Back

International > International Organization for Standardization

ISO 27001:2013, Information Technology - Security Techniques - Information Security Management Systems - Requirements, 2013



AD ID

0001367

AD STATUS

ISO 27001:2013, Information Technology - Security Techniques - Information Security Management Systems - Requirements, 2013

ORIGINATOR

International Organization for Standardization

TYPE

International or National Standard

AVAILABILITY

For Purchase

SYNONYMS

ISO 27001-2013

ISO 27001:2013, Information Technology - Security Techniques - Information Security Management Systems - Requirements

EFFECTIVE

2013-10-01

ADDED

The document as a whole was last reviewed and released on 2018-05-18T00:00:00-0700.

AD ID

0001367

AD STATUS

For Purchase

ORIGINATOR

International Organization for Standardization

TYPE

International or National Standard

AVAILABILITY

SYNONYMS

ISO 27001-2013

ISO 27001:2013, Information Technology - Security Techniques - Information Security Management Systems - Requirements

EFFECTIVE

2013-10-01

ADDED

The document as a whole was last reviewed and released on 2018-05-18T00:00:00-0700.


Important Notice

This Authority Document In Depth Report is copyrighted - © 2020 - Network Frontiers LLC. All rights reserved. Copyright in the Authority Document analyzed herein is held by its authors. Network Frontiers makes no claims of copyright in this Authority Document.

This Authority Document In Depth Report is provided for informational purposes only and does not constitute, and should not be construed as, legal advice. The reader is encouraged to consult with an attorney experienced in these areas for further explanation and advice.

This Authority Document In Depth Report provides analysis and guidance for use and implementation of the Authority Document but it is not a substitute for the original authority document itself. Readers should refer to the original authority document as the definitive resource on obligations and compliance requirements.

The process we used to tag and map this document

This document has been mapped into the Unified Compliance Framework using a patented methodology and patented tools (you can research our patents HERE). The mapping team has taken every effort to ensure the quality of mapping is of the highest degree. To learn more about the process we use to map Authority Documents, or to become involved in that process, click HERE.

Controls and asociated Citations breakdown

When the UCF Mapping Teams tag Citations and their associated mandates within an Authority Document, those Citations and Mandates are tied to Common Controls. In addition, and by virtue of those Citations and mandates being tied to Common Controls, there are three sets of meta data that are associated with each Citation; Controls by Impact Zone, Controls by Type, and Controls by Classification.

The online version of the mapping analysis you see here is just a fraction of the work the UCF Mapping Team has done. The downloadable version of this document, available within the Common Controls Hub (available HERE) contains the following:

Document implementation analysis – statistics about the document’s alignment with Common Controls as compared to other Authority Documents and statistics on usage of key terms and non-standard terms.

Citation and Mandate Tagging and Mapping – A complete listing of each and every Citation we found within ISO 27001:2013, Information Technology - Security Techniques - Information Security Management Systems - Requirements, 2013 that have been tagged with their primary and secondary nouns and primary and secondary verbs in three column format. The first column shows the Citation (the marker within the Authority Document that points to where we found the guidance). The second column shows the Citation guidance per se, along with the tagging for the mandate we found within the Citation. The third column shows the Common Control ID that the mandate is linked to, and the final column gives us the Common Control itself.

Dictionary Terms – The dictionary terms listed for ISO 27001:2013, Information Technology - Security Techniques - Information Security Management Systems - Requirements, 2013 are based upon terms either found within the Authority Document’s defined terms section(which most legal documents have), its glossary, and for the most part, as tagged within each mandate. The terms with links are terms that are the standardized version of the term.



Common Controls and
mandates by Impact Zone
265 Mandated Controls - bold    
138 Implied Controls - italic     3049 Implementation

An Impact Zone is a hierarchical way of organizing our suite of Common Controls — it is a taxonomy. The top levels of the UCF hierarchy are called Impact Zones. Common Controls are mapped within the UCF’s Impact Zones and are maintained in a legal hierarchy within that Impact Zone. Each Impact Zone deals with a separate area of policies, standards, and procedures: technology acquisition, physical security, continuity, records management, etc.


