication protocols for interested personnel and affected parties in the ethics program. CC ID 12858
    [Disclose actual, potential or perceived conflicts of interest at the earliest opportunity and manage such conflicts appropriately. Table 2 Column 2 Row 2 Bullet 2]
    Human Resources management Communicate
    Establish, implement, and maintain ethical decision-making guidelines. CC ID 12908
    [Ethical behaviour — The organization behaves in accordance with accepted principles of right or good conduct in the context of a particular situation and in a manner consistent with international norms of behaviour, including demonstrating: competence and probity in the manner in which it makes decisions. § 5 ¶ 2 c) 5)]
    Human Resources management Behavior
    Establish, implement, and maintain investigation procedures addressing ethics complaints. CC ID 12900 Human Resources management Investigate
    Establish, implement, and maintain an ethical culture. CC ID 12781
    [Ethical behaviour — The organization behaves in accordance with accepted principles of right or good conduct in the context of a particular situation and in a manner consistent with international norms of behaviour, including demonstrating: an ethical culture; § 5 ¶ 2 c) 1)
    Ethical behaviour — The organization behaves in accordance with accepted principles of right or good conduct in the context of a particular situation and in a manner consistent with international norms of behaviour, including demonstrating: fairness in the treatment of, and engagement with, stakeholders; § 5 ¶ 2 c) 3)]
    Human Resources management Behavior
    Analyze the organizational climate regarding support for expectation of responsible behavior and integrity. CC ID 12873 Human Resources management Monitor and Evaluate Occurrences
    Analyze the organizational climate regarding the expectation of responsible behavior and integrity. CC ID 12872
    [Ethical behaviour — The organization behaves in accordance with accepted principles of right or good conduct in the context of a particular situation and in a manner consistent with international norms of behaviour, including demonstrating: integrity and transparency in fulfilling its obligations, and commitments; § 5 ¶ 2 c) 4)
    When defining the organizational values, the governing body should ensure that: the expected ethical behaviour can be assessed; § 6.1.3.3 ¶ 1 c)]
    Human Resources management Monitor and Evaluate Occurrences
    Refrain from practicing false advertising. CC ID 14253 Human Resources management Business Processes
    Establish mechanisms for whistleblowers to report compliance violations. CC ID 06806
    [To ensure that the organization is acting in a socially responsible way, the governing body should: steer the organization such that its decision-making and activities are consistent with the organizational purpose, organizational values and governance policies, including considering how stakeholders can report a breach in behaviour (e.g. via whistleblowing); § 6.10.3 ¶ 1 f)
    Assurance processes that inform the governing body independently and accurately include: whistleblowing processes and personnel and customer feedback mechanisms, both formal and informal (see NOTE 3). § 6.4.3.3 ¶ 2 Bullet 5]
    Human Resources management Business Processes
    Establish mechanisms to maintain the anonymity of whistleblowers. CC ID 12859 Human Resources management Communicate
    Establish, implement, and maintain a training program to report compliance violations. CC ID 11835 Human Resources management Establish/Maintain Documentation
    Refrain from discriminating against employees who refuse or intend to refuse to do something that contravenes requirements. CC ID 13608 Human Resources management Behavior
    Refrain from discriminating against employees who are whistleblowers. CC ID 13609 Human Resources management Behavior
    Refrain from discriminating against employees who disclose that their employer or another person has or intends to contravene requirements. CC ID 13607 Human Resources management Behavior
    Apply legal remedies to any person knowingly partaking in illegal actions. CC ID 11515 Human Resources management Human Resources Management
    Include prohibiting counterfeiting in the ethics program. CC ID 11517 Human Resources management Human Resources Management
    Refrain from assigning roles and responsibilities that breach segregation of duties. CC ID 12055 Human Resources management Human Resources Management
    Refrain from assigning security compliance assessment responsibility for the day-to-day production activities an individual performs. CC ID 12061 Human Resources management Establish Roles
    Refrain from approving previously performed activities when acting on behalf of the Chief Information Security Officer. CC ID 12060 Human Resources management Behavior
    Refrain from performing activities with approval responsibility when acting on behalf of the Chief Information Security Officer. CC ID 12059 Human Resources management Behavior
    Prohibit roles from performing activities that they are assigned the responsibility for approving. CC ID 12052 Human Resources management Behavior
    Establish, implement, and maintain a Governance, Risk, and Compliance framework. CC ID 01406
    [To exercise effective oversight, the governing body should: ensure that an internal control system is implemented, including a risk management system, a compliance management system and a system of financial controls; § 6.4.3.1 ¶ 1 b)
    {be adequate} The governing body is accountable for establishing and maintaining an integrated organizational governance framework across the organization that coordinates these governance activities such that the organization realizes effective performance, responsible stewardship and ethical behaviour. This organizational governance framework should ensure that decision-makers have appropriate authority, competence and resources for the responsibilities given to them. Effective delegation and transparent decision-making empower personnel to act appropriately, resulting in a more resilient and agile organization. Controls and subsequent improvement actions should be planned and implemented to ensure that the governance system remains adequate for the organization's purpose. § 4.2.1 ¶ 2
    Therefore, the governing body should: govern for organizational viability over time. § 6.11.3.1 ¶ 2 c)]
    Operational management Establish/Maintain Documentation
    Include enterprise architecture in the Governance, Risk, and Compliance framework. CC ID 13266 Operational management Establish/Maintain Documentation
    Disseminate and communicate updates to the Governance, Risk, and Compliance framework to interested personnel and affected parties. CC ID 06955
    [To demonstrate accountability, the governing body should ensure that the organization's reports and disclosures: provide information about the governing body itself, including: decisions, actions, performance and improvements; § 6.5.3.2 ¶ 1 b) 1)]
    Operational management Behavior
    Establish, implement, and maintain security requirements based on applicable regulations. CC ID 16283 Operational management Establish/Maintain Documentation
    Acquire resources necessary to support Governance, Risk, and Compliance. CC ID 12861
    [The governing body should ensure that the organizational risk framework, in respect to the management of risk: establishes and maintains adequate resourcing; § 6.9.3.2 ¶ 2 f)]
    Operational management Acquisition/Sale of Assets or Services
    Establish, implement, and maintain a prioritized plan for updating the Governance, Risk, and Compliance framework. CC ID 12853
    [Governing body members should continuously improve their competency regarding the organization's activities, legal requirements and, more broadly, the organization's context. This improving capability, together with regular reviews of governance practices, should ensure a continually improving governance environment. § 4.3.2 ¶ 1
    The governing body should ensure that the responsibilities for developing and approving all policies are clear and that governance policies are not open to change without the governing body's agreement. § 6.3.3.1.2 ¶ 4
    {individual} The governing body should ensure that those to whom they delegate are empowered to create management policies, which are consistent with the governance policies, and are also empowered to provide proposals for changes to the governance policies. § 6.3.3.1.2 ¶ 3
    The governing body should steer the organizational strategy by means of: the composition and functioning of the governing body itself, and its committees, ensuring they are continually able to understand and meet the changing needs of the organization (see 4.3.2), including recommending ways for closing anticipated gaps; § 6.3.3.2.2 ¶ 2 c)]
    Operational management Establish/Maintain Documentation
    Integrate the use of technology in supporting the Governance, Risk, and Compliance capabilities. CC ID 12915 Operational management Process or Activity
    Evaluate the use of technology in supporting Governance, Risk, and Compliance capabilities. CC ID 12895
    [The governing body should oversee organizational performance by assessing and taking corrective action based on: the organization's responsible (which includes ethical) use of, and adequate investment in, technology including, for example, artificial intelligence and cyber security; § 6.4.3.2 ¶ 1 i)]
    Operational management Process or Activity
    Analyze the effect of the Governance, Risk, and Compliance capability to achieve organizational objectives. CC ID 12809 Operational management Audits and Risk Management
    Assign accountability for maintaining the Governance, Risk, and Compliance framework. CC ID 12523
    ["Governance" and "management" are distinct, necessary and complementary activities that interact and influence one another. Governance involves setting and being accountable for the organization's fulfilment of its purpose within the parameters set for the organization, whereas management is about fulfilling the associated objectives by making choices within those parameters. The governing body should ensure the clarity of roles and responsibilities of all involved and hold accountable those to whom they delegate. § 4.2.3 ¶ 1
    Governance is exercised throughout the organization by governing groups, including: § 4.2.1 ¶ 1
    Governance is exercised throughout the organization by governing groups, including: member stakeholders; § 4.2.1 ¶ 1 Bullet 1
    Governance is exercised throughout the organization by governing groups, including: managers; § 4.2.1 ¶ 1 Bullet 3
    Governance is exercised throughout the organization by governing groups, including: other internal functions of the organization. § 4.2.1 ¶ 1 Bullet 4
    {individual}{hold accountable} The governing body should demonstrate its accountability to the organization as a whole and hold to account those to whom it has delegated. Table 1 Column 4 Row 6
    The governing body should ensure that the responsibilities for developing and approving all policies are clear and that governance policies are not open to change without the governing body's agreement. § 6.3.3.1.2 ¶ 4
    {individual} The governing body should ensure that those to whom they delegate are empowered to create management policies, which are consistent with the governance policies, and are also empowered to provide proposals for changes to the governance policies. § 6.3.3.1.2 ¶ 3
    Accountable people can delegate to others. However, it should be made clear that those who delegate remain accountable for their delegate's use of that authority. § 4.2.2 ¶ 4
    {individual}{hold accountable} The governing body should demonstrate its accountability to the organization as a whole and hold to account those to whom it has delegated. § 6.5.1 ¶ 1
    {hold accountable}{individual} The governing body should hold to account those to whom it has delegated (see 4.2.2). The governing body should ask questions, exercise its judgement, implement consequences, effect improvements and ensure that it is equipped to do so. When doing so, the governing body should practise integrity, fairness and transparency. § 6.5.3.3 ¶ 1]
    Operational management Human Resources Management
    Assign defining the program for disseminating and communicating the Governance, Risk, and Compliance framework. CC ID 12524 Operational management Human Resources Management
    Establish, implement, and maintain a compliance policy. CC ID 14807 Operational management Establish/Maintain Documentation
    Include the standard of conduct and accountability in the compliance policy. CC ID 14813
    [{refrain from holding accountable}{do not}{individual} No one should be held accountable for matters over which they have no authority or for which expectations have not been stated or agreed. § 4.2.2 ¶ 3
    Governance of organizations is a human-based system by which an organization is directed, overseen and held accountable for achieving its defined organizational purpose. At its core this includes: demonstrating accountability for this performance and behaviour. § 4.1 ¶ 3 e)]
    Operational management Establish/Maintain Documentation
    Include the scope in the compliance policy. CC ID 14812 Operational management Establish/Maintain Documentation
    Include roles and responsibilities in the compliance policy. CC ID 14811 Operational management Establish/Maintain Documentation
    Include a commitment to continual improvement in the compliance policy. CC ID 14810 Operational management Establish/Maintain Documentation
    Disseminate and communicate the compliance policy to interested personnel and affected parties. CC ID 14809 Operational management Communicate
    Include management commitment in the compliance policy. CC ID 14808 Operational management Establish/Maintain Documentation
    Establish, implement, and maintain a governance policy. CC ID 15587
    [The governing body should establish governance policies and ensure that these: § 6.3.3.1.2 ¶ 1
    The governing body should ensure that the governance policies are effectively applied across the organization and that they achieve the governing body's intentions. § 6.3.3.1.2 ¶ 2
    The governing body should ensure that the organizational risk framework, in respect to the management of risk: positions risk as a key consideration in the setting of governance policies (see 6.3); § 6.9.3.2 ¶ 2 c)
    The governing body should establish governance policies and ensure that these: are regularly reviewed, and updated as necessary, to ensure that they remain aligned with the organization's constituting documents, and the organization's changing context, and are based on relevant guidance and best practices such as standards and codes. § 6.3.3.1.2 ¶ 1 h)
    The governing body should establish governance policies and ensure that these: clarify the governing body's intentions and expectations with respect to the organizational purpose, organizational values and the organization's value generation objectives; § 6.3.3.1.2 ¶ 1 a)
    {internal context} The governing body should steer the organizational strategy by means of: governance policies, to ensure that they remain aligned with the organization's changing internal and external context and are current with common or best practice; § 6.3.3.2.2 ¶ 2 d)
