Authority Document - Unified Compliance

International > International Organization for Standardization

ISO 27001:2013, Information Technology - Security Techniques - Information Security Management Systems - Requirements, 2013

AD ID

0001367

AD STATUS

ISO 27001:2013, Information Technology - Security Techniques - Information Security Management Systems - Requirements, 2013

ORIGINATOR

International Organization for Standardization

TYPE

International or National Standard

AVAILABILITY

For Purchase

SYNONYMS

ISO 27001-2013

ISO 27001:2013, Information Technology - Security Techniques - Information Security Management Systems - Requirements

EFFECTIVE

2013-10-01

ADDED

The document as a whole was last reviewed and released on 2021-11-30T00:00:00-0800.

URL

Click here

AD ID

0001367

AD STATUS

For Purchase

ORIGINATOR

International Organization for Standardization

TYPE

International or National Standard

AVAILABILITY

SYNONYMS

ISO 27001-2013

ISO 27001:2013, Information Technology - Security Techniques - Information Security Management Systems - Requirements

EFFECTIVE

2013-10-01

ADDED

The document as a whole was last reviewed and released on 2021-11-30T00:00:00-0800.

URL

Click here

Important Notice

This Authority Document In Depth Report is copyrighted - © 2023 - Network Frontiers LLC. All rights reserved. Copyright in the Authority Document analyzed herein is held by its authors. Network Frontiers makes no claims of copyright in this Authority Document.

This Authority Document In Depth Report is provided for informational purposes only and does not constitute, and should not be construed as, legal advice. The reader is encouraged to consult with an attorney experienced in these areas for further explanation and advice.

This Authority Document In Depth Report provides analysis and guidance for use and implementation of the Authority Document but it is not a substitute for the original authority document itself. Readers should refer to the original authority document as the definitive resource on obligations and compliance requirements.

The process we used to tag and map this document

This document has been mapped into the Unified Compliance Framework using a patented methodology and patented tools (you can research our patents HERE). The mapping team has taken every effort to ensure the quality of mapping is of the highest degree. To learn more about the process we use to map Authority Documents, or to become involved in that process, click HERE.

Controls and asociated Citations breakdown

When the UCF Mapping Teams tag Citations and their associated mandates within an Authority Document, those Citations and Mandates are tied to Common Controls. In addition, and by virtue of those Citations and mandates being tied to Common Controls, there are three sets of meta data that are associated with each Citation; Controls by Impact Zone, Controls by Type, and Controls by Classification.

The online version of the mapping analysis you see here is just a fraction of the work the UCF Mapping Team has done. The downloadable version of this document, available within the Common Controls Hub (available HERE) contains the following:

Document implementation analysis – statistics about the document’s alignment with Common Controls as compared to other Authority Documents and statistics on usage of key terms and non-standard terms.

Citation and Mandate Tagging and Mapping – A complete listing of each and every Citation we found within ISO 27001:2013, Information Technology - Security Techniques - Information Security Management Systems - Requirements, 2013 that have been tagged with their primary and secondary nouns and primary and secondary verbs in three column format. The first column shows the Citation (the marker within the Authority Document that points to where we found the guidance). The second column shows the Citation guidance per se, along with the tagging for the mandate we found within the Citation. The third column shows the Common Control ID that the mandate is linked to, and the final column gives us the Common Control itself.

Dictionary Terms – The dictionary terms listed for ISO 27001:2013, Information Technology - Security Techniques - Information Security Management Systems - Requirements, 2013 are based upon terms either found within the Authority Document’s defined terms section(which most legal documents have), its glossary, and for the most part, as tagged within each mandate. The terms with links are terms that are the standardized version of the term.

Common Controls and
mandates by Impact Zone 259 Mandated Controls - bold
140 Implied Controls - italic 3578 Implementation

Number of Controls

3977 Total

Acquisition or sale of facilities, technology, and services

Mandated - bold Implied - italic Implementation - regular	TYPE	CLASS
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term
Acquisition or sale of facilities, technology, and services CC ID 01123	IT Impact Zone	IT Impact Zone
Establish, implement, and maintain payment and settlement functions for selling products and services. CC ID 13538	Business Processes	Preventive
Establish, implement, and maintain an electronic commerce program. CC ID 08617	Business Processes	Preventive
Establish, implement, and maintain payment transaction security measures. CC ID 13088	Technical Security	Preventive
Protect the integrity of application service transactions. CC ID 12017 [Information involved in application service transactions shall be protected to prevent incomplete transmission, mis-routing, unauthorized message alteration, unauthorized disclosure, unauthorized message duplication or replay. A.14.1.3 Control]	Business Processes	Preventive
Acquire products or services. CC ID 11450	Acquisition/Sale of Assets or Services	Preventive
Discourage the modification of vendor-supplied software. CC ID 12016 [Modifications to software packages shall be discouraged, limited to necessary changes and all changes shall be strictly controlled. A.14.2.4 Control]	Process or Activity	Preventive

Audits and risk management

488

Mandated - bold Implied - italic Implementation - regular	TYPE	CLASS
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term
Audits and risk management CC ID 00677	IT Impact Zone	IT Impact Zone
Define the roles and responsibilities for personnel assigned to tasks in the Audit function. CC ID 00678 [The organization shall: plan, establish, implement and maintain an audit programme(s), including the frequency, methods, responsibilities, planning requirements and reporting. The audit programme(s) shall take into consideration the importance of the processes concerned and the results of previous audits; § 9.2 ¶ 2 c)]	Establish Roles	Preventive
Manage supply chain audits. CC ID 01203	Audits and Risk Management	Preventive
Review the external auditors involvement in assessing Information Technology controls. CC ID 01204	Audits and Risk Management	Preventive
Rotate auditors, as necessary. CC ID 15589	Audits and Risk Management	Preventive
Assign the roles and responsibilities for the Board of Directors and senior management in the Audit function. CC ID 00679	Establish Roles	Preventive
Assign the Board of Directors to address audit findings. CC ID 12396	Human Resources Management	Corrective
Assign the internal audit staff to be independent from business units reporting to the Board of Directors. CC ID 01184	Establish Roles	Preventive
Define and assign the internal audit manager's roles and responsibilities. CC ID 00680	Establish Roles	Preventive
Report audit findings by the internal audit manager directly to senior management. CC ID 01152 [The organization shall: ensure that the results of the audits are reported to relevant management; and § 9.2 ¶ 2 f)]	Testing	Detective
Assign the internal audit manager's compensation and performance review to the Board of Directors or audit committee. CC ID 01186	Establish Roles	Preventive
Define and assign the internal audit staff's roles and responsibilities. CC ID 00681	Establish Roles	Preventive
Assign the responsibility for operating an internal control system to the internal audit staff. CC ID 01187	Establish Roles	Preventive
Define and assign the external auditor's roles and responsibilities. CC ID 00683	Establish Roles	Preventive
Engage auditors who have adequate knowledge of the subject matter. CC ID 07102	Audits and Risk Management	Preventive
Retain copies of external auditor outsourcing contracts and engagement letters. CC ID 01188	Establish/Maintain Documentation	Preventive
Review external auditor outsourcing contracts and engagement letters. CC ID 01189	Establish/Maintain Documentation	Preventive
Include a change control clause in external auditor outsourcing contracts. CC ID 01192	Establish/Maintain Documentation	Preventive
Include procedures for resolving problems in external auditor outsourcing contracts. CC ID 01196	Establish/Maintain Documentation	Preventive
Include procedures for controlling the use of restricted information in external auditor outsourcing contracts. CC ID 01194	Establish/Maintain Documentation	Preventive
Include reports and work paper Records Management practices in external auditor outsourcing contracts. CC ID 01195	Establish/Maintain Documentation	Preventive
Include communication protocols in external auditor outsourcing contracts. CC ID 01201	Establish/Maintain Documentation	Preventive
Review the external audit scope, as necessary. CC ID 01202	Audits and Risk Management	Preventive
Review the external audit assertion for accuracy. CC ID 06977	Testing	Detective
Review the risk assessments as compared to the in scope controls. CC ID 06978 [The organization shall define and apply an information security risk assessment process that: evaluates the information security risks: compare the results of risk analysis with the risk criteria established in 6.1.2 a); and § 6.1.2 ¶ 1 e) 1) The organization shall define and apply an information security risk assessment process that: ensures that repeated information security risk assessments produce consistent, valid and comparable results; § 6.1.2 ¶ 1 b)]	Testing	Detective
Include nondisclosure agreements in external auditor outsourcing contracts. CC ID 10014	Audits and Risk Management	Detective
Include the scope and work to be performed in external auditor outsourcing contracts. CC ID 01190	Establish/Maintain Documentation	Preventive
Include work status reporting requirements in the external auditor outsourcing contracts. CC ID 01191	Establish/Maintain Documentation	Preventive
Include access to work papers in external auditor outsourcing contracts. CC ID 01193	Establish/Maintain Documentation	Preventive
Review the external auditor's qualifications. CC ID 01197	Audits and Risk Management	Preventive
Conduct a performance review of the external auditor's performance during the audit process. CC ID 01198	Audits and Risk Management	Preventive
Review the adequacy of the external auditor's work papers and audit reports. CC ID 01199 [The management review shall include consideration of: changes in external and internal issues that are relevant to the information security management system; § 9.3 ¶ 2 b)]	Establish/Maintain Documentation	Preventive
Review the conclusions of the external auditor's work papers and audit reports. CC ID 01200	Establish/Maintain Documentation	Preventive
Question external auditors about how audits were conducted and what is in the audit reports. CC ID 04587	Behavior	Preventive
Disseminate and communicate with the organization about any missing audit documentation. CC ID 06992	Behavior	Preventive
Evaluate any refusal by the organization to provide missing audit documentation. CC ID 06993	Establish/Maintain Documentation	Preventive
Take appropriate action if missing audit documentation compromises the audit. CC ID 06994	Establish/Maintain Documentation	Preventive
Establish, implement, and maintain an audit program. CC ID 00684 [The organization shall: plan, establish, implement and maintain an audit programme(s), including the frequency, methods, responsibilities, planning requirements and reporting. The audit programme(s) shall take into consideration the importance of the processes concerned and the results of previous audits; § 9.2 ¶ 2 c)]	Establish/Maintain Documentation	Preventive
Establish, implement, and maintain audit policies. CC ID 13166	Establish/Maintain Documentation	Preventive
Assign the audit to impartial auditors. CC ID 07118 [The organization shall: select auditors and conduct audits that ensure objectivity and the impartiality of the audit process; § 9.2 ¶ 2 e)]	Establish Roles	Preventive
Exercise due professional care during the planning and performance of the audit. CC ID 07119 [{audit activities} Audit requirements and activities involving verification of operational systems shall be carefully planned and agreed to minimise disruptions to business processes. A.12.7.1 Control]	Behavior	Preventive
Include resource requirements in the audit program. CC ID 15237	Establish/Maintain Documentation	Preventive
Include risks and opportunities in the audit program. CC ID 15236	Establish/Maintain Documentation	Preventive
Include provisions for legislative plurality and legislative domain in the audit program. CC ID 06959	Audits and Risk Management	Preventive
Establish and maintain audit terms. CC ID 13880	Establish/Maintain Documentation	Preventive
Refrain from approving changes to the audit terms absent reasonable justification. CC ID 13973	Process or Activity	Preventive
Include a statement about the inherent limitations of the audit in the audit terms. CC ID 13883	Establish/Maintain Documentation	Preventive
Include a statement that the audit will be conducted in accordance with attestation standards in the audit terms. CC ID 13882	Establish/Maintain Documentation	Preventive
Establish, implement, and maintain agreed upon procedures that are in scope for the audit. CC ID 13893	Establish/Maintain Documentation	Preventive
Establish, implement, and maintain an in scope system description. CC ID 14873	Establish/Maintain Documentation	Preventive
Include compliance requirements in the audit assertion's in scope system description. CC ID 16506	Audits and Risk Management	Preventive
Include third party services in the audit assertion's in scope system description. CC ID 16503	Establish/Maintain Documentation	Preventive
Include monitoring controls in the audit assertion's in scope system description. CC ID 16501	Establish/Maintain Documentation	Preventive
Include availability commitments in the audit assertion's in scope system description. CC ID 14914	Establish/Maintain Documentation	Preventive
Include changes in the audit assertion's in scope system description. CC ID 14894	Establish/Maintain Documentation	Preventive
Include external communications in the audit assertion's in scope system description. CC ID 14913	Establish/Maintain Documentation	Preventive
Include a section regarding incidents related to the system in the audit assertion’s in scope system description. CC ID 14878	Establish/Maintain Documentation	Preventive
Include the function performed by the in scope system in the audit assertion's in scope system description. CC ID 14911	Establish/Maintain Documentation	Preventive
Include the disposition of the incident in the audit assertion's in scope system description. CC ID 14896	Establish/Maintain Documentation	Preventive
Include the extent of the incident in the audit assertion's in scope system description. CC ID 14895	Establish/Maintain Documentation	Preventive
Include the timing of each incident in the audit assertion's in scope system description. CC ID 14891	Establish/Maintain Documentation	Preventive
Include the nature of each incident in the audit assertion's in scope system description. CC ID 14889	Establish/Maintain Documentation	Preventive
Include a section regarding in scope controls related to the system in the audit assertion's in scope system description. CC ID 14897	Establish/Maintain Documentation	Preventive
Include how the in scope system meets external requirements in the audit assertion's in scope system description. CC ID 16502	Establish/Maintain Documentation	Preventive
Include the timing of each control in the audit assertion's in scope system description. CC ID 14916	Establish/Maintain Documentation	Preventive
Include the nature of the control in the audit assertion's in scope system description. CC ID 14910	Establish/Maintain Documentation	Preventive
Include the information sources used in performing the control in the audit assertion's in scope system description. CC ID 14909	Establish/Maintain Documentation	Preventive
Include the responsible party for performing the control in the audit assertion's in scope system description. CC ID 14907	Establish/Maintain Documentation	Preventive
Include the subject matter to which the control is applied in the audit assertion's in scope system description. CC ID 14904	Establish/Maintain Documentation	Preventive
Refrain from omitting or distorting information in the audit assertion's in scope system description. CC ID 14893	Establish/Maintain Documentation	Preventive
Include the timing of each change in the audit assertion's in scope system description. CC ID 14892	Establish/Maintain Documentation	Preventive
Include the system boundaries in the audit assertion's in scope system description. CC ID 14887	Establish/Maintain Documentation	Preventive
Determine the presentation method of the audit assertion's in scope system description. CC ID 14885	Establish/Maintain Documentation	Detective
Include the time frame covered by the description in the audit assertion's in scope system description. CC ID 14884	Establish/Maintain Documentation	Preventive
Include commitments to third parties in the audit assertion. CC ID 14899	Establish/Maintain Documentation	Preventive
Determine the completeness of the audit assertion's in scope system description. CC ID 14883	Establish/Maintain Documentation	Preventive
Determine the appropriateness of the audit assertion's in scope system description. CC ID 16449	Audits and Risk Management	Detective
Include system requirements in the audit assertion's in scope system description. CC ID 14881	Establish/Maintain Documentation	Preventive
Include third party controls in the audit assertion's in scope system description. CC ID 14880	Establish/Maintain Documentation	Preventive
Hold an opening meeting with interested personnel and affected parties prior to an audit. CC ID 15256	Audits and Risk Management	Preventive
Identify personnel who should attend the closing meeting. CC ID 15261	Business Processes	Preventive
Confirm audit requirements during the opening meeting. CC ID 15255	Audits and Risk Management	Detective
Include discussions about how particular situations will be handled in the opening meeting. CC ID 15254	Audits and Risk Management	Preventive
Include agreement to the audit scope and audit terms in the audit program. CC ID 06965 [{audit activities} Audit requirements and activities involving verification of operational systems shall be carefully planned and agreed to minimise disruptions to business processes. A.12.7.1 Control]	Establish/Maintain Documentation	Preventive
Establish and maintain a bespoke audit scope for each audit being performed. CC ID 13077 [The organization shall: plan, establish, implement and maintain an audit programme(s), including the frequency, methods, responsibilities, planning requirements and reporting. The audit programme(s) shall take into consideration the importance of the processes concerned and the results of previous audits; § 9.2 ¶ 2 c)]	Establish/Maintain Documentation	Preventive
Include third party assets in the audit scope. CC ID 16504	Audits and Risk Management	Preventive
Include audit subject matter in the audit program. CC ID 07103	Establish/Maintain Documentation	Preventive
Examine the objectivity of the audit criteria in the audit program. CC ID 07104	Establish/Maintain Documentation	Preventive
Examine the measurability of the audit criteria in the audit program. CC ID 07105	Establish/Maintain Documentation	Preventive
Examine the completeness of the audit criteria in the audit program. CC ID 07106	Establish/Maintain Documentation	Preventive
Examine the relevance of the audit criteria in the audit program. CC ID 07107	Establish/Maintain Documentation	Preventive
Determine the appropriateness of the audit subject matter. CC ID 16505	Audits and Risk Management	Preventive
Disseminate and communicate the audit program with the audit subject matter and audit criteria to all interested personnel and affected parties. CC ID 07116	Establish/Maintain Documentation	Preventive
Include the in scope material or in scope products in the audit program. CC ID 08961	Audits and Risk Management	Preventive
Include in scope information in the audit program. CC ID 16198	Establish/Maintain Documentation	Preventive
Include the out of scope material or out of scope products in the audit program. CC ID 08962	Establish/Maintain Documentation	Preventive
Provide a representation letter in support of the audit assertion. CC ID 07158	Establish/Maintain Documentation	Preventive
Include a statement that management has evaluated compliance with external requirements in the representation letter. CC ID 13942	Establish/Maintain Documentation	Preventive
Include a statement that the assumptions used for estimates are reasonable in the representation letter. CC ID 13934	Establish/Maintain Documentation	Preventive
Include a statement that uncorrected misstatements are believed to be immaterial in the representation letter. CC ID 13884	Establish/Maintain Documentation	Preventive
Include a statement of responsibility for the subject matter in the representation letter. CC ID 07159	Establish/Maintain Documentation	Preventive
Include a statement of responsibility for selecting the audit criteria in the representation letter. CC ID 07160	Establish/Maintain Documentation	Preventive
Include a statement of responsibility regarding the appropriateness of the audit criteria in the representation letter. CC ID 07161	Establish/Maintain Documentation	Preventive
Include an assertion about the subject matter based on the selected audit criteria in the representation letter. CC ID 07162	Establish/Maintain Documentation	Preventive
Include a statement that all known matters contradicting the audit assertion have been disclosed to the auditor in the representation letter. CC ID 07163	Establish/Maintain Documentation	Preventive
Include the availability of all in scope records relevant to the subject matter in the representation letter. CC ID 07164	Establish/Maintain Documentation	Preventive
Include a statement that any known subsequent events have been disclosed to the auditor in the representation letter. CC ID 07165	Establish/Maintain Documentation	Preventive
Include a statement that deficiencies in internal controls have been disclosed to the auditor in the representation letter. CC ID 13899	Establish/Maintain Documentation	Preventive
Establish and maintain audit assertions, as necessary. CC ID 14871	Establish/Maintain Documentation	Detective
Include an in scope system description in the audit assertion. CC ID 14872	Establish/Maintain Documentation	Preventive
Include any assumptions that are improbable in the audit assertion. CC ID 13950	Establish/Maintain Documentation	Preventive
Include how the audit scope matches in scope controls in the audit assertion. CC ID 06969	Establish/Maintain Documentation	Preventive
Include why specific criteria are ignored by in scope controls in the audit assertion. CC ID 07027	Establish/Maintain Documentation	Preventive
Include how the in scope system is designed and implemented in the audit assertion. CC ID 06970	Establish/Maintain Documentation	Preventive
Include the responsible party's opinion of the quality of the evidence in the audit assertion. CC ID 13949	Establish/Maintain Documentation	Preventive
Include the end users and affected parties of the in scope system in the audit assertion. CC ID 07028	Establish/Maintain Documentation	Preventive
Include the in scope services offered or in scope transactions processed in the audit assertion. CC ID 06971	Establish/Maintain Documentation	Preventive
Include the in scope procedures in the audit assertion. CC ID 06972	Establish/Maintain Documentation	Preventive
Include the in scope records produced in the audit assertion. CC ID 06968	Establish/Maintain Documentation	Preventive
Include how in scope material events are monitored and logged in the audit assertion. CC ID 06973	Establish/Maintain Documentation	Preventive
Include any in scope material events that might affect the assertion in the audit assertion. CC ID 06991	Establish/Maintain Documentation	Preventive
Include the in scope controls and compliance documents in the audit assertion. CC ID 06974	Establish/Maintain Documentation	Preventive
Include the in scope risk assessment processes in the audit assertion. CC ID 06975	Establish/Maintain Documentation	Preventive
Include in scope change controls in the audit assertion. CC ID 06976	Establish/Maintain Documentation	Preventive
Include any in scope uncorrected errors or non-compliance issues in the audit assertion. CC ID 06989	Establish/Maintain Documentation	Preventive
Disseminate and communicate a written audit assertion of the audit scope and audit terms to interested personnel and affected parties. CC ID 06967	Establish/Maintain Documentation	Preventive
Include the scope for the desired level of assurance in the audit program. CC ID 12793 [The organization shall: define the audit criteria and scope for each audit; § 9.2 ¶ 2 d)]	Communicate	Preventive
Include conditions that might require modification of the audit program in the audit terms. CC ID 07149	Establish/Maintain Documentation	Preventive
Include how access to in scope systems, personnel and in scope records are provided to the auditor in the audit terms. CC ID 06988	Establish/Maintain Documentation	Preventive
Include the criteria for determining the desired level of assurance in the audit program. CC ID 12795 [The organization shall: define the audit criteria and scope for each audit; § 9.2 ¶ 2 d)]	Audits and Risk Management	Preventive
Establish, implement, and maintain procedures for determining the desired level of assurance in the audit program. CC ID 12794 [The organization shall: plan, establish, implement and maintain an audit programme(s), including the frequency, methods, responsibilities, planning requirements and reporting. The audit programme(s) shall take into consideration the importance of the processes concerned and the results of previous audits; § 9.2 ¶ 2 c)]	Establish/Maintain Documentation	Preventive
Include the expectations for the audit report in the audit terms. CC ID 07148	Establish/Maintain Documentation	Preventive
Establish and maintain a practitioner’s report on management’s assertions, as necessary. CC ID 13888	Establish/Maintain Documentation	Preventive
Refrain from changing the date of the practitioner's report on agreed-upon procedures when reissuing it. CC ID 13896	Establish/Maintain Documentation	Corrective
Hold a closing meeting following an audit to present audit findings and conclusions. CC ID 15248	Communicate	Preventive
Include materiality levels in the audit terms. CC ID 01238	Establish/Maintain Documentation	Preventive
Include material changes in information processes, Information Systems, and assets that could affect audits in the audit terms. CC ID 01239	Establish/Maintain Documentation	Preventive
Include material weaknesses, material failures, and material errors in information processes, Information Systems, and assets that could affect audits in the audit terms. CC ID 01240	Establish/Maintain Documentation	Preventive
Schedule attestation engagement meetings with interested personnel and affected parties, as necessary. CC ID 15263	Business Processes	Preventive
Refrain from performing an attestation engagement under defined conditions. CC ID 13952	Audits and Risk Management	Detective
Refrain from accepting an attestation engagement when the engaging party refuses to sign the engagement letter. CC ID 14912	Business Processes	Preventive
Refrain from accepting an attestation engagement unless the prospective financial information includes a summary of significant assumptions. CC ID 13954	Behavior	Preventive
Refrain from accepting an attestation engagement when all parties disagree on the procedures. CC ID 13951	Audits and Risk Management	Preventive
Accept the attestation engagement when all preconditions are met. CC ID 13933	Business Processes	Preventive
Audit in scope audit items and compliance documents. CC ID 06730 [The organization shall: select auditors and conduct audits that ensure objectivity and the impartiality of the audit process; § 9.2 ¶ 2 e)]	Audits and Risk Management	Preventive
Conduct onsite inspections, as necessary. CC ID 16199	Testing	Preventive
Identify hypothetical assumptions in forecasts and projections during an audit. CC ID 13946	Audits and Risk Management	Detective
Refrain from examining forecasts and projections which refrain from disclosing assumptions during an audit. CC ID 13932	Audits and Risk Management	Detective
Audit policies, standards, and procedures. CC ID 12927 [The organization shall conduct internal audits at planned intervals to provide information on whether the information security management system: is effectively implemented and maintained. § 9.2 ¶ 1 b)]	Audits and Risk Management	Preventive
Audit cybersecurity risk management within the policies, standards, and procedures of the organization. CC ID 13011	Investigate	Detective
Audit information systems, as necessary. CC ID 13010	Investigate	Detective
Audit the potential costs of compromise to information systems. CC ID 13012	Investigate	Detective
Determine the accurateness of the audit assertion's in scope system description. CC ID 06979	Testing	Detective
Determine if the in scope system has been implemented as described in the audit assertion. CC ID 06983	Testing	Detective
Determine the effect of fraud and non-compliance on the description of the system in the audit assertion, as necessary. CC ID 13977	Process or Activity	Detective
Edit the audit assertion for accuracy. CC ID 07030	Establish/Maintain Documentation	Preventive
Determine if the audit assertion's in scope procedures are accurately documented. CC ID 06982	Establish/Maintain Documentation	Preventive
Determine if the audit assertion's in scope controls are reasonable. CC ID 06980	Testing	Detective
Determine the effect of fraud and non-compliance on the achievement of in scope controls in the audit assertion, as necessary. CC ID 13978	Process or Activity	Detective
Document test plans for auditing in scope controls. CC ID 06985	Testing	Detective
Determine the implementation status of the audit assertion's in scope controls. CC ID 06981	Testing	Detective
Determine the effectiveness of in scope controls. CC ID 06984	Testing	Detective
Review incident management audit logs to determine the effectiveness of in scope controls. CC ID 12157	Audits and Risk Management	Detective
Review audit reports to determine the effectiveness of in scope controls. CC ID 12156	Audits and Risk Management	Detective
Observe processes to determine the effectiveness of in scope controls. CC ID 12155 [{actions to address risks and opportunities} When planning for the information security management system, the organization shall consider the issues referred to in 4.1 and the requirements referred to in 4.2 and determine the risks and opportunities that need to be addressed to: how to evaluate the effectiveness of these actions. § 6.1.1 ¶ 2 e) 2)]	Audits and Risk Management	Detective
Interview stakeholders to determine the effectiveness of in scope controls. CC ID 12154	Audits and Risk Management	Detective
Review policies and procedures to determine the effectiveness of in scope controls. CC ID 12144	Audits and Risk Management	Detective
Determine any errors or material omissions in the audit assertion that affect in scope control implementations. CC ID 06990	Testing	Detective
Include the process of using evidential matter to test in scope controls in the test plan. CC ID 06996	Establish/Maintain Documentation	Preventive
Audit the in scope system according to the test plan using relevant evidence. CC ID 07112 [The organization shall conduct internal audits at planned intervals to provide information on whether the information security management system: § 9.2 ¶ 1]	Testing	Preventive
Implement procedures that collect sufficient audit evidence. CC ID 07153	Audits and Risk Management	Preventive
Collect evidence about the in scope audit items of the audit assertion. CC ID 07154	Audits and Risk Management	Preventive
Collect audit evidence sufficient to avoid misstatements. CC ID 07155	Audits and Risk Management	Preventive
Collect audit evidence at the level of the organization's competence in the subject matter. CC ID 07156	Audits and Risk Management	Preventive
Collect audit evidence sufficient to overcome inadequacies in the organization's attestation. CC ID 07157	Audits and Risk Management	Preventive
Provide transactional walkthrough procedures for external auditors. CC ID 00672	Testing	Preventive
Establish, implement, and maintain interview procedures. CC ID 16282	Establish/Maintain Documentation	Preventive
Include roles and responsibilities in the interview procedures. CC ID 16297	Human Resources Management	Preventive
Coordinate the scheduling of interviews. CC ID 16293	Process or Activity	Preventive
Create a schedule for the interviews. CC ID 16292	Process or Activity	Preventive
Identify interviewees. CC ID 16290	Process or Activity	Preventive
Conduct interviews, as necessary. CC ID 07188	Testing	Detective
Verify statements made by interviewees are correct. CC ID 16299	Behavior	Detective
Discuss unsolved questions with the interviewee. CC ID 16298	Process or Activity	Detective
Allow interviewee to respond to explanations. CC ID 16296	Process or Activity	Detective
Explain the requirements being discussed to the interviewee. CC ID 16294	Process or Activity	Detective
Explain the goals of the interview to the interviewee. CC ID 07189	Behavior	Detective
Explain the testing results to the interviewee. CC ID 16291	Process or Activity	Preventive
Withdraw from the audit, when defined conditions exist. CC ID 13885	Process or Activity	Corrective
Establish and maintain work papers, as necessary. CC ID 13891	Establish/Maintain Documentation	Preventive
Include justification for departing from mandatory requirements in the work papers. CC ID 13935	Establish/Maintain Documentation	Preventive
Include the reviewer, and dates, for using evidential matter to test in scope controls in the work papers. CC ID 06998	Establish/Maintain Documentation	Preventive
Include the tests, examinations, interviews and observations performed during the audit in the work papers. CC ID 07190	Establish/Maintain Documentation	Preventive
Include if any subject matter experts or additional research had to be undertaken to test in scope controls in the work papers. CC ID 07026	Establish/Maintain Documentation	Preventive
Include the tester, and dates, for using evidential matter to test in scope controls in the work papers. CC ID 06997	Establish/Maintain Documentation	Preventive
Include if the audit evidence has identified in scope control deficiencies in the work papers. CC ID 07152	Audits and Risk Management	Detective
Include the causes of identified in scope control deficiencies in the work papers. CC ID 07000	Establish/Maintain Documentation	Preventive
Include discussions regarding the causes of identified in scope control deficiencies in the work papers. CC ID 06999	Establish/Maintain Documentation	Preventive
Investigate the nature and causes of identified in scope control deviations. CC ID 06986	Testing	Detective
Include if in scope control deviations allow in scope controls to be performed acceptably in the work papers. CC ID 06987	Testing	Detective
Supervise interested personnel and affected parties participating in the audit. CC ID 07150	Monitor and Evaluate Occurrences	Preventive
Notify interested personnel and affected parties participating in the audit of their roles and responsibilities during the audit. CC ID 07151	Establish Roles	Preventive
Respond to questions or clarification requests regarding the audit. CC ID 08902 [The management review shall include consideration of: feedback from interested parties; § 9.3 ¶ 2 d)]	Business Processes	Preventive
Track and measure the implementation of the organizational compliance framework. CC ID 06445	Monitor and Evaluate Occurrences	Preventive
Review the need for organizational efficiency as balanced against the needs of compliance and security. CC ID 07111	Business Processes	Preventive
Engage subject matter experts when the auditor requires additional expertise during an attestation engagement, as necessary. CC ID 13971	Process or Activity	Preventive
Establish, implement, and maintain a practitioner’s report on agreed-upon procedures. CC ID 13894	Establish/Maintain Documentation	Preventive
Provide auditors access to all in scope records, in scope assets, personnel and in scope procedures. CC ID 06966	Audits and Risk Management	Preventive
Permit assessment teams to conduct audits, as necessary. CC ID 16430	Investigate	Detective
Provide auditors access to affected parties during the audit, as necessary. CC ID 07187	Business Processes	Preventive
Solve any access problems auditors encounter during the audit. CC ID 08959	Audits and Risk Management	Corrective
Notify interested personnel and affected parties when an auditee refuses to provide access or participate in the audit. CC ID 08960	Audits and Risk Management	Preventive
Establish and maintain a practitioner's examination report on pro forma financial information. CC ID 13968	Establish/Maintain Documentation	Preventive
Include references to where financial information was derived in the practitioner's review report on pro forma financial information. CC ID 13982	Establish/Maintain Documentation	Preventive
Include a statement that the financial statements used were audited by other practitioners in the practitioner's examination report on pro forma financial information, as necessary. CC ID 13981	Establish/Maintain Documentation	Preventive
Establish and maintain organizational audit reports. CC ID 06731 [The organization shall: plan, establish, implement and maintain an audit programme(s), including the frequency, methods, responsibilities, planning requirements and reporting. The audit programme(s) shall take into consideration the importance of the processes concerned and the results of previous audits; § 9.2 ¶ 2 c) The organization shall: retain documented information as evidence of the audit programme(s) and the audit results. § 9.2 ¶ 2 g)]	Establish/Maintain Documentation	Preventive
Determine what disclosures are required in the audit report. CC ID 14888	Establish/Maintain Documentation	Detective
Include audit subject matter in the audit report. CC ID 14882	Establish/Maintain Documentation	Preventive
Include an other-matter paragraph in the audit report. CC ID 14901	Establish/Maintain Documentation	Preventive
Identify the audit team members in the audit report. CC ID 15259	Human Resources Management	Detective
Write the audit report using clear and conspicuous language. CC ID 13948	Establish/Maintain Documentation	Preventive
Include a statement that the sufficiency of the agreed upon procedures is the responsibility of the specified parties in the audit report. CC ID 13936	Establish/Maintain Documentation	Preventive
Include a statement that the financial statements were audited in the audit report. CC ID 13963	Establish/Maintain Documentation	Preventive
Include the criteria that financial information was measured against in the audit report. CC ID 13966	Establish/Maintain Documentation	Preventive
Include a description of the financial information being reported on in the audit report. CC ID 13965	Establish/Maintain Documentation	Preventive
Include references to any adjustments of financial information in the audit report. CC ID 13964	Establish/Maintain Documentation	Preventive
Include in the audit report that audit opinions are not dependent on references to subject matter experts, as necessary. CC ID 13953	Establish/Maintain Documentation	Preventive
Include references to historical financial information used in the audit report. CC ID 13961	Establish/Maintain Documentation	Preventive
Include a statement about the inherent limitations of the audit in the audit report. CC ID 14900	Establish/Maintain Documentation	Preventive
Include a description of the limitations on the usefulness of hypothetical assumptions in the audit report. CC ID 13958	Establish/Maintain Documentation	Preventive
Include the word independent in the title of audit reports. CC ID 07003	Actionable Reports or Measurements	Preventive
Include the date of the audit in the audit report. CC ID 07024	Actionable Reports or Measurements	Preventive
Structure the audit report to be in the form of procedures and findings. CC ID 13940	Establish/Maintain Documentation	Preventive
Include information about the organization being audited and the auditor performing the audit in the audit report. CC ID 07004	Actionable Reports or Measurements	Preventive
Include any discussions of significant findings in the audit report. CC ID 13955	Establish/Maintain Documentation	Preventive
Include the date and with whom discussions about significant findings took place in the audit report. CC ID 13962	Establish/Maintain Documentation	Preventive
Include the audit criteria in the audit report. CC ID 13945	Establish/Maintain Documentation	Preventive
Include a statement in the audit report that the agreed upon procedures were potentially insufficient in identifying material risks, as necessary. CC ID 13957	Establish/Maintain Documentation	Preventive
Include all hypothetical assumptions in the audit report. CC ID 13947	Establish/Maintain Documentation	Preventive
Include a statement that access to the report is restricted based on least privilege in the audit report. CC ID 07023	Actionable Reports or Measurements	Preventive
Include a statement that identifies the distribution list for the report in the audit report. CC ID 07172	Establish/Maintain Documentation	Preventive
Include a statement that identifies the use restrictions for the report in the audit report. CC ID 07173	Establish/Maintain Documentation	Preventive
Include a statement that the agreed upon procedures involves collecting evidence in the audit report. CC ID 13956	Establish/Maintain Documentation	Preventive
Include all of the facts and demonstrated plausibility in the audit report. CC ID 08929	Establish/Maintain Documentation	Preventive
Include a statement that the agreed upon procedures were performed by all parties in the audit report. CC ID 13931	Establish/Maintain Documentation	Preventive
Include references to subject matter experts in the audit report when citing qualified opinions. CC ID 13929	Establish/Maintain Documentation	Preventive
Include a description of the assistance provided by Subject Matter Experts in the audit report. CC ID 13939	Establish/Maintain Documentation	Preventive
Include a review of the subject matter expert's findings in the audit report. CC ID 13972	Establish/Maintain Documentation	Preventive
Include a statement of the character of the engagement in the audit report. CC ID 07166	Establish/Maintain Documentation	Preventive
Include the nature and scope of the audit performed in the statement of the character of the engagement in the audit report. CC ID 07167	Establish/Maintain Documentation	Preventive
Include the professional standards governing the audit in the statement of the character of the engagement in the audit report. CC ID 07168	Establish/Maintain Documentation	Preventive
Include all restrictions on the audit in the audit report. CC ID 13930	Establish/Maintain Documentation	Preventive
Include a statement that the auditor has no responsibility to update the audit report after its submission. CC ID 13943	Establish/Maintain Documentation	Preventive
Include a statement that the responsible party refused to provide a written assertion in the audit report. CC ID 13887	Establish/Maintain Documentation	Preventive
Include a statement that the examination involves procedures for collecting evidence in the audit report. CC ID 13941	Establish/Maintain Documentation	Preventive
Express an adverse opinion in the audit report when significant assumptions are not suitably supported. CC ID 13944	Establish/Maintain Documentation	Preventive
Include a statement that modifications to historical evidence accurately reflect current evidence in the audit report. CC ID 13938	Establish/Maintain Documentation	Preventive
Refrain from referencing other auditor's work in the audit report. CC ID 13881	Establish/Maintain Documentation	Preventive
Include that the audit findings are not a predictive analysis of future compliance in the audit report. CC ID 07018	Establish/Maintain Documentation	Preventive
Identify the participants from the organization being audited in the audit report. CC ID 15258	Audits and Risk Management	Detective
Include how in scope controls meet external requirements in the audit report. CC ID 16450	Establish/Maintain Documentation	Preventive
Include the in scope records used to obtain audit evidence in the description of tests of controls and results in the audit report. CC ID 14915	Establish/Maintain Documentation	Preventive
Include recommended corrective actions in the audit report. CC ID 16197	Establish/Maintain Documentation	Preventive
Include risks and opportunities in the audit report. CC ID 16196	Establish/Maintain Documentation	Preventive
Include the description of tests of controls and results in the audit report. CC ID 14898	Establish/Maintain Documentation	Preventive
Include the nature of the tests performed in the description of tests of controls and results in the audit report. CC ID 14908	Establish/Maintain Documentation	Preventive
Include the test scope in the description of tests of controls and results in the audit report. CC ID 14906	Establish/Maintain Documentation	Preventive
Identify the stakeholders interviewed to obtain audit evidence in the description of tests of controls and results in the audit report. CC ID 14905	Establish/Maintain Documentation	Preventive
Include the controls that were tested in the description of tests of controls and results in the audit report. CC ID 14902	Establish/Maintain Documentation	Preventive
Include the organization's audit assertion of the in scope system in the audit report. CC ID 07005	Actionable Reports or Measurements	Preventive
Include that the organization is the responsible party for the content of its audit assertion and in scope system description in the audit report. CC ID 07010	Establish/Maintain Documentation	Preventive
Include that the organization is the responsible party for providing in scope services in the audit report. CC ID 14903	Establish/Maintain Documentation	Preventive
Include that the organization is the responsible party for specifying in scope controls not defined by law or contractual obligation in the audit report. CC ID 07011	Establish/Maintain Documentation	Preventive
Include that the organization is the responsible party for designing and implementing the in scope controls it identified in the audit scope in the audit report. CC ID 07014	Establish/Maintain Documentation	Preventive
Include the audit opinion regarding the accurateness of the in scope system description in the audit report. CC ID 07019	Establish/Maintain Documentation	Preventive
Include the attestation standards the auditor follows in the audit report. CC ID 07015	Establish/Maintain Documentation	Preventive
Include the audit opinion about the audit assertion in relation to the audit criteria used for evaluation in the audit report. CC ID 07169	Establish/Maintain Documentation	Preventive
Include the auditor's significant reservations about the engagement, the audit assertion, or the audit subject matter in the audit report. CC ID 07170	Establish/Maintain Documentation	Preventive
Include an emphasis-of-matter paragraph in the audit report. CC ID 14890	Establish/Maintain Documentation	Preventive
Include the organization's in scope system description in the audit report. CC ID 11626	Audits and Risk Management	Preventive
Include any out of scope components of in scope systems in the audit report. CC ID 07006	Establish/Maintain Documentation	Preventive
Include that the organization is the responsible party for identifying material risks in the audit report. CC ID 07012	Establish/Maintain Documentation	Preventive
Include that the organization is the responsible party for selecting the audit criteria in the audit report. CC ID 07013	Establish/Maintain Documentation	Preventive
Include the scope and work performed in the audit report. CC ID 11621	Audits and Risk Management	Preventive
Review the adequacy of the internal auditor's work papers. CC ID 01146	Audits and Risk Management	Detective
Compare the evaluations completed by the internal auditors and the external auditors in past audit reports. CC ID 01158	Establish/Maintain Documentation	Detective
Review the adequacy of the internal auditor's audit reports. CC ID 11620	Audits and Risk Management	Detective
Review past audit reports. CC ID 01155 [The organization shall: plan, establish, implement and maintain an audit programme(s), including the frequency, methods, responsibilities, planning requirements and reporting. The audit programme(s) shall take into consideration the importance of the processes concerned and the results of previous audits; § 9.2 ¶ 2 c)]	Establish/Maintain Documentation	Detective
Review past audit reports for specific process steps and calculations that were stated to support the audit report's conclusions. CC ID 01160	Establish/Maintain Documentation	Detective
Review the reporting of material weaknesses and risks in past audit reports. CC ID 01161	Establish/Maintain Documentation	Detective
Resolve disputes before creating the audit summary. CC ID 08964	Behavior	Preventive
Refrain from including the description of the audit in the audit report when the auditor is disclaiming an audit opinion. CC ID 13975	Establish/Maintain Documentation	Preventive
Refrain from including scope limitations from changed attestation engagements in the audit report. CC ID 13983	Establish/Maintain Documentation	Preventive
Refrain from including in the audit report any procedures that were performed that the auditor is disclaiming in an audit opinion. CC ID 13974	Establish/Maintain Documentation	Preventive
Include deficiencies and non-compliance in the audit report. CC ID 14879	Establish/Maintain Documentation	Corrective
Determine the effect of deficiencies on the audit report, as necessary. CC ID 14886	Investigate	Detective
Determine the effect of fraud and non-compliance on the audit report, as necessary. CC ID 13979	Process or Activity	Detective
Include an audit opinion in the audit report. CC ID 07017	Establish/Maintain Documentation	Preventive
Include qualified opinions in the audit report. CC ID 13928	Establish/Maintain Documentation	Preventive
Include that the auditor is the responsible party to express an opinion on the audit subject matter based on examination of evidence in the audit report. CC ID 07174	Establish/Maintain Documentation	Preventive
Include a description of the reasons for modifying the audit opinion in the audit report. CC ID 13898	Establish/Maintain Documentation	Corrective
Include that the auditor did not express an opinion in the audit report, as necessary. CC ID 13886	Establish/Maintain Documentation	Preventive
Disclaim the audit opinion in the audit report, as necessary. CC ID 13901	Business Processes	Corrective
Collect all work papers for the audit and audit report into an engagement file. CC ID 07001 [The organization shall: retain documented information as evidence of the audit programme(s) and the audit results. § 9.2 ¶ 2 g)]	Actionable Reports or Measurements	Preventive
Include any subsequent events related to the audit assertion or audit subject matter in the work papers. CC ID 07177	Audits and Risk Management	Preventive
Document any after the fact changes to the engagement file. CC ID 07002	Establish/Maintain Documentation	Preventive
Protect access to the engagement file and all associated audit documentation in compliance with Authority Documents the organization must follow. CC ID 07179	Establish/Maintain Documentation	Preventive
Disclose work papers in the engagement file in compliance with legal requirements. CC ID 07180	Establish/Maintain Documentation	Preventive
Archive the engagement file and all work papers for the period prescribed by law or contract. CC ID 10038	Records Management	Preventive
Include items that were excluded from the audit report in the audit report. CC ID 07007	Establish/Maintain Documentation	Preventive
Include the organization's privacy practices in the audit report. CC ID 07029	Establish/Maintain Documentation	Preventive
Include items that pertain to third parties in the audit report. CC ID 07008	Establish/Maintain Documentation	Preventive
Refrain from including reference to procedures performed in previous attestation engagements in the audit report. CC ID 13970	Establish/Maintain Documentation	Preventive
Include a statement in the audit report that no procedures were performed subsequent to the date of the practitioner's review report on pro forma financial information, as necessary. CC ID 13969	Establish/Maintain Documentation	Preventive
Include any of the organization's use of compensating controls that were not audited in the audit report. CC ID 07009	Establish/Maintain Documentation	Preventive
Include whether the use of compensating controls are necessary in the audit report. CC ID 07020	Establish/Maintain Documentation	Preventive
Include the pass or fail test status of all in scope controls in the audit report. CC ID 07016	Establish/Maintain Documentation	Preventive
Include the process of using evidential matter to test in scope controls in the audit report. CC ID 07021	Establish/Maintain Documentation	Preventive
Include the nature and causes of identified in scope control deviations in the audit report. CC ID 07022	Establish/Maintain Documentation	Preventive
Modify the audit opinion in the audit report under defined conditions. CC ID 13937	Establish/Maintain Documentation	Corrective
Disclose any audit irregularities in the audit report. CC ID 06995	Actionable Reports or Measurements	Preventive
Include the written signature of the auditor's organization in the audit report. CC ID 13897	Establish/Maintain Documentation	Preventive
Disseminate and communicate the audit report to all interested personnel and affected parties identified in the distribution list. CC ID 07117	Establish/Maintain Documentation	Preventive
Disseminate and communicate the reviews of audit reports to organizational management. CC ID 00653	Log Management	Detective
Disseminate and communicate the reasons the audit report was delayed to interested personnel and affected parties. CC ID 15257	Communicate	Preventive
Notify auditees if disclosure of audit documentation is required by law. CC ID 15249	Communicate	Preventive
Disseminate and communicate to the organization that access and use of audit reports are based on least privilege. CC ID 07171	Behavior	Preventive
Disseminate and communicate documents that contain information in support of the audit report. CC ID 07175	Establish/Maintain Documentation	Preventive
Correct any material misstatements in documents that contain information in support of the audit report. CC ID 07176	Establish/Maintain Documentation	Preventive
Review the issues of non-compliance from past audit reports. CC ID 01148	Establish/Maintain Documentation	Detective
Notify interested personnel and affected parties after bribes are offered during the audit. CC ID 08872	Business Processes	Preventive
Submit an audit report that is complete. CC ID 01145	Testing	Detective
Accept the audit report. CC ID 07025	Establish/Maintain Documentation	Preventive
Implement a corrective action plan in response to the audit report. CC ID 06777	Establish/Maintain Documentation	Corrective
Assign responsibility for remediation actions. CC ID 13622	Human Resources Management	Preventive
Monitor and report on the status of mitigation actions in the corrective action plan. CC ID 15250	Actionable Reports or Measurements	Corrective
Review management's response to issues raised in past audit reports. CC ID 01149 [The management review shall include consideration of: the status of actions from previous management reviews; § 9.3 ¶ 2 a)]	Audits and Risk Management	Detective
Define penalties for uncorrected audit findings or remaining non-compliant with the audit report. CC ID 08963	Establish/Maintain Documentation	Preventive
Assess the quality of the audit program in regards to the staff and their qualifications. CC ID 01150	Testing	Detective
Evaluate the competency of auditors. CC ID 15253	Human Resources Management	Detective
Review the audit program scope as it relates to the organization's profile. CC ID 01159	Audits and Risk Management	Detective
Assess the quality of the audit program in regards to its documentation. CC ID 11622	Audits and Risk Management	Preventive
Establish, implement, and maintain the audit plan. CC ID 01156	Testing	Detective
Include the audit criteria in the audit plan. CC ID 15262	Establish/Maintain Documentation	Preventive
Include a list of reference documents in the audit plan. CC ID 15260	Establish/Maintain Documentation	Preventive
Include the languages to be used for the audit in the audit plan. CC ID 15252	Establish/Maintain Documentation	Preventive
Include the allocation of resources in the audit plan. CC ID 15251	Establish/Maintain Documentation	Preventive
Include communication protocols in the audit plan. CC ID 15247	Establish/Maintain Documentation	Preventive
Include the level of audit sampling necessary to collect sufficient audit evidence in the audit plan. CC ID 15246	Establish/Maintain Documentation	Preventive
Include meeting schedules in the audit plan. CC ID 15245	Establish/Maintain Documentation	Preventive
Include the time frames for the audit in the audit plan. CC ID 15244	Establish/Maintain Documentation	Preventive
Include the time frames for conducting the audit in the audit plan. CC ID 15243	Establish/Maintain Documentation	Preventive
Include the locations to be audited in the audit plan. CC ID 15242	Establish/Maintain Documentation	Preventive
Include the processes to be audited in the audit plan. CC ID 15241	Establish/Maintain Documentation	Preventive
Include audit objectives in the audit plan. CC ID 15240	Establish/Maintain Documentation	Preventive
Include the risks associated with audit activities in the audit plan. CC ID 15239	Establish/Maintain Documentation	Preventive
Disseminate and communicate the audit plan to interested personnel and affected parties. CC ID 15238	Communicate	Preventive
Establish, implement, and maintain an audit schedule for the audit program. CC ID 13158 [The organization shall: plan, establish, implement and maintain an audit programme(s), including the frequency, methods, responsibilities, planning requirements and reporting. The audit programme(s) shall take into consideration the importance of the processes concerned and the results of previous audits; § 9.2 ¶ 2 c)]	Establish/Maintain Documentation	Preventive
Establish, implement, and maintain a risk management program. CC ID 12051	Establish/Maintain Documentation	Preventive
Establish, implement, and maintain the risk assessment framework. CC ID 00685	Establish/Maintain Documentation	Preventive
Establish, implement, and maintain a risk assessment program. CC ID 00687 [The organization shall define and apply an information security risk assessment process that: § 6.1.2 ¶ 1]	Establish/Maintain Documentation	Preventive
Address past incidents in the risk assessment program. CC ID 12743	Audits and Risk Management	Preventive
Employ third parties when implementing a risk assessment, as necessary. CC ID 16306	Human Resources Management	Detective
Include the need for risk assessments in the risk assessment program. CC ID 06447	Establish/Maintain Documentation	Preventive
Include the information flow of restricted data in the risk assessment program. CC ID 12339	Establish/Maintain Documentation	Preventive
Establish and maintain the factors and context for risk to the organization. CC ID 12230	Audits and Risk Management	Preventive
Establish, implement, and maintain a financial plan to support the risk management strategy. CC ID 12786	Establish/Maintain Documentation	Preventive
Design a portfolio of insurance options in accordance with risk decision-making criteria. CC ID 12878	Business Processes	Preventive
Design a portfolio of loans in accordance with risk decision-making criteria. CC ID 12877	Business Processes	Preventive
Design a portfolio of risk limiting and mitigating approaches in organizational contracts in accordance with risk decision-making criteria. CC ID 12903	Business Processes	Preventive
Address cybersecurity risks in the risk assessment program. CC ID 13193	Establish/Maintain Documentation	Preventive
Establish, implement, and maintain Data Protection Impact Assessments. CC ID 14830	Process or Activity	Preventive
Include a Data Protection Impact Assessment in the risk assessment program. CC ID 12630	Establish/Maintain Documentation	Preventive
Include an assessment of the necessity and proportionality of the processing operations in relation to the purposes in the Data Protection Impact Assessment. CC ID 12681	Establish/Maintain Documentation	Preventive
Include an assessment of the relationship between the data subject and the parties processing the data in the Data Protection Impact Assessment. CC ID 16371	Establish/Maintain Documentation	Preventive
Include a risk assessment of data subject's rights in the Data Protection Impact Assessment. CC ID 12674	Establish/Maintain Documentation	Preventive
Include the description and purpose of processing restricted data in the Data Protection Impact Assessment. CC ID 12673	Establish/Maintain Documentation	Preventive
Disseminate and communicate the Data Protection Impact Assessment to interested personnel and affected parties. CC ID 15313	Communicate	Preventive
Include consideration of the data subject's expectations in the Data Protection Impact Assessment. CC ID 16370	Establish/Maintain Documentation	Preventive
Include monitoring unsecured areas in the Data Protection Impact Assessment. CC ID 12671	Establish/Maintain Documentation	Preventive
Include security measures for protecting restricted data in the Data Protection Impact Assessment. CC ID 12635	Establish/Maintain Documentation	Preventive
Use the risk taxonomy when managing risk. CC ID 12280	Behavior	Preventive
Establish, implement, and maintain a risk assessment policy. CC ID 14026	Establish/Maintain Documentation	Preventive
Include compliance requirements in the risk assessment policy. CC ID 14121	Establish/Maintain Documentation	Preventive
Include coordination amongst entities in the risk assessment policy. CC ID 14120	Establish/Maintain Documentation	Preventive
Include management commitment in the risk assessment policy. CC ID 14119	Establish/Maintain Documentation	Preventive
Include roles and responsibilities in the risk assessment policy. CC ID 14118	Establish/Maintain Documentation	Preventive
Include the scope in the risk assessment policy. CC ID 14117	Establish/Maintain Documentation	Preventive
Include the purpose in the risk assessment policy. CC ID 14116	Establish/Maintain Documentation	Preventive
Disseminate and communicate the risk assessment policy to interested personnel and affected parties. CC ID 14115	Communicate	Preventive
Establish, implement, and maintain risk assessment procedures. CC ID 06446	Establish/Maintain Documentation	Preventive
Analyze the organization's information security environment. CC ID 13122	Technical Security	Preventive
Employ risk assessment procedures that follow legal requirements and contractual obligations when risk profiling. CC ID 06472	Establish/Maintain Documentation	Preventive
Employ risk assessment procedures that follow standards and best practices, as necessary. CC ID 06473	Establish/Maintain Documentation	Preventive
Document cybersecurity risks. CC ID 12281	Establish/Maintain Documentation	Preventive
Employ risk assessment procedures that align with strategic objectives. CC ID 06474	Establish/Maintain Documentation	Preventive
Engage appropriate parties to assist with risk assessments, as necessary. CC ID 12153	Human Resources Management	Preventive
Employ risk assessment procedures that take into account both electronic records and printed records. CC ID 06476	Establish/Maintain Documentation	Preventive
Employ risk assessment procedures that take into account information classification. CC ID 06477	Establish/Maintain Documentation	Preventive
Employ risk assessment procedures that take into account prior risk assessment findings of the same scope. CC ID 06478	Establish/Maintain Documentation	Preventive
Establish, implement, and maintain risk profiling procedures for internal risk assessments. CC ID 01157	Audits and Risk Management	Preventive
Employ risk assessment procedures that take into account the target environment. CC ID 06479	Establish/Maintain Documentation	Preventive
Include compliance with disposition requirements in the risk assessment procedures. CC ID 12342	Establish/Maintain Documentation	Preventive
Employ risk assessment procedures that take into account incidents associated with the target environment. CC ID 06480	Establish/Maintain Documentation	Preventive
Include compliance with retention requirements in the risk assessment procedures. CC ID 12341	Establish/Maintain Documentation	Preventive
Establish, implement, and maintain a threat and risk classification scheme. CC ID 07183	Establish/Maintain Documentation	Preventive
Employ risk assessment procedures that include appropriate risk treatment options for each identified risk. CC ID 06484	Establish/Maintain Documentation	Preventive
Document organizational risk criteria. CC ID 12277 [The organization shall define and apply an information security risk assessment process that establishes and maintains information security risk criteria that include: § 6.1.2 ¶ 1 a) The organization shall define and apply an information security risk assessment process that: establishes and maintains information security risk criteria that include: criteria for performing information security risk assessments; § 6.1.2 ¶ 1 a) 2)]	Establish/Maintain Documentation	Preventive
Include security threats and vulnerabilities in the threat and risk classification scheme. CC ID 00699	Technical Security	Preventive
Include an analysis of system interdependencies in the threat and risk classification scheme. CC ID 13056	Investigate	Detective
Categorize the systems, information, and data by risk profile in the threat and risk classification scheme. CC ID 01443	Audits and Risk Management	Preventive
Include risks to critical personnel and assets in the threat and risk classification scheme. CC ID 00698 [The organization shall define and apply an information security risk assessment process that: identifies the information security risks: § 6.1.2 ¶ 1 c) When planning for the information security management system, the organization shall consider the issues referred to in 4.1 and the requirements referred to in 4.2 and determine the risks and opportunities that need to be addressed to: ensure the information security management system can achieve its intended outcome(s); § 6.1.1 ¶ 1 a) The organization shall define and apply an information security risk assessment process that: identifies the information security risks: apply the information security risk assessment process to identify risks associated with the loss of confidentiality, integrity and availability for information within the scope of the information security management system; and § 6.1.2 ¶ 1 c) 1)]	Audits and Risk Management	Preventive
Include the traceability of malicious code in the threat and risk classification scheme. CC ID 06600	Establish/Maintain Documentation	Preventive
Assign a probability of occurrence to all types of threats in the threat and risk classification scheme. CC ID 01173 [The organization shall define and apply an information security risk assessment process that: analyses the information security risks: assess the realistic likelihood of the occurrence of the risks identified in 6.1.2 c) 1); and § 6.1.2 ¶ 1 d) 2)]	Audits and Risk Management	Preventive
Approve the threat and risk classification scheme. CC ID 15693	Business Processes	Preventive
Include language that is easy to understand in the risk assessment report. CC ID 06461	Establish/Maintain Documentation	Preventive
Include the environments that call for risk assessments in the risk assessment program. CC ID 06448	Establish/Maintain Documentation	Preventive
Include the process for defining the scope of each risk assessment in the risk assessment program. CC ID 06462	Establish/Maintain Documentation	Preventive
Include the circumstances that call for risk assessments in the risk assessment program. CC ID 06449	Establish/Maintain Documentation	Preventive
Include the roles and responsibilities involved in risk assessments in the risk assessment program. CC ID 06450 [The organization shall define and apply an information security risk assessment process that: identifies the information security risks: identify the risk owners; § 6.1.2 ¶ 1 c) 2)]	Establish/Maintain Documentation	Preventive
Include the methods of managing and responding to the risk assessment report in the risk assessment program. CC ID 06451	Establish/Maintain Documentation	Preventive
Automate as much of the risk assessment program, as necessary. CC ID 06459	Audits and Risk Management	Preventive
Disseminate and communicate the risk assessment procedures to interested personnel and affected parties. CC ID 14136	Communicate	Preventive
Approve the risk assessment program and associated risk assessment procedures at the senior management level. CC ID 06458	Establish/Maintain Documentation	Preventive
Perform risk assessments for all target environments, as necessary. CC ID 06452 [The organization shall perform information security risk assessments at planned intervals or when significant changes are proposed or occur, taking account of the criteria established in 6.1.2 a). § 8.2 ¶ 1]	Testing	Preventive
Include the probability and potential impact of pandemics in the scope of the risk assessment. CC ID 13241	Establish/Maintain Documentation	Preventive
Include physical assets in the scope of the risk assessment. CC ID 13075	Establish/Maintain Documentation	Preventive
Include the results of the risk assessment in the risk assessment report. CC ID 06481 [The management review shall include consideration of: results of risk assessment and status of risk treatment plan; and § 9.3 ¶ 2 e)]	Establish/Maintain Documentation	Preventive
Approve the results of the risk assessment as documented in the risk assessment report. CC ID 07109	Audits and Risk Management	Preventive
Update the risk assessment upon discovery of a new threat. CC ID 00708 [When planning for the information security management system, the organization shall consider the issues referred to in 4.1 and the requirements referred to in 4.2 and determine the risks and opportunities that need to be addressed to: achieve continual improvement. § 6.1.1 ¶ 1 c)]	Establish/Maintain Documentation	Detective
Review risks to the organization's audit function when changes in the supply chain occur. CC ID 01154	Audits and Risk Management	Preventive
Update the risk assessment upon changes to the risk profile. CC ID 11627 [The organization shall perform information security risk assessments at planned intervals or when significant changes are proposed or occur, taking account of the criteria established in 6.1.2 a). § 8.2 ¶ 1]	Establish/Maintain Documentation	Detective
Review the risk to the audit function when the audit personnel status changes. CC ID 01153	Audits and Risk Management	Preventive
Document any reasons for modifying or refraining from modifying the organization's risk assessment when the risk assessment has been reviewed. CC ID 13312	Establish/Maintain Documentation	Preventive
Create a risk assessment report based on the risk assessment results. CC ID 15695	Establish/Maintain Documentation	Preventive
Disseminate and communicate the approved risk assessment report to interested personnel and affected parties. CC ID 10633	Communicate	Preventive
Conduct external audits of risk assessments, as necessary. CC ID 13308	Audits and Risk Management	Detective
Notify the organization upon completion of the external audits of the organization's risk assessment. CC ID 13313	Communicate	Preventive
Establish, implement, and maintain a risk assessment awareness and training program. CC ID 06453	Business Processes	Preventive
Disseminate and communicate information about risks to all interested personnel and affected parties. CC ID 06718	Behavior	Preventive
Evaluate the effectiveness of threat and vulnerability management procedures. CC ID 13491	Investigate	Detective
Correlate the business impact of identified risks in the risk assessment report. CC ID 00686	Audits and Risk Management	Preventive
Analyze and quantify the risks to in scope systems and information. CC ID 00701 [When planning for the information security management system, the organization shall consider the issues referred to in 4.1 and the requirements referred to in 4.2 and determine the risks and opportunities that need to be addressed to: prevent, or reduce, undesired effects; and § 6.1.1 ¶ 1 b) The organization shall define and apply an information security risk assessment process that: evaluates the information security risks: § 6.1.2 ¶ 1 e) The organization shall define and apply an information security risk assessment process that: analyses the information security risks: assess the potential consequences that would result if the risks identified in 6.1.2 c) 1) were to materialize; § 6.1.2 ¶ 1 d) 1) The organization shall define and apply an information security risk assessment process that: analyses the information security risks: § 6.1.2 ¶ 1 d)]	Audits and Risk Management	Preventive
Establish and maintain a Risk Scoping and Measurement Definitions Document. CC ID 00703	Audits and Risk Management	Preventive
Identify the material risks in the risk assessment report. CC ID 06482	Audits and Risk Management	Preventive
Assess the potential level of business impact risk associated with each business process. CC ID 06463	Audits and Risk Management	Detective
Assess the potential level of business impact risk associated with the business environment. CC ID 06464	Audits and Risk Management	Detective
Assess the potential level of business impact risk associated with business information of in scope systems. CC ID 06465	Audits and Risk Management	Detective
Identify changes to in scope systems that could threaten communication between business units. CC ID 13173	Investigate	Detective
Assess the potential business impact risk of in scope systems caused by deliberate threats to their confidentiality, integrity, and availability. CC ID 06466	Audits and Risk Management	Detective
Assess the potential level of business impact risk caused by accidental threats to the confidentiality, integrity and availability of critical systems. CC ID 06467 [{technical vulnerabilities} Information about technical vulnerabilities of information systems being used shall be obtained in a timely fashion, the organization’s exposure to such vulnerabilities evaluated and appropriate measures taken to address the associated risk. A.12.6.1 Control]	Audits and Risk Management	Detective
Assess the potential level of business impact risk associated with reputational damage. CC ID 15335	Audits and Risk Management	Detective
Assess the potential level of business impact risk associated with insider threats. CC ID 06468	Audits and Risk Management	Detective
Assess the potential level of business impact risk associated with external entities. CC ID 06469	Audits and Risk Management	Detective
Assess the potential level of business impact risk associated with natural disasters. CC ID 06470	Actionable Reports or Measurements	Detective
Assess the potential level of business impact risk associated with control weaknesses. CC ID 06471	Audits and Risk Management	Detective
Establish a risk acceptance level that is appropriate to the organization's risk appetite. CC ID 00706 [The organization shall define and apply an information security risk assessment process that establishes and maintains information security risk criteria that include: the risk acceptance criteria; and § 6.1.2 ¶ 1 a) 1) The organization shall define and apply an information security risk assessment process that: analyses the information security risks: determine the levels of risk; § 6.1.2 ¶ 1 d) 3) The organization shall define and apply an information security risk treatment process to: obtain risk owners' approval of the information security risk treatment plan and acceptance of the residual information security risks. § 6.1.3 ¶ 1 f)]	Establish/Maintain Documentation	Preventive
Investigate alternative risk control strategies appropriate to the organization's risk appetite. CC ID 12887	Investigate	Preventive
Select the appropriate risk treatment option for each identified risk in the risk register. CC ID 06483 [The organization shall define and apply an information security risk treatment process to: select appropriate information security risk treatment options, taking account of the risk assessment results; § 6.1.3 ¶ 1 a)]	Establish/Maintain Documentation	Preventive
Disseminate and communicate the risk acceptance level in the risk treatment plan to all interested personnel and affected parties. CC ID 06849	Behavior	Preventive
Perform a gap analysis to review in scope controls for identified risks and implement new controls, as necessary. CC ID 00704 [The organization shall define and apply an information security risk treatment process to: compare the controls determined in 6.1.3 b) above with those in Annex A and verify that no necessary controls have been omitted; § 6.1.3 ¶ 1 c)]	Establish/Maintain Documentation	Detective
Document the results of the gap analysis. CC ID 16271	Establish/Maintain Documentation	Preventive
Prioritize and select controls based on the risk assessment findings. CC ID 00707 [The organization shall define and apply an information security risk assessment process that: evaluates the information security risks: prioritize the analysed risks for risk treatment. § 6.1.2 ¶ 1 e) 2) The organization shall define and apply an information security risk treatment process to: determine all controls that are necessary to implement the information security risk treatment option(s) chosen; § 6.1.3 ¶ 1 b)]	Audits and Risk Management	Preventive
Analyze the effect of threats on organizational strategies and objectives. CC ID 12850	Process or Activity	Detective
Analyze the effect of opportunities on organizational strategies and objectives. CC ID 12849	Process or Activity	Detective
Prioritize and categorize the effects of opportunities, threats and requirements on control activities. CC ID 12822	Audits and Risk Management	Preventive
Determine the effectiveness of risk control measures. CC ID 06601	Testing	Detective
Develop key indicators to inform management on the effectiveness of risk control measures. CC ID 12946	Audits and Risk Management	Preventive
Establish, implement, and maintain a risk treatment plan. CC ID 11983 [The organization shall define and apply an information security risk treatment process to: formulate an information security risk treatment plan; and § 6.1.3 ¶ 1 e) The organization shall define and apply an information security risk treatment process to: § 6.1.3 ¶ 1 The organization shall implement the information security risk treatment plan. § 8.3 ¶ 1]	Establish/Maintain Documentation	Preventive
Include the date of the risk assessment in the risk treatment plan. CC ID 16321	Establish/Maintain Documentation	Preventive
Include the release status of the risk assessment in the risk treatment plan. CC ID 16320	Audits and Risk Management	Preventive
Identify the planned actions and controls that address high risk in the risk treatment plan. CC ID 12835	Audits and Risk Management	Preventive
Identify the current actions and controls that address high risk in the risk treatment plan. CC ID 12834	Audits and Risk Management	Preventive
Include the risk treatment strategy in the risk treatment plan. CC ID 12159	Establish/Maintain Documentation	Preventive
Revise the risk treatment strategies in the risk treatment plan, as necessary. CC ID 12552	Establish/Maintain Documentation	Corrective
Include an overview of the migration project plan in the risk treatment plan. CC ID 11982	Establish/Maintain Documentation	Preventive
Include change control processes in the risk treatment plan. CC ID 11981	Establish/Maintain Documentation	Preventive
Include a description of the processes to check for new vulnerabilities in the risk treatment plan. CC ID 11980	Establish/Maintain Documentation	Preventive
Include the implemented risk management controls in the risk treatment plan. CC ID 11979	Establish/Maintain Documentation	Preventive
Include requirements for monitoring and reporting in the risk treatment plan, as necessary. CC ID 13620	Establish/Maintain Documentation	Preventive
Include risk assessment results in the risk treatment plan. CC ID 11978	Establish/Maintain Documentation	Preventive
Include a description of usage in the risk treatment plan. CC ID 11977	Establish/Maintain Documentation	Preventive
Document all constraints applied to the risk treatment plan, as necessary. CC ID 13619	Establish/Maintain Documentation	Preventive
Disseminate and communicate the risk treatment plan to interested personnel and affected parties. CC ID 15694	Communicate	Preventive
Approve the risk treatment plan. CC ID 13495 [The organization shall define and apply an information security risk treatment process to: obtain risk owners' approval of the information security risk treatment plan and acceptance of the residual information security risks. § 6.1.3 ¶ 1 f)]	Audits and Risk Management	Preventive
Integrate the corrective action plan based on the risk assessment findings with other risk management activities. CC ID 06457 [The organization shall plan how to integrate and implement the actions into its information security management system processes; and § 6.1.1 ¶ 2 e) 1)]	Establish/Maintain Documentation	Preventive
Document and communicate a corrective action plan based on the risk assessment findings. CC ID 00705 [{technical vulnerabilities} Information about technical vulnerabilities of information systems being used shall be obtained in a timely fashion, the organization’s exposure to such vulnerabilities evaluated and appropriate measures taken to address the associated risk. A.12.6.1 Control The organization shall plan: actions to address these risks and opportunities; and § 6.1.1 ¶ 2 d) The management review shall include consideration of: results of risk assessment and status of risk treatment plan; and § 9.3 ¶ 2 e) The organization shall define and apply an information security risk treatment process to: produce a Statement of Applicability that contains the necessary controls (see 6.1.3 b) and c)) and justification for inclusions, whether they are implemented or not, and the justification for exclusions of controls from Annex A; § 6.1.3 ¶ 1 d)]	Establish/Maintain Documentation	Corrective
Review and approve the risk assessment findings. CC ID 06485	Establish/Maintain Documentation	Preventive