The UCF created its taxonomy by looking at the corpus of standards and regulations through the lens of unification and a view toward how the controls impact the organization. Thus, we created a hierarchical structure for each impact zone that takes into account regulatory and standards bodies, doctrines, and language.

Number of Controls
3452 Total
  • Acquisition or sale of facilities, technology, and services
    7
    KEY:    Primary Verb     Primary Noun     Secondary Verb     Secondary Noun     Limiting Term
    Mandated - bold    Implied - italic    Implementation - regular TYPE CLASS
    Acquisition or sale of facilities, technology, and services CC ID 01123 IT Impact Zone IT Impact Zone
    Establish, implement, and maintain payment and settlement functions for selling products and services. CC ID 13538 Business Processes Preventive
    Establish and maintain an electronic commerce program. CC ID 08617 Business Processes Preventive
    Establish and maintain payment transaction security measures. CC ID 13088 Technical Security Preventive
    Protect the integrity of application service transactions. CC ID 12017
    [Information involved in application service transactions shall be protected to prevent incomplete transmission, mis-routing, unauthorized message alteration, unauthorized disclosure, unauthorized message duplication or replay. A.14.1.3 Control]
    Business Processes Preventive
    Acquire products or services. CC ID 11450 Acquisition/Sale of Assets or Services Preventive
    Discourage the modification of vendor-supplied software. CC ID 12016
    [Modifications to software packages shall be discouraged, limited to necessary changes and all changes shall be strictly controlled. A.14.2.4 Control]
    Process or Activity Preventive
  • Audits and risk management
    387
    KEY:    Primary Verb     Primary Noun     Secondary Verb     Secondary Noun     Limiting Term
    Mandated - bold    Implied - italic    Implementation - regular TYPE CLASS
    Audits and risk management CC ID 00677 IT Impact Zone IT Impact Zone
    Define the roles and responsibilities for personnel assigned to tasks in the Audit function. CC ID 00678
    [The organization shall: plan, establish, implement and maintain an audit programme(s), including the frequency, methods, responsibilities, planning requirements and reporting. The audit programme(s) shall take into consideration the importance of the processes concerned and the results of previous audits; § 9.2 ¶ 2 c)]
    Establish Roles Preventive
    Manage supply chain audits. CC ID 01203 Audits and Risk Management Preventive
    Review the external auditors involvement in assessing Information Technology controls. CC ID 01204 Audits and Risk Management Preventive
    Assign the roles and responsibilities for the Board of Directors and senior management in the Audit function. CC ID 00679 Establish Roles Preventive
    Assign the Board of Directors to address audit findings. CC ID 12396 Human Resources Management Corrective
    Assign the internal Information Technology audit staff to be independent from the Information Technology group reporting to the Board of Directors. CC ID 01184 Establish Roles Preventive
    Define and assign the internal audit manager's roles and responsibilities. CC ID 00680 Establish Roles Preventive
    Report audit findings by the internal audit manager directly to senior management. CC ID 01152
    [The organization shall: ensure that the results of the audits are reported to relevant management; and § 9.2 ¶ 2 f)]
    Testing Detective
    Assign the internal audit manager's compensation and performance review to the Board of Directors or audit committee. CC ID 01186 Establish Roles Preventive
    Define and assign the internal Information Technology audit staff's roles and responsibilities. CC ID 00681 Establish Roles Preventive
    Assign the responsibility for operating an internal control system to the internal Information Technology audit staff. CC ID 01187 Establish Roles Preventive
    Define and assign the external auditor's roles and responsibilities. CC ID 00683 Establish Roles Preventive
    Engage auditors who have adequate knowledge of the subject matter. CC ID 07102 Audits and Risk Management Preventive
    Retain copies of external auditor outsourcing contracts and engagement letters. CC ID 01188 Establish/Maintain Documentation Preventive
    Review external auditor outsourcing contracts and engagement letters. CC ID 01189 Establish/Maintain Documentation Preventive
    Include a change control clause in external auditor outsourcing contracts. CC ID 01192 Establish/Maintain Documentation Preventive
    Include procedures for resolving problems in external auditor outsourcing contracts. CC ID 01196 Establish/Maintain Documentation Preventive