    The governing body should provide direction for, and have sufficient oversight of, the use of data and its supporting information technology to ensure the organization remains within its established risk appetite and organizational risk framework. This can include: innovation processes to ensure that changes in information technology can quickly be assessed and, if necessary and appropriate, governance policies can be updated to leverage new opportunities; § 6.8.3.4 ¶ 2 d)]
    Operational management Establish/Maintain Documentation
    Disseminate and communicate the governance policy to all interested personnel and affected parties. CC ID 15625
    [To demonstrate accountability, the governing body should ensure that the organization's reports and disclosures: describe the organizational purpose, organizational values, value generation model, organizational strategy and associated governance policies; § 6.5.3.2 ¶ 1 a)]
    Operational management Communicate
    Include a commitment to continuous improvement in the governance policy. CC ID 15595
    [The governing body should establish governance policies and ensure that these: address the governing body's own commitment to continual improvement; § 6.3.3.1.2 ¶ 1 g)]
    Operational management Establish/Maintain Documentation
    Include roles and responsibilities in the governance policy. CC ID 15594
    [The governing body should establish governance policies and ensure that these: provide guidance on what, rather than detailing how, responsibilities are to be fulfilled; § 6.3.3.1.2 ¶ 1 d)
    The governing body should establish governance policies and ensure that these: define the structures (e.g. committees) and roles involved in the governance of the organization, including their authority, responsibilities, performance and reporting requirements; § 6.3.3.1.2 ¶ 1 c)
    The governing body should establish governance policies and ensure that these: clarify delegations within the organization, including in relation to the strategy process; § 6.3.3.1.2 ¶ 1 b)]
    Operational management Establish/Maintain Documentation
    Establish, implement, and maintain a positive information control environment. CC ID 00813
    [The governing body should lead the organization ethically and effectively and ensure such leadership throughout the organization. § 6.7.1 ¶ 1
    Ethical and effective leadership should be demonstrated in three areas: § 6.7.3.1 ¶ 4
    The governing body should demonstrate effective leadership across all areas. § 6.7.3.2 ¶ 1
    The governing body should lead the organization ethically and effectively and ensure such leadership throughout the organization. Table 1 Column 4 Row 8
    In order to lead ethically and effectively, the governing body should lead by example to create a positive culture, set the tone for others, and engender trust and cooperation among the organization's stakeholders. § 6.7.3.1 ¶ 2
    Ethical leadership results in an organizational context and culture that: provides increased certainty, which, in turn, creates reputational value. § 6.7.3.3 ¶ 3 Bullet 5
    {be responsible}{be ethical} The governing body should, in particular, ensure that the organization recognizes data as a strategic resource and ensure that the organization uses data responsibly and ethically. § 6.8.3.1 ¶ 2
    {be ethical} New technology brings an increase in the volume and value of data, and a responsibility for governing bodies to ensure that: data are used ethically; § 6.8.3.4 ¶ 1 Bullet 1
    The governing body should ensure that the organizational risk framework, in respect to the management of risk: establishes the desired risk culture across the organization that encourages the reporting and communication of new and emerging risks, and ensures that every person in the organization understands their risk management responsibility; § 6.9.3.2 ¶ 2 a)
    Ethical leadership results in an organizational context and culture that: assists in reconciling strategic dilemmas by creating organizational alignment through the integration of opposites; § 6.7.3.3 ¶ 3 Bullet 2
    Ethical leadership results in an organizational context and culture that: provides the individuals of an organization with a collective sense of belonging; § 6.7.3.3 ¶ 3 Bullet 1]
    Operational management Business Processes
    Make compliance and governance decisions in a timely manner. CC ID 06490 Operational management Behavior
    Establish, implement, and maintain an internal control framework. CC ID 00820
    [To exercise effective oversight, the governing body should: ensure that an internal control system is implemented, including a risk management system, a compliance management system and a system of financial controls; § 6.4.3.1 ¶ 1 b)
    {be adequate} The governing body is accountable for establishing and maintaining an integrated organizational governance framework across the organization that coordinates these governance activities such that the organization realizes effective performance, responsible stewardship and ethical behaviour. This organizational governance framework should ensure that decision-makers have appropriate authority, competence and resources for the responsibilities given to them. Effective delegation and transparent decision-making empower personnel to act appropriately, resulting in a more resilient and agile organization. Controls and subsequent improvement actions should be planned and implemented to ensure that the governance system remains adequate for the organization's purpose. § 4.2.1 ¶ 2]
    Operational management Establish/Maintain Documentation
    Define the scope for the internal control framework. CC ID 16325 Operational management Business Processes
    Assign ownership of the internal control framework to the appropriate organizational role. CC ID 06437 Operational management Establish Roles
    Assign resources to implement the internal control framework. CC ID 00816
    [When delegating, the governing body should delegate in a manner which increases trust and transparency. For delegation and accountability (see 6.5) to be effective, the governing body should ensure that the following conditions are fulfilled: required resources are available; § 4.2.2 ¶ 2 b)
    The governing body should steer the organizational strategy by means of: decision-making, specifically, the strategic deployment of resources. § 6.3.3.2.2 ¶ 2 j)
    {procedure} The governing body should ensure that it sets parameters, within which the value generation objectives are to be achieved. These parameters should ensure that the organization: defines what resources are required to deliver the value generation objectives and how they should be accessed and allocated; § 6.2.3.3 ¶ 1 b)]
    Operational management Business Processes
    Define and assign the roles and responsibilities for interested personnel and affected parties when establishing, implementing, and maintaining the internal control framework. CC ID 07146
    [Decision-making throughout the organization should be supported by appropriate delegation (see 4.2.2). This delegation should be formalized together with appropriate assurance processes. Additionally, the governing body should ensure that: § 6.8.3.2.2 ¶ 1]
    Operational management Establish Roles
    Establish, implement, and maintain a baseline of internal controls. CC ID 12415
    [The governing body should establish governance policies and ensure that these: set expectations for internal controls, compliance, risk management and risk taking; § 6.3.3.1.2 ¶ 1 e)]
    Operational management Business Processes
    Include the business need justification for excluding controls in the baseline of internal controls. CC ID 16129 Operational management Establish/Maintain Documentation
    Include the implementation status of controls in the baseline of internal controls. CC ID 16128 Operational management Establish/Maintain Documentation
    Leverage actionable information to support internal controls. CC ID 12414 Operational management Business Processes
    Include procedures for continuous quality improvement in the internal control framework. CC ID 00819 Operational management Establish/Maintain Documentation
    Include continuous service account management procedures in the internal control framework. CC ID 13860 Operational management Establish/Maintain Documentation
    Include threat assessment in the internal control framework. CC ID 01347 Operational management Establish/Maintain Documentation
    Automate threat assessments, as necessary. CC ID 06877 Operational management Configuration
    Include vulnerability management and risk assessment in the internal control framework. CC ID 13102
    [The governing body should establish governance policies and ensure that these: set expectations for internal controls, compliance, risk management and risk taking; § 6.3.3.1.2 ¶ 1 e)]
    Operational management Establish/Maintain Documentation
    Automate vulnerability management, as necessary. CC ID 11730 Operational management Configuration
    Include personnel security procedures in the internal control framework. CC ID 01349 Operational management Establish/Maintain Documentation
    Include continuous security warning monitoring procedures in the internal control framework. CC ID 01358 Operational management Establish/Maintain Documentation
    Include incident alert thresholds in the continuous security warning monitoring procedures. CC ID 13205 Operational management Establish/Maintain Documentation
    Include security information sharing procedures in the internal control framework. CC ID 06489 Operational management Establish/Maintain Documentation
    Share security information with interested personnel and affected parties. CC ID 11732 Operational management Communicate
    Evaluate information sharing partners, as necessary. CC ID 12749 Operational management Process or Activity
    Include security incident response procedures in the internal control framework. CC ID 01359 Operational management Establish/Maintain Documentation
    Include incident response escalation procedures in the internal control framework. CC ID 11745 Operational management Establish/Maintain Documentation
    Include continuous user account management procedures in the internal control framework. CC ID 01360 Operational management Establish/Maintain Documentation
    Authorize and document all exceptions to the internal control framework. CC ID 06781 Operational management Establish/Maintain Documentation
    Disseminate and communicate the internal control framework to all interested personnel and affected parties. CC ID 15229 Operational management Communicate
    Disseminate and communicate the cybersecurity policy to interested personnel and affected parties. CC ID 16835 Operational management Communicate
    Establish, implement, and maintain a cybersecurity policy. CC ID 16833 Operational management Establish/Maintain Documentation
    Establish, implement, and maintain an information security program. CC ID 00812
    [The governing body should provide direction for, and have sufficient oversight of, the use of data and its supporting information technology to ensure the organization remains within its established risk appetite and organizational risk framework. This can include: the implementation of a risk-based information security management system (ISMS); § 6.8.3.4 ¶ 2 b)]
    Operational management Establish/Maintain Documentation
    Include physical safeguards in the information security program. CC ID 12375 Operational management Establish/Maintain Documentation
    Include technical safeguards in the information security program. CC ID 12374 Operational management Establish/Maintain Documentation
    Include administrative safeguards in the information security program. CC ID 12373 Operational management Establish/Maintain Documentation
    Include system development in the information security program. CC ID 12389 Operational management Establish/Maintain Documentation
    Include system maintenance in the information security program. CC ID 12388 Operational management Establish/Maintain Documentation
    Include system acquisition in the information security program. CC ID 12387 Operational management Establish/Maintain Documentation
    Include access control in the information security program. CC ID 12386 Operational management Establish/Maintain Documentation
    Include operations management in the information security program. CC ID 12385 Operational management Establish/Maintain Documentation
    Include communication management in the information security program. CC ID 12384 Operational management Establish/Maintain Documentation
    Include environmental security in the information security program. CC ID 12383 Operational management Establish/Maintain Documentation
    Include physical security in the information security program. CC ID 12382 Operational management Establish/Maintain Documentation
    Include human resources security in the information security program. CC ID 12381 Operational management Establish/Maintain Documentation
    Include asset management in the information security program. CC ID 12380 Operational management Establish/Maintain Documentation
    Include a continuous monitoring program in the information security program. CC ID 14323 Operational management Establish/Maintain Documentation
    Include change management procedures in the continuous monitoring plan. CC ID 16227 Operational management Establish/Maintain Documentation
    Include recovery procedures in the continuous monitoring plan. CC ID 16226 Operational management Establish/Maintain Documentation
    Include mechanisms for decommissioning a system in the continuous monitoring plan. CC ID 16225 Operational management Establish/Maintain Documentation
    Include mechanisms for appeal and override in the continuous monitoring plan. CC ID 16223 Operational management Establish/Maintain Documentation
    Include how the information security department is organized in the information security program. CC ID 12379 Operational management Establish/Maintain Documentation
    Include risk management in the information security program. CC ID 12378 Operational management Establish/Maintain Documentation
    Include mitigating supply chain risks in the information security program. CC ID 13352 Operational management Establish/Maintain Documentation
    Provide management direction and support for the information security program. CC ID 11999 Operational management Process or Activity
    Monitor and review the effectiveness of the information security program. CC ID 12744 Operational management Monitor and Evaluate Occurrences
    Establish, implement, and maintain an information security policy. CC ID 11740 Operational management Establish/Maintain Documentation
    Align the information security policy with the organization's risk acceptance level. CC ID 13042 Operational management Business Processes
    Include business processes in the information security policy. CC ID 16326 Operational management Establish/Maintain Documentation
    Include the information security strategy in the information security policy. CC ID 16125 Operational management Establish/Maintain Documentation
    Include a commitment to continuous improvement in the information security policy. CC ID 16123 Operational management Establish/Maintain Documentation
    Include roles and responsibilities in the information security policy. CC ID 16120 Operational management Establish/Maintain Documentation