Harmonization Methods and Manual of Style

Mandated - bold Implied - italic Implementation - regular	TYPE	CLASS
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term
Harmonization Methods and Manual of Style CC ID 06095	IT Impact Zone	IT Impact Zone
Establish, implement, and maintain organizational documents. CC ID 16202	Establish/Maintain Documentation	Preventive
Organize all compliance documents. CC ID 06096 [When creating and updating documented information the organization shall ensure appropriate: format (e.g. language, software version, graphics) and media (e.g. paper, electronic); and § 7.5.2 ¶ 1 b)]	Establish/Maintain Documentation	Preventive
Organize all compliance documents to fit the message. CC ID 06097	Establish/Maintain Documentation	Preventive
Identify the target audience for compliance documents. CC ID 06108	Establish/Maintain Documentation	Preventive
Define the structure for compliance documents and governance documents. CC ID 06111 [When creating and updating documented information the organization shall ensure appropriate: identification and description (e.g. a title, date, author, or reference number); § 7.5.2 ¶ 1 a)]	Establish/Maintain Documentation	Preventive
Subordinate the structure of the compliance document to fit the topic. CC ID 06109	Establish/Maintain Documentation	Preventive
Define visual and formatting styles for all structured headings. CC ID 06110	Establish/Maintain Documentation	Preventive
Define the section heading style, if section headings are being used. CC ID 06112	Establish/Maintain Documentation	Preventive
Use a table of contents to show sections and headings, if section headings are being used. CC ID 06113	Establish/Maintain Documentation	Preventive
Place the table of contents at the document's beginning. CC ID 06114	Establish/Maintain Documentation	Preventive
Add term definitions to the document's end. CC ID 06115	Establish/Maintain Documentation	Preventive

Human Resources management

158

Mandated - bold Implied - italic Implementation - regular	TYPE	CLASS
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term
Human Resources management CC ID 00763	IT Impact Zone	IT Impact Zone
Establish, implement, and maintain high level operational roles and responsibilities. CC ID 00806	Establish Roles	Preventive
Assign the roles and responsibilities of management in establishing, implementing, and maintaining the information security program. CC ID 13112 [Top management shall assign the responsibility and authority for: reporting on the performance of the information security management system to top management. § 5.3 ¶ 2 b)]	Human Resources Management	Preventive
Define and assign workforce roles and responsibilities. CC ID 13267	Human Resources Management	Preventive
Identify and define all critical roles. CC ID 00777 [The organization shall determine: who shall monitor and measure; § 9.1 ¶ 2 d)]	Establish Roles	Preventive
Assign cybersecurity reporting responsibilities to qualified personnel. CC ID 12739	Establish Roles	Preventive
Assign responsibility for cyber threat intelligence. CC ID 12746	Human Resources Management	Preventive
Assign the role of security management to applicable controls. CC ID 06444	Establish Roles	Preventive
Assign the role of security leader to keep up to date on the latest threats. CC ID 12112	Human Resources Management	Preventive
Define and assign the data processor's roles and responsibilities. CC ID 12607	Human Resources Management	Preventive
Assign the data processor to assist the data controller in implementing security controls. CC ID 12677	Human Resources Management	Preventive
Assign the data processor to notify the data controller when personal data processing could infringe on regulations. CC ID 12617	Communicate	Preventive
Define and assign the data controller's roles and responsibilities. CC ID 00471	Establish Roles	Preventive
Assign the role of data controller to be the Point of Contact for the supervisory authority. CC ID 12616	Human Resources Management	Preventive
Assign the role of the Data Controller to cooperate with the supervisory authority. CC ID 12615	Human Resources Management	Preventive
Assign the data controller to facilitate the exercise of the data subject's rights. CC ID 12666	Human Resources Management	Preventive
Assign the role of data controller to applicable controls. CC ID 00354	Establish Roles	Preventive
Assign the role of data controller to provide advice, when requested. CC ID 12611	Human Resources Management	Preventive
Assign the role of data controller to additional personnel, as necessary. CC ID 00473	Establish Roles	Preventive
Assign the role of Information Technology operations to applicable controls. CC ID 00682	Establish Roles	Preventive
Assign the role of logical access control to applicable controls. CC ID 00772	Establish Roles	Preventive
Assign the role of asset physical security to applicable controls. CC ID 00770	Establish Roles	Preventive
Assign the role of data custodian to applicable controls. CC ID 04789	Establish Roles	Preventive
Assign the role of the Quality Management committee to applicable controls. CC ID 00769	Establish Roles	Preventive
Assign interested personnel to the Quality Management committee. CC ID 07193	Establish Roles	Preventive
Assign the roles and responsibilities for the asset management system. CC ID 14368	Establish/Maintain Documentation	Preventive
Assign personnel to a crime prevention unit and announce the members of the unit. CC ID 06348	Establish Roles	Preventive
Assign the role of fire protection management to applicable controls. CC ID 04891	Establish Roles	Preventive
Assign the role of Information Technology Service Continuity Management to applicable controls. CC ID 04894	Establish Roles	Preventive
Assign the role of the Computer Emergency Response Team to applicable controls. CC ID 04895	Establish Roles	Preventive
Assign the role of CRYPTO custodian to applicable controls. CC ID 06723	Establish Roles	Preventive
Establish, implement, and maintain a personnel management program. CC ID 14018	Establish/Maintain Documentation	Preventive
Establish, implement, and maintain a personnel security program. CC ID 10628	Establish/Maintain Documentation	Preventive
Employ individuals who have the appropriate staff qualifications, staff clearances, and staff competencies. CC ID 00782 [The organization shall: ensure that these persons are competent on the basis of appropriate education, training, or experience; § 7.2 ¶ 1 b)]	Testing	Detective
Perform security skills assessments for all critical employees. CC ID 12102	Human Resources Management	Detective
Assign security clearance procedures to qualified personnel. CC ID 06812	Establish Roles	Preventive
Assign personnel screening procedures to qualified personnel. CC ID 11699	Establish Roles	Preventive
Establish, implement, and maintain personnel screening procedures. CC ID 11700	Establish/Maintain Documentation	Preventive
Perform a background check during personnel screening. CC ID 11758 [Background verification checks on all candidates for employment shall be carried out in accordance with relevant laws, regulations and ethics and shall be proportional to the business requirements, the classification of the information to be accessed and the perceived risks. A.7.1.1 Control]	Human Resources Management	Detective
Perform a personal identification check during personnel screening. CC ID 06721	Human Resources Management	Preventive
Perform a criminal records check during personnel screening. CC ID 06643	Establish/Maintain Documentation	Preventive
Include all residences in the criminal records check. CC ID 13306	Process or Activity	Preventive
Document any reasons a full criminal records check could not be performed. CC ID 13305	Establish/Maintain Documentation	Preventive
Perform a personal references check during personnel screening. CC ID 06645	Human Resources Management	Preventive
Perform a credit check during personnel screening. CC ID 06646	Human Resources Management	Preventive
Perform an academic records check during personnel screening. CC ID 06647	Establish/Maintain Documentation	Preventive
Perform a drug test during personnel screening. CC ID 06648	Testing	Preventive
Perform a resume check during personnel screening. CC ID 06659	Human Resources Management	Preventive
Perform a curriculum vitae check during personnel screening. CC ID 06660	Human Resources Management	Preventive
Allow personnel being screened to appeal findings and appeal decisions. CC ID 06720	Human Resources Management	Preventive
Disseminate and communicate screening results to interested personnel and affected parties. CC ID 16445	Communicate	Preventive
Perform personnel screening procedures, as necessary. CC ID 11763	Human Resources Management	Preventive
Document the personnel risk assessment results. CC ID 11764	Establish/Maintain Documentation	Detective
Establish, implement, and maintain security clearance procedures. CC ID 00783	Establish/Maintain Documentation	Preventive
Perform periodic background checks on designated roles, as necessary. CC ID 11759	Human Resources Management	Detective
Perform security clearance procedures, as necessary. CC ID 06644	Human Resources Management	Preventive
Establish and maintain security clearances. CC ID 01634	Human Resources Management	Preventive
Document the security clearance procedure results. CC ID 01635	Establish/Maintain Documentation	Detective
Establish, implement, and maintain personnel status change and termination procedures. CC ID 06549 [Information security responsibilities and duties that remain valid after termination or change of employment shall be defined, communicated to the employee or contractor and enforced. A.7.3.1 Control]	Establish/Maintain Documentation	Preventive
Terminate user accounts when notified that an individual is terminated. CC ID 11614	Technical Security	Corrective
Terminate access rights when notified of a personnel status change or an individual is terminated. CC ID 11826 [The access rights of all employees and external party users to information and information processing facilities shall be removed upon termination of their employment, contract or agreement, or adjusted upon change. A.9.2.6 Control]	Technical Security	Corrective
Assign an owner of the personnel status change and termination procedures. CC ID 11805	Human Resources Management	Preventive
Deny access to restricted data or restricted information when a personnel status change occurs or an individual is terminated. CC ID 01309	Data and Information Management	Corrective
Notify the security manager, in writing, prior to an employee's job change. CC ID 12283	Human Resources Management	Preventive
Notify all interested personnel and affected parties when personnel status changes or an individual is terminated. CC ID 06677	Behavior	Preventive
Notify terminated individuals of applicable, legally binding post-employment requirements. CC ID 10630 [Information security responsibilities and duties that remain valid after termination or change of employment shall be defined, communicated to the employee or contractor and enforced. A.7.3.1 Control]	Communicate	Preventive
Enforce the information security responsibilities and duties that remain valid after termination or change of employment. CC ID 11992 [Information security responsibilities and duties that remain valid after termination or change of employment shall be defined, communicated to the employee or contractor and enforced. A.7.3.1 Control]	Human Resources Management	Preventive
Update contact information of any individual undergoing a personnel status change, as necessary. CC ID 12692	Human Resources Management	Corrective
Disseminate and communicate the personnel status change and termination procedures to all interested personnel and affected parties. CC ID 06676	Behavior	Preventive
Conduct exit interviews upon termination of employment. CC ID 14290	Human Resources Management	Preventive
Require terminated individuals to sign an acknowledgment of post-employment requirements. CC ID 10631	Establish/Maintain Documentation	Preventive
Verify completion of each activity in the employee termination checklist when an individual is terminated. CC ID 12449	Human Resources Management	Detective
Train all personnel and third parties, as necessary. CC ID 00785 [The organization shall: where applicable, take actions to acquire the necessary competence, and evaluate the effectiveness of the actions taken; and § 7.2 ¶ 1 c) {security awareness, training, and education} All employees of the organization and, where relevant, contractors shall receive appropriate awareness education and training and regular updates in organizational policies and procedures, as relevant for their job function. A.7.2.2 Control]	Behavior	Preventive
Establish, implement, and maintain an education methodology. CC ID 06671	Business Processes	Preventive
Support certification programs as viable training programs. CC ID 13268	Human Resources Management	Preventive
Include evidence of experience in applications for professional certification. CC ID 16193	Establish/Maintain Documentation	Preventive
Include supporting documentation in applications for professional certification. CC ID 16195	Establish/Maintain Documentation	Preventive
Submit applications for professional certification. CC ID 16192	Training	Preventive
Retrain all personnel, as necessary. CC ID 01362 [{security awareness, training, and education} All employees of the organization and, where relevant, contractors shall receive appropriate awareness education and training and regular updates in organizational policies and procedures, as relevant for their job function. A.7.2.2 Control]	Behavior	Preventive
Tailor training to meet published guidance on the subject being taught. CC ID 02217	Behavior	Preventive
Tailor training to be taught at each person's level of responsibility. CC ID 06674	Behavior	Preventive
Conduct cross-training or staff backup training to minimize dependency on critical individuals. CC ID 00786	Behavior	Preventive
Document all training in a training record. CC ID 01423 [The organization shall: retain appropriate documented information as evidence of competence. § 7.2 ¶ 1 d)]	Establish/Maintain Documentation	Detective
Use automated mechanisms in the training environment, where appropriate. CC ID 06752	Behavior	Preventive
Conduct tests and evaluate training. CC ID 06672 [The organization shall: where applicable, take actions to acquire the necessary competence, and evaluate the effectiveness of the actions taken; and § 7.2 ¶ 1 c)]	Testing	Detective
Hire third parties to conduct training, as necessary. CC ID 13167	Human Resources Management	Preventive
Review the current published guidance and awareness and training programs. CC ID 01245	Establish/Maintain Documentation	Preventive
Establish, implement, and maintain training plans. CC ID 00828	Establish/Maintain Documentation	Preventive
Train personnel to recognize conditions of diseases or sicknesses, as necessary. CC ID 14383	Training	Detective
Include prevention techniques in training regarding diseases or sicknesses. CC ID 14387	Training	Preventive
Include the concept of disease clusters when training to recognize conditions of diseases or sicknesses. CC ID 14386	Training	Preventive
Train personnel to identify and communicate symptoms of exposure to disease or sickness. CC ID 14385	Training	Detective
Develop or acquire content to update the training plans. CC ID 12867	Training	Preventive
Designate training facilities in the training plan. CC ID 16200	Training	Preventive
Include portions of the visitor control program in the training plan. CC ID 13287	Establish/Maintain Documentation	Preventive
Include ethical culture in the training plan, as necessary. CC ID 12801	Human Resources Management	Preventive
Include in scope external requirements in the training plan, as necessary. CC ID 13041	Training	Preventive
Include duties and responsibilities in the training plan, as necessary. CC ID 12800	Human Resources Management	Preventive
Conduct bespoke roles and responsibilities training, as necessary. CC ID 13192	Training	Preventive
Include risk management in the training plan, as necessary. CC ID 13040	Training	Preventive
Conduct Archives and Records Management training. CC ID 00975	Behavior	Preventive
Conduct personal data processing training. CC ID 13757	Training	Preventive
Include in personal data processing training how to provide the contact information for the categories of personal data the organization may disclose. CC ID 13758	Training	Preventive
Include the cloud service usage standard in the training plan. CC ID 13039	Training	Preventive
Establish, implement, and maintain a security awareness program. CC ID 11746	Establish/Maintain Documentation	Preventive
Establish, implement, and maintain a security awareness and training policy. CC ID 14022	Establish/Maintain Documentation	Preventive
Include compliance requirements in the security awareness and training policy. CC ID 14092	Establish/Maintain Documentation	Preventive
Include coordination amongst entities in the security awareness and training policy. CC ID 14091	Establish/Maintain Documentation	Preventive
Establish, implement, and maintain security awareness and training procedures. CC ID 14054	Establish/Maintain Documentation	Preventive
Disseminate and communicate the security awareness and training procedures to interested personnel and affected parties. CC ID 14138	Communicate	Preventive
Include management commitment in the security awareness and training policy. CC ID 14049	Establish/Maintain Documentation	Preventive
Include roles and responsibilities in the security awareness and training policy. CC ID 14048	Establish/Maintain Documentation	Preventive
Include the scope in the security awareness and training policy. CC ID 14047	Establish/Maintain Documentation	Preventive
Include the purpose in the security awareness and training policy. CC ID 14045	Establish/Maintain Documentation	Preventive
Include configuration management procedures in the security awareness program. CC ID 13967	Establish/Maintain Documentation	Preventive
Include media protection in the security awareness program. CC ID 16368	Training	Preventive
Document security awareness requirements. CC ID 12146	Establish/Maintain Documentation	Preventive
Include safeguards for information systems in the security awareness program. CC ID 13046	Establish/Maintain Documentation	Preventive
Include security policies and security standards in the security awareness program. CC ID 13045	Establish/Maintain Documentation	Preventive
Include physical security in the security awareness program. CC ID 16369	Training	Preventive
Include mobile device security guidelines in the security awareness program. CC ID 11803	Establish/Maintain Documentation	Preventive
Include updates on emerging issues in the security awareness program. CC ID 13184	Training	Preventive
Include cybersecurity in the security awareness program. CC ID 13183	Training	Preventive
Include implications of non-compliance in the security awareness program. CC ID 16425	Training	Preventive
Include the acceptable use policy in the security awareness program. CC ID 15487	Training	Preventive
Include training based on the participants' level of responsibility and access level in the security awareness program. CC ID 11802	Establish/Maintain Documentation	Preventive
Include a requirement to train all new hires and interested personnel in the security awareness program. CC ID 11800	Establish/Maintain Documentation	Preventive
Include remote access in the security awareness program. CC ID 13892	Establish/Maintain Documentation	Preventive
Document the goals of the security awareness program. CC ID 12145	Establish/Maintain Documentation	Preventive
Compare current security awareness assessment reports to the security awareness baseline. CC ID 12150	Establish/Maintain Documentation	Preventive
Establish and maintain management's commitment to supporting the security awareness program. CC ID 12151	Human Resources Management	Preventive
Establish and maintain a steering committee to guide the security awareness program. CC ID 12149	Human Resources Management	Preventive
Document the scope of the security awareness program. CC ID 12148	Establish/Maintain Documentation	Preventive
Establish, implement, and maintain a security awareness baseline. CC ID 12147	Establish/Maintain Documentation	Preventive
Encourage interested personnel to obtain security certification. CC ID 11804	Human Resources Management	Preventive
Disseminate and communicate the security awareness program to all interested personnel and affected parties. CC ID 00823 [Persons doing work under the organization's control shall be aware of: their contribution to the effectiveness of the information security management system, including the benefits of improved information security performance; and § 7.3 ¶ 1 b)]	Behavior	Preventive
Train all personnel and third parties on how to recognize and report security incidents. CC ID 01211 [Employees and contractors using the organization’s information systems and services shall be required to note and report any observed or suspected information security weaknesses in systems or services. A.16.1.3 Control]	Behavior	Preventive
Train all personnel and third parties on how to recognize and report system failures. CC ID 13475	Training	Preventive
Require personnel to acknowledge, through writing their signature, that they have read and understand the organization's security policies. CC ID 01363 [Management shall require all employees and contractors to apply information security in accordance with the established policies and procedures of the organization. A.7.2.1 Control Persons doing work under the organization's control shall be aware of: the implications of not conforming with the information security management system requirements. § 7.3 ¶ 1 c)]	Establish/Maintain Documentation	Preventive
Monitor and measure the effectiveness of security awareness. CC ID 06262	Monitor and Evaluate Occurrences	Detective
Establish, implement, and maintain an environmental management system awareness program. CC ID 15200	Establish/Maintain Documentation	Preventive
Conduct secure coding and development training for developers. CC ID 06822	Behavior	Corrective
Conduct tampering prevention training. CC ID 11875	Training	Preventive
Include the mandate to refrain from installing, refrain from replacing, and refrain from returning any asset absent verification in the tampering prevention training. CC ID 11877	Training	Preventive
Include how to identify and authenticate third parties claiming to be maintenance personnel in the tampering prevention training. CC ID 11876	Training	Preventive
Include how to report tampering and unauthorized substitution in the tampering prevention training. CC ID 11879	Training	Preventive
Include how to prevent physical tampering in the tampering prevention training. CC ID 11878	Training	Preventive
Include procedures on how to inspect devices in the tampering prevention training. CC ID 11990	Training	Preventive
Train interested personnel and affected parties to collect digital forensic evidence. CC ID 08658	Training	Preventive
Conduct crime prevention training. CC ID 06350	Behavior	Preventive
Analyze and evaluate training records to improve the training program. CC ID 06380	Monitor and Evaluate Occurrences	Detective
Establish, implement, and maintain a Code of Conduct. CC ID 04897	Establish/Maintain Documentation	Preventive
Include the information security responsibilities of the organization and the individual in the Terms and Conditions of employment. CC ID 12029 [The contractual agreements with employees and contractors shall state their and the organization’s responsibilities for information security. A.7.1.2 Control]	Human Resources Management	Preventive
Implement a sanctions process for personnel who fail to comply to the organizational compliance program. CC ID 01442 [{implement} There shall be a formal and communicated disciplinary process in place to take action against employees who have committed an information security breach. A.7.2.3 Control]	Behavior	Corrective
Notify designated personnel when a formal personnel sanctions process is initiated. CC ID 10632	Communicate	Preventive
Establish, implement, and maintain performance reviews. CC ID 14777	Business Processes	Detective
Conduct staff performance reviews, as necessary. CC ID 07205 [The organization shall: determine the necessary competence of person(s) doing work under its control that affects its information security performance; § 7.2 ¶ 1 a)]	Business Processes	Detective
Analyze the documentation produced by staff during the performance review. CC ID 07207	Establish/Maintain Documentation	Detective