    Include procedures for controlling the use of restricted information in external auditor outsourcing contracts. CC ID 01194 Establish/Maintain Documentation Preventive
    Include reports and work paper Records Management practices in external auditor outsourcing contracts. CC ID 01195 Establish/Maintain Documentation Preventive
    Include communication protocols in external auditor outsourcing contracts. CC ID 01201 Establish/Maintain Documentation Preventive
    Review the external audit scope, as necessary. CC ID 01202 Audits and Risk Management Preventive
    Review the external audit assertion for accuracy. CC ID 06977 Testing Detective
    Review the risk assessments as compared to the in scope controls. CC ID 06978
    [The organization shall define and apply an information security risk assessment process that: evaluates the information security risks: compare the results of risk analysis with the risk criteria established in 6.1.2 a); and § 6.1.2 ¶ 1 e) 1)
    The organization shall define and apply an information security risk assessment process that: ensures that repeated information security risk assessments produce consistent, valid and comparable results; § 6.1.2 ¶ 1 b)]
    Testing Detective
    Include nondisclosure agreements in external auditor outsourcing contracts. CC ID 10014 Audits and Risk Management Detective
    Include the scope and work to be performed in external auditor outsourcing contracts. CC ID 01190 Establish/Maintain Documentation Preventive
    Include work status reporting requirements in the external auditor outsourcing contracts. CC ID 01191 Establish/Maintain Documentation Preventive
    Include access to work papers in external auditor outsourcing contracts. CC ID 01193 Establish/Maintain Documentation Preventive
    Review the external auditor's qualifications. CC ID 01197 Audits and Risk Management Preventive
    Conduct a performance review of the external auditor's performance during the audit process. CC ID 01198 Audits and Risk Management Preventive
    Review the adequacy of the external auditor's work papers and audit reports. CC ID 01199
    [The management review shall include consideration of: changes in external and internal issues that are relevant to the information security management system; § 9.3 ¶ 2 b)]
    Establish/Maintain Documentation Preventive
    Review the conclusions of the external auditor's work papers and audit reports. CC ID 01200 Establish/Maintain Documentation Preventive
    Question external auditors about how audits were conducted and what is in the audit reports. CC ID 04587 Behavior Preventive
    Disseminate and communicate with the organization about any missing audit documentation. CC ID 06992 Behavior Preventive
    Evaluate any refusal by the organization to provide missing audit documentation. CC ID 06993 Establish/Maintain Documentation Preventive
    Take appropriate action if missing audit documentation compromises the audit. CC ID 06994 Establish/Maintain Documentation Preventive
    Establish and maintain an audit program. CC ID 00684
    [The organization shall: plan, establish, implement and maintain an audit programme(s), including the frequency, methods, responsibilities, planning requirements and reporting. The audit programme(s) shall take into consideration the importance of the processes concerned and the results of previous audits; § 9.2 ¶ 2 c)]
    Establish/Maintain Documentation Preventive
    Establish and maintain audit policies, as necessary. CC ID 13166 Establish/Maintain Documentation Preventive
    Assign the audit to impartial auditors. CC ID 07118
    [The organization shall: select auditors and conduct audits that ensure objectivity and the impartiality of the audit process; § 9.2 ¶ 2 e)]
    Establish Roles Preventive
    Exercise due professional care during the planning and performance of the audit. CC ID 07119
    [{audit activities} Audit requirements and activities involving verification of operational systems shall be carefully planned and agreed to minimise disruptions to business processes. A.12.7.1 Control]
    Behavior Preventive
    Include provisions for legislative plurality and legislative domain in the audit program. CC ID 06959 Audits and Risk Management Preventive
    Establish and maintain audit terms. CC ID 13880 Establish/Maintain Documentation Preventive
    Refrain from approving changes to the audit terms absent reasonable justification. CC ID 13973 Process or Activity Preventive
    Include a statement about the inherent limitations of the audit in the audit terms. CC ID 13883 Establish/Maintain Documentation Preventive
    Include a statement that the audit will be conducted in accordance with attestation standards in the audit terms. CC ID 13882 Establish/Maintain Documentation Preventive