    Include a commitment to the information security requirements in the information security policy. CC ID 13496 Operational management Establish/Maintain Documentation
    Include information security objectives in the information security policy. CC ID 13493 Operational management Establish/Maintain Documentation
    Include the use of Cloud Services in the information security policy. CC ID 13146 Operational management Establish/Maintain Documentation
    Include notification procedures in the information security policy. CC ID 16842 Operational management Establish/Maintain Documentation
    Approve the information security policy at the organization's management level or higher. CC ID 11737 Operational management Process or Activity
    Establish, implement, and maintain information security procedures. CC ID 12006 Operational management Business Processes
    Describe the group activities that protect restricted data in the information security procedures. CC ID 12294 Operational management Establish/Maintain Documentation
    Disseminate and communicate the information security procedures to all interested personnel and affected parties. CC ID 16303 Operational management Communicate
    Document the roles and responsibilities for all activities that protect restricted data in the information security procedures. CC ID 12304 Operational management Establish/Maintain Documentation
    Define thresholds for approving information security activities in the information security program. CC ID 15702 Operational management Process or Activity
    Assign ownership of the information security program to the appropriate role. CC ID 00814 Operational management Establish Roles
    Assign the responsibility for establishing, implementing, and maintaining the information security program to the appropriate role. CC ID 11884 Operational management Human Resources Management
    Assign information security responsibilities to interested personnel and affected parties in the information security program. CC ID 11885 Operational management Establish/Maintain Documentation
    Assign the responsibility for distributing the information security program to the appropriate role. CC ID 11883 Operational management Human Resources Management
    Disseminate and communicate the information security policy to interested personnel and affected parties. CC ID 11739 Operational management Communicate
    Establish, implement, and maintain a social media governance program. CC ID 06536 Operational management Establish/Maintain Documentation
    Refrain from requiring supervision when users are accessing social media applications. CC ID 14011 Operational management Business Processes
    Refrain from requiring users to disclose social media account usernames or authenticators. CC ID 14009 Operational management Business Processes
    Refrain from accepting instant messages from unknown senders. CC ID 12537 Operational management Behavior
    Include instant messaging, texting, and tweeting in the social media acceptable use policy. CC ID 04578 Operational management Establish/Maintain Documentation
    Include explicit restrictions in the social media acceptable use policy. CC ID 06655 Operational management Establish/Maintain Documentation
    Include contributive content sites in the social media acceptable use policy. CC ID 06656 Operational management Establish/Maintain Documentation
    Establish, implement, and maintain operational control procedures. CC ID 00831 Operational management Establish/Maintain Documentation
    Include assigning and approving operations in operational control procedures. CC ID 06382 Operational management Establish/Maintain Documentation
    Include startup processes in operational control procedures. CC ID 00833 Operational management Establish/Maintain Documentation
    Include change control processes in the operational control procedures. CC ID 16793 Operational management Establish/Maintain Documentation
    Establish and maintain a data processing run manual. CC ID 00832 Operational management Establish/Maintain Documentation
    Establish, implement, and maintain a Standard Operating Procedures Manual. CC ID 00826 Operational management Establish/Maintain Documentation
    Use systems in accordance with the standard operating procedures manual. CC ID 15049 Operational management Process or Activity
    Include metrics in the standard operating procedures manual. CC ID 14988 Operational management Establish/Maintain Documentation
    Include maintenance measures in the standard operating procedures manual. CC ID 14986 Operational management Establish/Maintain Documentation
    Include the expected lifetime of the system in the standard operating procedures manual. CC ID 14984 Operational management Establish/Maintain Documentation
    Include technical measures used to interpret output in the standard operating procedures manual. CC ID 14982 Operational management Establish/Maintain Documentation
    Include predetermined changes in the standard operating procedures manual. CC ID 14977 Operational management Establish/Maintain Documentation
    Include specifications for input data in the standard operating procedures manual. CC ID 14975 Operational management Establish/Maintain Documentation
    Include risks to health and safety or fundamental rights in the standard operating procedures manual. CC ID 14973 Operational management Establish/Maintain Documentation
    Include circumstances that may impact the system in the standard operating procedures manual. CC ID 14972 Operational management Establish/Maintain Documentation
    Include what the system was tested and validated for in the standard operating procedures manual. CC ID 14969 Operational management Establish/Maintain Documentation
    Include the intended purpose in the standard operating procedures manual. CC ID 14967 Operational management Establish/Maintain Documentation
    Include information on system performance in the standard operating procedures manual. CC ID 14965 Operational management Establish/Maintain Documentation
    Include contact details in the standard operating procedures manual. CC ID 14962 Operational management Establish/Maintain Documentation
    Include information sharing procedures in standard operating procedures. CC ID 12974 Operational management Records Management
    Establish, implement, and maintain information sharing agreements. CC ID 15645 Operational management Business Processes
    Provide support for information sharing activities. CC ID 15644 Operational management Process or Activity
    Adhere to operating procedures as defined in the Standard Operating Procedures Manual. CC ID 06328 Operational management Business Processes
    Disseminate and communicate the Standard Operating Procedures Manual to all interested personnel and affected parties. CC ID 12026 Operational management Communicate
    Establish, implement, and maintain a job scheduling methodology. CC ID 00834 Operational management Establish/Maintain Documentation
    Establish and maintain a job schedule exceptions list. CC ID 00835 Operational management Establish/Maintain Documentation
    Establish, implement, and maintain a data processing continuity plan. CC ID 00836 Operational management Establish/Maintain Documentation
    Establish, implement, and maintain Voice over Internet Protocol operating procedures. CC ID 04583 Operational management Establish/Maintain Documentation
    Establish, implement, and maintain the Acceptable Use Policy. CC ID 01350 Operational management Establish/Maintain Documentation
    Include that explicit management authorization must be given for the use of all technologies and their documentation in the Acceptable Use Policy. CC ID 01351 Operational management Establish/Maintain Documentation
    Include requiring users to protect restricted data in accordance with the Governance, Risk, and Compliance framework in the Acceptable Use Policy. CC ID 11894
    [New technology brings an increase in the volume and value of data, and a responsibility for governing bodies to ensure that: sensitive data are protected and secured. § 6.8.3.4 ¶ 1 Bullet 3]
    Operational management Establish/Maintain Documentation
    Include Bring Your Own Device agreements in the Acceptable Use Policy. CC ID 15703 Operational management Establish/Maintain Documentation
    Include the obligations of users in the Bring Your Own Device agreement. CC ID 15708 Operational management Establish/Maintain Documentation
    Include the rights of the organization in the Bring Your Own Device agreement. CC ID 15707 Operational management Establish/Maintain Documentation
    Include the circumstances in which the organization may confiscate, audit, or inspect assets in the Bring Your Own Device agreement. CC ID 15706 Operational management Establish/Maintain Documentation
    Include the circumstances in which the organization may manage assets in the Bring Your Own Device agreement. CC ID 15705 Operational management Establish/Maintain Documentation
    Include Bring Your Own Device usage in the Acceptable Use Policy. CC ID 12293 Operational management Establish/Maintain Documentation
    Include a web usage policy in the Acceptable Use Policy. CC ID 16496 Operational management Establish/Maintain Documentation
    Include Bring Your Own Device security guidelines in the Acceptable Use Policy. CC ID 01352 Operational management Establish/Maintain Documentation
    Include asset tags in the Acceptable Use Policy. CC ID 01354 Operational management Establish/Maintain Documentation
    Specify the owner of applicable assets in the Acceptable Use Policy. CC ID 15699 Operational management Establish/Maintain Documentation
    Include asset use policies in the Acceptable Use Policy. CC ID 01355 Operational management Establish/Maintain Documentation
    Include authority for access authorization lists for assets in all relevant Acceptable Use Policies. CC ID 11872 Operational management Establish/Maintain Documentation
    Include access control mechanisms in the Acceptable Use Policy. CC ID 01353 Operational management Establish/Maintain Documentation
    Include temporary activation of remote access technologies for third parties in the Acceptable Use Policy. CC ID 11892 Operational management Technical Security
    Include prohibiting the copying or moving of restricted data from its original source onto local hard drives or removable storage media in the Acceptable Use Policy. CC ID 11893 Operational management Establish/Maintain Documentation
    Include a removable storage media use policy in the Acceptable Use Policy. CC ID 06772 Operational management Data and Information Management
    Correlate the Acceptable Use Policy with the network security policy. CC ID 01356 Operational management Establish/Maintain Documentation
    Include appropriate network locations for each technology in the Acceptable Use Policy. CC ID 11881 Operational management Establish/Maintain Documentation
    Correlate the Acceptable Use Policy with the approved product list. CC ID 01357 Operational management Establish/Maintain Documentation
    Include facility access and facility use in the Acceptable Use Policy. CC ID 06441 Operational management Establish/Maintain Documentation
    Include the usage restrictions of mobile code technologies in the Acceptable Use Policy. CC ID 15311 Operational management Establish/Maintain Documentation
    Include a software installation policy in the Acceptable Use Policy. CC ID 06749 Operational management Establish/Maintain Documentation
    Document idle session termination and logout for remote access technologies in the Acceptable Use Policy. CC ID 12472 Operational management Establish/Maintain Documentation
    Disseminate and communicate the Acceptable Use Policy to all interested personnel and affected parties. CC ID 12431 Operational management Communicate
    Require interested personnel and affected parties to sign Acceptable Use Policies. CC ID 06661 Operational management Establish/Maintain Documentation
    Require interested personnel and affected parties to re-sign Acceptable Use Policies, as necessary. CC ID 06663 Operational management Establish/Maintain Documentation
    Establish, implement, and maintain an Intellectual Property Right program. CC ID 00821 Operational management Establish/Maintain Documentation
    Establish, implement, and maintain domain name registration and renewal procedures. CC ID 07075 Operational management Business Processes
    Establish, implement, and maintain Intellectual Property Rights protection procedures. CC ID 11512 Operational management Establish/Maintain Documentation
    Protect against circumvention of the organization's Intellectual Property Rights. CC ID 11513 Operational management Establish/Maintain Documentation
    Establish, implement, and maintain an e-mail policy. CC ID 06439 Operational management Establish/Maintain Documentation
    Include business use of personal e-mail in the e-mail policy. CC ID 14381 Operational management Establish/Maintain Documentation
    Identify the sender in all electronic messages. CC ID 13996 Operational management Data and Information Management
    Protect policies, standards, and procedures from unauthorized modification or disclosure. CC ID 10603 Operational management Establish/Maintain Documentation
    Establish, implement, and maintain nondisclosure agreements. CC ID 04536 Operational management Establish/Maintain Documentation
    Disseminate and communicate nondisclosure agreements to interested personnel and affected parties. CC ID 16191 Operational management Communicate
    Require interested personnel and affected parties to sign nondisclosure agreements. CC ID 06667 Operational management Establish/Maintain Documentation
    Require interested personnel and affected parties to re-sign nondisclosure agreements, as necessary. CC ID 06669 Operational management Establish/Maintain Documentation
    Establish, implement, and maintain a use of information agreement. CC ID 06215 Operational management Establish/Maintain Documentation
    Include use limitations in the use of information agreement. CC ID 06244 Operational management Establish/Maintain Documentation
    Include disclosure requirements in the use of information agreement. CC ID 11735 Operational management Establish/Maintain Documentation
    Include information recipients in the use of information agreement. CC ID 06245 Operational management Establish/Maintain Documentation
    Include reporting out of scope use of information in the use of information agreement. CC ID 06246 Operational management Establish/Maintain Documentation
    Include disclosure of information in the use of information agreement. CC ID 11830 Operational management Establish/Maintain Documentation
    Include information security procedures assigned to the information recipient in the use of information agreement. CC ID 07130 Operational management Establish/Maintain Documentation
    Include information security procedures assigned to the originator in the use of information agreement. CC ID 14418 Operational management Establish/Maintain Documentation
    Include a do not contact rule for the individuals identified in a data set in the use of information agreement. CC ID 07131 Operational management Establish/Maintain Documentation
    Include the information recipient's third parties accepting the agreement in the use of information agreement. CC ID 07132 Operational management Establish/Maintain Documentation