Leadership and high level objectives

317

Mandated - bold Implied - italic Implementation - regular	TYPE	CLASS
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term
Leadership and high level objectives CC ID 00597	IT Impact Zone	IT Impact Zone
Establish, implement, and maintain a reporting methodology program. CC ID 02072	Business Processes	Preventive
Establish, implement, and maintain communication protocols. CC ID 12245 [{internal communications} The organization shall determine the need for internal and external communications relevant to the information security management system including: § 7.4 ¶ 1 {internal communications} The organization shall determine the need for internal and external communications relevant to the information security management system including: on what to communicate; § 7.4 ¶ 1 a) {internal communications}The organization shall determine the need for internal and external communications relevant to the information security management system including: when to communicate; § 7.4 ¶ 1 b) {internal communications} The organization shall determine the need for internal and external communications relevant to the information security management system including: with whom to communicate; § 7.4 ¶ 1 c) {internal communications} The organization shall determine the need for internal and external communications relevant to the information security management system including: who shall communicate; and § 7.4 ¶ 1 d)]	Establish/Maintain Documentation	Preventive
Use secure communication protocols for telecommunications. CC ID 16458	Business Processes	Preventive
Align the information being disseminated and communicated with the communication requirements according to the organization's communication protocol. CC ID 12419	Establish/Maintain Documentation	Preventive
Assess the effectiveness of the communication methods used in the communication protocol. CC ID 12691	Process or Activity	Detective
Include external requirements in the organization's communication protocol. CC ID 12418	Establish/Maintain Documentation	Preventive
Include disseminating and communicating events surrounding instances of desirable conduct and undesirable conduct in the communication protocols. CC ID 12824	Communicate	Preventive
Include input from interested personnel and affected parties as a part of the organization’s communication protocol. CC ID 12417	Establish/Maintain Documentation	Preventive
Establish, implement, and maintain a corrective action plan to address barriers to stakeholder engagement. CC ID 15677	Process or Activity	Preventive
Identify barriers to stakeholder engagement. CC ID 15676	Process or Activity	Preventive
Identify alternative measures for collecting stakeholder input, as necessary. CC ID 15672	Communicate	Preventive
Include disseminating and communicating conditions surrounding instances of desirable conduct and undesirable conduct in the communication protocols. CC ID 12804	Communicate	Preventive
Include methods to obtain information from interested personnel and affected parties about performance variances in the communication protocol. CC ID 12856	Process or Activity	Preventive
Include disseminating and communicating desirable conduct in the communication protocols. CC ID 12803	Communicate	Preventive
Include disseminating and communicating undesirable conduct in communication protocols. CC ID 12802	Communicate	Preventive
Route notifications, as necessary. CC ID 12832	Process or Activity	Preventive
Substantiate notifications, as necessary. CC ID 12831	Process or Activity	Preventive
Analyze the flow of information to ensure it is being received by the correct processes. CC ID 12860	Business Processes	Preventive
Prioritize notifications, as necessary. CC ID 12830	Process or Activity	Preventive
Report to management and stakeholders on the findings and information gathered from all types of inquiries. CC ID 12797	Actionable Reports or Measurements	Preventive
Disseminate and communicate internal controls with supply chain members. CC ID 12416	Communicate	Preventive
Establish and maintain the organization's survey method. CC ID 12869	Process or Activity	Preventive
Document the findings from surveys. CC ID 16309	Establish/Maintain Documentation	Preventive
Provide a consolidated view of information in the organization's survey method. CC ID 12894	Process or Activity	Preventive
Establish, implement, and maintain warning procedures that follow the organization's communication protocol. CC ID 12407	Establish/Maintain Documentation	Preventive
Establish, implement, and maintain alert procedures that follow the organization's communication protocol. CC ID 12406	Establish/Maintain Documentation	Preventive
Include the capturing and alerting of compliance violations in the notification system. CC ID 12962	Monitor and Evaluate Occurrences	Preventive
Include the capturing and alerting of unethical conduct in the notification system. CC ID 12932	Monitor and Evaluate Occurrences	Preventive
Include the capturing and alerting of performance variances in the notification system. CC ID 12929	Monitor and Evaluate Occurrences	Preventive
Include the capturing and alerting of weaknesses in the notification system. CC ID 12928	Monitor and Evaluate Occurrences	Preventive
Include the capturing and alerting of account activity in the notification system. CC ID 15314	Monitor and Evaluate Occurrences	Preventive
Analyze organizational objectives, functions, and activities. CC ID 00598 [Top management shall demonstrate leadership and commitment with respect to the information security management system by: ensuring that the information security management system achieves its intended outcome(s); § 5.1 ¶ 1 e) When planning how to achieve its information security objectives, the organization shall determine: how the results will be evaluated. § 6.2 ¶ 4 j)]	Monitor and Evaluate Occurrences	Preventive
Develop instructions for setting organizational objectives and strategies. CC ID 12931	Establish/Maintain Documentation	Preventive
Analyze the business environment in which the organization operates. CC ID 12798	Business Processes	Preventive
Identify the internal factors that may affect organizational objectives. CC ID 12957	Process or Activity	Preventive
Include key processes in the analysis of the internal business environment. CC ID 12947	Process or Activity	Preventive
Include existing information in the analysis of the internal business environment. CC ID 12943	Process or Activity	Preventive
Include resources in the analysis of the internal business environment. CC ID 12942	Process or Activity	Preventive
Include the operating plan in the analysis of the internal business environment. CC ID 12941	Process or Activity	Preventive
Include incentives in the analysis of the internal business environment. CC ID 12940	Process or Activity	Preventive
Include organizational structures in the analysis of the internal business environment. CC ID 12939	Process or Activity	Preventive
Include the strategic plan in the analysis of the internal business environment. CC ID 12937	Process or Activity	Preventive
Include strengths and weaknesses in the analysis of the internal business environment. CC ID 12936	Process or Activity	Preventive
Align assets with business functions and the business environment. CC ID 13681	Business Processes	Preventive
Disseminate and communicate the organization's business environment and place in its industry sector. CC ID 13200	Communicate	Preventive
Monitor for changes which affect organizational strategies in the internal business environment. CC ID 12863	Monitor and Evaluate Occurrences	Preventive
Monitor for changes which affect organizational objectives in the internal business environment. CC ID 12862	Monitor and Evaluate Occurrences	Preventive
Analyze the external environment in which the organization operates. CC ID 12799	Business Processes	Preventive
Identify the external forces that may affect organizational objectives. CC ID 12960	Process or Activity	Preventive
Monitor for changes which affect organizational strategies in the external environment. CC ID 12880	Monitor and Evaluate Occurrences	Preventive
Include environmental requirements in the analysis of the external environment. CC ID 12965	Business Processes	Preventive
Monitor for changes which affect organizational objectives in the external environment. CC ID 12879	Monitor and Evaluate Occurrences	Preventive
Include regulatory requirements in the analysis of the external environment. CC ID 12964	Business Processes	Preventive
Include society in the analysis of the external environment. CC ID 12963	Business Processes	Preventive
Include opportunities in the analysis of the external environment. CC ID 12954	Business Processes	Preventive
Include third party relationships in the analysis of the external environment. CC ID 12952	Business Processes	Preventive
Include industry forces in the analysis of the external environment. CC ID 12904	Business Processes	Preventive
Include threats in the analysis of the external environment. CC ID 12898	Business Processes	Preventive
Include geopolitics in the analysis of the external environment. CC ID 12897	Business Processes	Preventive
Include legal requirements in the analysis of the external environment. CC ID 12896	Business Processes	Preventive
Include technology in the analysis of the external environment. CC ID 12837	Business Processes	Preventive
Include analyzing the market in the analysis of the external environment. CC ID 12836	Business Processes	Preventive
Conduct a context analysis to define objectives and strategies. CC ID 12864	Business Processes	Preventive
Establish, implement, and maintain organizational objectives. CC ID 09959 [The organization shall establish information security objectives at relevant functions and levels. § 6.2 ¶ 1 The information security objectives shall: be consistent with the information security policy; § 6.2 ¶ 2 a) When planning how to achieve its information security objectives, the organization shall determine: when it will be completed; and § 6.2 ¶ 4 i) Top management shall demonstrate leadership and commitment with respect to the information security management system by: ensuring the information security policy and the information security objectives are established and are compatible with the strategic direction of the organization; § 5.1 ¶ 1 a) The information security objectives shall: be updated as appropriate. § 6.2 ¶ 2 e) {risk assessment result} {information security risk treatment result} The information security objectives shall: take into account applicable information security requirements, and results from risk assessment and risk treatment; § 6.2 ¶ 2 c)]	Establish/Maintain Documentation	Preventive
Evaluate organizational objectives to determine impact on other organizational objectives. CC ID 12814	Process or Activity	Preventive
Identify events that may affect organizational objectives. CC ID 12961	Process or Activity	Preventive
Identify conditions that may affect organizational objectives. CC ID 12958	Process or Activity	Preventive
Identify requirements that could affect achieving organizational objectives. CC ID 12828	Business Processes	Preventive
Identify opportunities that could affect achieving organizational objectives. CC ID 12826	Business Processes	Preventive
Prioritize organizational objectives. CC ID 09960 [When planning how to achieve its information security objectives, the organization shall determine: what will be done; § 6.2 ¶ 4 f)]	Business Processes	Preventive
Select financial reporting objectives consistent with accounting principles available to the organization. CC ID 12400	Business Processes	Preventive
Establish, implement, and maintain a value generation model. CC ID 15591	Establish/Maintain Documentation	Preventive
Disseminate and communicate the value generation model to all interested personnel and affected parties. CC ID 15607	Communicate	Preventive
Include value distribution in the value generation model. CC ID 15603	Establish/Maintain Documentation	Preventive
Include value retention in the value generation model. CC ID 15600	Establish/Maintain Documentation	Preventive
Include value generation procedures in the value generation model. CC ID 15599	Establish/Maintain Documentation	Preventive
Disseminate and communicate the value generation model to all interested personnel and affected parties. CC ID 15597	Communicate	Preventive
Establish, implement, and maintain value generation objectives. CC ID 15583	Establish/Maintain Documentation	Preventive
Establish, implement, and maintain social responsibility objectives. CC ID 15611	Establish/Maintain Documentation	Preventive
Establish and maintain a Mission, Vision, and Values Statement. CC ID 12783	Establish/Maintain Documentation	Preventive
Include the vision statement in the Mission, Vision, and Values Statement. CC ID 12839	Establish/Maintain Documentation	Preventive
Include the mission statement in the Mission, Vision, and Values Statement. CC ID 12838	Establish/Maintain Documentation	Preventive
Include management commitment in the Mission, Vision, and Values Statement. CC ID 12808	Establish/Maintain Documentation	Preventive
Include the value statement in the Mission, Vision, and Values Statement. CC ID 12807	Establish/Maintain Documentation	Preventive
Include environmental factors in the Mission, Vision, and Values Statement. CC ID 15590	Establish/Maintain Documentation	Preventive
Include societal factors in the Mission, Vision, and Values Statement. CC ID 15605	Establish/Maintain Documentation	Preventive
Include stakeholder requirements in the Mission, Vision, and Values Statement. CC ID 15586	Establish/Maintain Documentation	Preventive
Disseminate and communicate the Mission, Vision, and Values Statement to all interested personnel and affected parties. CC ID 15585	Communicate	Preventive
Disseminate and communicate organizational objectives to all interested personnel and affected parties. CC ID 13191 [The information security objectives shall: be communicated; and § 6.2 ¶ 2 d)]	Communicate	Preventive
Document and communicate the linkage between organizational objectives, functions, activities, and general controls. CC ID 12398	Establish/Maintain Documentation	Preventive
Identify threats that could affect achieving organizational objectives. CC ID 12827	Business Processes	Preventive
Identify how opportunities, threats, and external requirements are trending. CC ID 12829	Process or Activity	Preventive
Identify relationships between opportunities, threats, and external requirements. CC ID 12805	Process or Activity	Preventive
Review the organization's approach to managing information security, as necessary. CC ID 12005 [The organization’s approach to managing information security and Independent review of its implementation (i.e. control objectives, controls, policies, processes and procedures for information security) shall be reviewed independently at planned intervals or when significant changes occur. A.18.2.1 Control The organization shall plan, implement and control the processes needed to meet information security requirements, and to implement the actions determined in 6.1. The organization shall also implement plans to achieve information security objectives determined in 6.2. § 8.1 ¶ 1]	Business Processes	Preventive
Identify all interested personnel and affected parties. CC ID 12845 [The organization shall determine: {relevant interested parties} interested parties that are relevant to the information security management system; and § 4.2 ¶ 1 a)]	Process or Activity	Detective
Establish, implement, and maintain criteria for grouping stakeholders. CC ID 15584	Process or Activity	Preventive
Analyze and prioritize the requirements of interested personnel and affected parties. CC ID 12796 [The organization shall determine: the requirements of these interested parties relevant to information security. § 4.2 ¶ 1 b)]	Business Processes	Preventive
Establish, implement, and maintain data governance and management practices. CC ID 14998	Establish/Maintain Documentation	Preventive
Address shortcomings of the data sets in the data governance and management practices. CC ID 15087	Establish/Maintain Documentation	Preventive
Include any shortcomings of the data sets in the data governance and management practices. CC ID 15086	Establish/Maintain Documentation	Preventive
Include bias for data sets in the data governance and management practices. CC ID 15085	Establish/Maintain Documentation	Preventive
Include a data strategy in the data governance and management practices. CC ID 15304	Establish/Maintain Documentation	Preventive
Include data monitoring in the data governance and management practices. CC ID 15303	Establish/Maintain Documentation	Preventive
Include an assessment of the data sets in the data governance and management practices. CC ID 15084	Establish/Maintain Documentation	Preventive
Include assumptions for the formulation of data sets in the data governance and management practices. CC ID 15083	Establish/Maintain Documentation	Preventive
Include data collection for data sets in the data governance and management practices. CC ID 15082	Establish/Maintain Documentation	Preventive
Include data preparations for data sets in the data governance and management practices. CC ID 15081	Establish/Maintain Documentation	Preventive
Include design choices for data sets in the data governance and management practices. CC ID 15080	Establish/Maintain Documentation	Preventive
Establish, implement, and maintain an information classification standard. CC ID 00601	Establish/Maintain Documentation	Preventive
Take into account the accessibility to and location of the data or information when establishing information impact levels. CC ID 04787	Data and Information Management	Preventive
Take into account the organization's obligation to protect data or information when establishing information impact levels. CC ID 04786	Data and Information Management	Preventive
Take into account the context of use for data or information when establishing information impact levels. CC ID 04785	Data and Information Management	Preventive
Take into account the potential aggregation of restricted data fields when establishing information impact levels. CC ID 04784	Data and Information Management	Preventive
Classify the sensitivity to unauthorized disclosure or modification of information in the information classification standard. CC ID 11997 [Information shall be classified in terms of legal requirements, value, criticality and sensitivity to unauthorised disclosure or modification. A.8.2.1 Control]	Data and Information Management	Preventive
Take into account the distinguishability factor when establishing information impact levels. CC ID 04783	Data and Information Management	Preventive
Classify the criticality to unauthorized disclosure or modification of information in the information classification standard. CC ID 11996 [Information shall be classified in terms of legal requirements, value, criticality and sensitivity to unauthorised disclosure or modification. A.8.2.1 Control]	Data and Information Management	Preventive
Classify the value of information in the information classification standard. CC ID 11995 [Information shall be classified in terms of legal requirements, value, criticality and sensitivity to unauthorised disclosure or modification. A.8.2.1 Control]	Data and Information Management	Preventive
Classify the legal requirements of information in the information classification standard. CC ID 11994 [Information shall be classified in terms of legal requirements, value, criticality and sensitivity to unauthorised disclosure or modification. A.8.2.1 Control]	Data and Information Management	Preventive
Establish, implement, and maintain a data classification scheme. CC ID 11628	Establish/Maintain Documentation	Preventive
Take into account the characteristics of the geographical, behavioural and functional setting for all datasets. CC ID 15046	Data and Information Management	Preventive
Approve the data classification scheme. CC ID 13858	Establish/Maintain Documentation	Detective
Establish and maintain an organizational data dictionary, including data syntax rules. CC ID 00600	Establish/Maintain Documentation	Preventive
Refrain from including metadata in the data dictionary. CC ID 13529	Establish/Maintain Documentation	Preventive
Refrain from allowing incompatible data elements in the data dictionary. CC ID 13624	Establish/Maintain Documentation	Preventive
Include information needed to understand each data element and population in the data dictionary. CC ID 13528	Establish/Maintain Documentation	Preventive
Ensure the data dictionary is complete and accurate. CC ID 13527	Investigate	Detective
Include the factors to determine what is included or excluded from the data element in the data dictionary. CC ID 13525	Establish/Maintain Documentation	Preventive
Include the date or time period the data was observed in the data dictionary. CC ID 13524	Establish/Maintain Documentation	Preventive
Include the uncertainty in the population of each data element in the data dictionary. CC ID 13522	Establish/Maintain Documentation	Preventive
Include the uncertainty of each data element in the data dictionary. CC ID 13521	Establish/Maintain Documentation	Preventive
Include the measurement units for each data element in the data dictionary. CC ID 13534	Establish/Maintain Documentation	Preventive
Include the precision of the measurement in the data dictionary. CC ID 13520	Establish/Maintain Documentation	Preventive
Include the data source in the data dictionary. CC ID 13519	Establish/Maintain Documentation	Preventive
Include the nature of each element in the data dictionary. CC ID 13518	Establish/Maintain Documentation	Preventive
Include the population of events or instances in the data dictionary. CC ID 13517	Establish/Maintain Documentation	Preventive
Disseminate and communicate the data dictionary to interested personnel and affected parties. CC ID 13516	Communicate	Preventive
Establish, implement, and maintain an Information and Infrastructure Architecture model. CC ID 00599	Establish/Maintain Documentation	Preventive
Establish, implement, and maintain sustainable infrastructure planning. CC ID 00603	Establish/Maintain Documentation	Preventive
Take into account the need for protecting information confidentiality during infrastructure planning. CC ID 06486	Behavior	Preventive
Establish, implement, and maintain an organizational structure. CC ID 16310	Establish/Maintain Documentation	Preventive
Monitor regulatory trends to maintain compliance. CC ID 00604	Monitor and Evaluate Occurrences	Detective
Monitor for new Information Security solutions. CC ID 07078	Monitor and Evaluate Occurrences	Detective
Subscribe to a threat intelligence service to receive notification of emerging threats. CC ID 12135	Technical Security	Detective
Disseminate and communicate emerging threats to all interested personnel and affected parties. CC ID 12185	Communicate	Preventive
Disseminate and communicate updated guidance documentation to interested personnel and affected parties upon discovery of a new threat. CC ID 12191	Communicate	Corrective
Establish, implement, and maintain a Quality Management framework. CC ID 07196	Establish/Maintain Documentation	Preventive
Include supply chain management standards in the Quality Management framework. CC ID 13701	Establish/Maintain Documentation	Preventive
Establish, implement, and maintain a Quality Management policy. CC ID 13694	Establish/Maintain Documentation	Preventive
Include a commitment to satisfy applicable requirements in the Quality Management policy. CC ID 13700	Establish/Maintain Documentation	Preventive
Tailor the Quality Management policy to support the organization's strategic direction. CC ID 13699	Establish/Maintain Documentation	Preventive
Include a commitment to continual improvement of the Quality Management system in the Quality Management policy. CC ID 13698	Establish/Maintain Documentation	Preventive
Include critical Information Technology processes in the Quality Management framework. CC ID 13645	Establish/Maintain Documentation	Preventive
Disseminate and communicate the Quality Management policy to all interested personnel and affected parties. CC ID 13695	Communicate	Preventive
Disseminate and communicate the Quality Management framework to all stakeholders. CC ID 13680	Communicate	Preventive
Align the quality objectives with the Quality Management policy. CC ID 13697	Establish/Maintain Documentation	Preventive
Establish, implement, and maintain a Quality Management standard. CC ID 01006	Establish/Maintain Documentation	Preventive
Document the measurements used by Quality Assurance and Quality Control testing. CC ID 07200	Establish/Maintain Documentation	Preventive
Enforce a continuous Quality Control system. CC ID 01005	Business Processes	Detective
Conduct Quality Control to ensure adherence to Information Technology policies, standards, and procedures. CC ID 01008	Testing	Detective
Establish, implement, and maintain a Quality Management program. CC ID 07201	Establish/Maintain Documentation	Preventive
Notify affected parties and interested personnel of quality management system approvals that have been refused, suspended, or withdrawn. CC ID 15045	Communicate	Preventive
Notify affected parties and interested personnel of quality management system approvals that have been issued. CC ID 15036	Communicate	Preventive
Correct errors and deficiencies in a timely manner. CC ID 13501	Business Processes	Corrective
Include quality objectives in the Quality Management program. CC ID 13693	Establish/Maintain Documentation	Preventive
Include records management in the quality management system. CC ID 15055	Establish/Maintain Documentation	Preventive
Include risk management in the quality management system. CC ID 15054	Establish/Maintain Documentation	Preventive
Include data management procedures in the quality management system. CC ID 15052	Establish/Maintain Documentation	Preventive
Include a post-market monitoring system in the quality management system. CC ID 15027	Establish/Maintain Documentation	Preventive
Include operational roles and responsibilities in the quality management system. CC ID 15028	Establish/Maintain Documentation	Preventive
Include quality gates and testing milestones in the Quality Management program. CC ID 06825	Systems Design, Build, and Implementation	Preventive
Include resource management in the quality management system. CC ID 15026	Establish/Maintain Documentation	Preventive
Include communication protocols in the quality management system. CC ID 15025	Establish/Maintain Documentation	Preventive
Include incident reporting procedures in the quality management system. CC ID 15023	Establish/Maintain Documentation	Preventive
Include technical specifications in the quality management system. CC ID 15021	Establish/Maintain Documentation	Preventive
Document the deficiencies in a deficiency report that were found during Quality Control and corrected during Quality Improvement. CC ID 07203	Establish/Maintain Documentation	Preventive
Include program documentation standards in the Quality Management program. CC ID 01016	Establish/Maintain Documentation	Preventive
Establish and maintain time frames for correcting deficiencies found during Quality Control. CC ID 07206	Business Processes	Detective
Include program testing standards in the Quality Management program. CC ID 01017	Establish/Maintain Documentation	Preventive
Review and analyze any quality improvement goals that were missed. CC ID 07204	Business Processes	Detective
Include system testing standards in the Quality Management program. CC ID 01018	Establish/Maintain Documentation	Preventive
Include an issue tracking system in the Quality Management program. CC ID 06824	Systems Design, Build, and Implementation	Preventive
Establish and maintain the scope of the organizational compliance framework and Information Assurance controls. CC ID 01241 [{information security management system} The scope shall be available as documented information. § 4.3 ¶ 3 The organization shall determine the boundaries and applicability of the information security management system to establish its scope. § 4.3 ¶ 1 When determining this scope, the organization shall consider: the external and internal issues referred to in 4.1; § 4.3 ¶ 2 a) When determining this scope, the organization shall consider: the requirements referred to in 4.2; and § 4.3 ¶ 2 b) When determining this scope, the organization shall consider: interfaces and dependencies between activities performed by the organization, and those that are performed by other organizations. § 4.3 ¶ 2 c)]	Establish/Maintain Documentation	Preventive
Define the scope of the security policy. CC ID 07145	Data and Information Management	Preventive
Identify roles, tasks, information, systems, and assets that fall under the organization's mandated Authority Documents. CC ID 00688 [Assets associated with information and information processing facilities shall be identified and an inventory of these assets shall be drawn up and maintained. A.8.1.1 Control The organization shall determine external and internal issues that are relevant to its purpose and that affect its ability to achieve the intended outcome(s) of its information security management system. § 4.1 ¶ 1 All relevant legislative statutory, regulatory, contractual requirements and the organization’s approach to meet these requirements shall be explicitly identified, documented and kept up to date for each information system and the organization. A.18.1.1 Control]	Business Processes	Preventive
Establish and maintain an Information Systems Assurance Categories Definitions document. CC ID 01608	Establish/Maintain Documentation	Preventive
Correlate Information Systems with applicable controls. CC ID 01621	Establish/Maintain Documentation	Preventive
Establish, implement, and maintain a policy and procedure management program. CC ID 06285 [The organization shall plan, implement and control the processes needed to meet information security requirements, and to implement the actions determined in 6.1. The organization shall also implement plans to achieve information security objectives determined in 6.2. § 8.1 ¶ 1 Documented information required by the information security management system and by this International Standard shall be controlled to ensure: § 7.5.3 ¶ 1]	Establish/Maintain Documentation	Preventive
Include requirements in the organization’s policies, standards, and procedures. CC ID 12956 [{integrate} Top management shall demonstrate leadership and commitment with respect to the information security management system by: ensuring the integration of the information security management system requirements into the organization's processes; § 5.1 ¶ 1 b)]	Establish/Maintain Documentation	Preventive
Include the effective date on all organizational policies. CC ID 06820	Establish/Maintain Documentation	Preventive
Include threats in the organization’s policies, standards, and procedures. CC ID 12953	Establish/Maintain Documentation	Preventive
Analyze organizational policies, as necessary. CC ID 14037	Establish/Maintain Documentation	Detective
Assess the impact of changes to organizational policies, standards, and procedures, as necessary. CC ID 14824	Business Processes	Preventive
Include opportunities in the organization’s policies, standards, and procedures. CC ID 12945	Establish/Maintain Documentation	Preventive
Establish and maintain an Authority Document list. CC ID 07113 [All relevant legislative statutory, regulatory, contractual requirements and the organization’s approach to meet these requirements shall be explicitly identified, documented and kept up to date for each information system and the organization. A.18.1.1 Control]	Establish/Maintain Documentation	Preventive
Map in scope assets and in scope records to external requirements. CC ID 12189	Establish/Maintain Documentation	Detective
Document organizational procedures that harmonize external requirements, including all legal requirements. CC ID 00623	Establish/Maintain Documentation	Preventive
Establish, implement, and maintain full documentation of all policies, standards, and procedures that support the organization's compliance framework. CC ID 01636 [For the control of documented information, the organization shall address the following activities, as applicable: distribution, access, retrieval and use; § 7.5.3 ¶ 2 c)]	Establish/Maintain Documentation	Preventive
Disseminate and communicate the organization’s policies, standards, and procedures to all interested personnel and affected parties. CC ID 12901 [Documented information required by the information security management system and by this International Standard shall be controlled to ensure: it is available and suitable for use, where and when it is needed; and § 7.5.3 ¶ 1 a)]	Communicate	Preventive
Disseminate and communicate the list of Authority Documents that support the organization's compliance framework to interested personnel and affected parties. CC ID 01312	Establish/Maintain Documentation	Preventive
Classify controls according to their preventive, detective, or corrective status. CC ID 06436	Establish/Maintain Documentation	Preventive
Publish, disseminate, and communicate a Statement on Internal Control, as necessary. CC ID 06727	Establish/Maintain Documentation	Preventive
Include signatures of c-level executives in the Statement on Internal Control. CC ID 14778	Establish/Maintain Documentation	Preventive
Include management's assertions on the effectiveness of internal control in the Statement on Internal Control. CC ID 14771	Establish/Maintain Documentation	Corrective
Include confirmation of any significant weaknesses in the Statement on Internal Control. CC ID 06861	Establish/Maintain Documentation	Preventive
Include roles and responsibilities in the Statement on Internal Control CC ID 14774	Establish/Maintain Documentation	Preventive
Include an assurance statement regarding the counterterror protective security plan in the Statement on Internal Control. CC ID 06866	Establish/Maintain Documentation	Preventive
Include limitations of internal control systems in the Statement on Internal Control. CC ID 14773	Establish/Maintain Documentation	Preventive
Include a description of the methodology used to evaluate internal controls in the Statement on Internal Control. CC ID 14772	Establish/Maintain Documentation	Preventive
Include the counterterror protective security plan test results in the Statement on Internal Control. CC ID 06867	Establish/Maintain Documentation	Detective
Assign legislative body jurisdiction to the organization's assets, as necessary. CC ID 06956	Establish Roles	Preventive
Approve all compliance documents. CC ID 06286	Establish/Maintain Documentation	Preventive
Align the Authority Document list with external requirements. CC ID 06288	Establish/Maintain Documentation	Preventive
Assign the appropriate roles to all applicable compliance documents. CC ID 06284	Establish Roles	Preventive
Identify and document the Designated Approval Authority for compliance documents. CC ID 07114	Establish/Maintain Documentation	Preventive
Establish, implement, and maintain a compliance exception standard. CC ID 01628	Establish/Maintain Documentation	Preventive
Include the authority for granting exemptions in the compliance exception standard. CC ID 14329	Establish/Maintain Documentation	Preventive
Include all compliance exceptions in the compliance exception standard. CC ID 01630	Establish/Maintain Documentation	Detective
Include explanations, compensating controls, or risk acceptance in the compliance exceptions Exceptions document. CC ID 01631	Establish/Maintain Documentation	Preventive
Review the compliance exceptions in the exceptions document, as necessary. CC ID 01632	Business Processes	Preventive
Include when exemptions expire in the compliance exception standard. CC ID 14330	Establish/Maintain Documentation	Preventive
Assign the approval of compliance exceptions to the appropriate roles inside the organization. CC ID 06443	Establish Roles	Preventive
Include management of the exemption register in the compliance exception standard. CC ID 14328	Establish/Maintain Documentation	Preventive
Disseminate and communicate compliance documents to all interested personnel and affected parties. CC ID 06282	Behavior	Preventive
Disseminate and communicate any compliance document changes when the documents are updated to interested personnel and affected parties. CC ID 06283	Behavior	Preventive
Estimate the costs of implementing the compliance framework. CC ID 07191	Business Processes	Preventive
Define the Information Assurance strategic roles and responsibilities. CC ID 00608	Establish Roles	Preventive
Establish and maintain a compliance oversight committee. CC ID 00765	Establish Roles	Detective
Address Information Security during the business planning processes. CC ID 06495 [Information security shall be addressed in project management, regardless of the type of the project. A.6.1.5 Control Top management shall demonstrate leadership and commitment with respect to the information security management system by: ensuring the information security policy and the information security objectives are established and are compatible with the strategic direction of the organization; § 5.1 ¶ 1 a)]	Data and Information Management	Preventive
Document the requirements of stakeholders during the business planning process regarding Information Security. CC ID 06498	Establish/Maintain Documentation	Preventive
Establish, implement, and maintain a strategic plan. CC ID 12784 [Top management shall demonstrate leadership and commitment with respect to the information security management system by: ensuring the information security policy and the information security objectives are established and are compatible with the strategic direction of the organization; § 5.1 ¶ 1 a)]	Establish/Maintain Documentation	Preventive
Determine progress toward the objectives of the strategic plan. CC ID 12944	Process or Activity	Preventive
Include acting with integrity in the strategic plan. CC ID 12870	Establish/Maintain Documentation	Preventive
Disseminate and communicate the strategic plan to all interested personnel and affected parties. CC ID 15592	Communicate	Preventive
Include the outsource partners in the strategic plan, as necessary. CC ID 13960	Establish/Maintain Documentation	Preventive
Align the cybersecurity program strategy with the organization's strategic plan. CC ID 14322	Establish/Maintain Documentation	Preventive
Establish, implement, and maintain a planning policy. CC ID 14673	Establish/Maintain Documentation	Preventive
Establish, implement, and maintain planning procedures. CC ID 14698	Establish/Maintain Documentation	Preventive
Disseminate and communicate the planning procedures to interested personnel and affected parties. CC ID 14704	Communicate	Preventive
Disseminate and communicate the planning policy to interested personnel and affected parties. CC ID 14691	Communicate	Preventive
Include compliance requirements in the planning policy. CC ID 14688	Establish/Maintain Documentation	Preventive
Include coordination amongst entities in the planning policy. CC ID 14687	Establish/Maintain Documentation	Preventive
Include management commitment in the planning policy. CC ID 14686	Establish/Maintain Documentation	Preventive
Include roles and responsibilities in the planning policy. CC ID 14685	Establish/Maintain Documentation	Preventive
Include the scope in the planning policy. CC ID 14684	Establish/Maintain Documentation	Preventive
Include the purpose in the planning policy. CC ID 14683	Establish/Maintain Documentation	Preventive
Establish, implement, and maintain a security planning policy. CC ID 14027	Establish/Maintain Documentation	Preventive
Include compliance requirements in the security planning policy. CC ID 14131	Establish/Maintain Documentation	Preventive
Include coordination amongst entities in the security planning policy. CC ID 14130	Establish/Maintain Documentation	Preventive
Include management commitment in the security planning policy. CC ID 14129	Establish/Maintain Documentation	Preventive
Include roles and responsibilities in the security planning policy. CC ID 14128	Establish/Maintain Documentation	Preventive
Include the scope in the security planning policy. CC ID 14127	Establish/Maintain Documentation	Preventive
Include the purpose in the security planning policy. CC ID 14126	Establish/Maintain Documentation	Preventive
Disseminate and communicate the security planning policy to interested personnel and affected parties. CC ID 14125	Communicate	Preventive
Establish, implement, and maintain security planning procedures. CC ID 14060	Establish/Maintain Documentation	Preventive
Disseminate and communicate the security planning procedures to interested personnel and affected parties. CC ID 14135	Communicate	Preventive
Establish, implement, and maintain a decision management strategy. CC ID 06913	Establish/Maintain Documentation	Preventive
Align the reporting methodology with the decision management strategy. CC ID 15659	Business Processes	Preventive
Include an economic impact analysis in the decision management strategy. CC ID 14015	Establish/Maintain Documentation	Preventive
Include cost benefit analysis in the decision management strategy. CC ID 14014	Establish/Maintain Documentation	Preventive
Include criteria for compliance in the decision making criteria. CC ID 12951	Establish/Maintain Documentation	Preventive
Include criteria for risk tolerance in the decision making criteria. CC ID 12950	Establish/Maintain Documentation	Preventive
Include criteria for selecting objectives and strategies in the decision making criteria. CC ID 12949	Establish/Maintain Documentation	Preventive
Include criteria for setting priorities in the decision making criteria. CC ID 12938	Establish/Maintain Documentation	Preventive
Align organizational objectives with compliance objectives in the decision-making criteria. CC ID 12847	Process or Activity	Preventive
Align organizational objectives with performance targets in the decision-making criteria. CC ID 12843	Process or Activity	Preventive
Align organizational objectives with the acceptable residual risk in the decision-making criteria. CC ID 12841	Process or Activity	Preventive
Identify and document the events that initiate the decision management strategy. CC ID 06914	Establish/Maintain Documentation	Detective
Create additional decision-making criteria to achieve organizational objectives, as necessary. CC ID 12948	Process or Activity	Preventive
Involve knowledgeable and experienced individuals in the decision-making process. CC ID 06915	Behavior	Preventive
Take actions in accordance with the decision-making criteria. CC ID 12909	Process or Activity	Preventive
Document and evaluate the decision outcomes from the decision-making process. CC ID 06918	Establish/Maintain Documentation	Preventive
Disseminate and communicate the decision management strategy to all interested personnel and affected parties. CC ID 13991	Communicate	Preventive
Establish, implement, and maintain an information technology process framework. CC ID 13648	Establish/Maintain Documentation	Preventive
Include maturity models in the Information Technology process framework. CC ID 13652	Establish/Maintain Documentation	Preventive
Include relationships between Information Technology process structures in the Information Technology process framework. CC ID 13651	Establish/Maintain Documentation	Preventive
Include Information Technology process structures in the Information Technology process framework. CC ID 13650	Establish/Maintain Documentation	Preventive
Establish, implement, and maintain a tactical plan. CC ID 12785	Establish/Maintain Documentation	Preventive
Include acting with integrity in the tactical plan. CC ID 12871	Establish/Maintain Documentation	Preventive
Establish, implement, and maintain a Strategic Information Technology Plan. CC ID 00628	Establish/Maintain Documentation	Preventive
Include business continuity objectives in the Strategic Information Technology Plan. CC ID 06496	Establish/Maintain Documentation	Preventive
Align business continuity objectives with the business continuity policy. CC ID 12408	Establish/Maintain Documentation	Preventive
Use a risk-based approach to adapt the Strategic Information Technology Plan to the business's needs. CC ID 00631	Business Processes	Corrective
Mirror the organization's business strategy during Information Technology planning in the Strategic Information Technology Plan. CC ID 00630	Business Processes	Preventive
Incorporate protecting restricted information from unauthorized information flow or unauthorized disclosure into the Strategic Information Technology Plan. CC ID 06491	Establish/Maintain Documentation	Preventive
Include the references to the organization's Information Technology systems in the Strategic Information Technology Plan, as necessary. CC ID 13959	Establish/Maintain Documentation	Preventive
Establish, implement, and maintain tactical Information Technology plans in support of the Strategic Information Technology Plan. CC ID 00632	Establish/Maintain Documentation	Preventive
Establish, implement, and maintain tactical Information Technology plans derived from the Strategic Information Technology Plan. CC ID 01609	Establish/Maintain Documentation	Preventive
Document how each Information Technology project plan directly or indirectly supports the Strategic Information Technology Plan. CC ID 06497	Establish/Maintain Documentation	Preventive
Document the business case and return on investment in each Information Technology project plan. CC ID 06846	Establish/Maintain Documentation	Preventive
Escalate for management authorization any proposed projects where effective use of existing resources is overlooked. CC ID 06848	Business Processes	Preventive
Document all desired outcomes for a proposed project in the Information Technology project plan. CC ID 06916	Establish/Maintain Documentation	Preventive
Document the success criteria for the proposed project in the Information Technology project plan. CC ID 06917	Establish/Maintain Documentation	Preventive
Assign senior management to approve business cases. CC ID 13068	Human Resources Management	Preventive
Include milestones for each project phase in the Information Technology project plan. CC ID 12621	Establish/Maintain Documentation	Preventive
Document lessons learned at the conclusion of each Information Technology project. CC ID 13654	Establish/Maintain Documentation	Corrective
Establish, implement, and maintain a counterterror protective security plan. CC ID 06862	Establish/Maintain Documentation	Preventive
Include communications and awareness activities in the counterterror protective security plan. CC ID 06863	Establish/Maintain Documentation	Preventive
Include the protective security measures to implement after a change in the government response level in the counterterror protective security plan. CC ID 06864	Establish/Maintain Documentation	Preventive
Include a search plan in the counterterror protective security plan. CC ID 06865	Establish/Maintain Documentation	Preventive
Include an evacuation plan in the counterterror protective security plan. CC ID 06940	Establish/Maintain Documentation	Preventive
Include a continuity plan in the counterterror protective security plan. CC ID 07031	Establish/Maintain Documentation	Preventive
Establish, implement, and maintain Information Technology projects in support of the Strategic Information Technology Plan. CC ID 13673	Establish/Maintain Documentation	Preventive
Disseminate and communicate the Information Technology Plans to all interested personnel and affected parties. CC ID 00633	Establish/Maintain Documentation	Preventive
Monitor and evaluate the implementation and effectiveness of Information Technology Plans. CC ID 00634	Monitor and Evaluate Occurrences	Detective
Establish and maintain an Information Technology plan status report that covers both Strategic Information Technology Plans and tactical Information Technology plans CC ID 06839	Actionable Reports or Measurements	Preventive
Include key personnel status changes in the Information Technology Plan status reports. CC ID 06840	Actionable Reports or Measurements	Preventive
Include significant security risks in the Information Technology Plan status reports. CC ID 06939	Actionable Reports or Measurements	Preventive
Include significant risk mitigations in the Information Technology Plan status reports. CC ID 06841	Actionable Reports or Measurements	Preventive
Establish, implement, and maintain a Capital Planning and Investment Control policy. CC ID 06279	Establish/Maintain Documentation	Preventive
Include the Information Governance Plan in the Strategic Information Technology Plan. CC ID 10053	Establish/Maintain Documentation	Preventive
Engage information governance subject matter experts in the development of the Information Governance Plan. CC ID 10055	Human Resources Management	Preventive
Include the transparency goals in the Information Governance Plan. CC ID 10056	Establish/Maintain Documentation	Preventive
Include the information integrity goals in the Information Governance Plan. CC ID 10057	Establish/Maintain Documentation	Preventive
Review and approve the Strategic Information Technology Plan at the level of senior management or the Board of Directors. CC ID 13094	Human Resources Management	Preventive
Establish, implement, and maintain a Governance, Risk, and Compliance awareness and training program. CC ID 06492	Business Processes	Preventive
Establish and maintain a rapport with business and technical communities throughout the organization to promote the value and importance of Information Security. CC ID 06493 [Top management shall demonstrate leadership and commitment with respect to the information security management system by: supporting other relevant management roles to demonstrate their leadership as it applies to their areas of responsibility. § 5.1 ¶ 1 h)]	Behavior	Preventive