    Establish and maintain Agreed Upon Procedures that are in scope for the audit. CC ID 13893 Establish/Maintain Documentation Preventive
    Include agreement to the audit scope and audit terms in the audit program. CC ID 06965
    [{audit activities} Audit requirements and activities involving verification of operational systems shall be carefully planned and agreed to minimise disruptions to business processes. A.12.7.1 Control]
    Establish/Maintain Documentation Preventive
    Establish and maintain a bespoke audit scope for each audit being performed. CC ID 13077
    [The organization shall: plan, establish, implement and maintain an audit programme(s), including the frequency, methods, responsibilities, planning requirements and reporting. The audit programme(s) shall take into consideration the importance of the processes concerned and the results of previous audits; § 9.2 ¶ 2 c)]
    Establish/Maintain Documentation Preventive
    Include audit subject matter in the audit program. CC ID 07103 Establish/Maintain Documentation Preventive
    Examine the objectivity of the audit criteria in the audit program. CC ID 07104 Establish/Maintain Documentation Preventive
    Examine the measurability of the audit criteria in the audit program. CC ID 07105 Establish/Maintain Documentation Preventive
    Examine the completeness of the audit criteria in the audit program. CC ID 07106 Establish/Maintain Documentation Preventive
    Examine the relevance of the audit criteria in the audit program. CC ID 07107 Establish/Maintain Documentation Preventive
    Disseminate and communicate the audit program with the audit subject matter and audit criteria to all interested personnel and affected parties. CC ID 07116 Establish/Maintain Documentation Preventive
    Include the in scope material or in scope products in the audit program. CC ID 08961 Audits and Risk Management Preventive
    Include the out of scope material or out of scope products in the audit program. CC ID 08962 Establish/Maintain Documentation Preventive
    Provide a representation letter in support of the audit assertion. CC ID 07158 Establish/Maintain Documentation Preventive
    Include a statement that management has evaluated compliance with external requirements in the representation letter. CC ID 13942 Establish/Maintain Documentation Preventive
    Include a statement that the assumptions used for estimates are reasonable in the representation letter. CC ID 13934 Establish/Maintain Documentation Preventive
    Include a statement that uncorrected misstatements are believed to be immaterial in the representation letter. CC ID 13884 Establish/Maintain Documentation Preventive
    Include a statement of responsibility for the subject matter in the representation letter. CC ID 07159 Establish/Maintain Documentation Preventive
    Include a statement of responsibility for selecting the audit criteria in the representation letter. CC ID 07160 Establish/Maintain Documentation Preventive
    Include a statement of responsibility regarding the appropriateness of the audit criteria in the representation letter. CC ID 07161 Establish/Maintain Documentation Preventive
    Include an assertion about the subject matter based on the selected audit criteria in the representation letter. CC ID 07162 Establish/Maintain Documentation Preventive
    Include a statement that all known matters contradicting the audit assertion have been disclosed to the auditor in the representation letter. CC ID 07163 Establish/Maintain Documentation Preventive
    Include the availability of all in scope records relevant to the subject matter in the representation letter. CC ID 07164 Establish/Maintain Documentation Preventive
    Include a statement that any known subsequent events have been disclosed to the auditor in the representation letter. CC ID 07165 Establish/Maintain Documentation Preventive
    Include a statement that deficiencies in internal controls have been disclosed to the auditor in the representation letter. CC ID 13899 Establish/Maintain Documentation Preventive
    Disseminate and communicate a written audit assertion of the audit scope and audit terms to interested personnel and affected parties. CC ID 06967 Establish/Maintain Documentation Preventive
    Include any assumptions that are improbable in the audit assertion. CC ID 13950 Establish/Maintain Documentation Preventive
    Include how the audit scope matches in scope controls in the audit assertion. CC ID 06969 Establish/Maintain Documentation Preventive
    Include why specific criteria are ignored by in scope controls in the audit assertion. CC ID 07027 Establish/Maintain Documentation Preventive
    Include how the in scope system is designed and implemented in the audit assertion. CC ID 06970 Establish/Maintain Documentation Preventive