    Implement and comply with the Governance, Risk, and Compliance framework. CC ID 00818
    [Table 1 describes the structure of the governance principles and lists the principles associated with each category. All principles should be applied, and applied concurrently. § 5 ¶ 3
    Governing bodies should ensure that they realize the described governance outcomes through intentionally implementing the practices. § 5 ¶ 6]
    Operational management Business Processes
Analyze how policies used to create management boundaries relate to the Governance, Risk, and Compliance approach. CC ID 12821
    [Decision-making throughout the organization should be supported by appropriate delegation (see 4.2.2). This delegation should be formalized together with appropriate assurance processes. Additionally, the governing body should ensure that: limits of the decision-making authority are applied based on the associated level of risk, in particular where automated decision-making is used; § 6.8.3.2.2 ¶ 1 b)
    Delegation should be formalized together with the appropriate assurance processes. Limits of decision-making authority should be applied in response to assessed risk. § 4.2.2 ¶ 5]
    Operational management Process or Activity
    Analyze how the organization sets limits in policies relating to the Governance, Risk, and Compliance approach. CC ID 12819 Operational management Process or Activity
    Analyze how the Board of Directors' and senior management's tone influences the Governance, Risk, and Compliance approach. CC ID 12818
    [To ensure that the organization fulfils the organizational purpose and achieves the intended strategic outcomes, the governing body should: set the tone for the organization with respect to how the management of risk is to be approached; § 6.9.3.1 ¶ 2 a)
    To ensure that the organization is acting in a socially responsible way, the governing body should: assess how actions of individual members of the governing body influence social responsibility. § 6.10.3 ¶ 1 i)
    In order to lead ethically and effectively, the governing body should lead by example to create a positive culture, set the tone for others, and engender trust and cooperation among the organization's stakeholders. § 6.7.3.1 ¶ 2
    Set the tone for the organization by behaving in the manner in which the organization and its personnel are expected to behave. Table 2 Column 2 Row 2 Bullet 4
    The governing body should steer the organizational strategy by means of: the organizational culture, including the cultural tone the governing body sets through its ethos; § 6.3.3.2.2 ¶ 2 a)]
    Operational management Process or Activity
    Analyze the degree to which the governing body is engaged in the Governance, Risk, and Compliance approach. CC ID 12817
    [Ethical and effective leadership should be demonstrated in three areas: the functioning of the governing body; § 6.7.3.1 ¶ 4 a)
    The governing body should make decisions of requisite quality and ensure that its decision-making is appropriately informed. The governing body should: pay attention to the dynamics of the governing body, including, for example, undue reliance on any one member for decision-making; § 6.8.3.2.1 ¶ 1 e)
    The governing body should steer the organizational strategy by means of: the composition and functioning of the governing body itself, and its committees, ensuring they are continually able to understand and meet the changing needs of the organization (see 4.3.2), including recommending ways for closing anticipated gaps; § 6.3.3.2.2 ¶ 2 c)]
    Operational management Process or Activity
    Analyze the Governance, Risk, and Compliance approach. CC ID 12816
    [The governing body should: assess its own competence, structures and processes, including drawing on the support of experienced, independent professionals, with respect to, for example, the adequacy of its effectiveness, efficiency, composition and its member succession plans; § 4.3.2 ¶ 2 d)]
    Operational management Process or Activity
    Analyze the organizational culture. CC ID 12899 Operational management Process or Activity
    Include employee engagement in the analysis of the organizational culture. CC ID 12914 Operational management Behavior
    Include contractual relationships with workforce members in the analysis of the organizational culture. CC ID 15674 Operational management Business Processes
    Include the number of workforce members who are not employees in the analysis of the organizational culture. CC ID 15673 Operational management Business Processes
    Include the type of work performed by workforce members in the analysis of the organizational culture. CC ID 15675 Operational management Business Processes
    Include skill development in the analysis of the organizational culture. CC ID 12913 Operational management Behavior
    Include employee turnover rates in the analysis of the organizational culture. CC ID 12912 Operational management Behavior
    Include demographic characteristics of employees in the analysis of the organizational culture. CC ID 15671 Operational management Business Processes
    Include employee loyalty in the analysis of the organizational culture. CC ID 12911 Operational management Behavior
    Include employee satisfaction in the analysis of the organizational culture. CC ID 12910 Operational management Behavior
    Comply with all implemented policies in the organization's compliance framework. CC ID 06384
    [To demonstrate accountability, the governing body should ensure that the organization's reports and disclosures: meet compliance obligations; § 6.5.3.2 ¶ 1 d)
    Effective performance — The organization: remains in alignment with its policies and relevant stakeholder expectations. § 5 ¶ 2 a) 4)]
    Operational management Establish/Maintain Documentation
    Provide assurance to interested personnel and affected parties that the Governance, Risk, and Compliance capability is reliable, effective, efficient, and responsive. CC ID 12788
    [In doing so, the governing body provides indications of the organization's governance maturity, among other insights. § 5 ¶ 8
    To provide effective oversight of the organization, in addition to the reports it receives from those to whom they have delegated, the governing body should assure itself that the governance system is appropriately designed and operating as intended. If the governing body cannot assure itself directly, then it should utilize additional means of independent assurance. The governing body should: § 6.4.3.3 ¶ 1
    To provide effective oversight of the organization, in addition to the reports it receives from those to whom they have delegated, the governing body should assure itself that the governance system is appropriately designed and operating as intended. If the governing body cannot assure itself directly, then it should utilize additional means of independent assurance. The governing body should: demonstrate its commitment to assurance and communicate appropriately and clearly, throughout the organization, about its assurance system. § 6.4.3.3 ¶ 1 g)]
    Operational management Communicate
    Review systems for compliance with organizational information security policies. CC ID 12004 Operational management Business Processes
    Disseminate and communicate the Governance, Risk, and Compliance framework to all interested personnel and affected parties. CC ID 00815
    [{individual}{hold accountable} The governing body should demonstrate its willingness to answer for the fulfilment of its responsibilities, even where these have been delegated. The governing body should also report on the manner in which it holds to account those to whom it has delegated. § 6.5.3.1 ¶ 1
    To demonstrate accountability, the governing body should ensure that the organization's reports and disclosures: provide information about the governing body itself, including: § 6.5.3.2 ¶ 1 b)
    Finally, the governing body should report honestly and transparently to relevant stakeholders on the organizational governance framework. This includes reporting: § 5 ¶ 7]
    Operational management Behavior
    Establish, implement, and maintain an Asset Management program. CC ID 06630
    [Responsible stewardship — The organization: makes use of resources in a responsible manner; § 5 ¶ 2 b) 1)
    {procedure}The governing body should ensure that it sets parameters, within which the value generation objectives are to be achieved. These parameters should ensure that the organization: defines what resources are required to deliver the value generation objectives and how they should be accessed and allocated; § 6.2.3.3 ¶ 1 b)]
    Operational management Business Processes
    Establish, implement, and maintain an asset management policy. CC ID 15219 Operational management Establish/Maintain Documentation
    Include coordination amongst entities in the asset management policy. CC ID 16424 Operational management Business Processes
    Establish, implement, and maintain asset management procedures. CC ID 16748 Operational management Establish/Maintain Documentation
    Assign an information owner to organizational assets, as necessary. CC ID 12729 Operational management Human Resources Management
    Define and prioritize the importance of each asset in the asset management program. CC ID 16837 Operational management Business Processes
    Include life cycle requirements in the security management program. CC ID 16392 Operational management Establish/Maintain Documentation
    Include program objectives in the asset management program. CC ID 14413 Operational management Establish/Maintain Documentation
    Include a commitment to continual improvement in the asset management program. CC ID 14412 Operational management Establish/Maintain Documentation
    Include compliance with applicable requirements in the asset management program. CC ID 14411 Operational management Establish/Maintain Documentation
    Establish, implement, and maintain administrative controls over all assets. CC ID 16400 Operational management Business Processes
    Establish, implement, and maintain classification schemes for all systems and assets. CC ID 01902 Operational management Establish/Maintain Documentation
    Apply security controls to each level of the information classification standard. CC ID 01903 Operational management Systems Design, Build, and Implementation
    Establish, implement, and maintain the systems' confidentiality level. CC ID 01904 Operational management Establish/Maintain Documentation
    Define confidentiality controls. CC ID 01908 Operational management Establish/Maintain Documentation
    Establish, implement, and maintain the systems' availability level. CC ID 01905 Operational management Establish/Maintain Documentation
    Restrict unscheduled downtime in order to maintain high availability for critical systems. CC ID 12742 Operational management Process or Activity
    Define integrity controls. CC ID 01909 Operational management Establish/Maintain Documentation
    Establish, implement, and maintain the systems' integrity level. CC ID 01906 Operational management Establish/Maintain Documentation
    Define availability controls. CC ID 01911 Operational management Establish/Maintain Documentation
    Establish safety classifications for systems according to their potential harmful effects to operators or end users. CC ID 06603 Operational management Establish/Maintain Documentation
    Establish, implement, and maintain an asset safety classification scheme. CC ID 06604 Operational management Establish/Maintain Documentation
    Establish, implement, and maintain the Asset Classification Policy. CC ID 06642 Operational management Establish/Maintain Documentation
    Disseminate and communicate the Asset Classification Policy to interested personnel and affected parties. CC ID 14851 Operational management Communicate
    Classify assets according to the Asset Classification Policy. CC ID 07186 Operational management Establish Roles
    Classify virtual systems by type and purpose. CC ID 16332 Operational management Business Processes
    Document the decision for assigning an asset to a specific asset classification in the Asset Classification Policy. CC ID 07185 Operational management Establish/Maintain Documentation
    Apply asset protection mechanisms for all assets according to their assigned Asset Classification Policy. CC ID 07184 Operational management Establish Roles
    Disallow systems from processing information, disseminating and communicating information, or storing information that is above the system's assigned asset classification. CC ID 06606 Operational management Configuration
    Assign decomposed system components the same asset classification as the originating system. CC ID 06605 Operational management Establish/Maintain Documentation
    Establish, implement, and maintain an asset inventory. CC ID 06631 Operational management Business Processes
    Establish, implement, and maintain an Information Technology inventory with asset discovery audit trails. CC ID 00689 Operational management Establish/Maintain Documentation
    Include all account types in the Information Technology inventory. CC ID 13311 Operational management Establish/Maintain Documentation
    Include each Information System's system boundaries in the Information Technology inventory. CC ID 00695 Operational management Systems Design, Build, and Implementation
    Identify processes, Information Systems, and third parties that transmit, process, or store restricted data. CC ID 06289 Operational management Data and Information Management
    Include each Information System's major applications in the Information Technology inventory. CC ID 01407 Operational management Establish/Maintain Documentation
    Categorize all major applications according to the business information they process. CC ID 07182 Operational management Establish/Maintain Documentation
    Document the resources, hazards, and Evaluation Assurance Levels for each major application. CC ID 01164 Operational management Establish/Maintain Documentation
    Include the General Support Systems and security support structure in the Information Technology inventory. CC ID 01408 Operational management Establish/Maintain Documentation
    Include each Information System's minor applications in the Information Technology inventory. CC ID 01409 Operational management Establish/Maintain Documentation
    Conduct environmental surveys. CC ID 00690 Operational management Physical and Environmental Protection
    Categorize facilities in the Information Technology inventory according to their environmental risks. CC ID 06729 Operational management Establish/Maintain Documentation
    Establish, implement, and maintain a hardware asset inventory. CC ID 00691 Operational management Establish/Maintain Documentation
    Include network equipment in the Information Technology inventory. CC ID 00693 Operational management Establish/Maintain Documentation
    Include mobile devices that store restricted data or restricted information in the Information Technology inventory. CC ID 04719 Operational management Establish/Maintain Documentation
    Include interconnected systems and Software as a Service in the Information Technology inventory. CC ID 04885 Operational management Process or Activity
    Include software in the Information Technology inventory. CC ID 00692 Operational management Establish/Maintain Documentation
    Establish and maintain a list of authorized software and versions required for each system. CC ID 12093 Operational management Establish/Maintain Documentation