Monitoring and measurement

322

Mandated - bold Implied - italic Implementation - regular	TYPE	CLASS
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term
Monitoring and measurement CC ID 00636	IT Impact Zone	IT Impact Zone
Establish, implement, and maintain logging and monitoring operations. CC ID 00637 [Event logs recording user activities, exceptions, faults and information security events shall be produced, kept and regularly reviewed. A.12.4.1 Control]	Log Management	Detective
Establish, implement, and maintain an audit and accountability policy. CC ID 14035	Establish/Maintain Documentation	Preventive
Include compliance requirements in the audit and accountability policy. CC ID 14103	Establish/Maintain Documentation	Preventive
Include coordination amongst entities in the audit and accountability policy. CC ID 14102	Establish/Maintain Documentation	Preventive
Include the purpose in the audit and accountability policy. CC ID 14100	Establish/Maintain Documentation	Preventive
Include roles and responsibilities in the audit and accountability policy. CC ID 14098	Establish/Maintain Documentation	Preventive
Include management commitment in the audit and accountability policy. CC ID 14097	Establish/Maintain Documentation	Preventive
Include the scope in the audit and accountability policy. CC ID 14096	Establish/Maintain Documentation	Preventive
Disseminate and communicate the audit and accountability policy to interested personnel and affected parties. CC ID 14095	Communicate	Preventive
Establish, implement, and maintain audit and accountability procedures. CC ID 14057	Establish/Maintain Documentation	Preventive
Disseminate and communicate the audit and accountability procedures to interested personnel and affected parties. CC ID 14137	Communicate	Preventive
Enable monitoring and logging operations on all assets that meet the organizational criteria to maintain event logs. CC ID 06312 [Event logs recording user activities, exceptions, faults and information security events shall be produced, kept and regularly reviewed. A.12.4.1 Control]	Log Management	Preventive
Review and approve the use of continuous security management systems. CC ID 13181	Process or Activity	Preventive
Protect continuous security management systems from unauthorized use. CC ID 13097	Configuration	Preventive
Monitor and evaluate system telemetry data. CC ID 14929	Actionable Reports or Measurements	Detective
Establish, implement, and maintain an intrusion detection and prevention program. CC ID 15211	Establish/Maintain Documentation	Preventive
Establish, implement, and maintain intrusion management operations. CC ID 00580	Monitor and Evaluate Occurrences	Preventive
Establish, implement, and maintain an intrusion detection and prevention policy. CC ID 15169	Establish/Maintain Documentation	Preventive
Install and maintain an Intrusion Detection System and/or Intrusion Prevention System. CC ID 00581	Configuration	Preventive
Protect each person's right to privacy and civil liberties during intrusion management operations. CC ID 10035	Behavior	Preventive
Do not intercept communications of any kind when providing a service to clients. CC ID 09985	Behavior	Preventive
Determine if honeypots should be installed, and if so, where the honeypots should be placed. CC ID 00582	Technical Security	Detective
Monitor systems for inappropriate usage and other security violations. CC ID 00585	Monitor and Evaluate Occurrences	Detective
Monitor systems for blended attacks and multiple component incidents. CC ID 01225	Monitor and Evaluate Occurrences	Detective
Monitor systems for Denial of Service attacks. CC ID 01222	Monitor and Evaluate Occurrences	Detective
Monitor systems for unauthorized data transfers. CC ID 12971	Monitor and Evaluate Occurrences	Preventive
Address operational anomalies within the incident management system. CC ID 11633	Audits and Risk Management	Preventive
Monitor systems for access to restricted data or restricted information. CC ID 04721	Monitor and Evaluate Occurrences	Detective
Assign roles and responsibilities for overseeing access to restricted data or restricted information. CC ID 11950	Human Resources Management	Detective
Detect unauthorized access to systems. CC ID 06798	Monitor and Evaluate Occurrences	Detective
Incorporate potential red flags into the organization's incident management system. CC ID 04652	Monitor and Evaluate Occurrences	Detective
Incorporate an Identity Theft Prevention Program into the organization's incident management system. CC ID 11634	Audits and Risk Management	Preventive
Alert interested personnel when suspicious activity is detected by an Intrusion Detection System or Intrusion Prevention System. CC ID 06430	Monitor and Evaluate Occurrences	Detective
Alert interested personnel and affected parties when an incident causes an outage. CC ID 06808	Monitor and Evaluate Occurrences	Detective
Monitor systems for unauthorized mobile code. CC ID 10034	Monitor and Evaluate Occurrences	Preventive
Update the intrusion detection capabilities and the incident response capabilities regularly. CC ID 04653	Technical Security	Preventive
Implement honeyclients to proactively seek for malicious websites and malicious code. CC ID 10658	Technical Security	Preventive
Implement detonation chambers, where appropriate. CC ID 10670	Technical Security	Preventive
Define and assign log management roles and responsibilities. CC ID 06311 [{monitoring and measurement result} The organization shall determine: who shall analyse and evaluate these results. § 9.1 ¶ 2 f)]	Establish Roles	Preventive
Document and communicate the log locations to the owning entity. CC ID 12047	Log Management	Preventive
Make logs available for review by the owning entity. CC ID 12046	Log Management	Preventive
Operationalize key monitoring and logging concepts to ensure the audit trails capture sufficient information. CC ID 00638	Log Management	Detective
Establish, implement, and maintain an event logging policy. CC ID 15217	Establish/Maintain Documentation	Preventive
Establish, implement, and maintain event logging procedures. CC ID 01335	Log Management	Detective
Include the system components that generate audit records in the event logging procedures. CC ID 16426	Data and Information Management	Preventive
Include a standard to collect and interpret event logs in the event logging procedures. CC ID 00643 [The organization shall determine: when the results from monitoring and measurement shall be analysed and evaluated; and § 9.1 ¶ 2 e)]	Log Management	Preventive
Protect the event logs from failure. CC ID 06290	Log Management	Preventive
Overwrite the oldest records when audit logging fails. CC ID 14308	Data and Information Management	Preventive
Supply each in scope asset with audit reduction tool and report generation capabilities to support after-the-fact investigations without altering the event logs. CC ID 01427	Testing	Preventive
Provide predefined suspicious activity reports for suspicious activity discovered in the event log. CC ID 06774	Establish/Maintain Documentation	Corrective
Compile the event logs of multiple components into a system-wide time-correlated audit trail. CC ID 01424	Audits and Risk Management	Preventive
Review and update event logs and audit logs, as necessary. CC ID 00596 [Event logs recording user activities, exceptions, faults and information security events shall be produced, kept and regularly reviewed. A.12.4.1 Control System administrator and system operator activities shall be logged and the logs protected and regularly reviewed. A.12.4.3 Control]	Log Management	Detective
Eliminate false positives in event logs and audit logs. CC ID 07047	Log Management	Corrective
Correlate log entries to security controls to verify the security control's effectiveness. CC ID 13207	Log Management	Detective
Identify cybersecurity events in event logs and audit logs. CC ID 13206	Technical Security	Detective
Follow up exceptions and anomalies identified when reviewing logs. CC ID 11925	Investigate	Corrective
Reproduce the event log if a log failure is captured. CC ID 01426	Log Management	Preventive
Document the event information to be logged in the event information log specification. CC ID 00639	Configuration	Preventive
Enable logging for all systems that meet a traceability criteria. CC ID 00640	Log Management	Detective
Enable the logging capability to capture enough information to ensure the system is functioning according to its intended purpose throughout its life cycle. CC ID 15001	Configuration	Preventive
Enable and configure logging on all network access controls. CC ID 01963	Configuration	Preventive
Analyze firewall logs for the correct capturing of data. CC ID 00549	Log Management	Detective
Synchronize system clocks to an accurate and universal time source on all devices. CC ID 01340 [The clocks of all relevant information processing systems within an organization or security domain shall be synchronised to a single reference time source. A.12.4.4 Control]	Configuration	Preventive
Centralize network time servers to as few as practical. CC ID 06308	Configuration	Preventive
Disseminate and communicate information to customers about clock synchronization methods used by the organization. CC ID 13044	Communicate	Preventive
Define the frequency to capture and log events. CC ID 06313	Log Management	Preventive
Include logging frequencies in the event logging procedures. CC ID 00642	Log Management	Preventive
Review and update the list of auditable events in the event logging procedures. CC ID 10097	Establish/Maintain Documentation	Preventive
Monitor and evaluate system performance. CC ID 00651 [The management review shall include consideration of: feedback on the information security performance, including trends in: § 9.3 ¶ 2 c)]	Monitor and Evaluate Occurrences	Detective
Disseminate and communicate monitoring capabilities with interested personnel and affected parties. CC ID 13156	Communicate	Preventive
Disseminate and communicate statistics on resource usage with interested personnel and affected parties. CC ID 13155	Communicate	Preventive
Monitor for and react to when suspicious activities are detected. CC ID 00586 [When a nonconformity occurs, the organization shall: react to the nonconformity, and as applicable: § 10.1 ¶ 1 a)]	Monitor and Evaluate Occurrences	Detective
Erase payment applications when suspicious activity is confirmed. CC ID 12193	Technical Security	Corrective
Report a data loss event when non-truncated payment card numbers are outputted. CC ID 04741	Establish/Maintain Documentation	Corrective
Report a data loss event after a security incident is detected and there are indications that the unauthorized person has control of electronic information. CC ID 04727	Monitor and Evaluate Occurrences	Corrective
Report a data loss event after a security incident is detected and there are indications that the unauthorized person has control of printed records. CC ID 04728	Monitor and Evaluate Occurrences	Corrective
Report a data loss event after a security incident is detected and there are indications that the unauthorized person has accessed information in either paper or electronic form. CC ID 04740	Monitor and Evaluate Occurrences	Corrective
Report a data loss event after a security incident is detected and there are indications that the information has been or will likely be used in an unauthorized manner. CC ID 04729	Monitor and Evaluate Occurrences	Corrective
Report a data loss event after a security incident is detected and there are indications that the information has been or will likely be used in an unauthorized manner that could cause substantial economic impact. CC ID 04742	Monitor and Evaluate Occurrences	Corrective
Establish, implement, and maintain network monitoring operations. CC ID 16444	Monitor and Evaluate Occurrences	Preventive
Monitor and evaluate the effectiveness of detection tools. CC ID 13505	Investigate	Detective
Monitor and review retail payment activities, as necessary. CC ID 13541	Monitor and Evaluate Occurrences	Detective
Determine if high rates of retail payment activities are from Originating Depository Financial Institutions. CC ID 13546	Investigate	Detective
Review retail payment service reports, as necessary. CC ID 13545	Investigate	Detective
Assess customer satisfaction. CC ID 00652	Testing	Detective
Establish, implement, and maintain a continuous monitoring program for configuration management. CC ID 06757	Establish/Maintain Documentation	Detective
Include the correlation and analysis of information obtained during testing in the continuous monitoring program. CC ID 14250	Process or Activity	Detective
Establish, implement, and maintain an automated configuration monitoring system. CC ID 07058	Monitor and Evaluate Occurrences	Detective
Monitor for and report when a software configuration is updated. CC ID 06746	Monitor and Evaluate Occurrences	Detective
Notify the appropriate personnel when the software configuration is updated absent authorization. CC ID 04886	Monitor and Evaluate Occurrences	Detective
Monitor for firmware updates absent authorization. CC ID 10675	Monitor and Evaluate Occurrences	Detective
Implement file integrity monitoring. CC ID 01205	Monitor and Evaluate Occurrences	Detective
Identify unauthorized modifications during file integrity monitoring. CC ID 12096	Technical Security	Detective
Monitor for software configurations updates absent authorization. CC ID 10676	Monitor and Evaluate Occurrences	Preventive
Allow expected changes during file integrity monitoring. CC ID 12090	Technical Security	Preventive
Monitor for when documents are being updated absent authorization. CC ID 10677	Monitor and Evaluate Occurrences	Preventive
Include a change history and identify who made the changes in the file integrity monitoring report. CC ID 12091	Establish/Maintain Documentation	Preventive
Alert interested personnel and affected parties when an unauthorized modification to critical files is detected. CC ID 12045	Process or Activity	Preventive
Monitor and evaluate user account activity. CC ID 07066	Monitor and Evaluate Occurrences	Detective
Develop and maintain a usage profile for each user account. CC ID 07067	Technical Security	Preventive
Log account usage to determine dormant accounts. CC ID 12118	Log Management	Detective
Log account usage times. CC ID 07099	Log Management	Detective
Generate daily reports of user logons during hours outside of their usage profile. CC ID 07068	Monitor and Evaluate Occurrences	Detective
Generate daily reports of users who have grossly exceeded their usage profile logon duration. CC ID 07069	Monitor and Evaluate Occurrences	Detective
Log account usage durations. CC ID 12117	Monitor and Evaluate Occurrences	Detective
Notify the appropriate personnel after identifying dormant accounts. CC ID 12125	Communicate	Detective
Log Internet Protocol addresses used during logon. CC ID 07100	Log Management	Detective
Report red flags when logon credentials are used on a computer different from the one in the usage profile. CC ID 07070	Monitor and Evaluate Occurrences	Detective
Report inappropriate usage of user accounts to the appropriate personnel. CC ID 14243	Communicate	Detective
Establish, implement, and maintain a testing program. CC ID 00654	Behavior	Preventive
Establish, implement, and maintain a vulnerability management program. CC ID 15721	Establish/Maintain Documentation	Preventive
Establish, implement, and maintain a vulnerability assessment program. CC ID 11636	Establish/Maintain Documentation	Preventive
Perform vulnerability scans, as necessary. CC ID 11637	Technical Security	Detective
Identify and document security vulnerabilities. CC ID 11857 [{technical vulnerabilities} Information about technical vulnerabilities of information systems being used shall be obtained in a timely fashion, the organization’s exposure to such vulnerabilities evaluated and appropriate measures taken to address the associated risk. A.12.6.1 Control]	Technical Security	Detective
Rank discovered vulnerabilities. CC ID 11940	Investigate	Detective
Establish, implement, and maintain a compliance monitoring policy. CC ID 00671 [The organization shall determine: when the monitoring and measuring shall be performed; § 9.1 ¶ 2 c) The organization shall determine: what needs to be monitored and measured, including information security processes and controls; § 9.1 ¶ 2 a)]	Establish/Maintain Documentation	Preventive
Establish, implement, and maintain a metrics policy. CC ID 01654	Establish/Maintain Documentation	Preventive
Establish, implement, and maintain an approach for compliance monitoring. CC ID 01653	Establish/Maintain Documentation	Preventive
Establish, implement, and maintain risk management metrics. CC ID 01656	Establish/Maintain Documentation	Preventive
Report on the percentage of critical assets for which an assurance strategy is implemented. CC ID 01657	Actionable Reports or Measurements	Detective
Report on the percentage of key organizational functions for which an assurance strategy is implemented. CC ID 01658	Actionable Reports or Measurements	Detective
Report on the percentage of key compliance requirements for which an assurance strategy has been implemented. CC ID 01659	Actionable Reports or Measurements	Detective
Report on the percentage of the Information System budget allocated to Information Security. CC ID 04571	Actionable Reports or Measurements	Detective
Identify information being used to support the performance of the governance, risk, and compliance capability. CC ID 12866	Business Processes	Preventive
Identify information being used to support performance reviews for risk optimization. CC ID 12865	Audits and Risk Management	Preventive
Monitor personnel and third parties for compliance to the organizational compliance framework. CC ID 04726	Monitor and Evaluate Occurrences	Detective
Identify and document instances of non-compliance with the compliance framework. CC ID 06499	Establish/Maintain Documentation	Preventive
Align enforcement reviews for non-compliance with organizational risk tolerance. CC ID 13063	Business Processes	Detective
Determine the causes of compliance violations. CC ID 12401	Investigate	Corrective
Identify and document events surrounding non-compliance with the organizational compliance framework. CC ID 12935	Establish/Maintain Documentation	Preventive
Determine if multiple compliance violations of the same type could occur. CC ID 12402	Investigate	Detective
Correct compliance violations. CC ID 13515	Process or Activity	Corrective
Review the effectiveness of disciplinary actions carried out for compliance violations. CC ID 12403	Investigate	Detective
Carry out disciplinary actions when a compliance violation is detected. CC ID 06675	Behavior	Corrective
Align disciplinary actions with the level of compliance violation. CC ID 12404 [Corrective actions shall be appropriate to the effects of the nonconformities s="term_secondary-verb">encountered. § 10.1 ¶ 2]	Human Resources Management	Preventive
Establish, implement, and maintain compliance program metrics. CC ID 11625	Monitor and Evaluate Occurrences	Preventive
Establish, implement, and maintain a security program metrics program. CC ID 01660	Establish/Maintain Documentation	Preventive
Report on the policies and controls that have been implemented by management. CC ID 01670	Actionable Reports or Measurements	Detective
Establish, implement, and maintain a key management roles metrics standard. CC ID 11631	Establish/Maintain Documentation	Preventive
Report on the percentage of security management roles that have been assigned. CC ID 01671	Actionable Reports or Measurements	Detective
Establish, implement, and maintain a key stakeholder metrics program. CC ID 01661	Establish/Maintain Documentation	Preventive
Report on the percentage of board meetings or committee meetings at which Information Assurance was on the agenda. CC ID 01672	Actionable Reports or Measurements	Detective
Establish, implement, and maintain a supply chain member metrics program. CC ID 01662	Establish/Maintain Documentation	Preventive
Report on the percentage of supply chain members for which all Information Assurance requirements have been implemented. CC ID 01675	Actionable Reports or Measurements	Detective
Report on the Service Level Agreement performance of supply chain members. CC ID 06838	Actionable Reports or Measurements	Preventive
Establish, implement, and maintain a Business Continuity metrics program. CC ID 01663	Establish/Maintain Documentation	Preventive
Report on the percentage of organizational units that have an established Business Continuity Plan. CC ID 01676	Actionable Reports or Measurements	Detective
Report on the percentage of organizational units with a documented Business Continuity Plan for which specific responsibilities have been assigned. CC ID 02057	Actionable Reports or Measurements	Detective
Report on the percentage of Business Continuity Plans that have been reviewed, tested, and updated. CC ID 02058	Actionable Reports or Measurements	Detective
Establish, implement, and maintain an audit metrics program. CC ID 01664	Establish/Maintain Documentation	Preventive
Report on the percentage of needed internal audits that have been completed and reviewed. CC ID 01677	Actionable Reports or Measurements	Detective
Report on the percentage of Information Security requirements from applicable laws and regulations that are included in the audit program. CC ID 02069	Actionable Reports or Measurements	Detective
Report on the percentage of needed external audits that have been completed and reviewed. CC ID 11632	Actionable Reports or Measurements	Detective
Report on the percentage of Information Security audits conducted in compliance with the approved audit program. CC ID 02070	Actionable Reports or Measurements	Detective
Report on the percentage of audit findings that have been resolved since the last audit. CC ID 01678	Actionable Reports or Measurements	Detective
Report on the percentage of management actions in response to audit findings and audit recommendations that were implemented in a timely way. CC ID 02071	Actionable Reports or Measurements	Detective
Establish, implement, and maintain an Information Security metrics program. CC ID 01665 [The information security objectives shall: be measurable (if practicable); § 6.2 ¶ 2 b)]	Establish/Maintain Documentation	Preventive
Establish, implement, and maintain a metrics standard and template. CC ID 02157	Establish/Maintain Documentation	Preventive
Convert data into standard units before reporting metrics. CC ID 15507	Process or Activity	Corrective
Monitor compliance with the Quality Control system. CC ID 01023	Actionable Reports or Measurements	Preventive
Report on the percentage of complaints received about products or delivered services. CC ID 07199	Actionable Reports or Measurements	Preventive
Report on the percentage of Quality Assurance attained by Quality Improvement practices. CC ID 07202	Actionable Reports or Measurements	Preventive
Establish, implement, and maintain occupational health and safety management metrics program. CC ID 15915	Establish/Maintain Documentation	Preventive
Establish, implement, and maintain a policies and controls metrics program. CC ID 01666	Establish/Maintain Documentation	Preventive
Report on the percentage of total controls for which policies, standards, and procedures exist and for which approval has been granted. CC ID 01679	Actionable Reports or Measurements	Detective
Report on the percentage of personnel who are assigned and acknowledged responsibilities for approved policies, standards, and procedures. CC ID 01680	Actionable Reports or Measurements	Detective
Report on the percentage of policy compliance reviews for which no compliance violations were noted. CC ID 01681	Actionable Reports or Measurements	Detective
Report on the percentage of senior management or business unit heads who have implemented operational compliance procedures. CC ID 01682	Actionable Reports or Measurements	Detective
Establish, implement, and maintain a security roles and responsibilities metrics program. CC ID 01667	Establish/Maintain Documentation	Preventive
Report on the percentage of role descriptions that define the Information Awareness roles for Security Managers and administrators. CC ID 01685	Actionable Reports or Measurements	Detective
Report on the percentage of role descriptions that define the information awareness roles for interested personnel. CC ID 01686	Actionable Reports or Measurements	Detective
Report on the percentage of role descriptions that define the information awareness roles for end users. CC ID 01687	Actionable Reports or Measurements	Detective
Report on the percentage of performance reviews that include the evaluation of Information Assurance responsibilities and policy compliance. CC ID 01688	Actionable Reports or Measurements	Detective
Report on the percentage of individuals who have access to security software, are trained, and authorized Security Administrators. CC ID 01691	Actionable Reports or Measurements	Detective
Report on the percentage of individuals who are able to assign security privileges, are trained, and authorized Security Administrators. CC ID 01692	Actionable Reports or Measurements	Detective
Establish, implement, and maintain a role-based information access metrics program. CC ID 01668	Establish/Maintain Documentation	Preventive
Report on the percentage of new hires who completed training ahead of being granted network access or system access. CC ID 01683	Actionable Reports or Measurements	Detective
Report on the percentage of personnel who have completed periodic Information Assurance refresher training. CC ID 01684	Actionable Reports or Measurements	Detective
Report on the percentage of user roles, systems, and applications that comply with the segregation of duties principle. CC ID 01689	Actionable Reports or Measurements	Detective
Report on the percentage of individuals whose access rights have been reviewed. CC ID 01690	Actionable Reports or Measurements	Detective
Report on the percentage of users who have access to restricted data or restricted information and have undergone a background check. CC ID 01693	Actionable Reports or Measurements	Detective
Establish, implement, and maintain an information risk threshold metrics program. CC ID 01694	Establish/Maintain Documentation	Preventive
Report on the percentage of critical information assets and information-dependent functions. CC ID 02040	Actionable Reports or Measurements	Detective
Report on the percentage of critical assets and functions for which the cost of compromise has been quantified. CC ID 02041	Actionable Reports or Measurements	Detective
Report on the percentage of identified risks that have a defined risk mitigation plan. CC ID 02042	Actionable Reports or Measurements	Detective
Report on the percentage of systems with approved System Security Plans. CC ID 02145	Actionable Reports or Measurements	Detective
Monitor the supply chain for Information Assurance effectiveness. CC ID 02043	Establish/Maintain Documentation	Preventive
Report on the percentage of known Information Security risks that are related to supply chain relationships. CC ID 02044	Actionable Reports or Measurements	Detective
Report on the percentage of critical information assets or critical functions for which access by supply chain personnel is disallowed. CC ID 02045	Actionable Reports or Measurements	Detective
Report on the percentage of supply chain personnel who have current information asset user privileges. CC ID 02046	Actionable Reports or Measurements	Detective
Report on the percentage of systems with critical information assets or functions for which electronic connection by supply chain assets is disallowed. CC ID 02047	Actionable Reports or Measurements	Detective
Report on the percentage of security incidents that involved supply chain personnel. CC ID 02048	Actionable Reports or Measurements	Detective
Report on the percentage of third party contracts that include a requirement to externally verify policies and procedures. CC ID 02049	Actionable Reports or Measurements	Detective
Report on the percentage of supply chain relationships that have been reviewed for compliance with information security requirements. CC ID 02050	Actionable Reports or Measurements	Detective
Establish, implement, and maintain an identification and classification of information assets metrics program. CC ID 02052	Business Processes	Preventive
Report on the percentage of information assets that have been reviewed and classified. CC ID 02053	Actionable Reports or Measurements	Detective
Report on the percentage of information assets with defined user privileges that have been assigned based on role and according to policy. CC ID 02054	Actionable Reports or Measurements	Detective
Report on the percentage of scheduled Information Technology inventory processes that occurred on time. CC ID 02055	Actionable Reports or Measurements	Detective
Establish, implement, and maintain an Information Systems architecture metrics program. CC ID 02059	Business Processes	Preventive
Report on the percentage of recently identified information security risks related to systems architecture that have been adequately mitigated. CC ID 02060	Actionable Reports or Measurements	Detective
Report on the percentage of system architecture changes that were approved through appropriate change requests. CC ID 02061	Actionable Reports or Measurements	Detective
Report on the percentage of critical information assets or functions residing on systems that are currently in compliance with the approved systems architecture. CC ID 02062	Actionable Reports or Measurements	Detective
Report on the percentage of systems that have been recertified if security controls were updated after the system was developed. CC ID 02142	Actionable Reports or Measurements	Detective
Report on the percentage of systems that have completed Certification and Accreditation. CC ID 02143	Actionable Reports or Measurements	Detective
Establish, implement, and maintain a physical environment metrics program. CC ID 02063	Business Processes	Preventive
Report on the percentage of critical organizational information assets and functions that have been reviewed from the risk to physical security perspective. CC ID 02064	Actionable Reports or Measurements	Detective
Report on the percentage of critical organizational information assets and functions exposed to physical risks for which risk mitigation actions have been implemented. CC ID 02065	Actionable Reports or Measurements	Detective
Report on the percentage of critical assets that have been reviewed from the environmental risk perspective. CC ID 02066	Actionable Reports or Measurements	Detective
Report on the percentage of servers located in controlled access areas. CC ID 02067	Actionable Reports or Measurements	Detective
Establish, implement, and maintain a privacy metrics program. CC ID 15494	Establish/Maintain Documentation	Preventive
Establish, implement, and maintain environmental management system performance metrics. CC ID 15191	Actionable Reports or Measurements	Preventive
Establish, implement, and maintain waste management metrics. CC ID 16152	Actionable Reports or Measurements	Preventive
Establish, implement, and maintain emissions management metrics. CC ID 16145	Actionable Reports or Measurements	Preventive
Establish, implement, and maintain a technical measurement metrics policy. CC ID 01655	Establish/Maintain Documentation	Preventive
Establish, implement, and maintain a user identification and authentication metrics program. CC ID 02073	Business Processes	Preventive
Report on the percentage of unique active user identifiers. CC ID 02074	Actionable Reports or Measurements	Detective
Report on the percentage of systems and applications that perform authenticator policy verification. CC ID 02086	Actionable Reports or Measurements	Detective
Report on the percentage of active user passwords that are set to expire. CC ID 02087	Actionable Reports or Measurements	Detective
Report on the percentage of systems with critical information assets that use stronger authentication than user identifiers and passwords. CC ID 02088	Actionable Reports or Measurements	Detective
Establish, implement, and maintain a user account management metrics program. CC ID 02075	Business Processes	Preventive
Report on the percentage of systems for which default accounts and default passwords have been disabled or reset. CC ID 02089	Actionable Reports or Measurements	Detective
Report on the percentage of inactive user accounts that are assigned to personnel who have left or no longer need access. CC ID 02090	Actionable Reports or Measurements	Detective
Report on the percentage of systems with account lockout thresholds set. CC ID 02091	Actionable Reports or Measurements	Detective
Report on the percentage of inactive user accounts that have been disabled. CC ID 02092	Actionable Reports or Measurements	Detective
Report on the percentage of workstations with session timeout or automatic logoff controls set. CC ID 02093	Actionable Reports or Measurements	Detective
Report on the percentage of users with access to shared accounts. CC ID 04573	Actionable Reports or Measurements	Detective
Establish, implement, and maintain a user and administrator privilege management metrics program. CC ID 02076	Actionable Reports or Measurements	Preventive
Report on the percentage of active computer accounts that have had the current user privileges reviewed. CC ID 02094	Actionable Reports or Measurements	Detective
Report on the percentage of systems where permission to install nonstandard software is limited. CC ID 02095	Actionable Reports or Measurements	Detective
Report on the percentage of systems and applications that have user privileges and administrator privileges assigned in compliance with Role-Based Access Controls. CC ID 02096	Actionable Reports or Measurements	Detective
Establish, implement, and maintain a Configuration Management metrics program. CC ID 02077	Business Processes	Preventive
Report on the percentage of systems for which approved configuration settings have been implemented. CC ID 02097	Actionable Reports or Measurements	Detective
Report on the percentage of systems with configurations that do not deviate from approved standards. CC ID 02098	Actionable Reports or Measurements	Detective
Report on the percentage of systems that are continuously monitored for compliance with the configuration standard with out-of-compliance alarms or out-of-compliance reports. CC ID 02099	Actionable Reports or Measurements	Detective
Report on the percentage of systems whose configuration is compared with a previously established trusted configuration baseline. CC ID 02100	Actionable Reports or Measurements	Detective
Report on the percentage of systems where the authority to make configuration changes are limited. CC ID 02101	Actionable Reports or Measurements	Detective
Report on the percentage of system components that undergo maintenance as scheduled. CC ID 04562	Actionable Reports or Measurements	Detective
Establish, implement, and maintain a Security Information and Event Management metrics program. CC ID 02078	Log Management	Preventive
Report on the percentage of systems for which event logging has been implemented. CC ID 02102	Log Management	Detective
Report on the percentage of systems for which event logs are monitored and reviewed. CC ID 02103	Log Management	Detective
Report on the percentage of systems for which log capacity and log retention schedules have been implemented. CC ID 02104	Log Management	Detective
Report on the percentage of systems that generate warnings about anomalous activity or potentially unauthorized activity. CC ID 02105	Actionable Reports or Measurements	Detective
Establish, implement, and maintain a communications, e-mail, and remote access security management metrics program. CC ID 02079	Business Processes	Preventive
Report on the percentage of laptops and mobile devices that are needing to be in compliance with the approved configuration standard before granting network access. CC ID 02106	Actionable Reports or Measurements	Detective
Report on the percentage of organizationally controlled communications channels that have been secured. CC ID 02107	Actionable Reports or Measurements	Detective
Report on the percentage of host servers that are protected from becoming relay hosts. CC ID 02108	Actionable Reports or Measurements	Detective
Report on the percentage of mobile users who access organizational facilities using secure communications methods. CC ID 02109	Actionable Reports or Measurements	Detective
Establish, implement, and maintain a malicious code protection management metrics program. CC ID 02080	Business Processes	Preventive
Report on the percentage of workstations and laptops that employ automated system security tools. CC ID 02110	Actionable Reports or Measurements	Detective
Report on the percentage of servers that employ automated system security tools. CC ID 02111	Actionable Reports or Measurements	Detective
Report on the percentage of mobile devices that employ automated system security tools. CC ID 02112	Actionable Reports or Measurements	Detective
Establish, implement, and maintain a software change management metrics program. CC ID 02081	Business Processes	Preventive
Report on the percentage of software changes that have been documented and approved through change request forms. CC ID 02152	Actionable Reports or Measurements	Detective
Report on the percentage of systems with all approved patches installed. CC ID 02113	Actionable Reports or Measurements	Detective
Report on the mean time from patch availability to patch installation. CC ID 02114	Actionable Reports or Measurements	Detective
Report on the percentage of software changes that were reviewed for security impacts before the software configuration is updated. CC ID 02115	Actionable Reports or Measurements	Detective
Establish, implement, and maintain a network management and firewall management metrics program. CC ID 02082	Business Processes	Preventive
Establish, implement, and maintain a network activity baseline. CC ID 13188	Technical Security	Detective
Report on the percentage of systems configured according to the configuration standard. CC ID 02116	Actionable Reports or Measurements	Detective
Report on the percentage of network access controls used to gain unauthorized access. CC ID 04572	Actionable Reports or Measurements	Detective
Establish, implement, and maintain a data encryption management metrics program. CC ID 02083	Business Processes	Preventive
Report on the percentage of critical information assets stored on network accessible devices that are encrypted with widely tested and published cryptographic algorithms. CC ID 02117	Actionable Reports or Measurements	Detective
Report on the percentage of mobile devices that use encryption for critical information assets. CC ID 02118	Actionable Reports or Measurements	Detective
Report on the percentage of passwords and Personal Identification Numbers that are encrypted. CC ID 02119	Actionable Reports or Measurements	Detective
Report on the percentage of media that passes sanitization procedure testing. CC ID 04574	Actionable Reports or Measurements	Detective
Establish, implement, and maintain a backup management and recovery management metrics program. CC ID 02084	Business Processes	Preventive
Report on the percentage of systems with critical information assets or critical business functions that have been backed up in accordance with the backup policy and the system's continuity plan. CC ID 02120	Actionable Reports or Measurements	Detective
Report on the percentage of systems with critical information assets or critical functions where restoration from a backup has been successfully demonstrated. CC ID 02121	Actionable Reports or Measurements	Detective
Report on the percentage of backup media stored off site in secure storage. CC ID 02122	Actionable Reports or Measurements	Detective
Report on the percentage of used backup media or archive media sanitized prior to reuse or disposal. CC ID 02123	Actionable Reports or Measurements	Detective
Establish, implement, and maintain an incident management and vulnerability management metrics program. CC ID 02085	Business Processes	Preventive
Report on the estimated damage or loss resulting from all security incidents. CC ID 01674	Actionable Reports or Measurements	Detective
Report on the percentage of security incidents that did not cause confidentiality, integrity, or availability losses beyond the Service Level Agreement thresholds. CC ID 01673	Actionable Reports or Measurements	Detective
Report on the percentage of operational time that critical services were unavailable due to security incidents. CC ID 02124	Actionable Reports or Measurements	Detective
Report on the percentage of security incidents that exploited existing security vulnerabilities with known solutions, patches, or workarounds. CC ID 02125	Actionable Reports or Measurements	Detective
Report on the percentage of systems affected by security incidents that exploited existing security vulnerabilities with known solutions, patches, or workarounds. CC ID 02126	Actionable Reports or Measurements	Detective
Report on the percentage of security incidents that were managed according to established policies, procedures, and processes. CC ID 02127	Actionable Reports or Measurements	Detective
Report on the number of security incidents reported to FedCIRC, NIPC, the Payment Card Industry, or local law enforcement. CC ID 02154	Actionable Reports or Measurements	Detective
Report on the percentage of systems with critical information assets or critical functions that have been assessed for security vulnerabilities. CC ID 02128	Actionable Reports or Measurements	Detective
Report on the percentage of vulnerability assessment findings that have been addressed since the last reporting period. CC ID 02129	Actionable Reports or Measurements	Detective
Report on the average elapsed time between the discovery of a new vulnerability and implementing corrective action. CC ID 02140	Actionable Reports or Measurements	Detective
Report on the percentage of physical security incidents that involved entry into a facility containing Information Systems. CC ID 04564	Actionable Reports or Measurements	Detective
Delay the reporting of incident management metrics, as necessary. CC ID 15501	Communicate	Preventive
Establish, implement, and maintain an Electronic Health Records measurement metrics program. CC ID 06221	Establish/Maintain Documentation	Preventive
Report on the percentage of unique patients who had at least one medication entered using the Computerized Provider Order Entry system. CC ID 06222	Actionable Reports or Measurements	Preventive
Report on the percentage of unique patients who have diagnoses recorded as structured data into the current and active diagnoses problem list. CC ID 06223	Actionable Reports or Measurements	Preventive
Report on the percentage of permissible prescriptions that are transmitted electronically. CC ID 06224	Actionable Reports or Measurements	Preventive
Report on the percentage of unique patients who have at least one entry recorded as structured data into the active medication list. CC ID 06225	Actionable Reports or Measurements	Preventive
Report on the percentage of unique patients who have at least one entry recorded as structured data into the active medication allergy list. CC ID 06226	Actionable Reports or Measurements	Preventive
Report on the percentage of unique patients who have demographics recorded as structured data. CC ID 06227	Actionable Reports or Measurements	Preventive
Report on the percentage of unique patients over the age of 2 who have their height, weight, and blood pressure recorded as structured data. CC ID 06228	Actionable Reports or Measurements	Preventive
Report on the percentage of unique patients over the age of 13 who have their smoking status recorded as structured data. CC ID 06229	Actionable Reports or Measurements	Preventive
Report on the percentage of patients who are given an electronic copy of their Individually Identifiable Health Information not later than three business days after Individually Identifiable Health Information is requested. CC ID 06230	Actionable Reports or Measurements	Preventive
Report on the percentage of patients who are given clinical summaries not later than three business days after a physician office visit. CC ID 06231	Actionable Reports or Measurements	Preventive
Report on the percentage of lab test results that are incorporated into the Electronic Health Records as structured data. CC ID 06232	Actionable Reports or Measurements	Preventive
Report on the percentage of patients sixty-five years of age or older or five years of age or younger who were sent a reminder. CC ID 06233	Actionable Reports or Measurements	Preventive
Report on the percentage of unique patients who are given electronic access to their Individually Identifiable Health Information not later than four business days after their Individually Identifiable Health Information is updated. CC ID 06234	Actionable Reports or Measurements	Preventive
Report on the percentage of unique patients who are given patient-specific education resources. CC ID 06235	Actionable Reports or Measurements	Preventive
Report on the percentage of medication reconciliations that are performed if a patient is received from another setting or healthcare provider. CC ID 06236	Actionable Reports or Measurements	Preventive
Report on the percentage of summary of care records that are provided for transitions of care or referrals for patients who are transitioned or referred to another setting or healthcare provider. CC ID 06237	Actionable Reports or Measurements	Preventive
Report on the percentage of patients who receive their discharge instructions if discharge instructions are requested. CC ID 06238	Actionable Reports or Measurements	Preventive
Report on the percentage of patients 65 years of age or older who have an indication of advance directive status recorded as structured data. CC ID 06239	Actionable Reports or Measurements	Preventive
Establish, implement, and maintain a log management program. CC ID 00673	Establish/Maintain Documentation	Preventive
Deploy log normalization tools, as necessary. CC ID 12141	Technical Security	Preventive
Restrict access to logs to authorized individuals. CC ID 01342	Log Management	Preventive
Restrict access to audit trails to a need to know basis. CC ID 11641	Technical Security	Preventive
Refrain from recording unnecessary restricted data in logs. CC ID 06318	Log Management	Preventive
Back up audit trails according to backup procedures. CC ID 11642	Systems Continuity	Preventive
Back up logs according to backup procedures. CC ID 01344	Log Management	Preventive
Copy logs from all predefined hosts onto a log management infrastructure. CC ID 01346	Log Management	Preventive
Identify hosts with logs that are not being stored. CC ID 06314	Log Management	Preventive
Identify hosts with logs that are being stored at the system level only. CC ID 06315	Log Management	Preventive
Identify hosts with logs that should be stored at both the system level and the infrastructure level. CC ID 06316	Log Management	Preventive
Identify hosts with logs that are being stored at the infrastructure level only. CC ID 06317	Log Management	Preventive
Protect logs from unauthorized activity. CC ID 01345 [Logging facilities and log information shall be protected against tampering and unauthorized access. A.12.4.2 Control System administrator and system operator activities shall be logged and the logs protected and regularly reviewed. A.12.4.3 Control]	Log Management	Preventive
Perform testing and validating activities on all logs. CC ID 06322	Log Management	Preventive
Archive the audit trail in accordance with compliance requirements. CC ID 00674	Log Management	Preventive
Enforce dual authorization as a part of information flow control for logs. CC ID 10098	Configuration	Preventive
Preserve the identity of individuals in audit trails. CC ID 10594	Log Management	Preventive
Establish, implement, and maintain a cross-organizational audit sharing agreement. CC ID 10595	Establish/Maintain Documentation	Preventive
Provide cross-organizational audit information based on the cross-organizational audit sharing agreement. CC ID 10596	Audits and Risk Management	Preventive

Operational and Systems Continuity

100

Mandated - bold Implied - italic Implementation - regular	TYPE	CLASS
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term
Operational and Systems Continuity CC ID 00731	IT Impact Zone	IT Impact Zone
Establish, implement, and maintain a business continuity program. CC ID 13210	Establish/Maintain Documentation	Preventive
Establish, implement, and maintain a continuity framework. CC ID 00732	Establish/Maintain Documentation	Preventive
Establish and maintain the scope of the continuity framework. CC ID 11908 [{scope} The organization shall determine its requirements for information security and the continuity of information security management in adverse situations, e.g. during a crisis or disaster. A.17.1.1 Control]	Establish/Maintain Documentation	Preventive
Identify all stakeholders critical to the continuity of operations. CC ID 12741	Systems Continuity	Detective
Include network security in the scope of the continuity framework. CC ID 16327	Establish/Maintain Documentation	Preventive
Explain any exclusions to the scope of the continuity framework. CC ID 12236	Establish/Maintain Documentation	Preventive
Refrain from including exclusions that could affect business continuity. CC ID 12740	Records Management	Preventive
Include the organization's business products and services in the scope of the continuity framework. CC ID 12235	Establish/Maintain Documentation	Preventive
Include business units in the scope of the continuity framework. CC ID 11898	Establish/Maintain Documentation	Preventive
Include business functions in the scope of the continuity framework. CC ID 12699	Establish/Maintain Documentation	Preventive
Include information security continuity in the scope of the continuity framework. CC ID 12009	Systems Continuity	Preventive
Include affected party’s needs and interests in the scope of the continuity framework. CC ID 12698	Systems Continuity	Preventive
Establish and maintain a list of interested personnel and affected parties with whom to disseminate and communicate the continuity framework. CC ID 12242	Establish/Maintain Documentation	Preventive
Establish, implement, and maintain a continuity plan. CC ID 00752 [The organization shall establish, document, implement and maintain processes, procedures and controls to ensure the required level of continuity for information security during an adverse situation. A.17.1.2 Control]	Establish/Maintain Documentation	Preventive
Activate the continuity plan if the damage assessment report indicates the activation criterion has been met. CC ID 01373	Systems Continuity	Corrective
Identify all stakeholders in the continuity plan. CC ID 13256	Establish/Maintain Documentation	Preventive
Report changes in the continuity plan to senior management. CC ID 12757	Communicate	Corrective
Maintain normal security levels when an emergency occurs. CC ID 06377	Systems Continuity	Preventive
Execute fail-safe procedures when an emergency occurs. CC ID 07108	Systems Continuity	Preventive
Lead or manage business continuity and system continuity, as necessary. CC ID 12240	Human Resources Management	Preventive
Include a business continuity testing policy in the continuity plan, as necessary. CC ID 13234	Establish/Maintain Documentation	Preventive
Allocate financial resources to implement the continuity plan, as necessary. CC ID 12993	Establish/Maintain Documentation	Preventive
Allocate personnel to implement the continuity plan, as necessary. CC ID 12992	Human Resources Management	Preventive
Include the in scope system's location in the continuity plan. CC ID 16246	Systems Continuity	Preventive
Include the system description in the continuity plan. CC ID 16241	Systems Continuity	Preventive
Establish, implement, and maintain redundant systems. CC ID 16354	Configuration	Preventive
Refrain from adopting impromptu measures when continuity procedures exist. CC ID 13093	Behavior	Preventive
Include identification procedures in the continuity plan, as necessary. CC ID 14372	Establish/Maintain Documentation	Preventive
Include the continuity strategy in the continuity plan. CC ID 13189	Establish/Maintain Documentation	Preventive
Restore systems and environments to be operational. CC ID 13476	Systems Continuity	Corrective
Document and use the lessons learned to update the continuity plan. CC ID 10037	Establish/Maintain Documentation	Preventive
Include roles and responsibilities in the continuity plan, as necessary. CC ID 13254	Establish/Maintain Documentation	Preventive
Implement alternate security mechanisms when the means of implementing the security function is unavailable. CC ID 10605	Technical Security	Preventive
Monitor and evaluate business continuity management system performance. CC ID 12410	Monitor and Evaluate Occurrences	Detective
Coordinate continuity planning with governmental entities, as necessary. CC ID 13258	Process or Activity	Preventive
Record business continuity management system performance for posterity. CC ID 12411	Monitor and Evaluate Occurrences	Preventive
Coordinate continuity planning with community organizations, as necessary. CC ID 13259	Process or Activity	Preventive
Coordinate and incorporate supply chain members' continuity plans, as necessary. CC ID 13242	Establish/Maintain Documentation	Preventive
Include incident management procedures in the continuity plan. CC ID 13244	Establish/Maintain Documentation	Preventive
Include the use of virtual meeting tools in the continuity plan. CC ID 14390	Establish/Maintain Documentation	Preventive
Include scenario analyses of various contingency scenarios in the continuity plan. CC ID 13057	Establish/Maintain Documentation	Preventive
Include the annual statement based on the continuity plan review in the continuity plan. CC ID 12775	Establish/Maintain Documentation	Preventive
Include the roles and responsibilities of the organization's legal counsel in the continuity plan. CC ID 16233	Establish Roles	Preventive
Establish, implement, and maintain the continuity procedures. CC ID 14236	Establish/Maintain Documentation	Corrective
Disseminate and communicate the continuity procedures to interested personnel and affected parties. CC ID 14055	Communicate	Preventive
Document the uninterrupted power requirements for all in scope systems. CC ID 06707	Establish/Maintain Documentation	Preventive
Install an Uninterruptible Power Supply sized to support all critical systems. CC ID 00725	Configuration	Preventive
Install a generator sized to support the facility. CC ID 06709	Configuration	Preventive
Establish, implement, and maintain a fuel supply large enough to support the generators during an emergency. CC ID 06376	Acquisition/Sale of Assets or Services	Preventive
Document all supporting information in the continuity plan, such as purpose, scope, and requirements. CC ID 01371	Establish/Maintain Documentation	Preventive
Include notifications to alternate facilities in the continuity plan. CC ID 13220	Establish/Maintain Documentation	Preventive
Approve the continuity plan requirements before documenting the continuity plan. CC ID 12778	Systems Continuity	Preventive
Document the concept of operations in the continuity plan, including a line of succession. CC ID 01372	Establish/Maintain Documentation	Preventive
Establish, implement, and maintain the organization's call tree. CC ID 01167	Testing	Detective
Establish, implement, and maintain damage assessment procedures. CC ID 01267	Establish/Maintain Documentation	Preventive
Establish, implement, and maintain a recovery plan. CC ID 13288	Establish/Maintain Documentation	Preventive
Notify interested personnel and affected parties of updates to the recovery plan. CC ID 13302	Communicate	Preventive
Include procedures to restore network connectivity in the recovery plan. CC ID 16250	Establish/Maintain Documentation	Preventive
Include addressing backup failures in the recovery plan. CC ID 13298	Establish/Maintain Documentation	Preventive
Include procedures to verify completion of the data backup procedure in the recovery plan. CC ID 13297	Establish/Maintain Documentation	Preventive
Include the roles and responsibilities of responders in the recovery plan. CC ID 13296	Human Resources Management	Preventive
Include the procedures for the storage of information necessary to recover functionality in the recovery plan. CC ID 13295	Establish/Maintain Documentation	Preventive
Include the backup procedures for information necessary to recover functionality in the recovery plan. CC ID 13294	Establish/Maintain Documentation	Preventive
Include the criteria for activation in the recovery plan. CC ID 13293	Establish/Maintain Documentation	Preventive
Include escalation procedures in the recovery plan. CC ID 16248	Establish/Maintain Documentation	Preventive
Include procedures to preserve data before beginning the recovery process in the recovery plan. CC ID 13292	Establish/Maintain Documentation	Preventive
Determine the cause for the activation of the recovery plan. CC ID 13291	Investigate	Detective
Test the recovery plan, as necessary. CC ID 13290	Testing	Detective
Test the backup information, as necessary. CC ID 13303	Testing	Detective
Document lessons learned from testing the recovery plan or an actual event. CC ID 13301	Establish/Maintain Documentation	Detective
Disseminate and communicate the recovery plan to interested personnel and affected parties. CC ID 14859	Communicate	Preventive
Include restoration procedures in the continuity plan. CC ID 01169	Establish Roles	Preventive
Include risk prioritized recovery procedures for each business unit in the recovery plan. CC ID 01166	Establish/Maintain Documentation	Preventive
Include the recovery plan in the continuity plan. CC ID 01377	Establish/Maintain Documentation	Preventive
Disseminate and communicate the recovery status of the contingency plan to interested personnel and affected parties. CC ID 12758	Communicate	Preventive
Disseminate and communicate business functions across multiple facilities separated by geographic separation. CC ID 10662	Systems Continuity	Preventive
Disseminate and communicate processing activities across multiple facilities using geographic separation. CC ID 10663	Systems Continuity	Preventive
Disseminate and communicate electronic media storage devices across multiple facilities using geographic separation. CC ID 10664	Systems Continuity	Preventive
Use out-of-band channels for the physical delivery or electronic transmission of information, as necessary. CC ID 10665	Systems Continuity	Corrective
Establish, implement, and maintain system continuity plan strategies. CC ID 00735	Establish/Maintain Documentation	Preventive
Include technical preparation considerations for backup operations in the continuity plan. CC ID 01250	Establish/Maintain Documentation	Preventive
Establish, implement, and maintain backup procedures for in scope systems. CC ID 01258 [Backup copies of information, software and system images shall be taken and tested regularly in accordance with an agreed backup policy. A.12.3.1 Control]	Systems Continuity	Preventive
Determine which data elements to back up. CC ID 13483	Data and Information Management	Detective
Document the backup method and backup frequency on a case-by-case basis in the backup procedures. CC ID 01384	Systems Continuity	Preventive
Establish and maintain off-site electronic media storage facilities. CC ID 00957	Physical and Environmental Protection	Preventive
Separate the off-site electronic media storage facilities from the primary facility through geographic separation. CC ID 01390	Testing	Detective
Configure the off-site electronic media storage facilities to utilize timely and effective recovery operations. CC ID 01392	Configuration	Preventive
Outline explicit mitigation actions for potential off-site electronic media storage facilities accessibility issues for when area-wide disruptions occur or area-wide disasters occur. CC ID 01393	Establish/Maintain Documentation	Preventive
Review the security of the off-site electronic media storage facilities, as necessary. CC ID 00573	Systems Continuity	Detective
Store backup media at an off-site electronic media storage facility. CC ID 01332	Data and Information Management	Preventive
Transport backup media in lockable electronic media storage containers. CC ID 01264	Data and Information Management	Preventive
Store backup media in a fire-rated container which is not collocated with the operational system. CC ID 14289	Systems Continuity	Preventive
Identify the access methods for backup media at both the primary facility and the off-site electronic media storage facility. CC ID 01257	Data and Information Management	Preventive
Store backup vital records in a manner that is accessible for emergency retrieval. CC ID 12765	Systems Continuity	Preventive
Establish, implement, and maintain security controls to protect offsite data. CC ID 16259	Data and Information Management	Preventive
Perform backup procedures for in scope systems. CC ID 11692	Process or Activity	Preventive
Test backup media for media integrity and information integrity, as necessary. CC ID 01401 [Backup copies of information, software and system images shall be taken and tested regularly in accordance with an agreed backup policy. A.12.3.1 Control]	Testing	Detective
Test backup media at the alternate facility in addition to testing at the primary facility. CC ID 06375	Testing	Detective
Validate information security continuity controls regularly. CC ID 12008 [The organization shall verify the established and implemented information security continuity controls at regular intervals in order to ensure that they are valid and effective during adverse situations. A.17.1.3 Control]	Systems Continuity	Preventive