    Include the responsible party's opinion of the quality of the evidence in the audit assertion. CC ID 13949 Establish/Maintain Documentation Preventive
    Include the end users and affected parties of the in scope system in the audit assertion. CC ID 07028 Establish/Maintain Documentation Preventive
    Include the in scope services offered or in scope transactions processed in the audit assertion. CC ID 06971 Establish/Maintain Documentation Preventive
    Include the in scope procedures in the audit assertion. CC ID 06972 Establish/Maintain Documentation Preventive
    Include the in scope records produced in the audit assertion. CC ID 06968 Establish/Maintain Documentation Preventive
    Include how in scope material events are monitored and logged in the audit assertion. CC ID 06973 Establish/Maintain Documentation Preventive
    Include any in scope material events that might affect the assertion in the audit assertion. CC ID 06991 Establish/Maintain Documentation Preventive
    Include the in scope controls and compliance documents in the audit assertion. CC ID 06974 Establish/Maintain Documentation Preventive
    Include the in scope risk assessment processes in the audit assertion. CC ID 06975 Establish/Maintain Documentation Preventive
    Include in scope change controls in the audit assertion. CC ID 06976 Establish/Maintain Documentation Preventive
    Include any in scope uncorrected errors or non-compliance issues in the audit assertion. CC ID 06989 Establish/Maintain Documentation Preventive
    Include the scope for the desired level of assurance in the audit program. CC ID 12793
    [The organization shall: define the audit criteria and scope for each audit; § 9.2 ¶ 2 d)]
    Communicate Preventive
    Include conditions that might require modification of the audit program in the audit terms. CC ID 07149 Establish/Maintain Documentation Preventive
    Include how access to in scope systems, personnel and in scope records are provided to the auditor in the audit terms. CC ID 06988 Establish/Maintain Documentation Preventive
    Include the criteria for determining the desired level of assurance in the audit program. CC ID 12795
    [The organization shall: define the audit criteria and scope for each audit; § 9.2 ¶ 2 d)]
    Audits and Risk Management Preventive
    Establish and maintain procedures for determining the desired level of assurance in the audit program. CC ID 12794
    [The organization shall: plan, establish, implement and maintain an audit programme(s), including the frequency, methods, responsibilities, planning requirements and reporting. The audit programme(s) shall take into consideration the importance of the processes concerned and the results of previous audits; § 9.2 ¶ 2 c)]
    Establish/Maintain Documentation Preventive
    Include the expectations for the audit report in the audit terms. CC ID 07148 Establish/Maintain Documentation Preventive
    Establish and maintain a practitioner’s report on management’s assertions, as necessary. CC ID 13888 Establish/Maintain Documentation Preventive
    Refrain from changing the date of the practitioner's report on agreed-upon procedures when reissuing it. CC ID 13896 Establish/Maintain Documentation Corrective
    Include materiality levels in the audit terms. CC ID 01238 Establish/Maintain Documentation Preventive
    Include material changes in information processes, Information Systems, and assets that could affect audits in the audit terms. CC ID 01239 Establish/Maintain Documentation Preventive
    Include material weaknesses, material failures, and material errors in information processes, Information Systems, and assets that could affect audits in the audit terms. CC ID 01240 Establish/Maintain Documentation Preventive
    Refrain from performing an attestation engagement under defined conditions. CC ID 13952 Audits and Risk Management Detective
    Refrain from accepting an attestation engagement unless the prospective financial information includes a summary of significant assumptions. CC ID 13954 Behavior Preventive
    Accept the attestation engagement when all preconditions are met. CC ID 13933 Business Processes Preventive
    Refrain from accepting an attestation engagement when all parties disagree on the procedures. CC ID 13951 Audits and Risk Management Preventive
    Audit in scope audit items and compliance documents as defined in the audit scope. CC ID 06730
    [The organization shall: select auditors and conduct audits that ensure objectivity and the impartiality of the audit process; § 9.2 ¶ 2 e)]
    Audits and Risk Management Preventive
    Identify hypothetical assumptions in forecasts and projections during an audit. CC ID 13946 Audits and Risk Management Detective