    Establish, implement, and maintain a storage media inventory. CC ID 00694 Operational management Establish/Maintain Documentation
    Establish, implement, and maintain a records inventory and database inventory. CC ID 01260 Operational management Establish/Maintain Documentation
    Add inventoried assets to the asset register database, as necessary. CC ID 07051 Operational management Establish/Maintain Documentation
    Organize the asset register database by grouping objects according to an organizational information classification standard. CC ID 07181 Operational management Establish/Maintain Documentation
    Use automated tools to collect Information Technology inventory information, as necessary. CC ID 07054 Operational management Technical Security
    Link the authentication system to the asset inventory. CC ID 13718 Operational management Technical Security
    Record a unique name for each asset in the asset inventory. CC ID 16305 Operational management Data and Information Management
    Record the decommission date for applicable assets in the asset inventory. CC ID 14920 Operational management Establish/Maintain Documentation
    Record the status of information systems in the asset inventory. CC ID 16304 Operational management Data and Information Management
    Record the communication interfaces for applicable assets in the asset inventory. CC ID 16301 Operational management Data and Information Management
    Record the Uniform Resource Locator for applicable assets in the asset inventory. CC ID 14918 Operational management Establish/Maintain Documentation
    Include source code in the asset inventory. CC ID 14858 Operational management Records Management
    Assign ownership of maintaining the asset inventory, as necessary. CC ID 12344 Operational management Human Resources Management
    Record the review date for applicable assets in the asset inventory. CC ID 14919 Operational management Establish/Maintain Documentation
    Record software license information for each asset in the asset inventory. CC ID 11736 Operational management Data and Information Management
    Record services for applicable assets in the asset inventory. CC ID 13733 Operational management Establish/Maintain Documentation
    Record protocols for applicable assets in the asset inventory. CC ID 13734 Operational management Establish/Maintain Documentation
    Record the software version in the asset inventory. CC ID 12196 Operational management Establish/Maintain Documentation
    Record the publisher for applicable assets in the asset inventory. CC ID 13725 Operational management Establish/Maintain Documentation
    Record the authentication system in the asset inventory. CC ID 13724 Operational management Establish/Maintain Documentation
    Tag unsupported assets in the asset inventory. CC ID 13723 Operational management Establish/Maintain Documentation
    Record the install date for applicable assets in the asset inventory. CC ID 13720 Operational management Establish/Maintain Documentation
Record the make and model of device for applicable assets in the asset inventory. CC ID 12465 Operational management Establish/Maintain Documentation
    Record the asset tag for physical assets in the asset inventory. CC ID 06632 Operational management Establish/Maintain Documentation
    Record the host name of applicable assets in the asset inventory. CC ID 13722 Operational management Establish/Maintain Documentation
    Record network ports for applicable assets in the asset inventory. CC ID 13730 Operational management Establish/Maintain Documentation
    Record the MAC address for applicable assets in the asset inventory. CC ID 13721 Operational management Establish/Maintain Documentation
    Record the operating system version for applicable assets in the asset inventory. CC ID 11748 Operational management Data and Information Management
    Record the operating system type for applicable assets in the asset inventory. CC ID 06633 Operational management Establish/Maintain Documentation
    Record rooms at external locations in the asset inventory. CC ID 16302 Operational management Data and Information Management
    Record the department associated with the asset in the asset inventory. CC ID 12084 Operational management Establish/Maintain Documentation
    Record the physical location for applicable assets in the asset inventory. CC ID 06634 Operational management Establish/Maintain Documentation
    Record the manufacturer's serial number for applicable assets in the asset inventory. CC ID 06635 Operational management Establish/Maintain Documentation
    Record the firmware version for applicable assets in the asset inventory. CC ID 12195 Operational management Establish/Maintain Documentation
    Record the related business function for applicable assets in the asset inventory. CC ID 06636 Operational management Establish/Maintain Documentation
    Record the deployment environment for applicable assets in the asset inventory. CC ID 06637 Operational management Establish/Maintain Documentation
    Record the Internet Protocol address for applicable assets in the asset inventory. CC ID 06638 Operational management Establish/Maintain Documentation
    Record trusted keys and certificates in the asset inventory. CC ID 15486 Operational management Data and Information Management
    Record cipher suites and protocols in the asset inventory. CC ID 15489 Operational management Data and Information Management
    Link the software asset inventory to the hardware asset inventory. CC ID 12085 Operational management Establish/Maintain Documentation
    Record the owner for applicable assets in the asset inventory. CC ID 06640 Operational management Establish/Maintain Documentation
    Record all compliance requirements for applicable assets in the asset inventory. CC ID 15696 Operational management Establish/Maintain Documentation
    Record all changes to assets in the asset inventory. CC ID 12190 Operational management Establish/Maintain Documentation
    Record cloud service derived data in the asset inventory. CC ID 13007 Operational management Establish/Maintain Documentation
    Include cloud service customer data in the asset inventory. CC ID 13006 Operational management Establish/Maintain Documentation
    Establish, implement, and maintain a software accountability policy. CC ID 00868 Operational management Establish/Maintain Documentation
    Establish, implement, and maintain software asset management procedures. CC ID 00895 Operational management Establish/Maintain Documentation
    Prevent users from disabling required software. CC ID 16417 Operational management Technical Security
    Establish, implement, and maintain software archives procedures. CC ID 00866 Operational management Establish/Maintain Documentation
    Establish, implement, and maintain software distribution procedures. CC ID 00894 Operational management Establish/Maintain Documentation
    Establish, implement, and maintain software documentation management procedures. CC ID 06395 Operational management Establish/Maintain Documentation
    Establish, implement, and maintain software license management procedures. CC ID 06639 Operational management Establish/Maintain Documentation
    Automate software license monitoring, as necessary. CC ID 07057 Operational management Monitor and Evaluate Occurrences
    Establish, implement, and maintain digital legacy procedures. CC ID 16524 Operational management Establish/Maintain Documentation
    Establish, implement, and maintain a system redeployment program. CC ID 06276 Operational management Establish/Maintain Documentation
    Notify interested personnel and affected parties prior to when the system is redeployed or the system is disposed. CC ID 06400 Operational management Behavior
    Wipe all data on systems prior to when the system is redeployed or the system is disposed. CC ID 06401 Operational management Data and Information Management
    Transfer legal ownership of assets when the system is redeployed to a third party. CC ID 06698 Operational management Acquisition/Sale of Assets or Services
    Document the staff's operating knowledge of the system prior to a personnel status change. CC ID 06937 Operational management Establish/Maintain Documentation
    Redeploy systems to other organizational units, as necessary. CC ID 11452 Operational management Establish/Maintain Documentation
    Establish, implement, and maintain a system disposal program. CC ID 14431 Operational management Establish/Maintain Documentation
    Establish, implement, and maintain disposal procedures. CC ID 16513 Operational management Establish/Maintain Documentation
    Establish, implement, and maintain asset sanitization procedures. CC ID 16511 Operational management Establish/Maintain Documentation
    Destroy systems in accordance with the system disposal program. CC ID 16457 Operational management Business Processes
    Approve the release of systems and waste material into the public domain. CC ID 16461 Operational management Business Processes
    Establish, implement, and maintain system destruction procedures. CC ID 16474 Operational management Establish/Maintain Documentation
    Establish, implement, and maintain printer and multifunction device disposition procedures. CC ID 15216 Operational management Establish/Maintain Documentation
    Establish, implement, and maintain a system preventive maintenance program. CC ID 00885
    [The organization's viability and performance over time depends on the resilience of natural environmental, social and economic systems in which the organization operates. The resilience of these systems benefits from governing body decisions when such decisions consider: actively contribute to conserving and restoring these systems. § 6.11.3.1 ¶ 1 Bullet 2]
    Operational management Establish/Maintain Documentation
    Establish and maintain maintenance reports. CC ID 11749 Operational management Establish/Maintain Documentation
    Establish and maintain system inspection reports. CC ID 06346 Operational management Establish/Maintain Documentation
    Establish, implement, and maintain a system maintenance policy. CC ID 14032 Operational management Establish/Maintain Documentation
    Include compliance requirements in the system maintenance policy. CC ID 14217 Operational management Establish/Maintain Documentation
    Include management commitment in the system maintenance policy. CC ID 14216 Operational management Establish/Maintain Documentation
    Include roles and responsibilities in the system maintenance policy. CC ID 14215 Operational management Establish/Maintain Documentation
    Include the scope in the system maintenance policy. CC ID 14214 Operational management Establish/Maintain Documentation
    Disseminate and communicate the system maintenance policy to interested personnel and affected parties. CC ID 14213 Operational management Communicate
    Include the purpose in the system maintenance policy. CC ID 14187 Operational management Establish/Maintain Documentation
    Include coordination amongst entities in the system maintenance policy. CC ID 14181 Operational management Establish/Maintain Documentation
    Establish, implement, and maintain system maintenance procedures. CC ID 14059 Operational management Establish/Maintain Documentation
    Disseminate and communicate the system maintenance procedures to interested personnel and affected parties. CC ID 14194 Operational management Communicate
    Establish, implement, and maintain a technology refresh plan. CC ID 13061 Operational management Establish/Maintain Documentation
    Plan and conduct maintenance so that it does not interfere with scheduled operations. CC ID 06389 Operational management Physical and Environmental Protection
    Maintain contact with the device manufacturer or component manufacturer for maintenance requests. CC ID 06388 Operational management Behavior
    Use system components only when third party support is available. CC ID 10644 Operational management Maintenance
    Obtain justification for the continued use of system components when third party support is no longer available. CC ID 10645 Operational management Maintenance
    Obtain approval before removing maintenance tools from the facility. CC ID 14298 Operational management Business Processes
    Control remote maintenance according to the system's asset classification. CC ID 01433 Operational management Technical Security
    Separate remote maintenance sessions from other network sessions with a logically separate communications path based upon encryption. CC ID 10614 Operational management Configuration
    Approve all remote maintenance sessions. CC ID 10615 Operational management Technical Security
    Log the performance of all remote maintenance. CC ID 13202 Operational management Log Management
    Terminate remote maintenance sessions when the remote maintenance is complete. CC ID 12083 Operational management Technical Security
    Conduct offsite maintenance in authorized facilities. CC ID 16473 Operational management Maintenance
    Disconnect non-volatile media from information systems prior to performing maintenance with uncleared personnel. CC ID 14295 Operational management Maintenance
    Sanitize volatile media in information systems prior to performing maintenance with uncleared personnel. CC ID 14291 Operational management Maintenance
    Respond to maintenance requests inside the organizationally established time frame. CC ID 04878 Operational management Behavior
    Establish and maintain an archive of maintenance reports in a maintenance log. CC ID 06202 Operational management Establish/Maintain Documentation
    Acquire spare parts prior to when maintenance requests are scheduled. CC ID 11833 Operational management Acquisition/Sale of Assets or Services
    Perform periodic maintenance according to organizational standards. CC ID 01435 Operational management Behavior
    Restart systems on a periodic basis. CC ID 16498 Operational management Maintenance
    Remove components being serviced from the information system prior to performing maintenance. CC ID 14251 Operational management Maintenance
    Employ dedicated systems during system maintenance. CC ID 12108 Operational management Technical Security
    Isolate dedicated systems used for system maintenance from Internet access. CC ID 12114 Operational management Technical Security
    Control granting access to appropriate parties performing maintenance on organizational assets. CC ID 11873 Operational management Human Resources Management
    Identify and authenticate appropriate parties prior to granting access to maintain assets. CC ID 11874 Operational management Physical and Environmental Protection
    Post calibration limits or calibration tolerances on or near assets requiring calibration. CC ID 06204 Operational management Establish/Maintain Documentation
    Implement automated mechanisms to transfer predictive maintenance data to a maintenance management system. CC ID 10616 Operational management Process or Activity
    Disassemble and shut down unnecessary systems or unused systems. CC ID 06280 Operational management Business Processes
    Establish, implement, and maintain an end-of-life management process. CC ID 16540 Operational management Establish/Maintain Documentation
    Dispose of hardware and software at their life cycle end. CC ID 06278 Operational management Business Processes