Operational management

514

Mandated - bold Implied - italic Implementation - regular	TYPE	CLASS
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term
Operational management CC ID 00805	IT Impact Zone	IT Impact Zone
Establish, implement, and maintain a capacity management plan. CC ID 11751	Establish/Maintain Documentation	Preventive
Establish, implement, and maintain future system capacity forecasting methods. CC ID 01617 [The use of resources shall be monitored, tuned and projections made of future capacity requirements to ensure the required system performance. A.12.1.3 Control]	Business Processes	Preventive
Align critical Information Technology resource availability planning with capacity planning. CC ID 01618	Business Processes	Preventive
LImit any effects of a Denial of Service attack. CC ID 06754 [Information processing facilities shall be implemented with redundancy sufficient to meet availability requirements. A.17.2.1 Control]	Technical Security	Preventive
Implement network redundancy, as necessary. CC ID 13048	Systems Continuity	Preventive
Establish, implement, and maintain a Governance, Risk, and Compliance framework. CC ID 01406 [The organization's information security management system shall include: documented information determined by the organization as being necessary for the effectiveness of the information security management system. § 7.5.1 ¶ 1 b) {identify and control} Documented information of external origin, determined by the organization to be necessary for the planning and operation of the information security management system, shall be identified as appropriate, and controlled. § 7.5.3 ¶ 3 When creating and updating documented information the organization shall ensure appropriate: review and approval for suitability and adequacy § 7.5.2 ¶ 1 c)]	Establish/Maintain Documentation	Preventive
Disseminate and communicate updates to the Governance, Risk, and Compliance framework to interested personnel and affected parties. CC ID 06955	Behavior	Preventive
Include enterprise architecture in the Governance, Risk, and Compliance framework. CC ID 13266	Establish/Maintain Documentation	Preventive
Establish, implement, and maintain security requirements based on applicable regulations. CC ID 16283	Establish/Maintain Documentation	Preventive
Acquire resources necessary to support Governance, Risk, and Compliance. CC ID 12861 [{establish, implement, maintain} The organization shall determine and provide the resources needed for the establishment, implementation, maintenance and continual improvement of the information security management system. § 7.1 ¶ 1]	Acquisition/Sale of Assets or Services	Preventive
Establish, implement, and maintain a prioritized plan for updating the Governance, Risk, and Compliance framework. CC ID 12853	Establish/Maintain Documentation	Preventive
Integrate the use of technology in supporting the Governance, Risk, and Compliance capabilities. CC ID 12915	Process or Activity	Preventive
Evaluate the use of technology in supporting Governance, Risk, and Compliance capabilities. CC ID 12895	Process or Activity	Preventive
Analyze the effect of the Governance, Risk, and Compliance capability to achieve organizational objectives. CC ID 12809	Audits and Risk Management	Preventive
Assign accountability for maintaining the Governance, Risk, and Compliance framework. CC ID 12523	Human Resources Management	Preventive
Assign defining the program for disseminating and communicating the Governance, Risk, and Compliance framework. CC ID 12524	Human Resources Management	Preventive
Establish, implement, and maintain a compliance policy. CC ID 14807	Establish/Maintain Documentation	Preventive
Include the standard of conduct and accountability in the compliance policy. CC ID 14813	Establish/Maintain Documentation	Preventive
Include the scope in the compliance policy. CC ID 14812	Establish/Maintain Documentation	Preventive
Include roles and responsibilities in the compliance policy. CC ID 14811	Establish/Maintain Documentation	Preventive
Include a commitment to continual improvement in the compliance policy. CC ID 14810	Establish/Maintain Documentation	Preventive
Disseminate and communicate the compliance policy to interested personnel and affected parties. CC ID 14809	Communicate	Preventive
Include management commitment in the compliance policy. CC ID 14808	Establish/Maintain Documentation	Preventive
Establish, implement, and maintain a governance policy. CC ID 15587	Establish/Maintain Documentation	Preventive
Disseminate and communicate the governance policy to all interested personnel and affected parties. CC ID 15625	Communicate	Preventive
Include a commitment to continuous improvement in the governance policy. CC ID 15595	Establish/Maintain Documentation	Preventive
Include roles and responsibilities in the governance policy. CC ID 15594	Establish/Maintain Documentation	Preventive
Establish, implement, and maintain a positive information control environment. CC ID 00813 [Top management shall demonstrate leadership and commitment with respect to the information security management system by: § 5.1 ¶ 1 Top management shall demonstrate leadership and commitment with respect to the information security management system by: directing and supporting persons to contribute to the effectiveness of the information security management system; § 5.1 ¶ 1 f)]	Business Processes	Preventive
Make compliance and governance decisions in a timely manner. CC ID 06490	Behavior	Preventive
Establish, implement, and maintain an internal control framework. CC ID 00820 [The organization shall continually improve the suitability, adequacy and effectiveness of the information security management system. § 10.2 ¶ 1 The organization shall establish, implement, maintain and continually improve an information security management system, in accordance with the requirements of this International Standard. § 4.4 ¶ 1]	Establish/Maintain Documentation	Preventive
Define the scope for the internal control framework. CC ID 16325	Business Processes	Preventive
Review the relevance of information supporting internal controls. CC ID 12420	Business Processes	Detective
Measure policy compliance when reviewing the internal control framework. CC ID 06442 [Managers shall regularly review the compliance of information processing and procedures within their area of responsibility with the appropriate security policies, standards and any other security requirements. A.18.2.2 Control]	Actionable Reports or Measurements	Corrective
Assign ownership of the internal control framework to the appropriate organizational role. CC ID 06437	Establish Roles	Preventive
Assign resources to implement the internal control framework. CC ID 00816 [Top management shall demonstrate leadership and commitment with respect to the information security management system by: ensuring that the resources needed for the information security management system are available; § 5.1 ¶ 1 c) When planning how to achieve its information security objectives, the organization shall determine: what resources will be required; § 6.2 ¶ 4 g)]	Business Processes	Preventive
Define and assign the roles and responsibilities for interested personnel and affected parties when establishing, implementing, and maintaining the internal control framework. CC ID 07146	Establish Roles	Preventive
Establish, implement, and maintain a baseline of internal controls. CC ID 12415	Business Processes	Preventive
Include the business need justification for excluding controls in the baseline of internal controls. CC ID 16129	Establish/Maintain Documentation	Preventive
Include the implementation status of controls in the baseline of internal controls. CC ID 16128	Establish/Maintain Documentation	Preventive
Leverage actionable information to support internal controls. CC ID 12414	Business Processes	Preventive
Include procedures for continuous quality improvement in the internal control framework. CC ID 00819 [The management review shall include consideration of opportunities for style="background-color:#F0BBBC;" class="term_primary-noun">continual improvement. § 9.3 ¶ 2 f) Top management shall demonstrate leadership and commitment with respect to the information security management system by: promoting continual improvement; and § 5.1 ¶ 1 g) The outputs of the management review shall include decisions related to continual improvement opportunities and any needs for changes to the information security management system. § 9.3 ¶ 3 The organization shall establish, implement, maintain and continually improve an information security management system, in accordance with the requirements of this International Standard. § 4.4 ¶ 1]	Establish/Maintain Documentation	Preventive
Include continuous service account management procedures in the internal control framework. CC ID 13860	Establish/Maintain Documentation	Preventive
Include threat assessment in the internal control framework. CC ID 01347	Establish/Maintain Documentation	Preventive
Automate threat assessments, as necessary. CC ID 06877	Configuration	Preventive
Include vulnerability management and risk assessment in the internal control framework. CC ID 13102	Establish/Maintain Documentation	Preventive
Automate vulnerability management, as necessary. CC ID 11730	Configuration	Preventive
Include personnel security procedures in the internal control framework. CC ID 01349	Establish/Maintain Documentation	Preventive
Include continuous security warning monitoring procedures in the internal control framework. CC ID 01358	Establish/Maintain Documentation	Preventive
Include incident alert thresholds in the continuous security warning monitoring procedures. CC ID 13205	Establish/Maintain Documentation	Preventive
Include security information sharing procedures in the internal control framework. CC ID 06489	Establish/Maintain Documentation	Preventive
Share relevant security information with Special Interest Groups, as necessary. CC ID 11732 [Appropriate contacts with special interest groups or other specialist security forums and professional associations shall be maintained. A.6.1.4 Control]	Communicate	Preventive
Evaluate information sharing partners, as necessary. CC ID 12749	Process or Activity	Preventive
Include security incident response procedures in the internal control framework. CC ID 01359 [{management procedures} Management responsibilities and procedures shall be established to ensure a quick, effective and orderly response to information security incidents. A.16.1.1 Control]	Establish/Maintain Documentation	Preventive
Include incident response escalation procedures in the internal control framework. CC ID 11745	Establish/Maintain Documentation	Preventive
Include continuous user account management procedures in the internal control framework. CC ID 01360	Establish/Maintain Documentation	Preventive
Include emergency response procedures in the internal control framework. CC ID 06779	Establish/Maintain Documentation	Detective
Authorize and document all exceptions to the internal control framework. CC ID 06781	Establish/Maintain Documentation	Preventive
Disseminate and communicate the internal control framework to all interested personnel and affected parties. CC ID 15229	Communicate	Preventive
Establish, implement, and maintain an information security program. CC ID 00812	Establish/Maintain Documentation	Preventive
Include physical safeguards in the information security program. CC ID 12375	Establish/Maintain Documentation	Preventive
Include technical safeguards in the information security program. CC ID 12374	Establish/Maintain Documentation	Preventive
Include administrative safeguards in the information security program. CC ID 12373	Establish/Maintain Documentation	Preventive
Include system development in the information security program. CC ID 12389	Establish/Maintain Documentation	Preventive
Include system maintenance in the information security program. CC ID 12388	Establish/Maintain Documentation	Preventive
Include system acquisition in the information security program. CC ID 12387	Establish/Maintain Documentation	Preventive
Include access control in the information security program. CC ID 12386	Establish/Maintain Documentation	Preventive
Review and approve access controls, as necessary. CC ID 13074	Process or Activity	Detective
Include operations management in the information security program. CC ID 12385	Establish/Maintain Documentation	Preventive
Include communication management in the information security program. CC ID 12384	Establish/Maintain Documentation	Preventive
Include environmental security in the information security program. CC ID 12383	Establish/Maintain Documentation	Preventive
Include physical security in the information security program. CC ID 12382	Establish/Maintain Documentation	Preventive
Include human resources security in the information security program. CC ID 12381	Establish/Maintain Documentation	Preventive
Include asset management in the information security program. CC ID 12380	Establish/Maintain Documentation	Preventive
Include a continuous monitoring program in the information security program. CC ID 14323	Establish/Maintain Documentation	Preventive
Include change management procedures in the continuous monitoring plan. CC ID 16227	Establish/Maintain Documentation	Preventive
include recovery procedures in the continuous monitoring plan. CC ID 16226	Establish/Maintain Documentation	Preventive
Include mechanisms for decommissioning a system in the continuous monitoring plan. CC ID 16225	Establish/Maintain Documentation	Preventive
Include mechanisms for appeal and override in the continuous monitoring plan. CC ID 16223	Establish/Maintain Documentation	Preventive
Include how the information security department is organized in the information security program. CC ID 12379	Establish/Maintain Documentation	Preventive
Include risk management in the information security program. CC ID 12378	Establish/Maintain Documentation	Preventive
Include mitigating supply chain risks in the information security program. CC ID 13352	Establish/Maintain Documentation	Preventive
Provide management direction and support for the information security program. CC ID 11999	Process or Activity	Preventive
Monitor and review the effectiveness of the information security program. CC ID 12744 [The organization shall evaluate the information security performance and the effectiveness of the information security management system. § 9.1 ¶ 1]	Monitor and Evaluate Occurrences	Preventive
Establish, implement, and maintain an information security policy. CC ID 11740 [The policies for information security shall be reviewed at planned intervals or if significant changes occur to ensure their continuing suitability, adequacy and effectiveness. A.5.1.2 Control Top management shall establish an information security policy that: § 5.2 ¶ 1 Top management shall establish an information security policy that: is appropriate to the purpose of the organization; § 5.2 ¶ 1 a) Top management shall establish an information security policy that: includes a commitment to continual improvement of the information security management system. § 5.2 ¶ 1 d) The information security policy shall: be available as documented information; § 5.2 ¶ 2 e) The organization shall plan, implement and control the processes needed to meet information security requirements, and to implement the actions determined in 6.1. The organization shall also implement plans to achieve information security objectives determined in 6.2. § 8.1 ¶ 1 Top management shall demonstrate leadership and commitment with respect to the information security management system by: ensuring the information security policy and the information security objectives are established and are compatible with the strategic direction of the organization; § 5.1 ¶ 1 a) A set of policies for information security shall be defined, approved by management, published and communicated to employees and relevant external parties. A.5.1.1 Control]	Establish/Maintain Documentation	Preventive
Align the information security policy with the organization's risk acceptance level. CC ID 13042	Business Processes	Preventive
Include business processes in the information security policy. CC ID 16326	Establish/Maintain Documentation	Preventive
Include the information security strategy in the information security policy. CC ID 16125	Establish/Maintain Documentation	Preventive
Include a commitment to continuous improvement in the information security policy. CC ID 16123	Establish/Maintain Documentation	Preventive
Include roles and responsibilities in the information security policy. CC ID 16120	Establish/Maintain Documentation	Preventive
Include a commitment to the information security requirements in the information security policy. CC ID 13496 [Top management shall establish an information security policy that: includes a commitment to satisfy applicable requirements related to information security; and § 5.2 ¶ 1 c)]	Establish/Maintain Documentation	Preventive
Include information security objectives in the information security policy. CC ID 13493 [Top management shall establish an information security policy that: includes information security objectives (see 6.2) or provides the framework for setting information security objectives; § 5.2 ¶ 1 b)]	Establish/Maintain Documentation	Preventive
Include the use of Cloud Services in the information security policy. CC ID 13146	Establish/Maintain Documentation	Preventive
Establish, implement, and maintain information security procedures. CC ID 12006	Business Processes	Preventive
Disseminate and communicate the information security procedures to all interested personnel and affected parties. CC ID 16303	Communicate	Preventive
Define thresholds for approving information security activities in the information security program. CC ID 15702	Process or Activity	Preventive
Approve the information security policy at the organization's management level or higher. CC ID 11737 [A set of policies for information security shall be defined, approved by management, published and communicated to employees and relevant external parties. A.5.1.1 Control]	Process or Activity	Preventive
Document the roles and responsibilities for all activities that protect restricted data in the information security procedures. CC ID 12304	Establish/Maintain Documentation	Preventive
Describe the group activities that protect restricted data in the information security procedures. CC ID 12294	Establish/Maintain Documentation	Preventive
Assign ownership of the information security program to the appropriate role. CC ID 00814	Establish Roles	Preventive
Assign the responsibility for establishing, implementing, and maintaining the information security program to the appropriate role. CC ID 11884 [Top management shall assign the responsibility and authority for: ensuring that the information security management system conforms to the requirements of this International Standard; and § 5.3 ¶ 2 a)]	Human Resources Management	Preventive
Assign information security responsibilities to interested personnel and affected parties in the information security program. CC ID 11885 [{information security roles and responsibilities} Top management shall ensure that the responsibilities and authorities for roles relevant to information security are assigned and communicated. § 5.3 ¶ 1 When planning how to achieve its information security objectives, the organization shall determine: who will be responsible; § 6.2 ¶ 4 h) All information security responsibilities shall be defined and allocated. A.6.1.1 Control]	Establish/Maintain Documentation	Preventive
Assign the responsibility for distributing the information security program to the appropriate role. CC ID 11883	Human Resources Management	Preventive
Disseminate and communicate the information security policy to interested personnel and affected parties. CC ID 11739 [A set of policies for information security shall be defined, approved by management, published and communicated to employees and relevant external parties. A.5.1.1 Control Top management shall demonstrate leadership and commitment with respect to the information security management system by: communicating the importance of effective information security management and of conforming to the information security management system requirements; § 5.1 ¶ 1 d) The information security policy shall: be communicated within the organization; and § 5.2 ¶ 2 f) The information security policy shall: be available to interested parties, as appropriate. § 5.2 ¶ 2 g) Persons doing work under the organization's control shall be aware of: the information security policy; § 7.3 ¶ 1 a)]	Communicate	Preventive
Establish, implement, and maintain a social media governance program. CC ID 06536	Establish/Maintain Documentation	Preventive
Refrain from requiring supervision when users are accessing social media applications. CC ID 14011	Business Processes	Preventive
Refrain from requiring users to disclose social media account usernames or authenticators. CC ID 14009	Business Processes	Preventive
Refrain from accepting instant messages from unknown senders. CC ID 12537	Behavior	Preventive
Include instant messaging, texting, and tweeting in the social media acceptable use policy. CC ID 04578	Establish/Maintain Documentation	Preventive
Include explicit restrictions in the social media acceptable use policy. CC ID 06655	Establish/Maintain Documentation	Preventive
Include contributive content sites in the social media acceptable use policy. CC ID 06656	Establish/Maintain Documentation	Preventive
Perform social network analysis, as necessary. CC ID 14864	Investigate	Detective
Establish, implement, and maintain operational control procedures. CC ID 00831	Establish/Maintain Documentation	Preventive
Include assigning and approving operations in operational control procedures. CC ID 06382	Establish/Maintain Documentation	Preventive
Include startup processes in operational control procedures. CC ID 00833	Establish/Maintain Documentation	Preventive
Establish and maintain a data processing run manual. CC ID 00832	Establish/Maintain Documentation	Preventive
Establish, implement, and maintain a Standard Operating Procedures Manual. CC ID 00826 [Operating procedures shall be documented and made available to all users who need them. A.12.1.1 Control]	Establish/Maintain Documentation	Preventive
Use systems in accordance with the standard operating procedures manual. CC ID 15049	Process or Activity	Preventive
Include metrics in the standard operating procedures manual. CC ID 14988	Establish/Maintain Documentation	Preventive
Include maintenance measures in the standard operating procedures manual. CC ID 14986	Establish/Maintain Documentation	Preventive
Include the expected lifetime of the system in the standard operating procedures manual. CC ID 14984	Establish/Maintain Documentation	Preventive
Include technical measures used to interpret output in the standard operating procedures manual. CC ID 14982	Establish/Maintain Documentation	Preventive
Include predetermined changes in the standard operating procedures manual. CC ID 14977	Establish/Maintain Documentation	Preventive
Include specifications for input data in the standard operating procedures manual. CC ID 14975	Establish/Maintain Documentation	Preventive
Include risks to health and safety or fundamental rights in the standard operating procedures manual. CC ID 14973	Establish/Maintain Documentation	Preventive
Include circumstances that may impact the system in the standard operating procedures manual. CC ID 14972	Establish/Maintain Documentation	Preventive
Include what the system was tested and validated for in the standard operating procedures manual. CC ID 14969	Establish/Maintain Documentation	Preventive
Include the intended purpose in the standard operating procedures manual. CC ID 14967	Establish/Maintain Documentation	Preventive
Include information on system performance in the standard operating procedures manual. CC ID 14965	Establish/Maintain Documentation	Preventive
Include contact details in the standard operating procedures manual. CC ID 14962	Establish/Maintain Documentation	Preventive
Include information sharing procedures in standard operating procedures. CC ID 12974	Records Management	Preventive
Establish, implement, and maintain information sharing agreements. CC ID 15645	Business Processes	Preventive
Provide support for information sharing activities. CC ID 15644	Process or Activity	Preventive
Adhere to operating procedures as defined in the Standard Operating Procedures Manual. CC ID 06328	Business Processes	Preventive
Update operating procedures that contribute to user errors. CC ID 06935	Establish/Maintain Documentation	Corrective
Disseminate and communicate the Standard Operating Procedures Manual to all interested personnel and affected parties. CC ID 12026 [Operating procedures shall be documented and made available to all users who need them. A.12.1.1 Control]	Communicate	Preventive
Establish, implement, and maintain a job scheduling methodology. CC ID 00834	Establish/Maintain Documentation	Preventive
Establish and maintain a job schedule exceptions list. CC ID 00835	Establish/Maintain Documentation	Preventive
Establish, implement, and maintain a data processing continuity plan. CC ID 00836	Establish/Maintain Documentation	Preventive
Establish, implement, and maintain Voice over Internet Protocol operating procedures. CC ID 04583	Establish/Maintain Documentation	Preventive
Establish, implement, and maintain the Acceptable Use Policy. CC ID 01350 [Rules for the acceptable use of information and of assets associated with information and information processing facilities shall be identified, documented and implemented. A.8.1.3 Control]	Establish/Maintain Documentation	Preventive
Include that explicit management authorization must be given for the use of all technologies and their documentation in the Acceptable Use Policy. CC ID 01351	Establish/Maintain Documentation	Preventive
Include requiring users to protect restricted data in accordance with the Governance, Risk, and Compliance framework in the Acceptable Use Policy. CC ID 11894	Establish/Maintain Documentation	Preventive
Include Bring Your Own Device agreements in the Acceptable Use Policy. CC ID 15703	Establish/Maintain Documentation	Preventive
Include the obligations of users in the Bring Your Own Device agreement. CC ID 15708	Establish/Maintain Documentation	Preventive
Include the rights of the organization in the Bring Your Own Device agreement. CC ID 15707	Establish/Maintain Documentation	Preventive
Include the circumstances in which the organization may confiscate, audit, or inspect assets in the Bring Your Own Device agreement. CC ID 15706	Establish/Maintain Documentation	Preventive
Include the circumstances in which the organization may manage assets in the Bring Your Own Device agreement. CC ID 15705	Establish/Maintain Documentation	Preventive
Include Bring Your Own Device usage in the Acceptable Use Policy. CC ID 12293	Establish/Maintain Documentation	Preventive
Include a web usage policy in the Acceptable Use Policy. CC ID 16496	Establish/Maintain Documentation	Preventive
Include Bring Your Own Device security guidelines in the Acceptable Use Policy. CC ID 01352	Establish/Maintain Documentation	Preventive
Include asset tags in the Acceptable Use Policy. CC ID 01354	Establish/Maintain Documentation	Preventive
Specify the owner of applicable assets in the Acceptable Use Policy CC ID 15699	Establish/Maintain Documentation	Preventive
Include asset use policies in the Acceptable Use Policy. CC ID 01355 [Rules for the acceptable use of information and of assets associated with information and information processing facilities shall be identified, documented and implemented. A.8.1.3 Control]	Establish/Maintain Documentation	Preventive
Include authority for access authorization lists for assets in all relevant Acceptable Use Policies. CC ID 11872	Establish/Maintain Documentation	Preventive
Include access control mechanisms in the Acceptable Use Policy. CC ID 01353	Establish/Maintain Documentation	Preventive
Include temporary activation of remote access technologies for third parties in the Acceptable Use Policy. CC ID 11892	Technical Security	Preventive
Include prohibiting the copying or moving of restricted data from its original source onto local hard drives or removable storage media in the Acceptable Use Policy. CC ID 11893	Establish/Maintain Documentation	Preventive
Include a removable storage media use policy in the Acceptable Use Policy. CC ID 06772	Data and Information Management	Preventive
Correlate the Acceptable Use Policy with the network security policy. CC ID 01356	Establish/Maintain Documentation	Preventive
Include appropriate network locations for each technology in the Acceptable Use Policy. CC ID 11881	Establish/Maintain Documentation	Preventive
Correlate the Acceptable Use Policy with the approved product list. CC ID 01357	Establish/Maintain Documentation	Preventive
Include facility access and facility use in the Acceptable Use Policy. CC ID 06441	Establish/Maintain Documentation	Preventive
Include disciplinary actions in the Acceptable Use Policy. CC ID 00296	Establish/Maintain Documentation	Corrective
Include the usage restrictions of mobile code technologies in the Acceptable Use Policy. CC ID 15311	Establish/Maintain Documentation	Preventive
Include a software installation policy in the Acceptable Use Policy. CC ID 06749 [Procedures shall be implemented to control the installation of software on operational systems. A.12.5.1 Control Rules governing the installation of software by users shall be established and implemented. A.12.6.2 Control]	Establish/Maintain Documentation	Preventive
Document idle session termination and logout for remote access technologies in the Acceptable Use Policy. CC ID 12472	Establish/Maintain Documentation	Preventive
Disseminate and communicate the Acceptable Use Policy to all interested personnel and affected parties. CC ID 12431	Communicate	Preventive
Require interested personnel and affected parties to sign Acceptable Use Policies. CC ID 06661	Establish/Maintain Documentation	Preventive
Require interested personnel and affected parties to re-sign Acceptable Use Policies, as necessary. CC ID 06663	Establish/Maintain Documentation	Preventive
Establish, implement, and maintain an Intellectual Property Right program. CC ID 00821	Establish/Maintain Documentation	Preventive
Establish, implement, and maintain domain name registration and renewal procedures. CC ID 07075	Business Processes	Preventive
Establish, implement, and maintain Intellectual Property Rights protection procedures. CC ID 11512 [Appropriate procedures shall be implemented to ensure compliance with legislative, regulatory and contractual requirements related to intellectual property rights and use of proprietary software products. A.18.1.2 Control]	Establish/Maintain Documentation	Preventive
Protect against circumvention of the organization's Intellectual Property Rights. CC ID 11513	Establish/Maintain Documentation	Preventive
Establish, implement, and maintain an e-mail policy. CC ID 06439	Establish/Maintain Documentation	Preventive
Include business use of personal e-mail in the e-mail policy. CC ID 14381	Establish/Maintain Documentation	Preventive
Identify the sender in all electronic messages. CC ID 13996	Data and Information Management	Preventive
Protect policies, standards, and procedures from unauthorized modification or disclosure. CC ID 10603	Establish/Maintain Documentation	Preventive
Establish, implement, and maintain nondisclosure agreements. CC ID 04536 [{confidentiality agreement} Requirements for confidentiality or non-disclosure agreements reflecting the organization’s needs for the protection of information shall be identified, regularly reviewed and documented. A.13.2.4 Control]	Establish/Maintain Documentation	Preventive
Disseminate and communicate nondisclosure agreements to interested personnel and affected parties. CC ID 16191	Communicate	Preventive
Require interested personnel and affected parties to sign nondisclosure agreements. CC ID 06667	Establish/Maintain Documentation	Preventive
Require interested personnel and affected parties to re-sign nondisclosure agreements, as necessary. CC ID 06669	Establish/Maintain Documentation	Preventive
Establish, implement, and maintain a use of information agreement. CC ID 06215	Establish/Maintain Documentation	Preventive
Include use limitations in the use of information agreement. CC ID 06244	Establish/Maintain Documentation	Preventive
Include disclosure requirements in the use of information agreement. CC ID 11735	Establish/Maintain Documentation	Preventive
Include information recipients in the use of information agreement. CC ID 06245	Establish/Maintain Documentation	Preventive
Include reporting out of scope use of information in the use of information agreement. CC ID 06246	Establish/Maintain Documentation	Preventive
Include disclosure of information in the use of information agreement. CC ID 11830	Establish/Maintain Documentation	Preventive
Include information security procedures assigned to the information recipient in the use of information agreement. CC ID 07130	Establish/Maintain Documentation	Preventive
Include information security procedures assigned to the originator in the use of information agreement. CC ID 14418	Establish/Maintain Documentation	Preventive
Include a do not contact rule for the individuals identified in a data set in the use of information agreement. CC ID 07131	Establish/Maintain Documentation	Preventive
Include the information recipient's third parties accepting the agreement in the use of information agreement. CC ID 07132	Establish/Maintain Documentation	Preventive
Implement and comply with the Governance, Risk, and Compliance framework. CC ID 00818	Business Processes	Preventive
Analyze how policies used to create management boundaries relates to the Governance, Risk, and Compliance approach. CC ID 12821	Process or Activity	Preventive
Analyze how the organization sets limits in policies relating to the Governance, Risk, and Compliance approach. CC ID 12819	Process or Activity	Preventive
Analyze how the Board of Directors' and senior management's tone influences the Governance, Risk, and Compliance approach. CC ID 12818	Process or Activity	Preventive
Analyze the degree to which the governing body is engaged in the Governance, Risk, and Compliance approach. CC ID 12817	Process or Activity	Preventive
Analyze the Governance, Risk, and Compliance approach. CC ID 12816	Process or Activity	Preventive
Analyze the organizational culture. CC ID 12899	Process or Activity	Preventive
Include individual commitment to the organization's Governance, Risk, and Compliance framework in the analysis of the organizational culture. CC ID 12922	Process or Activity	Detective
Include the organizational climate in the analysis of the organizational culture. CC ID 12921	Process or Activity	Detective
Include consistency of leadership actions to mission, vision, and values in the analysis of the organizational culture. CC ID 12920	Process or Activity	Detective
Include employee engagement in the analysis of the organizational culture. CC ID 12914	Behavior	Preventive
Include contractual relationships with workforce members in the analysis of the organizational culture. CC ID 15674	Business Processes	Preventive
Include the number of workforce members who are not employees in the analysis of the organizational culture. CC ID 15673	Business Processes	Preventive
Include the type of work performed by workforce members in the analysis of the organizational culture. CC ID 15675	Business Processes	Preventive
Include skill development in the analysis of the organizational culture. CC ID 12913	Behavior	Preventive
Include employee turnover rates in the analysis of the organizational culture. CC ID 12912	Behavior	Preventive
Include demographic characteristics of employees in the analysis of the organizational culture. CC ID 15671	Business Processes	Preventive
Include employee loyalty in the analysis of the organizational culture. CC ID 12911	Behavior	Preventive
Include employee satisfaction in the analysis of the organizational culture. CC ID 12910	Behavior	Preventive
Establish, implement, and maintain consequences for non-compliance with the organizational compliance framework. CC ID 11747 [When a nonconformity occurs, the organization shall: react to the nonconformity, and as applicable: deal with the consequences; § 10.1 ¶ 1 a) 2)]	Process or Activity	Corrective
Comply with all implemented policies in the organization's compliance framework. CC ID 06384 [Top management shall demonstrate leadership and commitment with respect to the information security management system by: communicating the importance of effective information security management and of conforming to the information security management system requirements; § 5.1 ¶ 1 d)]	Establish/Maintain Documentation	Preventive
Provide assurance to interested personnel and affected parties that the Governance, Risk, and Compliance capability is reliable, effective, efficient, and responsive. CC ID 12788	Communicate	Preventive
Review systems for compliance with organizational information security policies. CC ID 12004 [{information security standard} Information systems shall be regularly reviewed for compliance with the organization’s information security policies and standards. A.18.2.3 Control]	Business Processes	Preventive
Disseminate and communicate the Governance, Risk, and Compliance framework to all interested personnel and affected parties. CC ID 00815 [For the control of documented information, the organization shall address the following activities, as applicable: distribution, access, retrieval and use; § 7.5.3 ¶ 2 c)]	Behavior	Preventive
Establish, implement, and maintain an Asset Management program. CC ID 06630 [Procedures for handling assets shall be developed and implemented in accordance with the information classification scheme adopted by the organization. A.8.2.3 Control]	Business Processes	Preventive
Establish, implement, and maintain an asset management policy. CC ID 15219	Establish/Maintain Documentation	Preventive
Include coordination amongst entities in the asset management policy. CC ID 16424	Business Processes	Preventive
Assign an information owner to organizational assets, as necessary. CC ID 12729	Human Resources Management	Preventive
Include life cycle requirements in the security management program. CC ID 16392	Establish/Maintain Documentation	Preventive
Include life cycle requirements in the security management program. CC ID 16391	Establish/Maintain Documentation	Preventive
Include program objectives in the asset management program. CC ID 14413	Establish/Maintain Documentation	Preventive
Include a commitment to continual improvement in the asset management program. CC ID 14412	Establish/Maintain Documentation	Preventive
Include compliance with applicable requirements in the asset management program. CC ID 14411	Establish/Maintain Documentation	Preventive
Establish, implement, and maintain administrative controls over all assets. CC ID 16400	Business Processes	Preventive
Establish, implement, and maintain classification schemes for all systems and assets. CC ID 01902	Establish/Maintain Documentation	Preventive
Apply security controls to each level of the information classification standard. CC ID 01903	Systems Design, Build, and Implementation	Preventive
Establish, implement, and maintain the systems' confidentiality level. CC ID 01904	Establish/Maintain Documentation	Preventive
Define confidentiality controls. CC ID 01908	Establish/Maintain Documentation	Preventive
Establish, implement, and maintain the systems' availability level. CC ID 01905	Establish/Maintain Documentation	Preventive
Restrict unscheduled downtime in order to maintain high availability for critical systems. CC ID 12742	Process or Activity	Preventive
Define integrity controls. CC ID 01909	Establish/Maintain Documentation	Preventive
Establish, implement, and maintain the systems' integrity level. CC ID 01906	Establish/Maintain Documentation	Preventive
Define availability controls. CC ID 01911	Establish/Maintain Documentation	Preventive
Establish safety classifications for systems according to their potential harmful effects to operators or end users. CC ID 06603	Establish/Maintain Documentation	Preventive
Establish, implement, and maintain an asset safety classification scheme. CC ID 06604	Establish/Maintain Documentation	Preventive
Establish, implement, and maintain the Asset Classification Policy. CC ID 06642	Establish/Maintain Documentation	Preventive
Disseminate and communicate the Asset Classification Policy to interested personnel and affected parties. CC ID 14851	Communicate	Preventive
Classify assets according to the Asset Classification Policy. CC ID 07186	Establish Roles	Preventive
Classify virtual systems by type and purpose. CC ID 16332	Business Processes	Preventive
Document the decision for assigning an asset to a specific asset classification in the Asset Classification Policy. CC ID 07185	Establish/Maintain Documentation	Preventive
Apply asset protection mechanisms for all assets according to their assigned Asset Classification Policy. CC ID 07184	Establish Roles	Preventive
Disallow systems from processing information, disseminating and communicating information, or storing information that is above the system's assigned asset classification. CC ID 06606	Configuration	Preventive
Assign decomposed system components the same asset classification as the originating system. CC ID 06605	Establish/Maintain Documentation	Preventive
Establish, implement, and maintain an asset inventory. CC ID 06631	Business Processes	Preventive
Establish, implement, and maintain an Information Technology inventory with asset discovery audit trails. CC ID 00689 [Assets associated with information and information processing facilities shall be identified and an inventory of these assets shall be drawn up and maintained. A.8.1.1 Control]	Establish/Maintain Documentation	Preventive
Include all account types in the Information Technology inventory. CC ID 13311	Establish/Maintain Documentation	Preventive
Include each Information System's system boundaries in the Information Technology inventory. CC ID 00695	Systems Design, Build, and Implementation	Preventive
Identify processes, Information Systems, and third parties that transmit, process, or store restricted data. CC ID 06289	Data and Information Management	Preventive
Include each Information System's major applications in the Information Technology inventory. CC ID 01407	Establish/Maintain Documentation	Preventive
Categorize all major applications according to the business information they process. CC ID 07182	Establish/Maintain Documentation	Preventive
Document the resources, hazards, and Evaluation Assurance Levels for each major application. CC ID 01164	Establish/Maintain Documentation	Preventive
Include the General Support Systems and security support structure in the Information Technology inventory. CC ID 01408	Establish/Maintain Documentation	Preventive
Include each Information System's minor applications in the Information Technology inventory. CC ID 01409	Establish/Maintain Documentation	Preventive
Conduct environmental surveys. CC ID 00690	Physical and Environmental Protection	Preventive
Categorize facilities in the Information Technology inventory according to their environmental risks. CC ID 06729	Establish/Maintain Documentation	Preventive
Establish, implement, and maintain a hardware asset inventory. CC ID 00691	Establish/Maintain Documentation	Preventive
Include network equipment in the Information Technology inventory. CC ID 00693	Establish/Maintain Documentation	Preventive
Include mobile devices that store restricted data or restricted information in the Information Technology inventory. CC ID 04719	Establish/Maintain Documentation	Preventive
Include interconnected systems and Software as a Service in the Information Technology inventory. CC ID 04885	Process or Activity	Preventive
Include software in the Information Technology inventory. CC ID 00692	Establish/Maintain Documentation	Preventive
Establish and maintain a list of authorized software and versions required for each system. CC ID 12093	Establish/Maintain Documentation	Preventive
Establish, implement, and maintain a storage media inventory. CC ID 00694	Establish/Maintain Documentation	Preventive
Include all electronic storage media containing restricted data or restricted information in the storage media inventory. CC ID 00962	Establish/Maintain Documentation	Detective
Establish, implement, and maintain a records inventory and database inventory. CC ID 01260	Establish/Maintain Documentation	Preventive
Add inventoried assets to the asset register database, as necessary. CC ID 07051	Establish/Maintain Documentation	Preventive
Identify discrepancies between the asset register database and the Information Technology inventory, as necessary. CC ID 07052	Monitor and Evaluate Occurrences	Corrective
Investigate and resolve discrepancies between the asset register database and the Information Technology inventory. CC ID 07053	Monitor and Evaluate Occurrences	Corrective
Organize the asset register database by grouping objects according to an organizational information classification standard. CC ID 07181	Establish/Maintain Documentation	Preventive
Use automated tools to collect Information Technology inventory information, as necessary. CC ID 07054	Technical Security	Preventive
Link the authentication system to the asset inventory. CC ID 13718	Technical Security	Preventive
Record a unique name for each asset in the asset inventory. CC ID 16305	Data and Information Management	Preventive
Record the decommission date for applicable assets in the asset inventory. CC ID 14920	Establish/Maintain Documentation	Preventive
Record the status of information systems in the asset inventory. CC ID 16304	Data and Information Management	Preventive
Record the communication interfaces for applicable assets in the asset inventory. CC ID 16301	Data and Information Management	Preventive
Record the Uniform Resource Locator for applicable assets in the asset inventory. CC ID 14918	Establish/Maintain Documentation	Preventive
Include source code in the asset inventory. CC ID 14858	Records Management	Preventive
Assign ownership of maintaining the asset inventory, as necessary. CC ID 12344	Human Resources Management	Preventive
Employ Dynamic Host Configuration Protocol server logging to detect systems not in the asset inventory. CC ID 12110	Technical Security	Detective
Record the review date for applicable assets in the asset inventory. CC ID 14919	Establish/Maintain Documentation	Preventive
Record software license information for each asset in the asset inventory. CC ID 11736	Data and Information Management	Preventive
Record services for applicable assets in the asset inventory. CC ID 13733	Establish/Maintain Documentation	Preventive
Record protocols for applicable assets in the asset inventory. CC ID 13734	Establish/Maintain Documentation	Preventive
Record the software version in the asset inventory. CC ID 12196	Establish/Maintain Documentation	Preventive
Record the publisher for applicable assets in the asset inventory. CC ID 13725	Establish/Maintain Documentation	Preventive
Record the authentication system in the asset inventory. CC ID 13724	Establish/Maintain Documentation	Preventive
Tag unsupported assets in the asset inventory. CC ID 13723	Establish/Maintain Documentation	Preventive
Record the install date for applicable assets in the asset inventory. CC ID 13720	Establish/Maintain Documentation	Preventive
Record the make, model of device for applicable assets in the asset inventory. CC ID 12465	Establish/Maintain Documentation	Preventive
Record the asset tag for physical assets in the asset inventory. CC ID 06632	Establish/Maintain Documentation	Preventive
Record the host name of applicable assets in the asset inventory. CC ID 13722	Establish/Maintain Documentation	Preventive
Record network ports for applicable assets in the asset inventory. CC ID 13730	Establish/Maintain Documentation	Preventive
Record the MAC address for applicable assets in the asset inventory. CC ID 13721	Establish/Maintain Documentation	Preventive
Record the operating system version for applicable assets in the asset inventory. CC ID 11748	Data and Information Management	Preventive
Record the operating system type for applicable assets in the asset inventory. CC ID 06633	Establish/Maintain Documentation	Preventive
Record rooms at external locations in the asset inventory. CC ID 16302	Data and Information Management	Preventive
Record the department associated with the asset in the asset inventory. CC ID 12084	Establish/Maintain Documentation	Preventive
Record the physical location for applicable assets in the asset inventory. CC ID 06634	Establish/Maintain Documentation	Preventive
Record the manufacturer's serial number for applicable assets in the asset inventory. CC ID 06635	Establish/Maintain Documentation	Preventive
Record the firmware version for applicable assets in the asset inventory. CC ID 12195	Establish/Maintain Documentation	Preventive
Record the related business function for applicable assets in the asset inventory. CC ID 06636	Establish/Maintain Documentation	Preventive
Record the deployment environment for applicable assets in the asset inventory. CC ID 06637	Establish/Maintain Documentation	Preventive
Record the Internet Protocol address for applicable assets in the asset inventory. CC ID 06638	Establish/Maintain Documentation	Preventive
Record trusted keys and certificates in the asset inventory. CC ID 15486	Data and Information Management	Preventive
Record cipher suites and protocols in the asset inventory. CC ID 15489	Data and Information Management	Preventive
Link the software asset inventory to the hardware asset inventory. CC ID 12085	Establish/Maintain Documentation	Preventive
Record the owner for applicable assets in the asset inventory. CC ID 06640 [Assets maintained in the inventory shall be owned. A.8.1.2 Control]	Establish/Maintain Documentation	Preventive
Record all compliance requirements for applicable assets in the asset inventory. CC ID 15696	Establish/Maintain Documentation	Preventive
Record all changes to assets in the asset inventory. CC ID 12190	Establish/Maintain Documentation	Preventive
Record cloud service derived data in the asset inventory. CC ID 13007	Establish/Maintain Documentation	Preventive
Include cloud service customer data in the asset inventory. CC ID 13006	Establish/Maintain Documentation	Preventive
Establish, implement, and maintain a software accountability policy. CC ID 00868	Establish/Maintain Documentation	Preventive
Establish, implement, and maintain software asset management procedures. CC ID 00895	Establish/Maintain Documentation	Preventive
Prevent users from disabling required software. CC ID 16417	Technical Security	Preventive
Establish, implement, and maintain software archives procedures. CC ID 00866	Establish/Maintain Documentation	Preventive
Establish, implement, and maintain software distribution procedures. CC ID 00894	Establish/Maintain Documentation	Preventive
Establish, implement, and maintain software documentation management procedures. CC ID 06395	Establish/Maintain Documentation	Preventive
Establish, implement, and maintain software license management procedures. CC ID 06639 [Appropriate procedures shall be implemented to ensure compliance with legislative, regulatory and contractual requirements related to intellectual property rights and use of proprietary software products. A.18.1.2 Control]	Establish/Maintain Documentation	Preventive
Automate software license monitoring, as necessary. CC ID 07057	Monitor and Evaluate Occurrences	Preventive
Establish, implement, and maintain a system redeployment program. CC ID 06276	Establish/Maintain Documentation	Preventive
Test systems for malicious code prior to when the system will be redeployed. CC ID 06339	Testing	Detective
Notify interested personnel and affected parties prior to when the system is redeployed or the system is disposed. CC ID 06400	Behavior	Preventive
Wipe all data on systems prior to when the system is redeployed or the system is disposed. CC ID 06401	Data and Information Management	Preventive
Transfer legal ownership of assets when the system is redeployed to a third party. CC ID 06698	Acquisition/Sale of Assets or Services	Preventive
Document the staff's operating knowledge of the system prior to a personnel status change. CC ID 06937	Establish/Maintain Documentation	Preventive
Redeploy systems to other organizational units, as necessary. CC ID 11452	Establish/Maintain Documentation	Preventive
Establish, implement, and maintain a system disposal program. CC ID 14431	Establish/Maintain Documentation	Preventive
Establish, implement, and maintain disposal procedures. CC ID 16513	Establish/Maintain Documentation	Preventive
Establish, implement, and maintain asset sanitization procedures. CC ID 16511	Establish/Maintain Documentation	Preventive
Destroy systems in accordance with the system disposal program. CC ID 16457	Business Processes	Preventive
Approve the release of systems and waste material into the public domain. CC ID 16461	Business Processes	Preventive
Establish, implement, and maintain system destruction procedures. CC ID 16474	Establish/Maintain Documentation	Preventive
Establish, implement, and maintain printer and multifunction device disposition procedures. CC ID 15216	Establish/Maintain Documentation	Preventive
Establish, implement, and maintain a system preventive maintenance program. CC ID 00885 [Equipment shall be correctly maintained to ensure its continued availability and integrity. A.11.2.4 Control]	Establish/Maintain Documentation	Preventive
Establish and maintain maintenance reports. CC ID 11749	Establish/Maintain Documentation	Preventive
Establish and maintain system inspection reports. CC ID 06346	Establish/Maintain Documentation	Preventive
Establish, implement, and maintain a system maintenance policy. CC ID 14032	Establish/Maintain Documentation	Preventive
Include compliance requirements in the system maintenance policy. CC ID 14217	Establish/Maintain Documentation	Preventive
Include management commitment in the system maintenance policy. CC ID 14216	Establish/Maintain Documentation	Preventive
Include roles and responsibilities in the system maintenance policy. CC ID 14215	Establish/Maintain Documentation	Preventive
Include the scope in the system maintenance policy. CC ID 14214	Establish/Maintain Documentation	Preventive
Disseminate and communicate the system maintenance policy to interested personnel and affected parties. CC ID 14213	Communicate	Preventive
Include the purpose in the system maintenance policy. CC ID 14187	Establish/Maintain Documentation	Preventive
Include coordination amongst entities in the system maintenance policy. CC ID 14181	Establish/Maintain Documentation	Preventive
Establish, implement, and maintain system maintenance procedures. CC ID 14059	Establish/Maintain Documentation	Preventive
Disseminate and communicate the system maintenance procedures to interested personnel and affected parties. CC ID 14194	Communicate	Preventive
Establish, implement, and maintain a technology refresh plan. CC ID 13061	Establish/Maintain Documentation	Preventive
Plan and conduct maintenance so that it does not interfere with scheduled operations. CC ID 06389	Physical and Environmental Protection	Preventive
Maintain contact with the device manufacturer or component manufacturer for maintenance requests. CC ID 06388	Behavior	Preventive
Use system components only when third party support is available. CC ID 10644	Maintenance	Preventive
Obtain justification for the continued use of system components when third party support is no longer available. CC ID 10645	Maintenance	Preventive
Control and monitor all maintenance tools. CC ID 01432	Physical and Environmental Protection	Detective
Obtain approval before removing maintenance tools from the facility. CC ID 14298	Business Processes	Preventive
Control remote maintenance according to the system's asset classification. CC ID 01433	Technical Security	Preventive
Separate remote maintenance sessions from other network sessions with a logically separate communications path based upon encryption. CC ID 10614	Configuration	Preventive
Approve all remote maintenance sessions. CC ID 10615	Technical Security	Preventive
Log the performance of all remote maintenance. CC ID 13202	Log Management	Preventive
Terminate remote maintenance sessions when the remote maintenance is complete. CC ID 12083	Technical Security	Preventive
Conduct offsite maintenance in authorized facilities. CC ID 16473	Maintenance	Preventive
Conduct maintenance with authorized personnel. CC ID 01434	Testing	Detective
Disconnect non-volatile media from information systems prior to performing maintenance with uncleared personnel. CC ID 14295	Maintenance	Preventive
Sanitize volatile media in information systems prior to performing maintenance with uncleared personnel. CC ID 14291	Maintenance	Preventive
Respond to maintenance requests inside the organizationally established time frame. CC ID 04878	Behavior	Preventive
Establish and maintain an archive of maintenance reports in a maintenance log. CC ID 06202	Establish/Maintain Documentation	Preventive
Acquire spare parts prior to when maintenance requests are scheduled. CC ID 11833	Acquisition/Sale of Assets or Services	Preventive
Perform periodic maintenance according to organizational standards. CC ID 01435	Behavior	Preventive
Restart systems on a periodic basis. CC ID 16498	Maintenance	Preventive
Remove components being serviced from the information system prior to performing maintenance. CC ID 14251	Maintenance	Preventive
Employ dedicated systems during system maintenance. CC ID 12108	Technical Security	Preventive
Isolate dedicated systems used for system maintenance from Internet access. CC ID 12114	Technical Security	Preventive
Control granting access to appropriate parties performing maintenance on organizational assets. CC ID 11873	Human Resources Management	Preventive
Identify and authenticate appropriate parties prior to granting access to maintain assets. CC ID 11874	Physical and Environmental Protection	Preventive
Calibrate assets according to the calibration procedures for the asset. CC ID 06203	Testing	Detective
Post calibration limits or calibration tolerances on or near assets requiring calibration. CC ID 06204	Establish/Maintain Documentation	Preventive
Implement automated mechanisms to transfer predictive maintenance data to a maintenance management system. CC ID 10616	Process or Activity	Preventive
Refrain from protecting physical assets when no longer required. CC ID 13484	Physical and Environmental Protection	Corrective
Disassemble and shut down unnecessary systems or unused systems. CC ID 06280	Business Processes	Preventive
Dispose of hardware and software at their life cycle end. CC ID 06278	Business Processes	Preventive
Refrain from placing assets being disposed into organizational dumpsters. CC ID 12200	Business Processes	Preventive
Establish, implement, and maintain disposal contracts. CC ID 12199	Establish/Maintain Documentation	Preventive
Include disposal procedures in disposal contracts. CC ID 13905	Establish/Maintain Documentation	Preventive
Remove asset tags prior to disposal of an asset. CC ID 12198	Business Processes	Preventive
Document the storage information for all systems that are stored instead of being disposed or redeployed. CC ID 06936	Establish/Maintain Documentation	Preventive
Test for detrimental environmental factors after a system is disposed. CC ID 06938	Testing	Detective
Review each system's operational readiness. CC ID 06275 [Top management shall review the organization's information security management system at planned intervals to ensure its continuing suitability, adequacy and effectiveness. § 9.3 ¶ 1]	Systems Design, Build, and Implementation	Preventive
Establish, implement, and maintain a data stewardship policy. CC ID 06657	Establish/Maintain Documentation	Preventive
Establish and maintain an unauthorized software list. CC ID 10601	Establish/Maintain Documentation	Preventive
Establish, implement, and maintain a customer service program. CC ID 00846	Establish/Maintain Documentation	Preventive
Establish, implement, and maintain an Incident Management program. CC ID 00853	Business Processes	Preventive
Include detection procedures in the Incident Management program. CC ID 00588	Establish/Maintain Documentation	Preventive
Categorize the incident following an incident response. CC ID 13208	Technical Security	Preventive
Determine the incident severity level when assessing the security incidents. CC ID 01650 [Information security events shall be assessed and it shall be decided if they are to be classified as information security incidents. A.16.1.4 Control]	Monitor and Evaluate Occurrences	Corrective
Identify root causes of incidents that force system changes. CC ID 13482 [When a nonconformity occurs, the organization shall: evaluate the need for action to eliminate the causes of nonconformity, in order that it does not recur or occur elsewhere, by: determining the causes of the nonconformity; and § 10.1 ¶ 1 b) 2)]	Investigate	Detective
Respond to and triage when an incident is detected. CC ID 06942 [When a nonconformity occurs, the organization shall: implement any action needed; § 10.1 ¶ 1 c)]	Monitor and Evaluate Occurrences	Detective
Document the incident and any relevant evidence in the incident report. CC ID 08659	Establish/Maintain Documentation	Detective
Escalate incidents, as necessary. CC ID 14861	Monitor and Evaluate Occurrences	Corrective
Include support from law enforcement authorities when conducting incident response activities, as necessary. CC ID 13197	Process or Activity	Corrective
Respond to all alerts from security systems in a timely manner. CC ID 06434 [When a nonconformity occurs, the organization shall: react to the nonconformity, and as applicable: take action to control and correct it; and § 10.1 ¶ 1 a) 1)]	Behavior	Corrective
Coordinate incident response activities with interested personnel and affected parties. CC ID 13196	Process or Activity	Corrective
Assess all incidents to determine what information was accessed. CC ID 01226 [Information security events shall be assessed and it shall be decided if they are to be classified as information security incidents. A.16.1.4 Control]	Testing	Corrective
Check the precursors and indicators when assessing the security incidents. CC ID 01761	Monitor and Evaluate Occurrences	Corrective
Analyze the incident response process following an incident response. CC ID 13179 [When a nonconformity occurs, the organization shall: evaluate the need for action to eliminate the causes of nonconformity, in order that it does not recur or occur elsewhere, by: § 10.1 ¶ 1 b)]	Investigate	Detective
Remediate security violations according to organizational standards. CC ID 12338 [When a nonconformity occurs, the organization shall: make changes to the information security management system, if necessary § 10.1 ¶ 1 e)]	Business Processes	Preventive
Analyze security violations in Suspicious Activity Reports. CC ID 00591 [When a nonconformity occurs, the organization shall: evaluate the need for action to eliminate the causes of nonconformity, in order that it does not recur or occur elsewhere, by: determining if similar nonconformities exist, or could potentially occur; § 10.1 ¶ 1 b) 3) When a nonconformity occurs, the organization shall: evaluate the need for action to eliminate the causes of nonconformity, in order that it does not recur or occur elsewhere, by: reviewing the nonconformity; § 10.1 ¶ 1 b) 1)]	Establish/Maintain Documentation	Preventive
Include lessons learned from analyzing security violations in the Incident Management program. CC ID 01234 [{information security incidents} Knowledge gained from analysing and resolving information security incidents shall be used to reduce the likelihood or impact of future incidents. A.16.1.6 Control]	Monitor and Evaluate Occurrences	Preventive
Provide progress reports of the incident investigation to the appropriate roles, as necessary. CC ID 12298	Investigate	Preventive
Update the incident response procedures using the lessons learned. CC ID 01233	Establish/Maintain Documentation	Preventive
Include incident reporting procedures in the Incident Management program. CC ID 11772 [Information security events shall be reported through appropriate management channels as quickly as possible. A.16.1.2 Control]	Establish/Maintain Documentation	Preventive
Establish, implement, and maintain incident reporting time frame standards. CC ID 12142	Communicate	Preventive
Establish, implement, and maintain an Incident Response program. CC ID 00579	Establish/Maintain Documentation	Preventive
Include incident response team structures in the Incident Response program. CC ID 01237	Establish/Maintain Documentation	Preventive
Include the incident response team member's roles and responsibilities in the Incident Response program. CC ID 01652 [{management procedures} Management responsibilities and procedures shall be established to ensure a quick, effective and orderly response to information security incidents. A.16.1.1 Control]	Establish Roles	Preventive
Include the incident response point of contact's roles and responsibilities in the Incident Response program. CC ID 01877	Establish Roles	Preventive
Open a priority incident request after a security breach is detected. CC ID 04838	Testing	Corrective
Activate the incident response notification procedures after a security breach is detected. CC ID 04839	Testing	Corrective
Notify interested personnel and affected parties that a security breach was detected. CC ID 11788	Communicate	Corrective
Include the head of information security's roles and responsibilities in the Incident Response program. CC ID 01878	Establish Roles	Preventive
Include the customer database owner's roles and responsibilities in the Incident Response program. CC ID 01879	Establish Roles	Preventive
Include the online sales department's roles and responsibilities in the Incident Response program. CC ID 01880	Establish Roles	Preventive
Include the incident response point of contact for credit card payment system's roles and responsibilities in the Incident Response program. CC ID 01881	Establish Roles	Preventive
Include the organizational legal counsel's roles and responsibilities in the Incident Response program. CC ID 01882	Establish Roles	Preventive
Include the Human Resources point of contact's roles and responsibilities in the Incident Response program. CC ID 01883	Establish Roles	Preventive
Include the organizational incident response network architecture point of contact's roles and responsibilities in the Incident Response program. CC ID 01884	Establish Roles	Preventive
Include the organizational incident response public relations point of contact's roles and responsibilities in the Incident Response program. CC ID 01885	Establish Roles	Preventive
Include the organizational incident response location manager's roles and responsibilities in the Incident Response program. CC ID 01886	Establish Roles	Preventive
Assign the distribution of security alerts to the appropriate role in the incident response program. CC ID 11887	Human Resources Management	Preventive
Assign monitoring and analyzing the security alert when a security alert is received to the appropriate role in the incident response program. CC ID 11886	Investigate	Detective
Assign establishing, implementing, and maintaining incident response procedures to the appropriate role in the incident response program. CC ID 12473	Establish/Maintain Documentation	Preventive
Assign the distribution of incident response procedures to the appropriate role in the incident response program. CC ID 12474	Communicate	Preventive
Establish, implement, and maintain incident response procedures. CC ID 01206 [Information security incidents shall be responded to in accordance with the documented procedures. A.16.1.5 Control When a nonconformity occurs, the organization shall: review the effectiveness of any corrective action taken; and § 10.1 ¶ 1 d)]	Establish/Maintain Documentation	Detective
Include references to industry best practices in the incident response procedures. CC ID 11956	Establish/Maintain Documentation	Preventive
Include responding to alerts from security monitoring systems in the incident response procedures. CC ID 11949	Establish/Maintain Documentation	Preventive
Respond when an integrity violation is detected, as necessary. CC ID 10678	Technical Security	Corrective
Shut down systems when an integrity violation is detected, as necessary. CC ID 10679	Technical Security	Corrective
Restart systems when an integrity violation is detected, as necessary. CC ID 10680	Technical Security	Corrective
Maintain contact with breach notification organizations for notification purposes in the event a privacy breach has occurred. CC ID 01213 [Appropriate contacts with relevant authorities shall be maintained. A.6.1.3 Control]	Behavior	Preventive
Establish, implement, and maintain a digital forensic evidence framework. CC ID 08652	Establish/Maintain Documentation	Preventive
Define the business scenarios that require digital forensic evidence. CC ID 08653	Establish/Maintain Documentation	Preventive
Define the circumstances for collecting digital forensic evidence. CC ID 08657 [The organization shall define and apply procedures for the identification, collection, acquisition and preservation of information, which can serve as evidence. A.16.1.7 Control]	Establish/Maintain Documentation	Preventive
Conduct forensic investigations in the event of a security compromise. CC ID 11951	Investigate	Corrective
Identify potential sources of digital forensic evidence. CC ID 08651 [The organization shall define and apply procedures for the identification, collection, acquisition and preservation of information, which can serve as evidence. A.16.1.7 Control]	Investigate	Preventive
Establish, implement, and maintain a digital forensic evidence collection program. CC ID 08655 [The organization shall define and apply procedures for the identification, collection, acquisition and preservation of information, which can serve as evidence. A.16.1.7 Control]	Establish/Maintain Documentation	Preventive
Include roles and responsibilities in the digital forensic evidence collection program. CC ID 15724	Establish/Maintain Documentation	Preventive
Establish, implement, and maintain secure storage and handling of evidence procedures. CC ID 08656 [The organization shall define and apply procedures for the identification, collection, acquisition and preservation of information, which can serve as evidence. A.16.1.7 Control]	Records Management	Preventive
Establish, implement, and maintain a performance management standard. CC ID 01615	Establish/Maintain Documentation	Preventive
Establish, implement, and maintain rate limiting filters. CC ID 06883	Business Processes	Preventive
Establish, implement, and maintain system capacity monitoring procedures. CC ID 01619 [The use of resources shall be monitored, tuned and projections made of future capacity requirements to ensure the required system performance. A.12.1.3 Control]	Establish/Maintain Documentation	Preventive
Establish, implement, and maintain system performance monitoring procedures. CC ID 11752 [{methods for measurement} {methods for analysis} {methods for evaluation} The organization shall determine: the methods for monitoring, measurement, analysis and evaluation, as applicable, to ensure valid results; § 9.1 ¶ 2 b)]	Establish/Maintain Documentation	Preventive
Establish, implement, and maintain a Service Level Agreement framework. CC ID 00839	Establish/Maintain Documentation	Preventive
Include the security mechanisms of network services in the Service Level Agreement. CC ID 12023 [Security mechanisms, service levels and management requirements of all network services shall be identified and included in network services agreements, whether these services are provided in-house or outsourced. A.13.1.2 Control]	Establish/Maintain Documentation	Preventive
Include the management requirements for network services in the Service Level Agreement. CC ID 12025 [Security mechanisms, service levels and management requirements of all network services shall be identified and included in network services agreements, whether these services are provided in-house or outsourced. A.13.1.2 Control]	Establish/Maintain Documentation	Preventive
Include the service levels for network services in the Service Level Agreement. CC ID 12024 [Security mechanisms, service levels and management requirements of all network services shall be identified and included in network services agreements, whether these services are provided in-house or outsourced. A.13.1.2 Control]	Establish/Maintain Documentation	Preventive
Establish, implement, and maintain a change control program. CC ID 00886 [Changes to the organization, business processes, information processing facilities and systems that affect information security shall be controlled. A.12.1.2 Control Changes to systems within the development lifecycle shall be controlled by the use of formal change control procedures. A.14.2.2 Control For the control of documented information, the organization shall address the following activities, as applicable: control of changes (e.g. version control); and § 7.5.3 ¶ 2 e) The outputs of the management review shall include decisions related to continual improvement opportunities and any needs for changes to the information security management system. § 9.3 ¶ 3]	Establish/Maintain Documentation	Preventive
Include potential consequences of unintended changes in the change control program. CC ID 12243 [The organization shall control planned changes and review the ckground-color:#F0BBBC;" class="term_primary-noun">consequences of unintended changes, taking action to mitigate any adverse effects, as necessary. § 8.1 ¶ 3]	Establish/Maintain Documentation	Preventive
Include version control in the change control program. CC ID 13119	Establish/Maintain Documentation	Preventive
Include service design and transition in the change control program. CC ID 13920	Establish/Maintain Documentation	Preventive
Separate the production environment from development environment or test environment for the change control process. CC ID 11864	Maintenance	Preventive
Integrate configuration management procedures into the change control program. CC ID 13646	Technical Security	Preventive
Establish, implement, and maintain a back-out plan. CC ID 13623	Establish/Maintain Documentation	Preventive
Establish, implement, and maintain back-out procedures for each proposed change in a change request. CC ID 00373	Establish/Maintain Documentation	Preventive
Approve back-out plans, as necessary. CC ID 13627	Establish/Maintain Documentation	Corrective
Manage change requests. CC ID 00887 [Modifications to software packages shall be discouraged, limited to necessary changes and all changes shall be strictly controlled. A.14.2.4 Control]	Business Processes	Preventive
Include documentation of the impact level of proposed changes in the change request. CC ID 11942	Establish/Maintain Documentation	Preventive
Establish and maintain a change request approver list. CC ID 06795	Establish/Maintain Documentation	Preventive
Document all change requests in change request forms. CC ID 06794	Establish/Maintain Documentation	Preventive
Test proposed changes prior to their approval. CC ID 00548	Testing	Detective
Examine all changes to ensure they correspond with the change request. CC ID 12345 [Modifications to software packages shall be discouraged, limited to necessary changes and all changes shall be strictly controlled. A.14.2.4 Control]	Business Processes	Detective
Approve tested change requests. CC ID 11783	Data and Information Management	Preventive
Validate the system before implementing approved changes. CC ID 01510 [When operating platforms are changed, business critical applications shall be reviewed and tested to ensure there is no adverse impact on organizational operations or security. A.14.2.3 Control]	Systems Design, Build, and Implementation	Preventive
Disseminate and communicate proposed changes to all interested personnel and affected parties. CC ID 06807	Behavior	Preventive
Establish, implement, and maintain emergency change procedures. CC ID 00890	Establish/Maintain Documentation	Preventive
Perform emergency changes, as necessary. CC ID 12707	Process or Activity	Preventive
Back up emergency changes after the change has been performed. CC ID 12734	Process or Activity	Preventive
Log emergency changes after they have been performed. CC ID 12733	Establish/Maintain Documentation	Preventive
Perform risk assessments prior to approving change requests. CC ID 00888	Testing	Preventive
Conduct network certifications prior to approving change requests for networks. CC ID 13121	Process or Activity	Detective
Analyze mitigating controls for vulnerabilities in the network when certifying the network. CC ID 13126	Investigate	Detective
Collect data about the network environment when certifying the network. CC ID 13125	Investigate	Detective
Implement changes according to the change control program. CC ID 11776 [The organization shall control "term_primary-noun">planned changes and review the consequences of unintended changes, taking action to mitigate any adverse effects, as necessary. § 8.1 ¶ 3]	Business Processes	Preventive
Provide audit trails for all approved changes. CC ID 13120	Establish/Maintain Documentation	Preventive
Establish, implement, and maintain a patch management program. CC ID 00896	Process or Activity	Preventive
Document the sources of all software updates. CC ID 13316	Establish/Maintain Documentation	Preventive
Implement patch management software, as necessary. CC ID 12094	Technical Security	Preventive
Include updates and exceptions to hardened images as a part of the patch management program. CC ID 12087	Technical Security	Preventive
Establish, implement, and maintain a patch management policy. CC ID 16432	Establish/Maintain Documentation	Preventive
Establish, implement, and maintain patch management procedures. CC ID 15224	Establish/Maintain Documentation	Preventive
Establish, implement, and maintain a patch log. CC ID 01642	Establish/Maintain Documentation	Preventive
Review the patch log for missing patches. CC ID 13186	Technical Security	Detective
Perform a patch test prior to deploying a patch. CC ID 00898	Testing	Detective
Prioritize deploying patches according to vulnerability risk metrics. CC ID 06796	Business Processes	Preventive
Deploy software patches in accordance with organizational standards. CC ID 07032	Configuration	Corrective
Test software patches for any potential compromise of the system's security. CC ID 13175	Testing	Detective
Patch software. CC ID 11825	Technical Security	Corrective
Patch the operating system, as necessary. CC ID 11824	Technical Security	Corrective
Deploy software patches in the disaster recovery environment to mirror those in the production environment. CC ID 13174	Configuration	Corrective
Remove outdated software after software has been updated. CC ID 11792	Configuration	Corrective
Update computer firmware, as necessary. CC ID 11755	Configuration	Corrective
Review changes to computer firmware. CC ID 12226	Testing	Detective
Certify changes to computer firmware are free of malicious logic. CC ID 12227	Testing	Detective
Remove outdated computer firmware after the computer firmware has been updated. CC ID 10671	Configuration	Corrective
Implement cryptographic mechanisms to authenticate software and computer firmware before installation. CC ID 10682	Technical Security	Detective
Establish, implement, and maintain a software release policy. CC ID 00893	Establish/Maintain Documentation	Preventive
Establish, implement, and maintain traceability documentation. CC ID 16388	Systems Design, Build, and Implementation	Preventive
Disseminate and communicate software update information to users and regulators. CC ID 06602	Behavior	Preventive
Allow interested personnel and affected parties to opt out of specific version releases and software updates. CC ID 06809	Data and Information Management	Preventive
Mitigate the adverse effects of unauthorized changes. CC ID 12244 [The organization shall control planned changes and review the consequences of unintended changes, taking action to mitigate any -color:#F0BBBC;" class="term_primary-noun">adverse effects, as necessary. § 8.1 ¶ 3]	Business Processes	Corrective
Establish, implement, and maintain approved change acceptance testing procedures. CC ID 06391	Establish/Maintain Documentation	Detective
Test the system's operational functionality after implementing approved changes. CC ID 06294	Testing	Detective
Perform and pass acceptance testing before moving a system back into operation after an approved change has occurred. CC ID 04541 [Acceptance testing programs and related criteria shall be established for new information systems, upgrades and new versions. A.14.2.9 Control]	Testing	Detective
Establish, implement, and maintain a change acceptance testing log. CC ID 06392	Establish/Maintain Documentation	Corrective
Update associated documentation after the system configuration has been changed. CC ID 00891	Establish/Maintain Documentation	Preventive
Establish, implement, and maintain a configuration change log. CC ID 08710	Configuration	Detective
Document approved configuration deviations. CC ID 08711	Establish/Maintain Documentation	Corrective