    Refrain from examining forecasts and projections which refrain from disclosing assumptions during an audit. CC ID 13932 Audits and Risk Management Detective
    Audit policies, standards, and procedures. CC ID 12927
    [The organization shall conduct internal audits at planned intervals to provide information on whether the information security management system: is effectively implemented and maintained. § 9.2 ¶ 1 b)]
    Audits and Risk Management Preventive
    Audit cybersecurity risk management within the policies, standards, and procedures of the organization. CC ID 13011 Investigate Detective
    Audit information systems, as necessary. CC ID 13010 Investigate Detective
    Audit the potential costs of compromise to information systems. CC ID 13012 Investigate Detective
    Determine the accurateness of the audit assertion's in scope system description. CC ID 06979 Testing Detective
    Determine if the in scope system has been implemented as described in the audit assertion. CC ID 06983 Testing Detective
    Determine the effect of fraud and non-compliance on the description of the system in the audit assertion, as necessary. CC ID 13977 Process or Activity Detective
    Edit the audit assertion for accuracy. CC ID 07030 Establish/Maintain Documentation Preventive
    Determine if the audit assertion's in scope procedures are accurately documented. CC ID 06982 Establish/Maintain Documentation Preventive
    Determine if the audit assertion's in scope controls are reasonable. CC ID 06980 Testing Detective
    Determine the effect of fraud and non-compliance on the achievement of in scope controls in the audit assertion, as necessary. CC ID 13978 Process or Activity Detective
    Document test plans for auditing in scope controls. CC ID 06985 Testing Detective
    Determine the implementation status of the audit assertion's in scope controls. CC ID 06981 Testing Detective
    Determine the effectiveness of in scope controls. CC ID 06984 Testing Detective
    Review incident management audit logs to determine the effectiveness of in scope controls. CC ID 12157 Audits and Risk Management Detective
    Review audit reports to determine the effectiveness of in scope controls. CC ID 12156 Audits and Risk Management Detective
    Observe processes to determine the effectiveness of in scope controls. CC ID 12155
    [{actions to address risks and opportunities} When planning for the information security management system, the organization shall consider the issues referred to in 4.1 and the requirements referred to in 4.2 and determine the risks and opportunities that need to be addressed to: how to evaluate the effectiveness of these actions. § 6.1.1 ¶ 2 e) 2)]
    Audits and Risk Management Detective
    Interview stakeholders to determine the effectiveness of in scope controls. CC ID 12154 Audits and Risk Management Detective
    Review policies and procedures to determine the effectiveness of in scope controls. CC ID 12144 Audits and Risk Management Detective
    Determine any errors or material omissions in the audit assertion that affect in scope control implementations. CC ID 06990 Testing Detective
    Include the process of using evidential matter to test in scope controls in the test plan. CC ID 06996 Establish/Maintain Documentation Preventive
    Audit the in scope system according to the test plan using relevant evidence. CC ID 07112
    [The organization shall conduct internal audits at planned intervals to provide information on whether the information security management system: § 9.2 ¶ 1]
    Testing Preventive
    Implement procedures that collect sufficient audit evidence. CC ID 07153 Audits and Risk Management Preventive
    Collect evidence about the in scope audit items of the audit assertion. CC ID 07154 Audits and Risk Management Preventive
    Collect audit evidence sufficient to avoid misstatements. CC ID 07155 Audits and Risk Management Preventive
    Collect audit evidence at the level of the organization's competence in the subject matter. CC ID 07156 Audits and Risk Management Preventive
    Collect audit evidence sufficient to overcome inadequacies in the organization's attestation. CC ID 07157 Audits and Risk Management Preventive
    Conduct interviews of auditees, as necessary. CC ID 07188 Testing Detective
    Explain the goals of the interview to the auditee. CC ID 07189 Behavior Detective
    Withdraw from the audit, when defined conditions exist. CC ID 13885 Process or Activity Corrective
    Establish and maintain work papers, as necessary. CC ID 13891 Establish/Maintain Documentation Preventive
    Include justification for departing from mandatory requirements in the work papers. CC ID 13935 Establish/Maintain Documentation Preventive
    Include the reviewer, and dates, for using evidential matter to test in scope controls in the work papers. CC ID 06998 Establish/Maintain Documentation Preventive