    Refrain from placing assets being disposed of into organizational dumpsters. CC ID 12200 Operational management Business Processes
    Establish, implement, and maintain disposal contracts. CC ID 12199 Operational management Establish/Maintain Documentation
    Include disposal procedures in disposal contracts. CC ID 13905 Operational management Establish/Maintain Documentation
    Remove asset tags prior to disposal of an asset. CC ID 12198 Operational management Business Processes
    Document the storage information for all systems that are stored instead of being disposed of or redeployed. CC ID 06936 Operational management Establish/Maintain Documentation
    Review each system's operational readiness. CC ID 06275 Operational management Systems Design, Build, and Implementation
    Establish, implement, and maintain a data stewardship policy. CC ID 06657 Operational management Establish/Maintain Documentation
    Establish and maintain an unauthorized software list. CC ID 10601 Operational management Establish/Maintain Documentation
    Establish, implement, and maintain a customer service program. CC ID 00846 Operational management Establish/Maintain Documentation
    Establish, implement, and maintain an Incident Management program. CC ID 00853 Operational management Business Processes
    Include detection procedures in the Incident Management program. CC ID 00588 Operational management Establish/Maintain Documentation
    Analyze security violations in Suspicious Activity Reports. CC ID 00591 Operational management Establish/Maintain Documentation
    Update the incident response procedures using the lessons learned. CC ID 01233
    [The governing body should oversee organizational performance by assessing and taking corrective action based on: the organization's management of plans, organizational changes and other substantial transformations as well as responses to unplanned events and incidents. § 6.4.3.2 ¶ 1 j)]
    Operational management Establish/Maintain Documentation
    Establish, implement, and maintain a performance management standard. CC ID 01615
    [The governing body should oversee the organization's performance to ensure that it meets the governing body's intentions for, and expectations of, the organization, its ethical behaviour and its compliance obligations. § 6.4.1 ¶ 1
    Ethical and effective leadership should be demonstrated in three areas: the performance of the organization as a whole; § 6.7.3.1 ¶ 4 b)
    The governing body should oversee the organization's performance to ensure that it meets the governing body's intentions for, and expectations of, the organization, its ethical behaviour and its compliance obligations. Table 1 Column 4 Row 5
    Effective performance — The organization: performs as required; § 5 ¶ 2 a) 2)]
    Operational management Establish/Maintain Documentation
    Establish, implement, and maintain future system performance forecasting methods. CC ID 11775 Operational management Business Processes
    Establish, implement, and maintain a remediation plan for deviations in the resource management process. CC ID 13679 Operational management Establish/Maintain Documentation
    Follow the maintenance schedule. CC ID 11791 Operational management Maintenance
    Establish, implement, and maintain rate limiting filters. CC ID 06883 Operational management Business Processes
    Establish, implement, and maintain system capacity monitoring procedures. CC ID 01619 Operational management Establish/Maintain Documentation
    Establish, implement, and maintain system performance monitoring procedures. CC ID 11752 Operational management Establish/Maintain Documentation
    Establish, implement, and maintain a cost management program. CC ID 13638 Operational management Establish/Maintain Documentation
    Establish, implement, and maintain a data profiling program. CC ID 13992
    [The governing body should oversee the organization's management of risk (see 6.4), ensuring that: effective data analytics are employed to correctly assess risk and risk interactions; § 6.9.3.4 ¶ 1 f)]
    Records management Data and Information Management
    Establish, implement, and maintain an information management program. CC ID 14315
    [Decision-making throughout the organization should be supported by appropriate delegation (see 4.2.2). This delegation should be formalized together with appropriate assurance processes. Additionally, the governing body should ensure that: information structures, including access to information, monitoring and potential mitigation of incorrect decisions are sufficient to ensure compliance with organizational requirements. § 6.8.3.2.2 ¶ 1 c)]
    Records management Establish/Maintain Documentation
    Establish, implement, and maintain records management procedures. CC ID 11619 Records management Establish/Maintain Documentation
    Establish, implement, and maintain data completeness controls. CC ID 11649
    [The governing body should make decisions of requisite quality and ensure that its decision-making is appropriately informed. The governing body should: ensure that assurance is provided over the integrity of the data and information received, and in particular its accuracy and completeness; § 6.8.3.2.1 ¶ 1 g)]
    Records management Process or Activity
    Establish, implement, and maintain data processing integrity controls. CC ID 00923
    [The governing body should make decisions of requisite quality and ensure that its decision-making is appropriately informed. The governing body should: ensure that assurance is provided over the integrity of the data and information received, and in particular its accuracy and completeness; § 6.8.3.2.1 ¶ 1 g)]
    Records management Establish Roles
    Establish, implement, and maintain Automated Data Processing validation checks and editing checks. CC ID 00924 Records management Data and Information Management
    Establish, implement, and maintain Automated Data Processing error handling procedures. CC ID 00925 Records management Establish/Maintain Documentation
    Establish, implement, and maintain Automated Data Processing error handling reporting. CC ID 11659 Records management Establish/Maintain Documentation
    Establish, implement, and maintain electronic storage media management procedures. CC ID 00931 Records management Establish/Maintain Documentation
    Establish and maintain access controls for all records. CC ID 00371
    [Decision-making throughout the organization should be supported by appropriate delegation (see 4.2.2). This delegation should be formalized together with appropriate assurance processes. Additionally, the governing body should ensure that: information structures, including access to information, monitoring and potential mitigation of incorrect decisions are sufficient to ensure compliance with organizational requirements. § 6.8.3.2.2 ¶ 1 c)]
    Records management Records Management
    Establish, implement, and maintain a consumer complaint management program. CC ID 04570
    [Assurance processes that inform the governing body independently and accurately include: whistleblowing processes and personnel and customer feedback mechanisms, both formal and informal (see NOTE 3). § 6.4.3.3 ¶ 2 Bullet 5]
    Acquisition or sale of facilities, technology, and services Business Processes
    Document consumer complaints. CC ID 13903 Acquisition or sale of facilities, technology, and services Business Processes
    Assess consumer complaints and litigation. CC ID 16521 Acquisition or sale of facilities, technology, and services Investigate
    Notify the complainant about their rights after receiving a complaint. CC ID 16794 Acquisition or sale of facilities, technology, and services Communicate
    Include how to access information from the dispute resolution body in the consumer complaint management program. CC ID 13816 Acquisition or sale of facilities, technology, and services Establish/Maintain Documentation
    Include any requirements for using information from the dispute resolution body in the consumer complaint management program. CC ID 13815 Acquisition or sale of facilities, technology, and services Establish/Maintain Documentation
    Post contact information in an easily seen location at facilities. CC ID 13812 Acquisition or sale of facilities, technology, and services Communicate
    Provide users a list of the available dispute resolution bodies. CC ID 13814 Acquisition or sale of facilities, technology, and services Communicate
    Post the dispute resolution body's contact information on the organization's website. CC ID 13811 Acquisition or sale of facilities, technology, and services Communicate
    Establish, implement, and maintain consumer complaint escalation procedures. CC ID 07208 Acquisition or sale of facilities, technology, and services Establish/Maintain Documentation
    Disseminate and communicate the consumer complaint management program to interested personnel and affected parties. CC ID 16795 Acquisition or sale of facilities, technology, and services Communicate
    Report the analysis of consumer complaints to the Quality Management committee. CC ID 07209 Acquisition or sale of facilities, technology, and services Actionable Reports or Measurements
    Establish, implement, and maintain notice and take-down procedures. CC ID 09963 Acquisition or sale of facilities, technology, and services Establish/Maintain Documentation
    Check communications for take-down requests. CC ID 09964 Acquisition or sale of facilities, technology, and services Monitor and Evaluate Occurrences
    Include a statement by the complainant that the information is true and correct in the take-down request. CC ID 09970 Acquisition or sale of facilities, technology, and services Business Processes
    Notify the complainant regarding any missing information in the take-down request. CC ID 09973 Acquisition or sale of facilities, technology, and services Behavior
    Document any unlawful material hosted or stored by the organization meeting the take-down request criteria. CC ID 09975 Acquisition or sale of facilities, technology, and services Establish/Maintain Documentation
    Document any unlawful material hosted or stored by the organization meeting the take-down request criteria that has been removed prior to the take-down request. CC ID 09976 Acquisition or sale of facilities, technology, and services Establish/Maintain Documentation
    Include whether it is technically feasible to follow the requested remedial action in the take-down request. CC ID 09977 Acquisition or sale of facilities, technology, and services Establish/Maintain Documentation
    Remove all unlawful material associated with the take-down request that has not been removed and is feasible to remove. CC ID 09978 Acquisition or sale of facilities, technology, and services Business Processes
    Notify the complainant when all unlawful material associated with the take-down notice that can be removed has been removed. CC ID 09979 Acquisition or sale of facilities, technology, and services Business Processes
    Establish, implement, and maintain a privacy framework that protects restricted data. CC ID 11850 Privacy protection for information and data Establish/Maintain Documentation
    Establish, implement, and maintain a personal data use limitation program. CC ID 13428 Privacy protection for information and data Establish/Maintain Documentation
    Establish, implement, and maintain data access procedures. CC ID 00414
    [The governing body should: ensure that all relevant stakeholders are able to access the reports and disclosures, as far as is reasonable, and are therefore suitably equipped with the information necessary to make informed assessments of the organization's past performance, current performance and performance over time. § 6.5.3.2 ¶ 2 Bullet 3]
    Privacy protection for information and data Establish/Maintain Documentation
    Allow data subjects to submit data requests. CC ID 16545 Privacy protection for information and data Process or Activity
    Provide individuals with information about where their personal data was processed. CC ID 00415 Privacy protection for information and data Data and Information Management
    Provide individuals with information about the processing purpose of their personal data. CC ID 00416 Privacy protection for information and data Data and Information Management
    Provide individuals with information about disclosure of their personal data. CC ID 00417 Privacy protection for information and data Data and Information Management
    Allow guardians and legal representatives access to personal data about the individual for whom they are guardians or legal representatives. CC ID 00418 Privacy protection for information and data Data and Information Management
    Provide assistance to requesters in preparing data access requests. CC ID 13588 Privacy protection for information and data Data and Information Management
    Require data access requests to be in writing, unless the requester is unable. CC ID 00420 Privacy protection for information and data Establish/Maintain Documentation
    Define what is to be included in a data access request. CC ID 08699 Privacy protection for information and data Establish/Maintain Documentation
    Refrain from requiring data subjects to justify personal data access requests. CC ID 12394 Privacy protection for information and data Business Processes
    Respond to data access requests in a timely manner. CC ID 00421 Privacy protection for information and data Behavior
    Delay responding to data access requests, as necessary. CC ID 15504 Privacy protection for information and data Data and Information Management
    Expedite the processing of data access requests, as necessary. CC ID 15496 Privacy protection for information and data Data and Information Management
    Grant a waiver or reduction of fees for data access under defined conditions. CC ID 15502 Privacy protection for information and data Business Processes
    Define what is included in a request for a waiver or reduction of fees. CC ID 15522 Privacy protection for information and data Process or Activity
    Deliver the records described in the personal data access request, as necessary. CC ID 08701 Privacy protection for information and data Establish/Maintain Documentation
    Provide individuals with an estimate of how much data was withheld from the data access request. CC ID 15503 Privacy protection for information and data Data and Information Management
    Document the outcome of the personal data access request review procedure. CC ID 00455 Privacy protection for information and data Data and Information Management
    Establish, implement, and maintain procedures for individuals to be able to modify their personal data, as necessary. CC ID 11811 Privacy protection for information and data Establish/Maintain Documentation
    Submit personal data removal requests in writing. CC ID 11973 Privacy protection for information and data Records Management
    Include a liability waiver for any harm caused by the exclusion of personal data in the personal data removal request. CC ID 11975 Privacy protection for information and data Establish/Maintain Documentation
    Notify third parties of data access requests that relate to the third party. CC ID 08703 Privacy protection for information and data Establish/Maintain Documentation
    Allow affected third parties to consent or object to a data access request. CC ID 08704 Privacy protection for information and data Process or Activity