Physical and environmental protection

239

Mandated - bold Implied - italic Implementation - regular	TYPE	CLASS
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term
Physical and environmental protection CC ID 00709	IT Impact Zone	IT Impact Zone
Establish, implement, and maintain a physical security program. CC ID 11757	Establish/Maintain Documentation	Preventive
Establish, implement, and maintain an anti-tamper protection program. CC ID 10638	Monitor and Evaluate Occurrences	Detective
Protect assets from tampering or unapproved substitution. CC ID 11902 [Logging facilities and log information shall be protected against tampering and unauthorized access. A.12.4.2 Control]	Physical and Environmental Protection	Preventive
Establish, implement, and maintain a facility physical security program. CC ID 00711 [Physical security for offices, rooms and facilities shall be designed and applied. A.11.1.3 Control]	Establish/Maintain Documentation	Preventive
Establish and maintain a contract for accessing facilities that transmit, process, or store restricted data. CC ID 12050	Establish/Maintain Documentation	Preventive
Refrain from providing access to facilities that transmit, process, or store restricted data until the contract for accessing the facility is signed. CC ID 12311	Behavior	Preventive
Protect the facility from crime. CC ID 06347	Physical and Environmental Protection	Preventive
Define communication methods for reporting crimes. CC ID 06349	Establish/Maintain Documentation	Preventive
Include identification cards or badges in the physical security program. CC ID 14818	Establish/Maintain Documentation	Preventive
Protect facilities from eavesdropping. CC ID 02222	Physical and Environmental Protection	Preventive
Inspect telephones for eavesdropping devices. CC ID 02223	Physical and Environmental Protection	Detective
Implement audio protection controls on telephone systems in controlled areas. CC ID 16455	Technical Security	Preventive
Establish, implement, and maintain security procedures for virtual meetings CC ID 15581	Establish/Maintain Documentation	Preventive
Hold conferences requiring sensitive information discussions in spaces that have commensurate security. CC ID 11440	Physical and Environmental Protection	Preventive
Provide one-time meeting support for discussions involving Top Secret information. CC ID 11441	Physical and Environmental Protection	Preventive
Create security zones in facilities, as necessary. CC ID 16295	Physical and Environmental Protection	Preventive
Establish clear zones around any sensitive facilities. CC ID 02214	Physical and Environmental Protection	Preventive
Establish, implement, and maintain floor plans. CC ID 16419	Establish/Maintain Documentation	Preventive
Include network infrastructure and cabling infrastructure on the floor plan. CC ID 16420	Establish/Maintain Documentation	Preventive
Post floor plans of critical facilities in secure locations. CC ID 16138	Communicate	Preventive
Post and maintain security signage for all facilities. CC ID 02201	Establish/Maintain Documentation	Preventive
Inspect items brought into the facility. CC ID 06341	Physical and Environmental Protection	Preventive
Maintain all physical security systems. CC ID 02206	Physical and Environmental Protection	Preventive
Detect anomalies in physical barriers. CC ID 13533	Investigate	Detective
Maintain all security alarm systems. CC ID 11669	Physical and Environmental Protection	Preventive
Identify and document physical access controls for all physical entry points. CC ID 01637 [Secure areas shall be protected by appropriate entry controls to ensure that only authorized personnel are allowed access. A.11.1.2 Control]	Establish/Maintain Documentation	Preventive
Control physical access to (and within) the facility. CC ID 01329	Physical and Environmental Protection	Preventive
Establish, implement, and maintain physical access procedures. CC ID 13629	Establish/Maintain Documentation	Preventive
Meet the physical access requirements of disabled individuals, if reasonably possible. CC ID 00419	Physical and Environmental Protection	Preventive
Secure physical entry points with physical access controls or security guards. CC ID 01640	Physical and Environmental Protection	Detective
Configure the access control system to grant access only during authorized working hours. CC ID 12325	Physical and Environmental Protection	Preventive
Establish, implement, and maintain a visitor access permission policy. CC ID 06699	Establish/Maintain Documentation	Preventive
Escort visitors within the facility, as necessary. CC ID 06417	Establish/Maintain Documentation	Preventive
Check the visitor's stated identity against a provided government issued identification. CC ID 06701	Physical and Environmental Protection	Preventive
Authorize visitors before granting entry to physical areas containing restricted data or restricted information. CC ID 01330	Testing	Preventive
Disseminate and communicate the right of the organization to search visitors while at the facility. CC ID 06702	Behavior	Preventive
Establish, implement, and maintain procedures for changing a visitor's access requirements. CC ID 12048	Establish/Maintain Documentation	Preventive
Maintain and review facility access lists of personnel who have been granted authorized entry to (and within) facilities that contain restricted data or restricted information. CC ID 01436	Establish/Maintain Documentation	Preventive
Authorize physical access to sensitive areas based on job functions. CC ID 12462	Establish/Maintain Documentation	Preventive
Change access requirements to organizational assets for personnel and visitors, as necessary. CC ID 12463	Physical and Environmental Protection	Corrective
Escort uncleared personnel who need to work in or access controlled access areas. CC ID 00747	Monitor and Evaluate Occurrences	Preventive
Establish, implement, and maintain physical identification procedures. CC ID 00713	Establish/Maintain Documentation	Preventive
Disallow opting out of wearing or displaying identification cards or badges. CC ID 13030	Human Resources Management	Preventive
Implement physical identification processes. CC ID 13715	Process or Activity	Preventive
Refrain from using knowledge-based authentication for in-person identity verification. CC ID 13717	Process or Activity	Preventive
Issue photo identification badges to all employees. CC ID 12326	Physical and Environmental Protection	Preventive
Implement operational requirements for card readers. CC ID 02225	Testing	Preventive
Establish, implement, and maintain lost or damaged identification card procedures, as necessary. CC ID 14819	Establish/Maintain Documentation	Preventive
Document all lost badges in a lost badge list. CC ID 12448	Establish/Maintain Documentation	Corrective
Report lost badges, stolen badges, and broken badges to the Security Manager. CC ID 12334	Physical and Environmental Protection	Preventive
Manage constituent identification inside the facility. CC ID 02215	Behavior	Preventive
Direct each employee to be responsible for their identification card or badge. CC ID 12332	Human Resources Management	Preventive
Manage visitor identification inside the facility. CC ID 11670	Physical and Environmental Protection	Preventive
Issue visitor identification badges to all non-employees. CC ID 00543	Behavior	Preventive
Secure unissued visitor identification badges. CC ID 06712	Physical and Environmental Protection	Preventive
Retrieve visitor identification badges prior to the exit of a visitor from the facility. CC ID 01331	Behavior	Preventive
Include name, date of entry, and validity period on disposable identification cards or badges. CC ID 12331	Physical and Environmental Protection	Preventive
Establish, implement, and maintain identification issuance procedures for identification cards or badges. CC ID 06598	Establish/Maintain Documentation	Preventive
Record the assigned identification card or badge serial number when issuing an identification card or badge. CC ID 06714	Process or Activity	Preventive
Include error handling controls in identification issuance procedures. CC ID 13709	Establish/Maintain Documentation	Preventive
Include an appeal process in the identification issuance procedures. CC ID 15428	Business Processes	Preventive
Include information security in the identification issuance procedures. CC ID 15425	Establish/Maintain Documentation	Preventive
Include identity proofing processes in the identification issuance procedures. CC ID 06597	Process or Activity	Preventive
Establish, implement, and maintain post-issuance update procedures for identification cards or badges. CC ID 15426	Establish/Maintain Documentation	Preventive
Include an identity registration process in the identification issuance procedures. CC ID 11671	Establish/Maintain Documentation	Preventive
Restrict access to the badge system to authorized personnel. CC ID 12043	Physical and Environmental Protection	Preventive
Enforce dual control for badge assignments. CC ID 12328	Physical and Environmental Protection	Preventive
Enforce dual control for accessing unassigned identification cards or badges. CC ID 12327	Physical and Environmental Protection	Preventive
Refrain from imprinting the company name or company logo on identification cards or badges. CC ID 12282	Physical and Environmental Protection	Preventive
Establish, implement, and maintain identification renewal procedures for identification cards or badges. CC ID 06599	Establish/Maintain Documentation	Preventive
Assign employees the responsibility for controlling their identification badges. CC ID 12333	Human Resources Management	Preventive
Establish, implement, and maintain identification re-issuing procedures for identification cards or badges. CC ID 06596	Establish/Maintain Documentation	Preventive
Establish, implement, and maintain identification mechanism termination procedures. CC ID 06306	Establish/Maintain Documentation	Preventive
Prevent tailgating through physical entry points. CC ID 06685	Physical and Environmental Protection	Preventive
Establish, implement, and maintain a door security standard. CC ID 06686	Establish/Maintain Documentation	Preventive
Install doors so that exposed hinges are on the secured side. CC ID 06687	Configuration	Preventive
Install emergency doors to permit egress only. CC ID 06688	Configuration	Preventive
Install contact alarms on doors, as necessary. CC ID 06710	Configuration	Preventive
Use locks to protect against unauthorized physical access. CC ID 06342	Physical and Environmental Protection	Preventive
Use locks with electronic authentication systems or cipher locks, as necessary. CC ID 06650	Configuration	Preventive
Test locks for physical security vulnerabilities. CC ID 04880	Testing	Detective
Secure unissued access mechanisms. CC ID 06713	Technical Security	Preventive
Establish, implement, and maintain a lock and access mechanism inventory (keys, lock combinations, or key cards) for all physical access control systems. CC ID 00748	Establish/Maintain Documentation	Preventive
Change cipher lock codes, as necessary. CC ID 06651	Technical Security	Preventive
Record the assigned access mechanism serial number or cipher lock code when issuing controlled items. CC ID 06715	Establish/Maintain Documentation	Preventive
Establish, implement, and maintain a window security standard. CC ID 06689	Establish/Maintain Documentation	Preventive
Install contact alarms on openable windows, as necessary. CC ID 06690	Configuration	Preventive
Install glass break alarms on windows, as necessary. CC ID 06691	Configuration	Preventive
Post signs at all physical entry points stating the organization's right to inspect upon entry. CC ID 02204	Establish/Maintain Documentation	Preventive
Install and maintain security lighting at all physical entry points. CC ID 02205	Physical and Environmental Protection	Preventive
Use vandal resistant light fixtures for all security lighting. CC ID 16130	Physical and Environmental Protection	Preventive
Manage access to loading docks, unloading docks, and mail rooms. CC ID 02210 [{delivery area} Access points such as delivery and loading areas and other points where unauthorized persons could enter the premises shall be controlled and, if possible, isolated from information processing facilities to avoid unauthorized access. A.11.1.6 Control]	Physical and Environmental Protection	Preventive
Secure the loading dock with physical access controls or security guards. CC ID 06703	Physical and Environmental Protection	Preventive
Isolate loading areas from information processing facilities, if possible. CC ID 12028 [{delivery area} Access points such as delivery and loading areas and other points where unauthorized persons could enter the premises shall be controlled and, if possible, isolated from information processing facilities to avoid unauthorized access. A.11.1.6 Control]	Physical and Environmental Protection	Preventive
Screen incoming mail and deliveries. CC ID 06719	Physical and Environmental Protection	Preventive
Protect access to the facility's mechanical systems area. CC ID 02212	Physical and Environmental Protection	Preventive
Establish, implement, and maintain elevator security guidelines. CC ID 02232	Physical and Environmental Protection	Preventive
Establish, implement, and maintain stairwell security guidelines. CC ID 02233	Physical and Environmental Protection	Preventive
Establish, implement, and maintain glass opening security guidelines. CC ID 02234	Physical and Environmental Protection	Preventive
Establish, implement, and maintain after hours facility access procedures. CC ID 06340	Establish/Maintain Documentation	Preventive
Establish a security room, if necessary. CC ID 00738	Physical and Environmental Protection	Preventive
Implement physical security standards for mainframe rooms or data centers. CC ID 00749	Physical and Environmental Protection	Preventive
Establish and maintain equipment security cages in a shared space environment. CC ID 06711	Physical and Environmental Protection	Preventive
Secure systems in lockable equipment cabinets, as necessary. CC ID 06716	Physical and Environmental Protection	Preventive
Lock all lockable equipment cabinets. CC ID 11673	Physical and Environmental Protection	Detective
Establish, implement, and maintain vault physical security standards. CC ID 02203	Physical and Environmental Protection	Preventive
Establish, implement, and maintain a guideline for working in a secure area. CC ID 04538 [Procedures for working in secure areas shall be designed and applied. A.11.1.5 Control]	Establish/Maintain Documentation	Preventive
Establish, implement, and maintain emergency re-entry procedures. CC ID 11672	Establish/Maintain Documentation	Preventive
Establish, implement, and maintain emergency exit procedures. CC ID 01252	Establish/Maintain Documentation	Preventive
Establish, Implement, and maintain a camera operating policy. CC ID 15456	Establish/Maintain Documentation	Preventive
Disseminate and communicate the camera installation policy to interested personnel and affected parties. CC ID 15461	Communicate	Preventive
Monitor for unauthorized physical access at physical entry points and physical exit points. CC ID 01638	Monitor and Evaluate Occurrences	Detective
Establish and maintain a visitor log. CC ID 00715	Log Management	Preventive
Report anomalies in the visitor log to appropriate personnel. CC ID 14755	Investigate	Detective
Require all visitors to sign in to the visitor log before the entrance of a visitor to the facility. CC ID 06700	Establish/Maintain Documentation	Preventive
Require all visitors to sign out of the visitor log before the exit of a visitor from the facility. CC ID 06649	Behavior	Preventive
Record the visitor's name in the visitor log. CC ID 00557	Log Management	Preventive
Record the visitor's organization in the visitor log. CC ID 12121	Log Management	Preventive
Record the visitor's acceptable access areas in the visitor log. CC ID 12237	Log Management	Preventive
Record the date and time of entry in the visitor log. CC ID 13255	Establish/Maintain Documentation	Preventive
Record the onsite personnel authorizing physical access for the visitor in the visitor log. CC ID 12466	Establish/Maintain Documentation	Preventive
Retain all records in the visitor log as prescribed by law. CC ID 00572	Log Management	Preventive
Establish, implement, and maintain a physical access log. CC ID 12080	Establish/Maintain Documentation	Preventive
Log the entrance of a staff member to a facility or designated rooms within the facility. CC ID 01641	Log Management	Preventive
Log when the vault is accessed. CC ID 06725	Log Management	Detective
Log when the cabinet is accessed. CC ID 11674	Log Management	Detective
Store facility access logs in off-site storage. CC ID 06958	Log Management	Preventive
Log the exit of a staff member to a facility or designated rooms within the facility. CC ID 11675	Monitor and Evaluate Occurrences	Preventive
Observe restricted areas with motion detectors or closed-circuit television systems. CC ID 01328	Monitor and Evaluate Occurrences	Detective
Review and correlate all data collected from video cameras and/or access control mechanisms with other entries. CC ID 11609	Monitor and Evaluate Occurrences	Detective
Configure video cameras to cover all physical entry points. CC ID 06302	Configuration	Preventive
Configure video cameras to prevent physical tampering or disablement. CC ID 06303	Configuration	Preventive
Retain video events according to Records Management procedures. CC ID 06304	Records Management	Preventive
Monitor physical entry point alarms. CC ID 01639	Physical and Environmental Protection	Detective
Evaluate and react to when unauthorized access is detected by physical entry point alarms. CC ID 11677	Monitor and Evaluate Occurrences	Detective
Monitor for alarmed security doors being propped open. CC ID 06684	Monitor and Evaluate Occurrences	Detective
Establish, implement, and maintain physical security threat reports. CC ID 02207	Establish/Maintain Documentation	Preventive
Build and maintain fencing, as necessary. CC ID 02235 [{sensitive information} Security perimeters shall be defined and used to protect areas that contain either sensitive or critical information and information processing facilities. A.11.1.1 Control]	Physical and Environmental Protection	Preventive
Implement security measures for all interior spaces that allow for any payment transactions. CC ID 06352	Physical and Environmental Protection	Preventive
Employ security guards to provide physical security, as necessary. CC ID 06653	Establish Roles	Preventive
Establish, implement, and maintain a facility wall standard. CC ID 06692	Establish/Maintain Documentation	Preventive
Design interior walls with sound absorbing materials as well as thermal resistant materials. CC ID 06372	Physical and Environmental Protection	Preventive
Design interior walls that provide security to extend from true floor to true ceiling. CC ID 06693	Configuration	Preventive
Refrain from search and seizure inside organizational facilities absent a warrant. CC ID 09980	Behavior	Preventive
Disallow either search or seizure of any person inside organizational facilities absent a warrant. CC ID 09981	Behavior	Preventive
Disallow copying or excerpting from documents, books, or records that are on or in the premises of an organizational facility absent a warrant. CC ID 09982	Business Processes	Preventive
Disallow inspecting computers or searching computer records inside organizational facilities absent a warrant. CC ID 09983	Behavior	Preventive
Do nothing to help during a search and seizure inside organizational facilities absent a warrant and being legally compelled to assist. CC ID 09984	Behavior	Preventive
Establish, implement, and maintain physical security controls for distributed assets. CC ID 00718	Physical and Environmental Protection	Preventive
Control the transiting and internal distribution or external distribution of assets. CC ID 00963 [Media containing information shall be protected against unauthorized access, misuse or corruption during transportation. A.8.3.3 Control]	Records Management	Preventive
Log the transiting, internal distribution, and external distribution of restricted storage media. CC ID 12321	Log Management	Preventive
Encrypt digital media containing sensitive information during transport outside controlled areas. CC ID 14258	Technical Security	Preventive
Obtain management authorization for restricted storage media transit or distribution from a controlled access area. CC ID 00964	Records Management	Preventive
Use locked containers to transport non-digital media outside of controlled areas. CC ID 14286	Physical and Environmental Protection	Preventive
Transport restricted media using a delivery method that can be tracked. CC ID 11777	Business Processes	Preventive
Track restricted storage media while it is in transit. CC ID 00967	Data and Information Management	Detective
Restrict physical access to distributed assets. CC ID 11865 [{environmental hazards} Equipment shall be sited and protected to reduce the risks from environmental threats and hazards, and opportunities for unauthorized access. A.11.2.1 Control]	Physical and Environmental Protection	Preventive
House network hardware in lockable rooms or lockable equipment cabinets. CC ID 01873	Physical and Environmental Protection	Preventive
Protect electronic storage media with physical access controls. CC ID 00720	Physical and Environmental Protection	Preventive
Protect distributed assets against theft. CC ID 06799	Physical and Environmental Protection	Preventive
Establish, implement, and maintain asset removal procedures or asset decommissioning procedures. CC ID 04540	Establish/Maintain Documentation	Preventive
Prohibit assets from being taken off-site absent prior authorization. CC ID 12027 [Equipment, information or software shall not be taken off-site without prior authorization. A.11.2.5 Control]	Process or Activity	Preventive
Establish, implement, and maintain off-site physical controls for all distributed assets. CC ID 04539 [Security shall be applied to off-site assets taking into account the different risks of working outside the organization’s premises. A.11.2.6 Control]	Physical and Environmental Protection	Preventive
Establish, implement, and maintain end user computing device security guidelines. CC ID 00719 [Users shall ensure that unattended equipment has appropriate protection. A.11.2.8 Control]	Establish/Maintain Documentation	Preventive
Establish, implement, and maintain a locking screen saver policy. CC ID 06717	Establish/Maintain Documentation	Preventive
Encrypt information stored on devices in publicly accessible areas. CC ID 16410	Data and Information Management	Preventive
Secure workstations to desks with security cables. CC ID 04724	Physical and Environmental Protection	Preventive
Establish, implement, and maintain mobile device security guidelines. CC ID 04723 [A policy and supporting security measures shall be adopted to manage the risks introduced by using mobile devices. A.6.2.1 Control]	Establish/Maintain Documentation	Preventive
Require users to refrain from leaving mobile devices unattended. CC ID 16446	Business Processes	Preventive
Include the expectation of data loss in the event of sanitizing the mobile device in the mobile device security guidelines. CC ID 12292	Establish/Maintain Documentation	Preventive
Wipe information from mobile devices after a predetermined number of unsuccessful logon attempts. CC ID 14242	Data and Information Management	Preventive
Include legal requirements in the mobile device security guidelines. CC ID 12291	Establish/Maintain Documentation	Preventive
Include the use of privacy filters in the mobile device security guidelines. CC ID 16452	Physical and Environmental Protection	Preventive
Include prohibiting the usage of unapproved application stores in the mobile device security guidelines. CC ID 12290	Establish/Maintain Documentation	Preventive
Include requiring users to create data backups in the mobile device security guidelines. CC ID 12289	Establish/Maintain Documentation	Preventive
Include the definition of mobile devices in the mobile device security guidelines. CC ID 12288	Establish/Maintain Documentation	Preventive
Refrain from responding to unsolicited Personal Identification Number requests. CC ID 12430	Physical and Environmental Protection	Preventive
Refrain from pairing bluetooth devices in unsecured areas. CC ID 12429	Physical and Environmental Protection	Preventive
Encrypt information stored on mobile devices. CC ID 01422	Data and Information Management	Preventive
Separate systems that transmit, process, or store restricted data from those that do not by deploying physical access controls. CC ID 00722 [{sensitive information} Security perimeters shall be defined and used to protect areas that contain either sensitive or critical information and information processing facilities. A.11.1.1 Control]	Physical and Environmental Protection	Preventive
Establish, implement, and maintain asset return procedures. CC ID 04537	Establish/Maintain Documentation	Preventive
Require the return of all assets upon notification an individual is terminated. CC ID 06679 [{require} All employees and external party users shall return all of the organizational assets in their possession upon termination of their employment, contract or agreement. A.8.1.4 Control]	Behavior	Preventive
Establish, implement, and maintain a clean desk policy. CC ID 06534 [A clear desk policy for papers and removable storage media and a clear screen policy for information processing facilities shall be adopted. A.11.2.9 Control]	Establish/Maintain Documentation	Preventive
Establish, implement, and maintain a clear screen policy. CC ID 12436 [A clear desk policy for papers and removable storage media and a clear screen policy for information processing facilities shall be adopted. A.11.2.9 Control]	Technical Security	Preventive
Establish, implement, and maintain an environmental control program. CC ID 00724 [Physical protection against natural disasters, malicious attack or accidents shall be designed and applied. A.11.1.4 Control]	Physical and Environmental Protection	Preventive
Establish, implement, and maintain clean energy standards. CC ID 16285	Establish/Maintain Documentation	Preventive
Establish, implement, and maintain environmental control procedures. CC ID 12246	Establish/Maintain Documentation	Preventive
Establish and maintain a telecommunications equipment room, as necessary. CC ID 06708	Configuration	Preventive
Protect power equipment and power cabling from damage or destruction. CC ID 01438 [{power cabling} Power and telecommunications cabling carrying data or supporting information services shall be protected from interception, interference or damage. A.11.2.3 Control Equipment shall be protected from power failures and other disruptions caused by failures in supporting utilities. A.11.2.2 Control]	Physical and Environmental Protection	Preventive
Install and maintain power distribution boards. CC ID 16486	Systems Design, Build, and Implementation	Preventive
Establish, implement, and maintain a battery room, as necessary. CC ID 06706	Configuration	Preventive
Establish and maintain a generator room, as necessary. CC ID 06704	Configuration	Preventive
Place the Uninterruptible Power Supply in the generator room, as necessary. CC ID 11676	Physical and Environmental Protection	Preventive
Establish, implement, and maintain facility maintenance procedures. CC ID 00710	Establish/Maintain Documentation	Preventive
Design the Information Technology facility with consideration given to natural disasters and man-made disasters. CC ID 00712	Physical and Environmental Protection	Preventive
Design the Information Technology facility with a low profile. CC ID 16140	Physical and Environmental Protection	Preventive
Prohibit signage indicating computer room location and uses. CC ID 06343	Physical and Environmental Protection	Preventive
Require critical facilities to have adequate room for facility maintenance. CC ID 06361	Physical and Environmental Protection	Preventive
Require critical facilities to have adequate room for evacuation. CC ID 11686	Physical and Environmental Protection	Preventive
Build critical facilities according to applicable building codes. CC ID 06366	Physical and Environmental Protection	Preventive
Build critical facilities with fire resistant materials. CC ID 06365	Physical and Environmental Protection	Preventive
Build critical facilities with materials that limit electromagnetic interference. CC ID 16131	Physical and Environmental Protection	Preventive
Build critical facilities with water-resistant materials. CC ID 11679	Physical and Environmental Protection	Preventive
Monitor operational conditions at unmanned facilities. CC ID 06327	Physical and Environmental Protection	Preventive
Remotely control operational conditions at unmanned facilities. CC ID 11680	Technical Security	Preventive
Inspect and maintain the facility and supporting assets. CC ID 06345	Physical and Environmental Protection	Preventive
Test and inspect assets under full load working conditions. CC ID 06356	Testing	Detective
Define selection criteria for facility locations. CC ID 06351	Establish/Maintain Documentation	Preventive
Establish, implement, and maintain facility demolition procedures. CC ID 16133	Establish/Maintain Documentation	Preventive
Establish, implement, and maintain work environment requirements. CC ID 06613	Establish/Maintain Documentation	Preventive
Apply noise-prevention devices to organizational assets, as necessary. CC ID 16141	Physical and Environmental Protection	Preventive
Establish, implement, and maintain system cleanliness requirements. CC ID 06614	Establish/Maintain Documentation	Preventive
House system components in areas where the physical damage potential is minimized. CC ID 01623 [{environmental hazards} Equipment shall be sited and protected to reduce the risks from environmental threats and hazards, and opportunities for unauthorized access. A.11.2.1 Control]	Physical and Environmental Protection	Preventive
Establish, implement, and maintain a fire prevention and fire suppression standard. CC ID 06695	Establish/Maintain Documentation	Preventive
Install and maintain fire protection equipment. CC ID 00728	Configuration	Preventive
Install and maintain fire suppression systems. CC ID 00729	Configuration	Preventive
Install and maintain smoke detectors. CC ID 15264	Physical and Environmental Protection	Preventive
Conduct periodic fire marshal inspections for all organizational facilities. CC ID 04888	Physical and Environmental Protection	Preventive
Install and maintain fire-retarding divisions such as fire doors in accordance with applicable building codes. CC ID 06362	Physical and Environmental Protection	Preventive
Conduct fire drills, as necessary. CC ID 13985	Process or Activity	Preventive
Employ environmental protections. CC ID 12570	Process or Activity	Preventive
Monitor and review environmental protections. CC ID 12571	Monitor and Evaluate Occurrences	Detective
Establish, implement, and maintain electromagnetic compatibility requirements for in scope assets. CC ID 16472	Establish/Maintain Documentation	Preventive
Install and maintain seismic detectors in critical facilities. CC ID 06364	Physical and Environmental Protection	Detective
Protect physical assets against static electricity, as necessary. CC ID 06363	Physical and Environmental Protection	Preventive
Install and maintain emergency lighting for use in a power failure. CC ID 01440	Physical and Environmental Protection	Preventive
Install and maintain lightning protection mechanisms in critical facilities. CC ID 06367	Physical and Environmental Protection	Preventive
Establish, implement, and maintain pest control systems in organizational facilities CC ID 16139	Physical and Environmental Protection	Preventive
Establish, implement, and maintain a Heating Ventilation and Air Conditioning system. CC ID 00727	Configuration	Preventive
Install and maintain an environment control monitoring system. CC ID 06370	Monitor and Evaluate Occurrences	Detective
Protect air intakes into the organizational facility. CC ID 02211	Physical and Environmental Protection	Preventive
Install and maintain dust collection and filtering as a part of the Heating Ventilation and Air Conditioning system. CC ID 06368	Configuration	Preventive
Install and maintain backup Heating Ventilation and Air Conditioning equipment. CC ID 06369	Configuration	Preventive
Install and maintain a moisture control system as a part of the climate control system. CC ID 06694	Configuration	Preventive
Install and maintain hydrogen sensors, as necessary. CC ID 06705	Configuration	Preventive
Protect physical assets from water damage. CC ID 00730	Configuration	Preventive
Notify interested personnel and affected parties when water is detected in the vicinity of information systems. CC ID 14252	Communicate	Preventive
Install and maintain water detection devices. CC ID 11678	Physical and Environmental Protection	Preventive