    Establish, implement, and maintain a personal data collection program. CC ID 06487
    [The governing body should make decisions of requisite quality and ensure that its decision-making is appropriately informed. The governing body should: exercise its right and responsibility to determine and receive the information it requires, including determining the appropriate data collection methods, preparation and timely delivery of information; § 6.8.3.2.1 ¶ 1 f)]
    Privacy protection for information and data Establish/Maintain Documentation
    Identify any adverse effects the collection of personal data will have on the data subject. CC ID 15279 Privacy protection for information and data Data and Information Management
    Refrain from collecting personal data, as necessary. CC ID 15269 Privacy protection for information and data Data and Information Management
    Establish, implement, and maintain personal data collection limitation boundaries. CC ID 00507 Privacy protection for information and data Establish/Maintain Documentation
    Establish, implement, and maintain a personal data use policy. CC ID 00076 Privacy protection for information and data Establish/Maintain Documentation
    Use personal data for specified purposes. CC ID 11831 Privacy protection for information and data Data and Information Management
    Post the collection purpose. CC ID 00101 Privacy protection for information and data Establish/Maintain Documentation
    Obtain the data subject's consent and acknowledgment before collecting data. CC ID 00012 Privacy protection for information and data Data and Information Management
    Document each individual's personal data collection consent preferences. CC ID 06945 Privacy protection for information and data Establish/Maintain Documentation
    Provide explicit consent that is clear and unambiguous. CC ID 00181 Privacy protection for information and data Data and Information Management
    Allow individuals to change their personal data collection consent preferences. CC ID 06946 Privacy protection for information and data Data and Information Management
    Adhere to each individual's personal data collection consent preferences. CC ID 06947 Privacy protection for information and data Data and Information Management
    Notify the data subject of the source of collected personal data. CC ID 00083 Privacy protection for information and data Behavior
    Furnish disclosure of information and usage of information to data subjects when oral consent is given. CC ID 04717 Privacy protection for information and data Data and Information Management
    Disclose the direct marketing purpose before obtaining consent for collecting information. CC ID 04718 Privacy protection for information and data Data and Information Management
    Establish and maintain a personal data definition. CC ID 00028 Privacy protection for information and data Establish/Maintain Documentation
    Include an individual's name in the personal data definition. CC ID 04710 Privacy protection for information and data Data and Information Management
    Include an individual's name combined with other personal data in the personal data definition. CC ID 04709 Privacy protection for information and data Data and Information Management
    Include the legal surname of the parent or legal representative prior to marriage in the personal data definition. CC ID 04686 Privacy protection for information and data Data and Information Management
    Include an individual's signature in the personal data definition. CC ID 04711 Privacy protection for information and data Data and Information Management
    Include an individual's date of birth in the personal data definition. CC ID 04770 Privacy protection for information and data Data and Information Management
    Include the number of children in the personal data definition. CC ID 13759 Privacy protection for information and data Establish/Maintain Documentation
    Include the individual's religion in the personal data definition. CC ID 13765 Privacy protection for information and data Establish/Maintain Documentation
    Include an individual's physical characteristics or description in the personal data definition. CC ID 04712 Privacy protection for information and data Data and Information Management
    Include an individual's biometric data in the personal data definition. CC ID 04698 Privacy protection for information and data Data and Information Management
    Include an individual's photographic image in the personal data definition. CC ID 04779 Privacy protection for information and data Data and Information Management
    Include an individual's fingerprints in the personal data definition. CC ID 04689 Privacy protection for information and data Data and Information Management
    Include an individual's address in the personal data definition. CC ID 04687 Privacy protection for information and data Data and Information Management
    Include an individual's telephone number in the personal data definition. CC ID 04688 Privacy protection for information and data Data and Information Management
    Include an individual's fax number in the personal data definition. CC ID 07120 Privacy protection for information and data Data and Information Management
    Include an individual's political party affiliation in the personal data definition. CC ID 13764 Privacy protection for information and data Establish/Maintain Documentation
    Include an individual's license plate number in the personal data definition. CC ID 13763 Privacy protection for information and data Establish/Maintain Documentation
    Include an individual's financial account number in the personal data definition. CC ID 04692 Privacy protection for information and data Data and Information Management
    Include an individual's account balances in the personal data definition. CC ID 13770 Privacy protection for information and data Establish/Maintain Documentation
    Include stock numbers, bond numbers, and other security certificate numbers in the personal data definition. CC ID 04768 Privacy protection for information and data Data and Information Management
    Include an individual's electronic identification name or number in the personal data definition. CC ID 04694 Privacy protection for information and data Data and Information Management
    Include an individual's logon credentials in the personal data definition. CC ID 13771 Privacy protection for information and data Establish/Maintain Documentation
    Include an individual's Alien Registration Number in the personal data definition. CC ID 04743 Privacy protection for information and data Data and Information Management
    Include an individual's passport number in the personal data definition. CC ID 04713 Privacy protection for information and data Data and Information Management
    Include an individual's driver's license number or an individual's state identification card number in the personal data definition. CC ID 04691 Privacy protection for information and data Data and Information Management
    Include an individual's Social Security Number or Personal Identification Number in the personal data definition. CC ID 04690 Privacy protection for information and data Data and Information Management
    Include an individual's military identification number in the personal data definition. CC ID 13083 Privacy protection for information and data Establish/Maintain Documentation
    Include an individual's e-mail address in the personal data definition. CC ID 04696 Privacy protection for information and data Data and Information Management
    Include electronic signatures in the personal data definition. CC ID 04697 Privacy protection for information and data Data and Information Management
    Include an individual's payment card information in the personal data definition. CC ID 04751 Privacy protection for information and data Data and Information Management
    Include an individual's credit card number or an individual's debit card number in the personal data definition. CC ID 04693 Privacy protection for information and data Data and Information Management
    Include an individual's payment card service code in the personal data definition. CC ID 04753 Privacy protection for information and data Data and Information Management
    Include an individual's payment card expiration date in the personal data definition. CC ID 04755 Privacy protection for information and data Data and Information Management
    Include the payment transaction data and transaction authentication data in the personal data definition. CC ID 04825 Privacy protection for information and data Data and Information Management
    Include an individual's Individually Identifiable Health Information in the personal data definition. CC ID 04700 Privacy protection for information and data Data and Information Management
    Include an individual's medical history in the personal data definition. CC ID 04701 Privacy protection for information and data Data and Information Management
    Include an individual's medical treatment in the personal data definition. CC ID 04702 Privacy protection for information and data Data and Information Management
    Include an individual's medical diagnosis in the personal data definition. CC ID 04703 Privacy protection for information and data Data and Information Management
    Include an individual's mental condition or an individual's physical condition in the personal data definition. CC ID 04704 Privacy protection for information and data Data and Information Management
    Include an individual's medical record numbers in the personal data definition. CC ID 07121 Privacy protection for information and data Data and Information Management
    Include an individual's health insurance information in the personal data definition. CC ID 04705 Privacy protection for information and data Data and Information Management
    Include an individual's health insurance policy number in the personal data definition. CC ID 04706 Privacy protection for information and data Data and Information Management
    Include an individual's health insurance application and health insurance claims history (including appeals) in the personal data definition. CC ID 04707 Privacy protection for information and data Data and Information Management
    Include an individual's education information in the personal data definition. CC ID 04714 Privacy protection for information and data Data and Information Management
    Include an individual's professional certification numbers or an individual's professional license numbers in the personal data definition. CC ID 07122 Privacy protection for information and data Data and Information Management
    Include an individual's employment information in the personal data definition. CC ID 04715 Privacy protection for information and data Data and Information Management
    Include an employer's Taxpayer Identification Number in the personal data definition. CC ID 04767 Privacy protection for information and data Data and Information Management
    Include an individual's Taxpayer Identification Number in the personal data definition. CC ID 04763 Privacy protection for information and data Data and Information Management
    Include an individual's employment history in the personal data definition. CC ID 04716 Privacy protection for information and data Data and Information Management
    Include an individual's place of employment in the personal data definition. CC ID 04765 Privacy protection for information and data Data and Information Management
    Include an individual's Employee Identification Number in the personal data definition. CC ID 04766 Privacy protection for information and data Data and Information Management
    Include an individual's property information in the personal data definition. CC ID 04780 Privacy protection for information and data Data and Information Management
    Include an individual's property title in the personal data definition. CC ID 04781 Privacy protection for information and data Data and Information Management
    Include an individual's vehicle registration in the personal data definition. CC ID 04782 Privacy protection for information and data Data and Information Management
    Include hardware asset identification information in the personal data definition. CC ID 07123 Privacy protection for information and data Data and Information Management
    Include MAC addresses in the personal data definition. CC ID 04778 Privacy protection for information and data Data and Information Management
    Include Internet Protocol addresses in the personal data definition. CC ID 04777 Privacy protection for information and data Data and Information Management
    Include asset serial numbers in the personal data definition. CC ID 07124 Privacy protection for information and data Data and Information Management
    Include Uniform Resource Locators in the personal data definition. CC ID 07125 Privacy protection for information and data Data and Information Management
    Refrain from including publicly available information in the personal data definition. CC ID 13084 Privacy protection for information and data Establish/Maintain Documentation
    Define specially restricted data. CC ID 00037 Privacy protection for information and data Data and Information Management
    Protect an individual's civil rights during personal data collection and personal data processing. CC ID 00079 Privacy protection for information and data Data and Information Management
    Refrain from compiling data that is likely to give rise to unlawful discrimination or arbitrary discrimination. CC ID 00075 Privacy protection for information and data Data and Information Management
    Refrain from subjecting an individual to a solely automated decision process that produces legal effects based on the evaluation of certain characteristics. CC ID 00080 Privacy protection for information and data Data and Information Management
    Implement a nondiscrimination principle. CC ID 00081 Privacy protection for information and data Data and Information Management
    Include the collection and use of personal data in the nondiscrimination principle. CC ID 11799 Privacy protection for information and data Data and Information Management
    Preserve each individual's right to human dignity. CC ID 00082 Privacy protection for information and data Data and Information Management
    Manage Personal Identification Numbers and PIN verification code numbers. CC ID 00058 Privacy protection for information and data Data and Information Management
    Employ a random number generator to create authenticators. CC ID 13782 Privacy protection for information and data Technical Security
    Collect Personal Identification Numbers with the individual's consent. CC ID 00059 Privacy protection for information and data Data and Information Management
    Collect Personal Identification Numbers absent consent when the law mandates. CC ID 00061 Privacy protection for information and data Data and Information Management
    Collect Personal Identification Numbers absent consent for research purposes. CC ID 00065 Privacy protection for information and data Data and Information Management
    Collect Personal Identification Numbers absent consent to realize the rights or duties of the data subject or data controller. CC ID 04792 Privacy protection for information and data Data and Information Management
    Refrain from requiring a Personal Identification Number to purchase goods or services. CC ID 00069 Privacy protection for information and data Behavior
    Manage health data collection. CC ID 00050 Privacy protection for information and data Data and Information Management
    Collect Individually Identifiable Health Information to provide health care services. CC ID 00052 Privacy protection for information and data Data and Information Management
    Collect Individually Identifiable Health Information when the law dictates. CC ID 00053 Privacy protection for information and data Data and Information Management
    Collect Individually Identifiable Health Information for research. CC ID 00054 Privacy protection for information and data Data and Information Management
    Remove personal data before disclosing health data. CC ID 00055 Privacy protection for information and data Data and Information Management
    Give special attention to collecting children's data. CC ID 00038 Privacy protection for information and data Data and Information Management
    Use simple understandable language to collect information from children. CC ID 00039 Privacy protection for information and data Behavior
    Notify parents or legal representatives of what information is collected from children. CC ID 00040 Privacy protection for information and data Establish/Maintain Documentation
    Obtain consent from a parent or legal representative before collecting information from children. CC ID 00041 Privacy protection for information and data Data and Information Management
    Waive verifiable consent from a parent or legal representative for collecting information from children in order to collect online contact information for a one-time only response to a specific request. CC ID 00043 Privacy protection for information and data Data and Information Management
    Waive verifiable consent from a parent or legal representative for collecting information from children in order to request the parent or legal representative's information to obtain consent. CC ID 00044 Privacy protection for information and data Data and Information Management
    Waive verifiable consent from a parent or legal representative for collecting information from children in order to respond to additional requests which do not go beyond the scope of the request. CC ID 00045 Privacy protection for information and data Data and Information Management
    Waive verifiable consent from a parent or legal representative for collecting information from children in order to protect the child's safety. CC ID 00046 Privacy protection for information and data Data and Information Management
    Waive verifiable consent from a parent or legal representative for collecting information from children in order to take liability precautions. CC ID 00047 Privacy protection for information and data Data and Information Management
    Waive verifiable consent from a parent or legal representative for collecting information from children in order to respond to a judicial process. CC ID 00048 Privacy protection for information and data Data and Information Management
    Waive verifiable consent from a parent or legal representative for collecting information from children in order to respond to a request for law enforcement purposes. CC ID 00049 Privacy protection for information and data Data and Information Management
    Waive verifiable consent from a parent or legal representative for collecting information from children in order to protect the website's security or integrity or the online service's security or integrity. CC ID 06199 Privacy protection for information and data Data and Information Management
    Establish, implement, and maintain a personal data collection policy. CC ID 00029 Privacy protection for information and data Establish/Maintain Documentation
    Collect personal data directly from the data subject. CC ID 00011 Privacy protection for information and data Data and Information Management
    Create and manage user account aliases to maintain pseudonymity. CC ID 04549 Privacy protection for information and data Data and Information Management
    Provide unlinkability for users and resources. CC ID 04550 Privacy protection for information and data Data and Information Management
    Provide unobservability of users and resources. CC ID 04551 Privacy protection for information and data Technical Security
    Collect restricted data in a fair and lawful manner. CC ID 00010 Privacy protection for information and data Data and Information Management
    Collect restricted data absent consent for specific and well-documented circumstances. CC ID 00013 Privacy protection for information and data Data and Information Management
    Collect restricted data absent consent when the data collection is in the individual's interests and consent can not be obtained in a timely manner. CC ID 00014 Privacy protection for information and data Data and Information Management
    Collect restricted data absent consent when consent compromises data accuracy. CC ID 00015 Privacy protection for information and data Data and Information Management
    Collect personal data absent consent in order to make a disclosure. CC ID 13550 Privacy protection for information and data Data and Information Management
    Collect personal data absent consent for reasonable investigative purposes. CC ID 11801 Privacy protection for information and data Data and Information Management
    Collect personal data absent consent if the collection is consistent with the intended purpose. CC ID 13548 Privacy protection for information and data Data and Information Management
    Collect personal data absent consent when the personal data was produced by the data subject in the course of employment, business, or profession. CC ID 13544 Privacy protection for information and data Data and Information Management
    Collect personal data absent consent for handling insurance claims. CC ID 13543 Privacy protection for information and data Data and Information Management
    Collect personal data absent consent when the data subject has authorized the collection through another individual. CC ID 00016 Privacy protection for information and data Data and Information Management
    Collect personal data absent consent if the disclosure is to the next of kin or authorized representative. CC ID 15295 Privacy protection for information and data Data and Information Management
    Collect personal data absent consent in order to establish, manage, or terminate employment contracts. CC ID 13614 Privacy protection for information and data Data and Information Management
    Collect personal data absent consent in order to protect the data subject's vital interests. CC ID 15277 Privacy protection for information and data Data and Information Management
    Collect personal data for public interests absent consent in order to protect historical records or archival records. CC ID 15289 Privacy protection for information and data Data and Information Management
    Collect personal data absent consent to administer a trust fund or benefit plan. CC ID 15292 Privacy protection for information and data Data and Information Management
    Collect restricted data absent consent for journalistic purposes, artistic purposes, or literary purposes. CC ID 00017 Privacy protection for information and data Data and Information Management
    Collect personal data absent consent in order to collect a debt owed by the data subject. CC ID 15293 Privacy protection for information and data Data and Information Management
    Collect personal data absent consent for statistical purposes or research purposes and the data subject is not identified. CC ID 00018 Privacy protection for information and data Data and Information Management
    Collect restricted data absent consent from publicly available information. CC ID 00019 Privacy protection for information and data Data and Information Management
    Collect restricted data absent consent when needed by law. CC ID 00020 Privacy protection for information and data Data and Information Management
    Collect personal data absent consent to create a credit report. CC ID 15287 Privacy protection for information and data Data and Information Management
    Collect restricted data absent consent when no potential harm can come to the data subject. CC ID 00021 Privacy protection for information and data Data and Information Management
    Collect personal data absent consent when collecting personal data from the data subject is impossible or the data collection involves a disproportionate effort. CC ID 00022 Privacy protection for information and data Data and Information Management
    Collect the minimum amount of restricted data necessary. CC ID 00078 Privacy protection for information and data Data and Information Management
    Collect restricted data in a proper information framework. CC ID 00009 Privacy protection for information and data Data and Information Management
    Collect and record restricted data for specific, explicit, and legitimate purposes. CC ID 00027 Privacy protection for information and data Data and Information Management
    Collect restricted data when required by law. CC ID 00031 Privacy protection for information and data Data and Information Management
    Collect restricted data to prevent life-threatening emergencies. CC ID 00032 Privacy protection for information and data Data and Information Management
    Collect restricted data relating solely to nonprofit organization members or individuals who are in regular contact during the nonprofit organization's activities. CC ID 00034 Privacy protection for information and data Data and Information Management
    Collect restricted data for legal purposes. CC ID 00036 Privacy protection for information and data Data and Information Management
    Provide the data subject with information about the data controller during the collection process. CC ID 00023 Privacy protection for information and data Establish/Maintain Documentation
    Disseminate and communicate the data collector's name and contact information to all interested personnel. CC ID 13760 Privacy protection for information and data Communicate
    Provide the data subject with the data collector's name and contact information. CC ID 00024 Privacy protection for information and data Establish/Maintain Documentation
    Provide the data subject with the name of the data collector who will hold the collected restricted data. CC ID 00025 Privacy protection for information and data Establish/Maintain Documentation
    Provide the data subject with the third party processor's contact information when the data controller is not processing the restricted data. CC ID 00026 Privacy protection for information and data Establish/Maintain Documentation
    Establish, implement, and maintain a data handling program. CC ID 13427 Privacy protection for information and data Establish/Maintain Documentation
    Establish, implement, and maintain data handling policies. CC ID 00353 Privacy protection for information and data Establish/Maintain Documentation
    Establish, implement, and maintain data and information confidentiality policies. CC ID 00361
    [{be within}To demonstrate accountability, the governing body should ensure that the organization's reports and disclosures: are transparent but also within the limits of confidentiality; § 6.5.3.2 ¶ 1 f)]
    Privacy protection for information and data Establish/Maintain Documentation
    Prohibit personal data from being sent by e-mail or instant messaging. CC ID 00565 Privacy protection for information and data Data and Information Management
    Protect electronic messaging information. CC ID 12022 Privacy protection for information and data Technical Security
    Establish, implement, and maintain record structures to support information confidentiality. CC ID 00360 Privacy protection for information and data Data and Information Management
    Include passwords, Personal Identification Numbers, and card security codes in the personal data definition. CC ID 04699 Privacy protection for information and data Configuration
    Store payment card data in secure chips, if possible. CC ID 13065 Privacy protection for information and data Configuration
    Refrain from storing data elements containing sensitive authentication data after authorization is approved. CC ID 04758 Privacy protection for information and data Configuration
    Render unrecoverable sensitive authentication data after authorization is approved. CC ID 11952 Privacy protection for information and data Technical Security
    Automate the disposition process for records that contain "do not store" data or "delete after transaction process" data. CC ID 06083 Privacy protection for information and data Data and Information Management
    Log the disclosure of personal data. CC ID 06628 Privacy protection for information and data Log Management
    Log the modification of personal data. CC ID 11844 Privacy protection for information and data Log Management
    Encrypt, truncate, or tokenize data fields, as necessary. CC ID 06850 Privacy protection for information and data Technical Security
    Implement security measures to protect personal data. CC ID 13606 Privacy protection for information and data Technical Security
    Implement physical controls to protect personal data. CC ID 00355 Privacy protection for information and data Testing
    Limit data leakage. CC ID 00356 Privacy protection for information and data Data and Information Management
    Identify potential red flags to alert the organization before a data leakage has occurred. CC ID 04654 Privacy protection for information and data Monitor and Evaluate Occurrences
    Establish, implement, and maintain Consumer Reporting Agency notification procedures. CC ID 04851 Privacy protection for information and data Business Processes
    Acquire enough insurance to cover the liability for damages due to data leakage. CC ID 06408 Privacy protection for information and data Acquisition/Sale of Assets or Services
    Alert appropriate personnel when data leakage is detected. CC ID 14715 Privacy protection for information and data Process or Activity
    Disseminate and communicate the data handling policy to all interested personnel and affected parties. CC ID 15465
    [The recognition that data can be a strategic asset (or liability) means that the governing body should: communicate the nature and extent of the organization's use of data as a demonstration of accountability for this resource. § 6.8.3.3 ¶ 1 e)]
    Privacy protection for information and data Communicate
    Establish, implement, and maintain data handling procedures. CC ID 11756 Privacy protection for information and data Establish/Maintain Documentation
    Disseminate and communicate the data handling procedures to all interested personnel and affected parties. CC ID 15466
    [The governing body should ensure that the organization identifies, manages, monitors and communicates the nature and extent of its use of data (see 6.5.3). § 6.8.3.1 ¶ 1]
    Privacy protection for information and data Communicate
    Establish, implement, and maintain a supply chain management program. CC ID 11742 Third Party and supply chain oversight Establish/Maintain Documentation
    Document the organization's supply chain in the supply chain management program. CC ID 09958 Third Party and supply chain oversight Establish/Maintain Documentation