Privacy protection for information and data

976

Mandated - bold Implied - italic Implementation - regular	TYPE	CLASS
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term
Privacy protection for information and data CC ID 00008	IT Impact Zone	IT Impact Zone
Establish, implement, and maintain a privacy framework that protects restricted data. CC ID 11850 [Privacy and protection of personally identifiable information shall be ensured as required in relevant legislation and regulation where applicable. A.18.1.4 Control]	Establish/Maintain Documentation	Preventive
Include the roles and responsibilities of the organization's legal counsel in the privacy framework. CC ID 14862	Establish/Maintain Documentation	Preventive
Establish, implement, and maintain a personal data transparency program. CC ID 00375	Data and Information Management	Preventive
Establish and maintain privacy notices, as necessary. CC ID 13443	Establish/Maintain Documentation	Preventive
Include the purpose of the privacy notice in the privacy notice. CC ID 13526	Establish/Maintain Documentation	Preventive
Include contact information in the privacy notice. CC ID 14432	Establish/Maintain Documentation	Preventive
Include the data subject's choices for data collection, data processing, data disclosure, and data retention in the privacy notice. CC ID 13503	Establish/Maintain Documentation	Preventive
Include the right to opt out of personal data disclosure in the privacy notice. CC ID 13460	Establish/Maintain Documentation	Preventive
Include instructions on how to opt out of personal data disclosure in the privacy notice. CC ID 13461	Establish/Maintain Documentation	Preventive
Include the types of third parties to which personal data is disclosed in the privacy notice. CC ID 13459	Establish/Maintain Documentation	Preventive
Include the organization's policies, standards, and procedures in the privacy notice. CC ID 13455	Establish/Maintain Documentation	Preventive
Include the organization's privacy framework in the privacy notice, as necessary. CC ID 13456	Establish/Maintain Documentation	Preventive
Include the personal data collection categories in the privacy notice. CC ID 13457	Establish/Maintain Documentation	Preventive
Include disclosure exceptions in the privacy notice. CC ID 13447	Establish/Maintain Documentation	Preventive
Include the types of personal data disclosed in the privacy notice. CC ID 13446	Establish/Maintain Documentation	Preventive
Include descriptions of each type of personal data disclosed in the privacy notice. CC ID 13458	Establish/Maintain Documentation	Preventive
Specify the time frame that notice will be given. CC ID 00385	Establish/Maintain Documentation	Preventive
Include the information about the appeal process in the privacy notice. CC ID 15312	Establish/Maintain Documentation	Preventive
Combine privacy notices into a joint notification with suppliers, as necessary. CC ID 13468	Establish/Maintain Documentation	Preventive
Refrain from delivering privacy notices to data subjects, as necessary. CC ID 13445	Communicate	Preventive
Deliver privacy notices to data subjects, as necessary. CC ID 13444	Communicate	Preventive
Deliver a short-form initial notification along with an opt-out notice as an alternate to delivering a privacy notice, as necessary. CC ID 13464	Establish/Maintain Documentation	Preventive
Update privacy notices, as necessary. CC ID 13474	Communicate	Preventive
Redeliver privacy notices, as necessary. CC ID 14850	Communicate	Preventive
Deliver privacy notices to third parties, as necessary. CC ID 13473	Communicate	Preventive
Obtain acknowledgment of receipt of the privacy notice. CC ID 14435	Communicate	Preventive
Document any reasons acknowledgment of the privacy notice was not received. CC ID 14434	Establish/Maintain Documentation	Corrective
Establish and maintain short-form initial notifications of privacy notices that are clear and conspicuous. CC ID 13466	Establish/Maintain Documentation	Preventive
Include the organization's privacy framework in the short-form initial notification, as necessary. CC ID 13472	Establish/Maintain Documentation	Preventive
Include the methodology for accessing the privacy notice in the short-form initial notification. CC ID 13471	Establish/Maintain Documentation	Preventive
Include that the privacy notice is available upon request in the short-form initial notification. CC ID 13470	Establish/Maintain Documentation	Preventive
Establish, implement, and maintain opt-out notices. CC ID 13448	Establish/Maintain Documentation	Preventive
Include how opt out directions for joint consumers are treated in the opt-out notice. CC ID 13465	Establish/Maintain Documentation	Preventive
Include the opt out method for data subjects in the opt-out notice. CC ID 13467	Establish/Maintain Documentation	Preventive
Include the data subject's right to opt out of personal data disclosure in the opt-out notice. CC ID 13463	Establish/Maintain Documentation	Preventive
Explain the right to opt out in the opt-out notice. CC ID 13462	Establish/Maintain Documentation	Preventive
Include the organization's right to share personal data in the opt-out notice. CC ID 13450	Establish/Maintain Documentation	Preventive
Deliver opt-out notices, as necessary. CC ID 13449	Communicate	Preventive
Include an initial privacy notification when delivering the opt-out notice. CC ID 13453	Communicate	Preventive
Provide a copy of the organization's privacy program to statutory authorities, as necessary. CC ID 12376	Communicate	Preventive
Affirm adequate protection of personal data to applicable statutory authorities if the organization is not a member of a privacy program. CC ID 12372	Communicate	Preventive
Notify statutory authorities concerned with the privacy program of the cessation of the organization after being merged or acquired. CC ID 12391	Communicate	Preventive
Notify statutory authorities concerned with the privacy program if the surviving organization will continue in the privacy program. CC ID 12393	Communicate	Preventive
Notify data subjects about the organization's external requirements relevant to the privacy program. CC ID 12354	Communicate	Preventive
Provide the data subject with a notice of participation procedures. CC ID 06241	Establish/Maintain Documentation	Preventive
Deliver notices to the intended parties. CC ID 06240	Data and Information Management	Preventive
Notify data subjects about their privacy rights. CC ID 12989	Communicate	Preventive
Disseminate and communicate the critical third party list with relevance to the privacy program to all interested personnel and affected parties. CC ID 12352	Communicate	Preventive
Require a data protection impact assessment when profiling the data subject. CC ID 12680	Process or Activity	Detective
Establish, implement, and maintain adequate openness procedures. CC ID 00377	Data and Information Management	Preventive
Provide public proof the organization participates in a privacy program. CC ID 12349	Communicate	Preventive
Publish a description of processing activities in an official register. CC ID 00379	Establish/Maintain Documentation	Preventive
Establish and maintain a records request manual. CC ID 00381	Establish/Maintain Documentation	Preventive
Establish and maintain a description of voluntary disclosure and automatic availability of certain records. CC ID 00382	Establish/Maintain Documentation	Preventive
Register with public bodies and notify the Data Commissioner before processing personal data. CC ID 00383	Behavior	Preventive
Define what is included in registration notices. CC ID 00386	Establish/Maintain Documentation	Preventive
Include the address where the file or hardware supporting the data processing is located in the registration notice. CC ID 00387	Establish/Maintain Documentation	Preventive
Include a purpose specification description in the registration notice. CC ID 00388	Establish/Maintain Documentation	Preventive
Include the data subject category being processed in the registration notice. CC ID 00389	Establish/Maintain Documentation	Preventive
Include the time period for data processing in the registration notice. CC ID 00390	Establish/Maintain Documentation	Preventive
Include procedures for when the registration notice for processing personal data is insufficient in the registration notice. CC ID 00392	Establish/Maintain Documentation	Preventive
Provide legal authorities access to personal data, upon request. CC ID 06818	Data and Information Management	Preventive
Provide the data subject with information about automated decision-making during personal data processing. CC ID 12609	Process or Activity	Preventive
Provide the data subject with information about obtaining automated decision-making used during personal data processing. CC ID 12618	Establish/Maintain Documentation	Preventive
Provide the data subject with the name, title, and address of the individual accountable for the organizational policies. CC ID 00394	Establish/Maintain Documentation	Preventive
Provide the data subject with a copy of any brochures or other information that explain policies, standards, or codes. CC ID 00398	Establish/Maintain Documentation	Preventive
Provide the data subject with contractual requirements requiring the provision of personal data. CC ID 12588	Process or Activity	Preventive
Document the countries where restricted data may be stored. CC ID 12750	Data and Information Management	Preventive
Protect the rights of students and their parents or legal representatives. CC ID 00222	Data and Information Management	Preventive
Refrain from allowing access rights to education records maintained by another educational institution. CC ID 13014	Technical Security	Preventive
Refrain from allowing students the right to inspect the financial records of their parent or legal representative. CC ID 13025	Records Management	Preventive
Refrain from allowing students the right to inspect confidential letters and confidential letters of recommendation. CC ID 13019	Records Management	Preventive
Amend education records within a reasonable period after receiving a record amendment request. CC ID 12998	Records Management	Corrective
Decide whether to amend education records based on evidence presented during a hearing. CC ID 13020	Records Management	Corrective
Disseminate and communicate the notification of rights to students and their parent or legal representative. CC ID 12996	Establish/Maintain Documentation	Preventive
Include the criteria for determining what constitutes a legitimate educational interest in the notification of rights. CC ID 13004	Establish/Maintain Documentation	Preventive
Include the criteria for determining what constitutes a school official in the notification of rights. CC ID 13003	Establish/Maintain Documentation	Preventive
Disclose educational data, as necessary. CC ID 00223	Data and Information Management	Preventive
Grant access to education records in support of educational program audits. CC ID 13032	Records Management	Preventive
Grant access to education records in support of external requirements. CC ID 13033	Records Management	Preventive
Disclose statements added to education records, as necessary. CC ID 12990	Communicate	Preventive
Obtain explicit consent from students or their parent or legal representative prior to using or disclosing educational data. CC ID 00220	Data and Information Management	Preventive
Disclose education records when written consent is received. CC ID 00224	Data and Information Management	Preventive
Specify the parties to whom education records may be disclosed in the written consent. CC ID 13002	Establish/Maintain Documentation	Preventive
Specify the purpose of the disclosure in the written consent. CC ID 13001	Establish/Maintain Documentation	Preventive
Specify which education records may be disclosed in the written consent. CC ID 13000	Establish/Maintain Documentation	Preventive
Document the conditions when consent is not required to disclose educational data. CC ID 00225	Establish/Maintain Documentation	Preventive
Disclose educational data absent consent when disclosure is in connection with a disciplinary proceeding. CC ID 13005	Communicate	Preventive
Refrain from disclosing disciplinary proceeding results unless the student has violated the institution's rules or policies. CC ID 13023	Communicate	Preventive
Disclose educational data absent consent when it concerns sex offenders. CC ID 13013	Communicate	Preventive
Disclose educational data absent consent to other school officials. CC ID 00226	Data and Information Management	Preventive
Disclose educational data absent consent to another institution's school officials. CC ID 00227	Data and Information Management	Preventive
Disclose educational data absent consent in connection with financial aid. CC ID 00229	Data and Information Management	Preventive
Disclose educational data absent consent to organizations conducting studies on tests. CC ID 00230	Data and Information Management	Preventive
Disclose educational data absent consent to organizations conducting studies if educational data is destroyed when no longer required. CC ID 12995	Communicate	Preventive
Disclose educational data absent consent to accrediting organizations. CC ID 00231	Data and Information Management	Preventive
Disclose educational data absent consent to a dependent student's parent or legal representative. CC ID 00232	Data and Information Management	Preventive
Disclose educational data absent consent in order to comply with a judicial order. CC ID 00233	Data and Information Management	Preventive
Disclose educational data absent consent for a health and safety emergency. CC ID 00234	Data and Information Management	Preventive
Disclose educational data absent consent when it is merely directory information. CC ID 00235	Data and Information Management	Preventive
Disclose educational data absent consent to a crime victim. CC ID 00236	Data and Information Management	Preventive
Record the health and safety threats of students when disclosing personal data. CC ID 12997	Establish/Maintain Documentation	Preventive
Refrain from providing information to the data subject, as necessary. CC ID 12625	Communicate	Preventive
Refrain from providing information to the data subject when it is forbidden by law. CC ID 12651	Communicate	Preventive
Refrain from providing information to the data subject when it proves impossible due to statistical purposes. CC ID 12645	Communicate	Preventive
Provide the data subject with information about lifting any restriction of processing, as necessary. CC ID 12634	Communicate	Preventive
Refrain from providing information to the data subject when it proves impossible due to historical research purposes. CC ID 12633	Communicate	Preventive
Refrain from providing information to the data subject when it proves impossible due to scientific research purposes. CC ID 12632	Communicate	Preventive
Refrain from providing information to the data subject when it proves impossible due to archival purposes. CC ID 12631	Communicate	Preventive
Refrain from providing information to the data subject when providing information involves disproportionate effort. CC ID 12629	Communicate	Preventive
Refrain from providing information to the data subject when the data subject has the information. CC ID 12628	Communicate	Preventive
Provide adequate structures, policies, procedures, and mechanisms to support direct access by the data subject to personal data that is provided upon request. CC ID 00393	Establish/Maintain Documentation	Preventive
Provide the data subject with the data retention period for personal data. CC ID 12587	Process or Activity	Preventive
Provide the data subject with the criteria used to determine the data retention period for personal data. CC ID 12589	Process or Activity	Preventive
Provide the data subject with the adequacy decision. CC ID 12586	Process or Activity	Preventive
Provide the data subject with references to the appropriate safeguards used to protect the privacy of personal data. CC ID 12585	Process or Activity	Preventive
Provide the data subject with copies of the appropriate safeguards used to protect the privacy of personal data. CC ID 12608	Process or Activity	Preventive
Provide the data subject with the means of gaining access to personal data held by the organization. CC ID 00396	Data and Information Management	Preventive
Refrain from requiring the data subject to create an account in order to submit a consumer request. CC ID 13780	Business Processes	Preventive
Provide the data subject with the data protection officer's contact information. CC ID 12573	Business Processes	Preventive
Notify the data subject of the right to data portability. CC ID 12603	Process or Activity	Preventive
Provide the data subject with information about the right to erasure. CC ID 12602	Process or Activity	Preventive
Provide the data subject with a description of the type of information held by the organization and a general account of its use. CC ID 00397	Establish/Maintain Documentation	Preventive
Provide the data subject with what personal data is made available to related organizations or subsidiaries. CC ID 00399	Data and Information Management	Preventive
Include individual's names to whom restricted data may be disclosed in the disclosure accounting record. CC ID 13027	Establish/Maintain Documentation	Preventive
Establish and maintain a disclosure accounting record. CC ID 13022	Establish/Maintain Documentation	Preventive
Include the official authorities that are allowed to disclose restricted data absent consent in the disclosure accounting record. CC ID 13029	Establish/Maintain Documentation	Preventive
Include the legitimate interests for accessing restricted data in the disclosure accounting record. CC ID 13028	Establish/Maintain Documentation	Preventive
Include what information was disclosed and to whom in the disclosure accounting record. CC ID 04680	Establish/Maintain Documentation	Preventive
Include the personal data the organization refrained from disclosing in the disclosure accounting record. CC ID 13769	Establish/Maintain Documentation	Preventive
Include the sale of personal data in the disclosure accounting record, as necessary. CC ID 13768	Establish/Maintain Documentation	Preventive
Include the disclosure date in the disclosure accounting record. CC ID 07133	Establish/Maintain Documentation	Preventive
Include the disclosure recipient in the disclosure accounting record. CC ID 07134	Establish/Maintain Documentation	Preventive
Include the disclosure purpose in the disclosure accounting record. CC ID 07135	Establish/Maintain Documentation	Preventive
Include the frequency, periodicity, or number of disclosures made during the accounting period in the disclosure accounting record. CC ID 07136	Establish/Maintain Documentation	Preventive
Include the final date of multiple disclosures in the disclosure accounting record. CC ID 07137	Establish/Maintain Documentation	Preventive
Include how personal data was used for research purposes in the disclosure accounting record. CC ID 07138	Establish/Maintain Documentation	Preventive
Include the research activity or research protocol in the disclosure accounting record. CC ID 07139	Establish/Maintain Documentation	Preventive
Include the record selection criteria for research activities in the disclosure accounting record. CC ID 07140	Establish/Maintain Documentation	Preventive
Include the contact information of the organization that sponsored the research activity in the disclosure accounting record. CC ID 07141	Establish/Maintain Documentation	Preventive
Disseminate and communicate the disclosure accounting record to interested personnel and affected parties. CC ID 14433	Communicate	Preventive
Provide shareholders with electronic messages regarding the shareholder meetings. CC ID 04586	Establish/Maintain Documentation	Preventive
Provide shareholders access to electronic messages via electronic means. CC ID 11855	Process or Activity	Preventive
Make telephone directory information available to the public. CC ID 08698	Establish/Maintain Documentation	Preventive
Display warning screens and confirmation screens for all payment transactions. CC ID 06409	Technical Security	Preventive
Define the acceptable data modifications before presenting the data to a data subject. CC ID 00400	Establish/Maintain Documentation	Preventive
Provide the data subject with information about the legitimate interests associated with personal data processing. CC ID 12614	Process or Activity	Preventive
Establish, implement, and maintain a privacy policy. CC ID 06281	Establish/Maintain Documentation	Preventive
Include the data subject's rights in the privacy policy. CC ID 16355	Establish/Maintain Documentation	Preventive
Establish, implement, and maintain a privacy policy model document. CC ID 14720	Establish/Maintain Documentation	Preventive
Notify interested personnel and affected parties when changes are made to the privacy policy. CC ID 06943	Behavior	Preventive
Document privacy policies in clearly written and easily understood language. CC ID 00376	Establish/Maintain Documentation	Detective
Document the notification of interested personnel and affected parties regarding privacy policy changes. CC ID 06944	Establish/Maintain Documentation	Preventive
Define what is included in the privacy policy. CC ID 00404	Establish/Maintain Documentation	Preventive
Define the information being collected in the privacy policy. CC ID 13115	Establish/Maintain Documentation	Preventive
Define which collection of information is voluntary and which is required in the privacy policy. CC ID 13110	Establish/Maintain Documentation	Preventive
Include the means by which information is collected in the privacy policy. CC ID 13114	Establish/Maintain Documentation	Preventive
Remove certification marks of privacy programs the organization is no longer a member of from the privacy policy. CC ID 12368	Establish/Maintain Documentation	Corrective
Include roles and responsibilities in the privacy policy. CC ID 14669	Establish/Maintain Documentation	Preventive
Include management commitment in the privacy policy. CC ID 14668	Establish/Maintain Documentation	Preventive
Include coordination amongst entities in the privacy policy. CC ID 14667	Establish/Maintain Documentation	Preventive
Include the policy for disclosing personal data of persons who have ceased to be customers in the privacy policy. CC ID 14854	Establish/Maintain Documentation	Preventive
Include compliance requirements in the privacy policy. CC ID 14666	Establish/Maintain Documentation	Preventive
Include the consequences of refusing to provide required information in the privacy policy. CC ID 13111	Establish/Maintain Documentation	Preventive
Remove any privacy programs the organization is not a member of from the privacy policy. CC ID 12367	Establish/Maintain Documentation	Corrective
Include independent recourse mechanisms in the privacy policy, as necessary. CC ID 12366	Establish/Maintain Documentation	Preventive
Include the privacy programs the organization is a member of in the privacy policy. CC ID 12365	Establish/Maintain Documentation	Preventive
Include a complaint form in the privacy policy. CC ID 12364	Establish/Maintain Documentation	Preventive
Include the address where the files and hardware that support the data processing is located in the privacy policy. CC ID 00405	Establish/Maintain Documentation	Preventive
Include the processing purpose in the privacy policy. CC ID 00406	Establish/Maintain Documentation	Preventive
Include an overview of applicable information security controls in the privacy policy, as necessary. CC ID 13117	Establish/Maintain Documentation	Preventive
Include the data subject categories being processed in the privacy policy. CC ID 00407	Establish/Maintain Documentation	Preventive
Define the retention period for collected information in the privacy policy. CC ID 13116	Establish/Maintain Documentation	Preventive
Include the time period for when the data processing will be carried out in the privacy policy. CC ID 00408	Establish/Maintain Documentation	Preventive
Include other organizations that personal data is being disclosed to in the privacy policy. CC ID 00409	Establish/Maintain Documentation	Preventive
Include how to gain access to personal data held by the organization in the privacy policy. CC ID 00410	Establish/Maintain Documentation	Preventive
Include instructions on how to opt-out in the privacy policy. CC ID 00411	Establish/Maintain Documentation	Preventive
Include the privacy policy's Uniform Resource Locator in the privacy policy. CC ID 12363	Establish/Maintain Documentation	Preventive
Include instructions on how to disable devices that collect restricted data in the privacy policy. CC ID 15454	Establish/Maintain Documentation	Preventive
Include a description of devices that collect restricted data in the privacy policy. CC ID 15452	Establish/Maintain Documentation	Preventive
Define the audit method used to assess the privacy program in the privacy policy. CC ID 12390	Establish/Maintain Documentation	Preventive
Post the privacy policy in an easily seen location. CC ID 00401	Establish/Maintain Documentation	Preventive
Define who will receive the privacy policy. CC ID 00402	Establish/Maintain Documentation	Preventive
Disseminate and communicate the privacy policy to interested personnel and affected parties. CC ID 13346	Communicate	Preventive
Establish, implement, and maintain privacy procedures. CC ID 14665	Establish/Maintain Documentation	Preventive
Disseminate and communicate the privacy procedures to all interested personnel and affected parties. CC ID 14664	Communicate	Preventive
Establish, implement, and maintain a privacy plan. CC ID 14672	Establish/Maintain Documentation	Preventive
Align the enterprise architecture with the privacy plan. CC ID 14705	Process or Activity	Preventive
Approve the privacy plan. CC ID 14700	Business Processes	Preventive
Include privacy requirements in the privacy plan. CC ID 14699	Establish/Maintain Documentation	Preventive
Include the information types in the privacy plan. CC ID 14695	Establish/Maintain Documentation	Preventive
Include threats in the privacy plan. CC ID 14694	Establish/Maintain Documentation	Preventive
Include roles and responsibilities in the privacy plan. CC ID 14702	Establish/Maintain Documentation	Preventive
Include a description of the operational context in the privacy plan. CC ID 14692	Establish/Maintain Documentation	Preventive
Include risk assessment results in the privacy plan. CC ID 14701	Establish/Maintain Documentation	Preventive
Include the security categorizations and rationale in the privacy plan. CC ID 14690	Establish/Maintain Documentation	Preventive
Include security controls in the privacy plan. CC ID 14681	Establish/Maintain Documentation	Preventive
Disseminate and communicate the privacy plan to interested personnel and affected parties. CC ID 14680	Communicate	Preventive
Include a description of the operational environment in the privacy plan. CC ID 14679	Establish/Maintain Documentation	Preventive
Include network diagrams in the privacy plan. CC ID 14678	Establish/Maintain Documentation	Preventive
Include the results of the privacy risk assessment in the privacy plan. CC ID 14677	Establish/Maintain Documentation	Preventive
Establish, implement, and maintain a privacy report. CC ID 14754	Establish/Maintain Documentation	Preventive
Disseminate and communicate the privacy report to interested personnel and affected parties. CC ID 14761	Communicate	Preventive
Protect private communications in keeping with compliance requirements. CC ID 14334	Business Processes	Preventive
Disseminate private communications when required by law. CC ID 14335	Communicate	Corrective
Establish, implement, and maintain personal data choice and consent program. CC ID 12569	Establish/Maintain Documentation	Preventive
Refrain from discriminating against data subjects who have exercised privacy rights. CC ID 13435	Human Resources Management	Preventive
Refrain from charging a fee to implement an opt-out request. CC ID 13877	Business Processes	Preventive
Establish and maintain disclosure authorization forms for authorization of consent to use personal data. CC ID 13433	Establish/Maintain Documentation	Preventive
Include procedures for revoking authorization of consent to use personal data in the disclosure authorization form. CC ID 13438	Establish/Maintain Documentation	Preventive
Include the identity of the person seeking consent in the disclosure authorization. CC ID 13999	Establish/Maintain Documentation	Preventive
Include the recipients of the disclosed personal data in the disclosure authorization form. CC ID 13440	Establish/Maintain Documentation	Preventive
Include the signature of the data subject and the signing date in the disclosure authorization form. CC ID 13439	Establish/Maintain Documentation	Preventive
Include the identity of the data subject in the disclosure authorization form. CC ID 13436	Establish/Maintain Documentation	Preventive
Include the types of personal data to be disclosed in the disclosure authorization form. CC ID 13442	Establish/Maintain Documentation	Preventive
Include how personal data will be used in the disclosure authorization form. CC ID 13441	Establish/Maintain Documentation	Preventive
Include agreement termination information in the disclosure authorization form. CC ID 13437	Establish/Maintain Documentation	Preventive
Offer incentives for consumers to opt-in to provide their personal data to the organization. CC ID 13781	Business Processes	Preventive
Refrain from using coercive financial incentive programs to entice opt-in consent. CC ID 13795	Business Processes	Preventive
Allow data subjects to opt out and refrain from granting an authorization of consent to use personal data. CC ID 00391	Data and Information Management	Preventive
Treat an opt-out direction by an individual joint consumer as applying to all associated joint consumers. CC ID 13452	Business Processes	Preventive
Treat opt-out directions separately for each customer relationship the data subject establishes with the organization. CC ID 13454	Business Processes	Preventive
Comply with opt-out directions by the data subject, unless otherwise directed by compliance requirements. CC ID 13451	Business Processes	Preventive
Highlight the section regarding data subject's consent from other sections in contracts and agreements. CC ID 13988	Establish/Maintain Documentation	Preventive
Collect and retain disclosure authorizations for each data subject. CC ID 13434	Records Management	Preventive
Refrain from requiring consent to collect, use, or disclose personal data beyond specified, legitimate reasons in order to receive products and services. CC ID 13605	Data and Information Management	Preventive
Refrain from obtaining consent through deception. CC ID 13556	Data and Information Management	Preventive
Give individuals the ability to change the uses of their personal data. CC ID 00469	Data and Information Management	Preventive
Notify data subjects of the implications of withdrawing consent. CC ID 13551	Data and Information Management	Preventive
Establish, implement, and maintain a personal data accountability program. CC ID 13432	Establish/Maintain Documentation	Preventive
Assign ownership of the privacy program to the appropriate organizational role. CC ID 11848	Human Resources Management	Preventive
Require data controllers to be accountable for their actions. CC ID 00470	Establish Roles	Preventive
Bind data controllers to secrecy concerning the performance of their duties. CC ID 12610	Human Resources Management	Preventive
Notify the supervisory authority. CC ID 00472	Behavior	Preventive
Provide the supervisory authority with any information requested by the supervisory authority. CC ID 12606	Process or Activity	Preventive
Notify the supervisory authority of the safeguards employed to protect the data subject's rights. CC ID 12605	Communicate	Preventive
Include any reasons for delay if notifying the supervisory authority after the time limit. CC ID 12675	Communicate	Corrective
Cooperate with Data Protection Authorities. CC ID 06870	Data and Information Management	Preventive
Submit a safe harbor self-certification letter. CC ID 06871	Establish/Maintain Documentation	Preventive
Refrain from engaging other data processors absent written authorization from the data controller. CC ID 12647	Human Resources Management	Preventive
Establish, implement, and maintain Binding Corporate Rules for the international transfers of restricted data. CC ID 12584	Establish/Maintain Documentation	Preventive
Include cooperation mechanisms with the supervisory authority in the Binding Corporate Rules. CC ID 12682	Establish/Maintain Documentation	Preventive
Include the tasks assigned to the role of data controller in the Binding Corporate Rules. CC ID 12612	Establish/Maintain Documentation	Preventive
Include data subject's rights in the Binding Corporate Rules. CC ID 12596	Establish/Maintain Documentation	Preventive
Include the means to exercise the data subject's rights in the Binding Corporate Rules. CC ID 12597	Establish/Maintain Documentation	Preventive
Include the organizational structure and contact information in the Binding Corporate Rules. CC ID 12595	Establish/Maintain Documentation	Preventive
Include the acceptance of liability for breaches of the binding corporate rules in the Binding Corporate Rules. CC ID 12594	Establish/Maintain Documentation	Preventive
Include the mechanisms for reporting legal requirements causing adverse effects on protecting restricted data in the Binding Corporate Rules. CC ID 12620	Establish/Maintain Documentation	Preventive
Include provisions for providing information on the binding corporate rules to the data subject in the Binding Corporate Rules. CC ID 12593	Establish/Maintain Documentation	Preventive
Include reporting changes to the binding corporate rules in the Binding Corporate Rules. CC ID 12591	Establish/Maintain Documentation	Preventive
Include reporting changes of the binding corporate rules to the supervisory authority in the Binding Corporate Rules. CC ID 12592	Establish/Maintain Documentation	Preventive
Include complaint procedures in the Binding Corporate Rules. CC ID 12613	Establish/Maintain Documentation	Preventive
Include the data transfers in the Binding Corporate Rules. CC ID 12590	Establish/Maintain Documentation	Preventive
Include specifying the mechanisms for verifying compliance of the binding corporate rules in the Binding Corporate Rules. CC ID 12662	Establish/Maintain Documentation	Preventive
Include the identification of the countries in question for the data transfers in the Binding Corporate Rules. CC ID 12601	Establish/Maintain Documentation	Preventive
Include the type of data subjects affected by the data transfers in the Binding Corporate Rules. CC ID 12600	Establish/Maintain Documentation	Preventive
Include all pertinent data processing information for data transfers in the Binding Corporate Rules. CC ID 12599	Establish/Maintain Documentation	Preventive
Include the categories of personal data for data transfers in the Binding Corporate Rules. CC ID 12598	Establish/Maintain Documentation	Preventive
Include specifying the legally binding nature of the binding corporate rules in the Binding Corporate Rules. CC ID 12627	Establish/Maintain Documentation	Preventive
Include privacy awareness and training in the Binding Corporate Rules. CC ID 12626	Establish/Maintain Documentation	Preventive
Notify the data controller of any changes in data processors. CC ID 12648	Communicate	Preventive
Establish, implement, and maintain Data Processing Contracts. CC ID 12650	Establish/Maintain Documentation	Preventive
Include data processor confidentiality requirements in the Data Processing Contract. CC ID 12685	Establish/Maintain Documentation	Preventive
Include the stipulation of notifying the data controller of legal requirements prior to processing restricted data unless the law prohibits such information on important grounds of public interest in the Data Processing Contract. CC ID 12687	Establish/Maintain Documentation	Preventive
Include instructions for processing restricted data in the Data Processing Contract. CC ID 14938	Establish/Maintain Documentation	Preventive
Include the purpose for processing restricted data in the Data Processing Contract. CC ID 14937	Establish/Maintain Documentation	Preventive
Include the types of restricted data subject to processing in the Data Processing Contract. CC ID 14936	Establish/Maintain Documentation	Preventive
Include the duration of processing in the Data Processing Contract. CC ID 14935	Establish/Maintain Documentation	Preventive
Include personal data transfer procedures in the Data Processing Contract. CC ID 12683	Establish/Maintain Documentation	Preventive
Include the stipulation of allowing auditing for compliance in the Data Processing Contract. CC ID 12679	Establish/Maintain Documentation	Preventive
Include the stipulation that the Statement of Compliance will be made available in the Data Processing Contract. CC ID 12678	Establish/Maintain Documentation	Preventive
Include the stipulation of complying with external requirements in the Data Processing Contract. CC ID 12676	Establish/Maintain Documentation	Preventive
Include the stipulation that the data processor will respect the conditions for engaging another data processor in the Data Processing Contract. CC ID 12686	Human Resources Management	Preventive
Include the stipulation that copies of restricted data will be disposed, unless retention is required by law, in the Data Processing Contract. CC ID 12670	Establish/Maintain Documentation	Preventive
Include the stipulation that personal data will be disposed or returned to the data subject in the Data Processing Contract. CC ID 12669	Establish/Maintain Documentation	Preventive
Establish, implement, and maintain a personal data use limitation program. CC ID 13428	Establish/Maintain Documentation	Preventive
Establish, implement, and maintain a personal data use purpose specification. CC ID 00093	Establish/Maintain Documentation	Preventive
Display or print the least amount of personal data necessary. CC ID 04643	Data and Information Management	Preventive
Redact confidential information from public information, as necessary. CC ID 06872	Data and Information Management	Preventive
Notify the data subject of the collection purpose. CC ID 00095	Behavior	Preventive
Refrain from using restricted data collected for research and statistics for other purposes. CC ID 00096	Data and Information Management	Preventive
Document the law that requires restricted data to be collected. CC ID 00103	Establish/Maintain Documentation	Preventive
Notify the data subject of the consequences for not providing personal data. CC ID 00104	Behavior	Preventive
Notify the data subject of changes to personal data use. CC ID 00105	Behavior	Preventive
Establish, implement, and maintain data use change of purpose procedures. CC ID 00106	Establish/Maintain Documentation	Preventive
Document the use of publicly accessible personal data as an acceptable secondary purpose. CC ID 00108	Establish/Maintain Documentation	Preventive
Document the use of privacy-related data as acceptable if the information being used is publicly available information, the secondary use is marketing, and it is not practical to seek consent from the individual before use. CC ID 00110	Establish/Maintain Documentation	Preventive
Document the use of personal data as an acceptable secondary purpose when the data subject is not charged to request to opt out of direct marketing communications. CC ID 00111	Establish/Maintain Documentation	Preventive
Document the use of personal data as an acceptable secondary purpose when the data subject has not requested to opt out of direct marketing communications. CC ID 00112	Establish/Maintain Documentation	Preventive
Document the use of personal data as an acceptable secondary purpose when the organization highlights the opt out option during each direct marketing communication. CC ID 00113	Establish/Maintain Documentation	Preventive
Document the use of personal data as an acceptable secondary purpose when the organization displays contact information in each written direct marketing communication. CC ID 00114	Establish/Maintain Documentation	Preventive
Document the use of personal data as an acceptable secondary purpose when the data subject gives consent. CC ID 00115	Establish/Maintain Documentation	Preventive
Document the use of personal data as an acceptable secondary purpose when the personal data is Individually Identifiable Health Information used for research. CC ID 00116	Establish/Maintain Documentation	Preventive
Document the use of personal data as an acceptable secondary purpose when the personal data is used for statistical research, scholarly research, or scientific research and the data subject is anonymous. CC ID 00117	Establish/Maintain Documentation	Preventive
Document the use of personal data as an acceptable secondary purpose when the data controller believes the use is necessary to prevent a life-threatening emergency. CC ID 00118	Establish/Maintain Documentation	Preventive
Document the use of personal data as an acceptable secondary purpose when required by law. CC ID 00119	Establish/Maintain Documentation	Preventive
Document the use of personal data as an acceptable secondary purpose when the personal data is necessary for public emergencies, public health and safety, or individual emergencies. CC ID 00121	Establish/Maintain Documentation	Preventive
Document the use of personal data as an acceptable secondary purpose when the primary purpose is directly related to the secondary purpose. CC ID 00123	Establish/Maintain Documentation	Preventive
Document the use of personal data as an acceptable secondary purpose when it is necessary for the enforcement of care and custody. CC ID 15453	Establish/Maintain Documentation	Preventive
Document the use of data as an acceptable secondary purpose when it is necessary for use in a legal proceeding. CC ID 15451	Establish/Maintain Documentation	Preventive
Document the use of personal data as an acceptable secondary purpose when it is necessary for a law enforcement investigation. CC ID 15449	Establish/Maintain Documentation	Preventive
Document the use of personal data as an acceptable secondary purpose when it is necessary to perform a treaty with a foreign government CC ID 15447	Establish/Maintain Documentation	Preventive
Obtain the data subject's consent when the personal data use changes. CC ID 11832	Behavior	Preventive
Document restricted data that is disclosed for an acceptable secondary purpose. CC ID 00124	Establish/Maintain Documentation	Preventive
Dispose of media and restricted data in a timely manner. CC ID 00125	Data and Information Management	Preventive
Refrain from destroying records being inspected or reviewed. CC ID 13015	Records Management	Preventive
Notify the data subject after their personal data is disposed, as necessary. CC ID 13502	Communicate	Preventive
Establish, implement, and maintain data access procedures. CC ID 00414	Establish/Maintain Documentation	Preventive
Provide individuals with information about where their personal data was processed. CC ID 00415	Data and Information Management	Preventive
Provide individuals with information about the processing purpose of their personal data. CC ID 00416	Data and Information Management	Preventive
Provide individuals with information about disclosure of their personal data. CC ID 00417	Data and Information Management	Preventive
Allow guardians and legal representatives access to personal data about the individual for whom they are guardians or legal representatives. CC ID 00418	Data and Information Management	Preventive
Provide assistance to requesters in preparing data access requests. CC ID 13588	Data and Information Management	Preventive
Require data access requests to be in writing, unless the requester is unable. CC ID 00420	Establish/Maintain Documentation	Preventive
Define what is to be included in a data access request. CC ID 08699	Establish/Maintain Documentation	Preventive
Refrain from requiring data subjects having to justify personal data access requests. CC ID 12394	Business Processes	Preventive
Respond to data access requests in a timely manner. CC ID 00421	Behavior	Preventive
Delay responding to data access requests, as necessary. CC ID 15504	Data and Information Management	Preventive
Expedite the processing of data access requests, as necessary. CC ID 15496	Data and Information Management	Preventive
Notify the individual of the reasons for delays in responding to data access requests. CC ID 00422	Behavior	Detective
Notify the individual when a cost is imposed which must be paid in advance to gain access. CC ID 00423	Behavior	Detective
Grant a waiver or reduction of fees for data access under defined conditions. CC ID 15502	Business Processes	Preventive
Define what is included in a request for a waiver or reduction of fees. CC ID 15522	Process or Activity	Preventive
Deliver the records described in the personal data access request, as necessary. CC ID 08701	Establish/Maintain Documentation	Preventive
Provide individuals with an estimate of how much data was withheld from the data access request. CC ID 15503	Data and Information Management	Preventive
Document the outcome of the personal data access request review procedure. CC ID 00455	Data and Information Management	Preventive
Establish, implement, and maintain procedures for individuals to be able to modify their personal data, as necessary. CC ID 11811	Establish/Maintain Documentation	Preventive
Submit personal data removal requests in writing. CC ID 11973	Records Management	Preventive
Include a liability waiver for any harm caused by the exclusion of personal data in the personal data removal request. CC ID 11975	Establish/Maintain Documentation	Preventive
Allow authorized individuals to authenticate record entries containing personal data. CC ID 11812	Records Management	Corrective
Notify third parties of data access requests that relates to the third party. CC ID 08703	Establish/Maintain Documentation	Preventive
Allow affected third parties to consent or object to a data access request. CC ID 08704	Process or Activity	Preventive
Establish, implement, and maintain restricted data use limitation procedures. CC ID 00128	Establish/Maintain Documentation	Preventive
Identify any adverse effects the processing of personal data will have on the data subject. CC ID 15299	Data and Information Management	Preventive
Disclose de-identified data, as necessary. CC ID 13034	Communicate	Preventive
Notify the data subject after personal data is used or disclosed. CC ID 06247	Behavior	Preventive
Refrain from processing restricted data, as necessary. CC ID 12551	Records Management	Preventive
Refrain from processing restricted data if the restricted data is involved in a legal claim. CC ID 12668	Process or Activity	Preventive
Refrain from providing information to the data subject when the organization cannot identify the data subject. CC ID 12667	Process or Activity	Preventive
Refrain from erasing personal data when the data subject consents to retention. CC ID 14326	Business Processes	Preventive
Refrain from erasing personal data upon data subject request when personal data processing is necessary for statistical purposes. CC ID 12656	Process or Activity	Preventive
Refrain from erasing personal data upon data subject request when personal data processing is necessary for historical research purposes. CC ID 12655	Process or Activity	Preventive
Refrain from erasing personal data upon data subject request when personal data processing is necessary for scientific research purposes. CC ID 12654	Process or Activity	Preventive
Refrain from erasing personal data upon data subject request when personal data processing is necessary for exercising freedom of expression. CC ID 12684	Process or Activity	Preventive
Refrain from erasing personal data upon data subject request when it is used to provide a service. CC ID 13779	Process or Activity	Preventive
Refrain from erasing personal data upon data subject request when it is being used for incident detection. CC ID 13778	Process or Activity	Detective
Refrain from erasing personal data upon data subject request when personal data processing is necessary for archival purposes. CC ID 12653	Process or Activity	Preventive
Refrain from erasing personal data upon data subject request when personal data processing is for compliance with a legal obligation. CC ID 12652	Process or Activity	Preventive
Refrain from erasing personal data upon data subject request when personal data processing is necessary for the public interest. CC ID 12649	Process or Activity	Preventive
Refrain from erasing personal data upon data subject request when personal data processing concerns legal claims. CC ID 12644	Process or Activity	Preventive
Refrain from processing personal data when it is likely to cause unlawful discrimination or arbitrary discrimination. CC ID 00197	Data and Information Management	Preventive
Refrain from processing personal data when it reveals trade union membership. CC ID 12583	Business Processes	Preventive
Refrain from processing personal data when it concerns an individual's sexual orientation. CC ID 12582	Business Processes	Preventive
Refrain from processing personal data when it concerns an individual's sex life. CC ID 12581	Business Processes	Preventive
Refrain from processing personal data when it contains Individually Identifiable Health Information. CC ID 12580	Business Processes	Preventive
Refrain from processing personal data when biometric data is used for the purpose of identifying an individual. CC ID 12579	Business Processes	Preventive
Refrain from processing personal data when the genetic data is used for the purpose of identifying individuals. CC ID 12578	Business Processes	Preventive
Refrain from processing personal data when it reveals philosophical beliefs. CC ID 12577	Business Processes	Preventive
Refrain from processing personal data when it reveals religious beliefs. CC ID 12576	Business Processes	Preventive
Refrain from processing personal data when it reveals political opinions. CC ID 12575	Business Processes	Preventive
Refrain from processing personal data if it reveals ethnic origin. CC ID 12574	Business Processes	Preventive
Refrain from processing personal data if the data subject opposes the data erasure of personal data. CC ID 12619	Process or Activity	Preventive
Establish and maintain a record of processing activities when processing restricted data. CC ID 12636	Establish/Maintain Documentation	Preventive
Refrain from maintaining a record of processing activities if the data processor employs a limited number of persons. CC ID 13378	Establish/Maintain Documentation	Preventive
Refrain from maintaining a record of processing activities if the personal data relates to criminal records. CC ID 13377	Establish/Maintain Documentation	Preventive
Refrain from maintaining a record of processing activities if the data being processed is restricted data. CC ID 13376	Establish/Maintain Documentation	Preventive
Refrain from maintaining a record of processing activities if it could result in a risk to the data subject's rights or data subject's freedom. CC ID 13375	Establish/Maintain Documentation	Preventive
Include the data protection officer's contact information in the record of processing activities. CC ID 12640	Records Management	Preventive
Include the data processor's contact information in the record of processing activities. CC ID 12657	Records Management	Preventive
Include the data processor's representative's contact information in the record of processing activities. CC ID 12658	Records Management	Preventive
Include a general description of the implemented security measures in the record of processing activities. CC ID 12641	Records Management	Preventive
Include a description of the data subject categories in the record of processing activities. CC ID 12659	Records Management	Preventive
Include the purpose of processing restricted data in the record of processing activities. CC ID 12663	Records Management	Preventive
Include the personal data processing categories in the record of processing activities. CC ID 12661	Records Management	Preventive
Include the time limits for erasing each data category in the record of processing activities. CC ID 12690	Records Management	Preventive
Include the data recipient categories to whom restricted data has been or will be disclosed in the record of processing activities. CC ID 12664	Records Management	Preventive
Include a description of the personal data categories in the record of processing activities. CC ID 12660	Records Management	Preventive
Include the joint data controller's contact information in the record of processing activities. CC ID 12639	Records Management	Preventive
Include the data controller's representative's contact information in the record of processing activities. CC ID 12638	Records Management	Preventive
Include documentation of the transferee's safeguards for transferring restricted data in the record of processing activities. CC ID 12643	Records Management	Preventive
Include the identification of transferees for transferring restricted data in the record of processing activities. CC ID 12642	Records Management	Preventive
Include the data controller's contact information in the record of processing activities. CC ID 12637	Records Management	Preventive
Process restricted data lawfully and carefully. CC ID 00086	Establish Roles	Preventive
Analyze requirements for processing personal data in contracts. CC ID 12550	Investigate	Detective
Implement technical controls that limit processing restricted data for specific purposes. CC ID 12646	Technical Security	Preventive
Process personal data pertaining to a patient's health in order to treat those patients. CC ID 00200	Data and Information Management	Preventive
Notify the subject of care when a lack of availability of health information systems might have adversely affected their care. CC ID 13990	Communicate	Corrective
Refrain from disclosing Individually Identifiable Health Information when in violation of territorial or federal law. CC ID 11966	Records Management	Preventive
Document the conditions for the use or disclosure of Individually Identifiable Health Information by a covered entity to another covered entity. CC ID 00210	Establish/Maintain Documentation	Preventive
Disclose Individually Identifiable Health Information for a covered entity's own use. CC ID 00211	Data and Information Management	Preventive
Disclose Individually Identifiable Health Information for a healthcare provider's treatment activities by a covered entity. CC ID 00212	Data and Information Management	Preventive
Rely upon the warranty of the covered entity that the record disclosure request for Individually Identifiable Health Information is permitted with the consent of the data subject. CC ID 11970	Records Management	Preventive
Rely upon the warrant of the covered entity that the record disclosure request for Individually Identifiable Health Information is to support the treatment of the individual. CC ID 11969	Process or Activity	Preventive
Rely upon the warrant of the covered entity that the record disclosure request for Individually Identifiable Health Information is permitted by law. CC ID 11976	Records Management	Preventive
Disclose Individually Identifiable Health Information for payment activities between covered entities or healthcare providers. CC ID 00213	Data and Information Management	Preventive
Disclose Individually Identifiable Health Information for Treatment, Payment, and Health Care Operations activities when both covered entities have a relationship with the data subject. CC ID 00214	Data and Information Management	Preventive
Disclose Individually Identifiable Health Information for Treatment, Payment, and Health Care Operations activities between a covered entity and a participating healthcare provider when the information is collected from the data subject and a third party. CC ID 00215	Data and Information Management	Preventive
Disclose Individually Identifiable Health Information in accordance with agreed upon restrictions. CC ID 06249	Data and Information Management	Preventive
Disclose Individually Identifiable Health Information in accordance with the privacy notice. CC ID 06250	Data and Information Management	Preventive
Disclose permitted Individually Identifiable Health Information for facility directories. CC ID 06251	Data and Information Management	Preventive
Disclose Individually Identifiable Health Information for cadaveric organ donation purposes, eye donation purposes, or tissue donation purposes. CC ID 06252	Data and Information Management	Preventive
Disclose Individually Identifiable Health Information for medical suitability determinations. CC ID 06253	Data and Information Management	Preventive
Disclose Individually Identifiable Health Information for armed forces personnel appropriately. CC ID 06254	Data and Information Management	Preventive
Disclose Individually Identifiable Health Information in order to provide public benefits by government agencies. CC ID 06255	Data and Information Management	Preventive
Disclose Individually Identifiable Health Information for fundraising. CC ID 06256	Data and Information Management	Preventive
Disclose Individually Identifiable Health Information for research use when the appropriate requirements are included in the approval documentation or waiver documentation. CC ID 06257	Establish/Maintain Documentation	Preventive
Document the conditions for the disclosure of Individually Identifiable Health Information by an organization providing healthcare services to organizations other than business associates or other covered entities. CC ID 00201	Establish/Maintain Documentation	Preventive
Disclose Individually Identifiable Health Information when the data subject cannot physically or legally provide consent and the disclosing organization is a healthcare provider. CC ID 00202	Data and Information Management	Preventive
Disclose Individually Identifiable Health Information to provide appropriate treatment to the data subject when the disclosing organization is a healthcare provider. CC ID 00203	Data and Information Management	Preventive
Disclose Individually Identifiable Health Information when it is not contrary to the data subject's wish prior to becoming unable to provide consent and the disclosing organization is a healthcare provider. CC ID 00204	Data and Information Management	Preventive
Disclose Individually Identifiable Health Information that is reasonable or necessary for the disclosure purpose when the disclosing organization is a healthcare provider. CC ID 00205	Data and Information Management	Preventive
Disclose Individually Identifiable Health Information consistent with the law when the disclosing organization is a healthcare provider. CC ID 00206	Data and Information Management	Preventive
Disclose Individually Identifiable Health Information in order to carry out treatment when the disclosing organization is a healthcare provider. CC ID 00207	Data and Information Management	Preventive
Disclose Individually Identifiable Health Information in order to carry out treatment when the data subject has provided consent and the disclosing organization is a healthcare provider. CC ID 00208	Data and Information Management	Preventive
Disclose Individually Identifiable Health Information in order to carry out treatment when the data subject's guardian or representative has provided consent and the disclosing organization is a healthcare provider. CC ID 00209	Data and Information Management	Preventive
Disclose Individually Identifiable Health Information when the disclosing organization is a healthcare provider that supports public health and safety activities. CC ID 06248	Data and Information Management	Preventive
Disclose Individually Identifiable Health Information in order to report abuse or neglect when the disclosing organization is a healthcare provider. CC ID 06819	Data and Information Management	Preventive
Document how Individually Identifiable Health Information is used and disclosed when authorization has been granted. CC ID 00216	Establish/Maintain Documentation	Preventive
Define and implement valid authorization control requirements. CC ID 06258	Establish/Maintain Documentation	Preventive
Obtain explicit consent for authorization to release Individually Identifiable Health Information. CC ID 00217	Data and Information Management	Preventive
Obtain explicit consent for authorization to release psychotherapy notes. CC ID 00218	Data and Information Management	Preventive
Refrain from using Individually Identifiable Health Information to determine eligibility or continued eligibility for credit. CC ID 00219	Data and Information Management	Preventive
Process personal data after the data subject has granted explicit consent. CC ID 00180	Data and Information Management	Preventive
Process personal data in order to perform a legal obligation or exercise a legal right. CC ID 00182	Data and Information Management	Preventive
Process personal data relating to criminal offenses when required by law. CC ID 00237	Data and Information Management	Preventive
Process personal data in order to prevent personal injury or damage to the data subject's health. CC ID 00183	Data and Information Management	Preventive
Process personal data in order to prevent personal injury or damage to a third party's health. CC ID 00184	Data and Information Management	Preventive
Process personal data for statistical purposes or scientific purposes. CC ID 00256	Data and Information Management	Preventive
Process personal data when it is processed during legitimate activities with safeguards for the data subject's legal rights. CC ID 00185	Data and Information Management	Preventive
Process traffic data in a controlled manner. CC ID 00130	Data and Information Management	Preventive
Process personal data for health insurance, social insurance, state social benefits, social welfare, or child protection. CC ID 00186	Data and Information Management	Preventive
Process personal data when it is publicly accessible. CC ID 00187	Data and Information Management	Preventive
Process personal data for direct marketing and other personalized mail programs. CC ID 00188	Data and Information Management	Preventive
Refrain from processing personal data for marketing or advertising to children. CC ID 14010	Business Processes	Preventive
Refrain from disseminating and communicating with individuals that have opted out of direct marketing communications. CC ID 13708	Communicate	Corrective
Process personal data for justice administration, lawsuits, judicial decisions, and investigations. CC ID 00189	Data and Information Management	Preventive
Process personal data for debt collection or benefit payments. CC ID 00190	Data and Information Management	Preventive
Process personal data in order to advance the public interest. CC ID 00191	Data and Information Management	Preventive
Process personal data for surveys, archives, or scientific research. CC ID 00192	Data and Information Management	Preventive
Process personal data absent consent for journalistic purposes, artistic purposes, or literary purposes. CC ID 00193	Data and Information Management	Preventive
Process personal data for academic purposes or religious purposes. CC ID 00194	Data and Information Management	Preventive
Process personal data when it is used by a public authority for National Security policy or criminal policy. CC ID 00195	Data and Information Management	Preventive
Refrain from storing data in newly created files or registers which directly or indirectly reveals the restricted data. CC ID 00196	Data and Information Management	Preventive
Follow legal obligations while processing personal data. CC ID 04794	Data and Information Management	Preventive
Start personal data processing only after the needed notifications are submitted. CC ID 04791	Data and Information Management	Preventive
Process personal data absent consent for specific and well-documented circumstances. CC ID 13537	Data and Information Management	Preventive
Process personal data absent consent in order to protect the vital interests of the data subject. CC ID 14012	Process or Activity	Preventive
Process personal data absent consent when the data subject has been notified the personal data may be collected, used, or disclosed. CC ID 13617	Data and Information Management	Preventive
Process personal data absent consent in order to establish, manage, or terminate employment contracts. CC ID 13615	Data and Information Management	Preventive
Process personal data absent consent when the data subject is notified that the business transaction is completed and their information was disclosed. CC ID 13612	Data and Information Management	Preventive
Process personal data absent consent when the disclosure concerns the data subject's products and services obtained from the organization. CC ID 13611	Data and Information Management	Preventive
Process personal data absent consent when it is impracticable to obtain consent. CC ID 13580	Data and Information Management	Preventive
Process personal data absent consent when it is in the data subject's interest and consent cannot be obtained in a timely manner. CC ID 15282	Data and Information Management	Preventive
Process personal data absent consent to determine whether to proceed with business transactions. CC ID 13587	Data and Information Management	Preventive
Process personal data absent consent in order to perform a contract. CC ID 13586	Data and Information Management	Preventive
Process personal data absent consent when the privacy commissioner is notified before the information is used. CC ID 13581	Data and Information Management	Preventive
Process personal data absent consent if the disclosure is to the next of kin or authorized representative. CC ID 15294	Data and Information Management	Preventive
Process personal data absent consent when it is used in a manner to ensure confidentiality. CC ID 13579	Data and Information Management	Preventive
Process personal data absent consent when it is used for statistical research, scientific research, or scholarly research. CC ID 13578	Data and Information Management	Preventive
Process personal data absent consent when it is needed by law. CC ID 13577	Data and Information Management	Preventive
Process personal data for public interests absent consent in order to protect historical records or archival records. CC ID 15296	Data and Information Management	Preventive
Process personal data absent consent when it is from publicly available information. CC ID 13576	Data and Information Management	Preventive
Process personal data absent consent to create a credit report. CC ID 15288	Data and Information Management	Preventive
Process personal data absent consent if its use is consistent with the intended purpose. CC ID 13575	Data and Information Management	Preventive
Process personal data absent consent to administer a trust fund or benefit plan. CC ID 15291	Data and Information Management	Preventive
Process personal data absent consent when produced for business purposes. CC ID 13563	Data and Information Management	Preventive
Process personal data absent consent for handling insurance claims. CC ID 13561	Data and Information Management	Preventive
Process personal data absent consent if the information is contained in a witness statement. CC ID 13560	Data and Information Management	Preventive
Process personal data absent consent for life-threatening emergencies. CC ID 13558	Data and Information Management	Preventive
Process personal data absent consent for reasonable investigative purposes. CC ID 13557	Data and Information Management	Preventive
Notify the individual before restricted data is collected, used, or disclosed. CC ID 00132	Behavior	Preventive
Define security breach notification requirement exceptions. CC ID 04797	Establish/Maintain Documentation	Preventive
Refrain from disclosing a security breach if an investigation concludes none has occurred. CC ID 13086	Communicate	Corrective
Refrain from disclosing personal data absent consent of the individual or for defined exceptions. CC ID 11967	Records Management	Preventive
Notify the data subject when personal data has been inadvertently disclosed. CC ID 13989	Communicate	Corrective
Disclose restricted data when the data subject has given unambiguous and implicit consent. CC ID 00157	Data and Information Management	Preventive
Define what restricted data is not required to be disclosed absent consent. CC ID 00134	Establish/Maintain Documentation	Preventive
Define the exceptions to disclosure absent consent. CC ID 00135	Establish/Maintain Documentation	Preventive
Disclose personal data when the data subject has consented and has the ability to opt out. CC ID 00158	Data and Information Management	Detective
Define opt-out exceptions for disclosing restricted data. CC ID 00159	Establish/Maintain Documentation	Preventive
Define how a data subject may give consent. CC ID 00160	Establish/Maintain Documentation	Preventive
Disclose Personal Identification Numbers absent consent in order to update address information. CC ID 04793	Data and Information Management	Preventive
Disclose personal data absent consent for specific and well-documented circumstances. CC ID 15267	Communicate	Preventive
Disclose restricted data absent consent when the law does not require consent. CC ID 00136	Data and Information Management	Preventive
Disclose data absent consent if its disclosure is consistent with the intended purpose. CC ID 15270	Data and Information Management	Preventive
Disclose restricted data when a relevant connection exists between the data subject and the data controller's operations. CC ID 00137	Data and Information Management	Preventive
Disclose personal data absent consent if the disclosure with the consent or knowledge of the data subject would compromise the ability to prevent, detect, or suppress fraud. CC ID 13594	Data and Information Management	Preventive
Disclose personal data absent consent when it is in the data subject's interest and consent cannot be obtained in a timely manner. CC ID 15284	Data and Information Management	Preventive
Disclose personal data absent consent in order to establish, manage, or terminate employment contracts. CC ID 13616	Data and Information Management	Preventive
Disclose personal data absent consent when the data subject is notified that the business transaction is completed and their information was disclosed. CC ID 13613	Data and Information Management	Preventive
Disclose personal data absent consent when the data subject has been notified the personal data may be collected, used, or disclosed. CC ID 13603	Data and Information Management	Preventive
Disclose personal data absent consent if disclosure is made a predetermined number of years after the death of the data subject. CC ID 13598	Data and Information Management	Preventive
Disclose personal data absent consent when disclosure is made a predetermined number of years after the information was created. CC ID 13597	Data and Information Management	Preventive
Disclose personal data absent consent if the data subject is notified of the disclosure. CC ID 13596	Data and Information Management	Preventive
Disclose personal data absent consent to detect, suppress, or prevent fraud. CC ID 13592	Data and Information Management	Preventive
Disclose personal data absent consent to create a credit report. CC ID 15297	Data and Information Management	Preventive
Disclose personal data absent consent if it is necessary to identify an individual who is injured, ill or deceased. CC ID 13595	Data and Information Management	Preventive
Disclose restricted data absent consent if the disclosure is to a government institution. CC ID 13583	Data and Information Management	Preventive
Disclose personal data absent consent for reasonable investigative purposes. CC ID 13593	Data and Information Management	Preventive
Disclose personal data absent consent to determine whether to proceed with business transactions. CC ID 15285	Data and Information Management	Preventive
Disclose personal data absent consent for handling insurance claims. CC ID 13585	Data and Information Management	Preventive
Disclose personal data absent consent if the information is contained in a witness statement. CC ID 13584	Data and Information Management	Preventive
Disclose personal data absent consent if the data subject is believed to be a victim of financial abuse. CC ID 13555	Data and Information Management	Preventive
Disclose personal data absent consent for transactions related to the consumer. CC ID 14853	Data and Information Management	Preventive
Disclose restricted data absent consent to a government institution that has requested the information. CC ID 13582	Data and Information Management	Preventive
Disclose personal data absent consent if the disclosure is to the next of kin or authorized representative. CC ID 13554	Data and Information Management	Preventive
Disclose restricted data absent consent when it is for the data controller's legitimate interest or third party's legitimate interest and it prevails over individual rights. CC ID 00138	Data and Information Management	Preventive
Disclose personal data absent consent if the organization notifies the privacy commissioner before disclosing the information. CC ID 13553	Data and Information Management	Preventive
Disclose personal data absent consent if it is impracticable to obtain consent. CC ID 13552	Data and Information Management	Preventive
Disclose restricted data absent consent in order to perform a contract. CC ID 00139	Data and Information Management	Preventive
Disclose restricted data absent consent in order to assist Telecommunications Ombudsmen in resolving complaints. CC ID 00140	Data and Information Management	Preventive
Disclose personal data absent consent to administer a trust fund or benefit plan. CC ID 15290	Data and Information Management	Preventive
Disclose personal data absent consent for research purposes and the data subject is not identified. CC ID 15286	Data and Information Management	Preventive
Disclose personal data absent consent when the personal data is disclosed by calling an emergency service number. CC ID 00141	Data and Information Management	Preventive
Disclose restricted data absent consent when the restricted data prevents life-threatening emergencies to third parties. CC ID 00142	Data and Information Management	Preventive
Disclose restricted data absent consent when the restricted data preserves human life at sea. CC ID 00143	Data and Information Management	Preventive
Disclose restricted data absent consent in order to process the restricted data for public interests. CC ID 00144	Data and Information Management	Preventive
Disclose restricted data for public interests absent consent in order to provide social work assistance services. CC ID 00145	Data and Information Management	Preventive
Disclose restricted data for public interests absent consent if confidentiality is assured and the disclosure is for statistical research, scientific research, or scholarly research. CC ID 00146	Data and Information Management	Preventive
Disclose restricted data for public interests absent consent in order to protect historical records or archival records CC ID 00147	Data and Information Management	Preventive
Disclose restricted data absent consent for public economic interests. CC ID 00148	Data and Information Management	Preventive
Disclose restricted data for public interests absent consent for National Security reasons. CC ID 00149	Data and Information Management	Preventive
Disclose restricted data absent consent for journalistic purposes, artistic purposes, or literary purposes. CC ID 00150	Data and Information Management	Preventive
Disclose restricted data absent consent when it is publicly accessible. CC ID 00151	Data and Information Management	Preventive
Disclose restricted data absent consent when it is related to publicly available information. CC ID 00152	Data and Information Management	Preventive
Disclose publicly accessible restricted data absent consent when the data subject has already published it. CC ID 00153	Data and Information Management	Preventive
Disclose restricted data absent consent in order to protect the data subject's vital interests. CC ID 00154	Data and Information Management	Preventive
Disclose restricted data absent consent in order to protect the data subject's vital interests when there is a life-threatening emergency. CC ID 00155	Data and Information Management	Preventive
Disclose restricted data absent consent when it is for judicial decisions, lawsuits, and investigations. CC ID 00161	Data and Information Management	Preventive
Disclose restricted data for judicial decisions, lawsuits, and investigations only after the data controller includes a note of the disclosure in the record. CC ID 00162	Establish/Maintain Documentation	Detective
Disclose restricted data absent consent when it is needed by law. CC ID 00163	Data and Information Management	Preventive
Disclose personal data required by law absent consent for special cases involving security or law enforcement. CC ID 04796	Data and Information Management	Preventive
Disclose personal data absent consent when it is being disclosed to the data subject. CC ID 00164	Data and Information Management	Preventive
Disclose personal data absent consent for direct marketing or other personalized mail programs. CC ID 14855	Data and Information Management	Preventive
Disclose personal data absent consent in order to collect a debt owed by the data subject. CC ID 00165	Data and Information Management	Preventive
Disclose personal data absent consent when the data subject or data owner is anonymous. CC ID 00166	Data and Information Management	Preventive
Disclose restricted data absent consent when the disclosure concerns the individual's products or services obtained from the organization. CC ID 13469	Communicate	Preventive
Establish, implement, and maintain restricted data retention procedures. CC ID 00167	Establish/Maintain Documentation	Preventive
Establish, implement, and maintain personal data disposition procedures. CC ID 13498	Establish/Maintain Documentation	Preventive
Capture personal data removal requests. CC ID 13507	Communicate	Preventive
Remove personal data from records after receiving a personal data removal request. CC ID 11972	Records Management	Preventive
Refrain from erasing personal data upon receiving a personal data removal request when it is necessary for maintaining information assets. CC ID 13789	Process or Activity	Preventive
Refrain from erasing personal data upon receiving a personal data removal request when it is necessary to complete a payment transaction. CC ID 13788	Process or Activity	Preventive
Dispose of personal data removal requests, as necessary. CC ID 13512	Business Processes	Preventive
Limit the redisclosure and reuse of restricted data. CC ID 00168	Data and Information Management	Preventive
Refrain from redisclosing or reusing restricted data. CC ID 00169	Data and Information Management	Preventive
Document the redisclosing restricted data exceptions. CC ID 00170	Establish/Maintain Documentation	Preventive
Redisclose restricted data when the data subject consents. CC ID 00171	Data and Information Management	Preventive
Redisclose restricted data when it is for criminal law enforcement. CC ID 00172	Data and Information Management	Preventive
Redisclose restricted data in order to protect public revenue. CC ID 00173	Data and Information Management	Preventive
Redisclose restricted data in order to assist a Telecommunications Ombudsman. CC ID 00174	Data and Information Management	Preventive
Redisclose restricted data in order to prevent a life-threatening emergency. CC ID 00175	Data and Information Management	Preventive
Redisclose restricted data when it deals with installing, maintaining, operating, or providing access to a Public Telecommunications Network or a telecommunication facility. CC ID 00176	Data and Information Management	Preventive
Redisclose restricted data in order to preserve human life at sea. CC ID 00177	Data and Information Management	Preventive
Obtain explicit consent directly from the data subject prior to the use of that person's sensitive data. CC ID 00178	Data and Information Management	Preventive
Obtain consent from a parent or legal representative in order to use or disclose a child's data. CC ID 00198	Data and Information Management	Preventive
Obtain opt-in consent from teenagers prior to the collection, use, or disclosure of personal data. CC ID 00199	Data and Information Management	Preventive
Obtain explicit consent prior to using the data subject's Personal Identification Number. CC ID 00238	Data and Information Management	Preventive
Process Personal Identification Numbers with consent. CC ID 00239	Data and Information Management	Preventive
Refrain from requiring individuals to use Personal Identification Numbers as an account number or password. CC ID 00253	Behavior	Preventive
Obtain consent prior to selling a Personal Identification Number. CC ID 00240	Data and Information Management	Preventive
Obtain consent prior to displaying a Personal Identification Number. CC ID 00241	Data and Information Management	Preventive
Refrain from displaying Personal Identification Numbers on government-issued checks or other paperwork. CC ID 00254	Data and Information Management	Preventive
Refrain from displaying Personal Identification Numbers on identification cards or badges. CC ID 00255	Data and Information Management	Preventive
Document the conditions to use Personal Identification Numbers absent consent. CC ID 00242	Establish/Maintain Documentation	Preventive
Use Personal Identification Numbers absent consent for granting credit or collecting a debt. CC ID 00252	Data and Information Management	Preventive
Use Personal Identification Numbers absent consent for research purposes. CC ID 00247	Data and Information Management	Preventive
Refrain from requiring consent to use a Personal Identification Number when protecting the public health and safety or an individual's safety in an emergency. CC ID 00244	Data and Information Management	Preventive
Use Personal Identification Numbers absent consent when a federal law mandates its use. CC ID 00243	Data and Information Management	Preventive
Allow data subjects the ability to restrict the use and disclosure of personal data. CC ID 06821	Data and Information Management	Preventive
Establish, implement, and maintain data disclosure procedures. CC ID 00133	Establish/Maintain Documentation	Preventive
Identify any adverse effects the disclosure of personal data will have on the data subject. CC ID 15298	Data and Information Management	Preventive
Review personal data disclosure requests. CC ID 07129	Data and Information Management	Preventive
Notify the data subject of the disclosure purpose. CC ID 15268	Communicate	Preventive
Establish, implement, and maintain data request denial procedures. CC ID 00434	Establish/Maintain Documentation	Preventive
Include frivolous requests or vexatious requests as a reason for denial in the personal data request denial procedures. CC ID 00435	Data and Information Management	Preventive
Include when the required information is unavailable as a reason for denial in the personal data request denial procedures. CC ID 00436	Data and Information Management	Preventive
Include when the disclosure of personal data constitutes contempt of court or contempt of House of Representatives as a reason for denial in the personal data request denial procedures. CC ID 00437	Data and Information Management	Preventive
Include disclosing personal data that would identify suppliers or breaches an express promise of privacy or implied promise of privacy as a reason for denial in the personal data request denial procedures. CC ID 00438	Data and Information Management	Preventive
Include disclosing personal data that would compromise National Security as a reason for denial in the personal data request denial procedures. CC ID 00439	Data and Information Management	Preventive
Include information that is protected by attorney-client privilege as a reason for denial in the personal data request denial procedures. CC ID 00440	Data and Information Management	Preventive
Include disclosing personal data that would reveal trade secrets, commercial information, or harmful financial information as a reason for denial in the personal data request denial procedures. CC ID 00441	Data and Information Management	Preventive
Include disclosing personal data that would threaten an individual's life or an individual's security as a reason for denial in the personal data request denial procedures. CC ID 00442	Data and Information Management	Preventive
Include disclosing personal data that would have an unreasonable impact on another individual's privacy as a reason for denial in the personal data request denial procedures. CC ID 00443	Data and Information Management	Preventive
Include disclosing personal data that would threaten facilities, property, transport, or communication systems as a reason for denial in the personal data request denial procedures. CC ID 08702	Process or Activity	Preventive
Include responding to access requests after the time limit as a reason for denial in the personal data request denial procedures. CC ID 13600	Data and Information Management	Preventive
Include information that was generated from a formal dispute as a reason for denial in the personal data request denial procedures. CC ID 00444	Data and Information Management	Preventive
Include personal data that is used solely for scientific research, scholarly research, statistical research, library purposes, museum purposes, or archival purposes as a reason for denial in the personal data request denial procedures. CC ID 00445	Data and Information Management	Preventive
Include personal data that is for the state's economic interest as a reason for denial in the personal data request denial procedures. CC ID 00446	Data and Information Management	Detective
Include personal data that is for protecting the civil rights or other's freedoms as a reason for denial in the personal data request denial procedures. CC ID 00447	Data and Information Management	Preventive
Include disclosing personal data that constitutes a state secret as a reason for denial in the personal data request denial procedures. CC ID 00448	Data and Information Management	Preventive
Include disclosing personal data that would result in interference with the operation of public functions as a reason for denial in the personal data request denial procedures. CC ID 00449	Data and Information Management	Preventive
Include disclosing personal data that would interrupt criminal investigation and surveillance or other legal purposes as a reason for denial in the personal data request denial procedures. CC ID 00450	Data and Information Management	Preventive
Include when a country's laws prevent disclosure as a reason for denial in the personal data request denial procedures. CC ID 00451	Data and Information Management	Preventive
Include disclosing personal data that would interfere with grievance proceeding or employee security investigations as a reason for denial in the personal data request denial procedures. CC ID 06873	Data and Information Management	Preventive
Include disclosing personal data that would interfere with commercial acquisitions or reorganizations as a reason for denial in the personal data request denial procedures. CC ID 06874	Data and Information Management	Preventive
Include if the cost or burden of disclosing the personal data is disproportionate as a reason for denial in the personal data request denial procedures. CC ID 06875	Data and Information Management	Preventive
Notify interested personnel and affected parties of the reasons the data access request was refused. CC ID 00453	Data and Information Management	Preventive
Notify the individual of the organization's legal rights to refuse the personal data access request, as necessary. CC ID 13509	Communicate	Preventive
Notify individuals of their right to challenge a refusal to a data access request. CC ID 00454	Data and Information Management	Preventive
Include if the record would constitute an action for breach of a duty of confidence as a reason for denial in the personal data request denial procedures. CC ID 08700	Process or Activity	Preventive
Disseminate and communicate personal data to the individual that it relates to. CC ID 00428	Data and Information Management	Preventive
Provide personal data to an individual after the individual's identity has been confirmed. CC ID 06876	Data and Information Management	Preventive
Notify that data subject of any exclusions to requested personal data. CC ID 15271	Communicate	Preventive
Provide data or records in a reasonable time frame. CC ID 00429	Data and Information Management	Preventive
Notify individuals of the new time limit for responding to an access request in a notice of extension. CC ID 13599	Communicate	Preventive
Extend the time limit for providing personal data in order to convert it to an alternative format. CC ID 13591	Data and Information Management	Preventive
Extend the time limit for providing personal data if the time is impracticable to respond to the access request. CC ID 13590	Data and Information Management	Preventive
Extend the time limit for providing data if it would unreasonably interfere with the organization's activities. CC ID 13589	Data and Information Management	Preventive
Provide data at a cost that is not excessive. CC ID 00430	Data and Information Management	Preventive
Provide records or data in a reasonable manner. CC ID 00431	Data and Information Management	Preventive
Provide personal data in a form that is intelligible. CC ID 00432	Data and Information Management	Preventive
Provide restricted data that would threaten the life or security of another individual after that information has been redacted. CC ID 13604	Data and Information Management	Preventive
Provide restricted data that would reveal confidential commercial information after that information has been redacted. CC ID 13602	Data and Information Management	Preventive
Remove data pertaining to third parties before giving the requestor access to the information. CC ID 13601	Data and Information Management	Preventive
Document that a data search was conducted in case the requested data cannot be found. CC ID 06953	Establish/Maintain Documentation	Preventive
Include cookie management in the privacy framework. CC ID 13809	Establish/Maintain Documentation	Preventive
Establish, implement, and maintain cookie management procedures. CC ID 13810	Establish/Maintain Documentation	Preventive
Establish, implement, and maintain a personal data collection program. CC ID 06487	Establish/Maintain Documentation	Preventive
Identify any adverse effects the collection of personal data will have on the data subject. CC ID 15279	Data and Information Management	Preventive
Refrain from collecting personal data, as necessary. CC ID 15269	Data and Information Management	Preventive
Determine the financial impact for the unauthorized disclosure of privacy-related data and privacy-related information. CC ID 06488	Business Processes	Detective
Establish, implement, and maintain personal data collection limitation boundaries. CC ID 00507	Establish/Maintain Documentation	Preventive
Establish, implement, and maintain a personal data use policy. CC ID 00076	Establish/Maintain Documentation	Preventive
Use personal data for specified purposes. CC ID 11831	Data and Information Management	Preventive
Post the collection purpose. CC ID 00101	Establish/Maintain Documentation	Preventive
Obtain the data subject's consent and acknowledgment before collecting data. CC ID 00012	Data and Information Management	Preventive
Document each individual's personal data collection consent preferences. CC ID 06945	Establish/Maintain Documentation	Preventive
Provide explicit consent that is clear and unambiguous. CC ID 00181	Data and Information Management	Preventive
Allow individuals to change their personal data collection consent preferences. CC ID 06946	Data and Information Management	Preventive
Adhere to each individual's personal data collection consent preferences. CC ID 06947	Data and Information Management	Preventive
Notify the data subject of the source of collected personal data. CC ID 00083	Behavior	Preventive
Furnish disclosure of information and usage of information to data subjects when oral consent is given. CC ID 04717	Data and Information Management	Preventive
Disclose the direct marketing purpose before obtaining consent for collecting information. CC ID 04718	Data and Information Management	Preventive
Establish and maintain a personal data definition. CC ID 00028	Establish/Maintain Documentation	Preventive
Include an individual's name in the personal data definition. CC ID 04710	Data and Information Management	Preventive
Include an individual's name combined with other personal data in the personal data definition. CC ID 04709	Data and Information Management	Preventive
Include the legal surname of the parent or legal representative prior to marriage in the personal data definition. CC ID 04686	Data and Information Management	Preventive
Include an individual's signature in the personal data definition. CC ID 04711	Data and Information Management	Preventive
Include an individual's date of birth in the personal data definition. CC ID 04770	Data and Information Management	Preventive
Include the number of children in the personal data definition. CC ID 13759	Establish/Maintain Documentation	Preventive
Include the individual's religion in the personal data definition. CC ID 13765	Establish/Maintain Documentation	Preventive
Include an individual's physical characteristics or description in the personal data definition. CC ID 04712	Data and Information Management	Preventive
Include an individual's biometric data in the personal data definition. CC ID 04698	Data and Information Management	Preventive
Include an individual's photographic image in the personal data definition. CC ID 04779	Data and Information Management	Preventive
Include an individual's fingerprints in the personal data definition. CC ID 04689	Data and Information Management	Preventive
Include an individual's address in the personal data definition. CC ID 04687	Data and Information Management	Preventive
Include an individual's telephone number in the personal data definition. CC ID 04688	Data and Information Management	Preventive
Include an individual's fax number in the personal data definition. CC ID 07120	Data and Information Management	Preventive
Include an individual's political party affiliation in the personal data definition. CC ID 13764	Establish/Maintain Documentation	Preventive
Include an individual's license plate number in the personal data definition. CC ID 13763	Establish/Maintain Documentation	Preventive
Include an individual's financial account number in the personal data definition. CC ID 04692	Data and Information Management	Preventive
Include an individual's account balances in the personal data definition. CC ID 13770	Establish/Maintain Documentation	Preventive
Include stock numbers, bond numbers, and other security certificate numbers in the personal data definition. CC ID 04768	Data and Information Management	Preventive
Include an individual's electronic identification name or number in the personal data definition. CC ID 04694	Data and Information Management	Preventive
Include an individual's logon credentials in the personal data definition. CC ID 13771	Establish/Maintain Documentation	Preventive
Include an individual's Alien Registration Number in the personal data definition. CC ID 04743	Data and Information Management	Preventive
Include an individual's passport number in the personal data definition. CC ID 04713	Data and Information Management	Preventive
Include an individual's driver's license number or an individual's state identification card number in the personal data definition. CC ID 04691	Data and Information Management	Preventive
Include an individual's Social Security Number or Personal Identification Number in the personal data definition. CC ID 04690	Data and Information Management	Preventive
Include an individual's military identification number in the personal data definition. CC ID 13083	Establish/Maintain Documentation	Preventive
Include an individual's e-mail address in the personal data definition. CC ID 04696	Data and Information Management	Preventive
Include electronic signatures in the personal data definition. CC ID 04697	Data and Information Management	Preventive
Include an individual's payment card information in the personal data definition. CC ID 04751	Data and Information Management	Preventive
Include an individual's credit card number or an individual's debit card number in the personal data definition. CC ID 04693	Data and Information Management	Preventive
Include an individual's payment card service code in the personal data definition. CC ID 04753	Data and Information Management	Preventive
Include an individual's payment card expiration date in the personal data definition. CC ID 04755	Data and Information Management	Preventive
Include the payment transaction data and transaction authentication data in the personal data definition. CC ID 04825	Data and Information Management	Preventive
Include an individual's Individually Identifiable Health Information in the personal data definition. CC ID 04700	Data and Information Management	Preventive
Include an individual's medical history in the personal data definition. CC ID 04701	Data and Information Management	Preventive
Include an individual's medical treatment in the personal data definition. CC ID 04702	Data and Information Management	Preventive
Include an individual's medical diagnosis in the personal data definition. CC ID 04703	Data and Information Management	Preventive
Include an individual's mental condition or an individual's physical condition in the personal data definition. CC ID 04704	Data and Information Management	Preventive
Include an individual's medical record numbers in the personal data definition. CC ID 07121	Data and Information Management	Preventive
Include an individual's health insurance information in the personal data definition. CC ID 04705	Data and Information Management	Preventive
Include an individual's health insurance policy number in the personal data definition. CC ID 04706	Data and Information Management	Preventive
Include an individual's health insurance application and health insurance claims history (including appeals) in the personal data definition. CC ID 04707	Data and Information Management	Preventive
Include an individual's education information in the personal data definition. CC ID 04714	Data and Information Management	Preventive
Include an individual's professional certification numbers or an individual's professional license numbers in the personal data definition. CC ID 07122	Data and Information Management	Preventive
Include an individual's employment information in the personal data definition. CC ID 04715	Data and Information Management	Preventive
Include an employer's Taxpayer Identification Number in the personal data definition. CC ID 04767	Data and Information Management	Preventive
Include an individual's Taxpayer Identification Number in the personal data definition. CC ID 04763	Data and Information Management	Preventive
Include an individual's employment history in the personal data definition. CC ID 04716	Data and Information Management	Preventive
Include an individual's place of employment in the personal data definition. CC ID 04765	Data and Information Management	Preventive
Include an individual's Employee Identification Number in the personal data definition. CC ID 04766	Data and Information Management	Preventive
Include an individual's property information in the personal data definition. CC ID 04780	Data and Information Management	Preventive
Include an individual's property title in the personal data definition. CC ID 04781	Data and Information Management	Preventive
Include an individual's vehicle registration in the personal data definition. CC ID 04782	Data and Information Management	Preventive
Include hardware asset identification information in the personal data definition. CC ID 07123	Data and Information Management	Preventive
Include MAC addresses in the personal data definition. CC ID 04778	Data and Information Management	Preventive
Include Internet Protocol addresses in the personal data definition. CC ID 04777	Data and Information Management	Preventive
Include asset serial numbers in the personal data definition. CC ID 07124	Data and Information Management	Preventive
Include Uniform Resource Locators in the personal data definition. CC ID 07125	Data and Information Management	Preventive
Refrain from including publicly available information in the personal data definition. CC ID 13084	Establish/Maintain Documentation	Preventive
Define specially restricted data. CC ID 00037	Data and Information Management	Preventive
Protect an individual's civil rights during personal data collection and personal data processing. CC ID 00079	Data and Information Management	Preventive
Refrain from compiling data that is likely to give rise to unlawful discrimination or arbitrary discrimination. CC ID 00075	Data and Information Management	Preventive
Refrain from subjecting an individual to a solely automated decision process that produces legal effects based on the evaluation of certain characteristics. CC ID 00080	Data and Information Management	Preventive
Implement a nondiscrimination principle. CC ID 00081	Data and Information Management	Preventive
Include the collection and use of personal data in the nondiscrimination principle. CC ID 11799	Data and Information Management	Preventive
Preserve each individual's right to human dignity. CC ID 00082	Data and Information Management	Preventive
Manage Personal Identification Numbers and PIN verification code numbers. CC ID 00058	Data and Information Management	Preventive
Employ a random number generator to create authenticators. CC ID 13782	Technical Security	Preventive
Collect Personal Identification Numbers with the individual's consent. CC ID 00059	Data and Information Management	Preventive
Collect Personal Identification Numbers absent consent when the law mandates. CC ID 00061	Data and Information Management	Preventive
Collect Personal Identification Numbers absent consent for research purposes. CC ID 00065	Data and Information Management	Preventive
Collect Personal Identification Numbers absent consent to realize the rights or duties of the data subject or data controller. CC ID 04792	Data and Information Management	Preventive
Refrain from requiring a Personal Identification Number to purchase goods or services. CC ID 00069	Behavior	Preventive
Manage health data collection. CC ID 00050	Data and Information Management	Preventive
Collect Individually Identifiable Health Information to provide health care services. CC ID 00052	Data and Information Management	Preventive
Collect Individually Identifiable Health Information when the law dictates. CC ID 00053	Data and Information Management	Preventive
Collect Individually Identifiable Health Information for research. CC ID 00054	Data and Information Management	Preventive
Remove personal data before disclosing health data. CC ID 00055	Data and Information Management	Preventive
Give special attention to collecting children's data. CC ID 00038	Data and Information Management	Preventive
Use simple understandable language to collect information from children. CC ID 00039	Behavior	Preventive
Notify parents or legal representatives of what information is collected from children. CC ID 00040	Establish/Maintain Documentation	Preventive
Obtain consent from a parent or legal representative before collecting information from children. CC ID 00041	Data and Information Management	Preventive
Waive verifiable consent from a parent or legal representative for collecting information from children in order to collect online contact information for a one-time only response to a specific request. CC ID 00043	Data and Information Management	Preventive
Waive verifiable consent from a parent or legal representative for collecting information from children in order to request the parent or legal representative's information to obtain consent. CC ID 00044	Data and Information Management	Preventive
Waive verifiable consent from a parent or legal representative for collecting information from children in order to respond to additional requests which do not go beyond the scope of the request. CC ID 00045	Data and Information Management	Preventive
Waive verifiable consent from a parent or legal representative for collecting information from children in order to protect the child's safety. CC ID 00046	Data and Information Management	Preventive
Waive verifiable consent from a parent or legal representative for collecting information from children in order to take liability precautions. CC ID 00047	Data and Information Management	Preventive
Waive verifiable consent from a parent or legal representative for collecting information from children in order to respond to a judicial process. CC ID 00048	Data and Information Management	Preventive
Waive verifiable consent from a parent or legal representative for collecting information from children in order to respond to a request for law enforcement purposes. CC ID 00049	Data and Information Management	Preventive
Waive verifiable consent from a parent or legal representative for collecting information from children in order to protect the website's security or integrity or the online service's security or integrity. CC ID 06199	Data and Information Management	Preventive
Establish, implement, and maintain a personal data collection policy. CC ID 00029	Establish/Maintain Documentation	Preventive
Collect personal data directly from the data subject. CC ID 00011	Data and Information Management	Preventive
Create and manage user account aliases to maintain pseudonymity. CC ID 04549	Data and Information Management	Preventive
Provide unlinkability for users and resources. CC ID 04550	Data and Information Management	Preventive
Provide unobservability of users and resources. CC ID 04551	Technical Security	Preventive
Confirm the data quality of personal data collected from third parties. CC ID 13510	Investigate	Detective
Collect restricted data in a fair and lawful manner. CC ID 00010