    Include the tests, examinations, interviews and observations performed during the audit in the work papers. CC ID 07190 Establish/Maintain Documentation Preventive
    Include if any subject matter experts or additional research had to be undertaken to test in scope controls in the work papers. CC ID 07026 Establish/Maintain Documentation Preventive
    Include the tester, and dates, for using evidential matter to test in scope controls in the work papers. CC ID 06997 Establish/Maintain Documentation Preventive
    Include if the audit evidence has identified in scope control deficiencies in the work papers. CC ID 07152 Audits and Risk Management Detective
    Include the causes of identified in scope control deficiencies in the work papers. CC ID 07000 Establish/Maintain Documentation Preventive
    Include discussions regarding the causes of identified in scope control deficiencies in the work papers. CC ID 06999 Establish/Maintain Documentation Preventive
    Investigate the nature and causes of identified in scope control deviations. CC ID 06986 Testing Detective
    Include if in scope control deviations allow in scope controls to be performed acceptably in the work papers. CC ID 06987 Testing Detective
    Supervise interested personnel and affected parties participating in the audit. CC ID 07150 Monitor and Evaluate Occurrences Preventive
    Notify interested personnel and affected parties participating in the audit of their roles and responsibilities during the audit. CC ID 07151 Establish Roles Preventive
    Respond to questions or clarification requests regarding the audit. CC ID 08902
    [The management review shall include consideration of: feedback from interested parties; § 9.3 ¶ 2 d)]
    Business Processes Preventive
    Track and measure the implementation of the organizational compliance framework. CC ID 06445 Monitor and Evaluate Occurrences Preventive
    Review the need for organizational efficiency as balanced against the needs of compliance and security. CC ID 07111 Business Processes Preventive
    Establish and maintain a Statement on the Level of Compliance. CC ID 12499 Establish/Maintain Documentation Preventive
    Review the Statement on the Level of Compliance. CC ID 12500 Business Processes Detective
    Approve the Statement on the Level of Compliance. CC ID 12501 Business Processes Preventive
    Include a Statement on the Level of Compliance in the tactical Information Technology plan. CC ID 06842 Actionable Reports or Measurements Preventive
    Engage subject matter experts when the auditor requires additional expertise during an attestation engagement, as necessary. CC ID 13971 Process or Activity Preventive
    Establish, implement, and maintain a practitioner’s report on agreed-upon procedures. CC ID 13894 Establish/Maintain Documentation Preventive
    Provide auditors access to all in scope records, in scope assets, personnel and in scope procedures. CC ID 06966 Audits and Risk Management Preventive
    Provide auditors access to affected parties during the audit, as necessary. CC ID 07187 Business Processes Preventive
    Solve any access problems auditors encounter during the audit. CC ID 08959 Audits and Risk Management Corrective
    Notify interested personnel and affected parties when an auditee refuses to provide access or participate in the audit. CC ID 08960 Audits and Risk Management Preventive
    Establish and maintain a practitioner's examination report on pro forma financial information. CC ID 13968 Establish/Maintain Documentation Preventive
    Include references to where financial information was derived in the practitioner's review report on pro forma financial information. CC ID 13982 Establish/Maintain Documentation Preventive
    Include a statement that the financial statements used were audited by other practitioners in the practitioner's examination report on pro forma financial information, as necessary. CC ID 13981 Establish/Maintain Documentation Preventive
    Establish and maintain organizational audit reports. CC ID 06731
    [The organization shall: plan, establish, implement and maintain an audit programme(s), including the frequency, methods, responsibilities, planning requirements and reporting. The audit programme(s) shall take into consideration the importance of the processes concerned and the results of previous audits; § 9.2 ¶ 2 c)
    The organization shall: retain documented information as evidence of the audit programme(s) and the audit results. § 9.2 ¶ 2 g)]
    Establish/Maintain Documentation Preventive
    Write the audit report using clear and conspicuous language. CC ID 13948 Establish/Maintain Documentation Preventive
    Include a statement that the sufficiency of the agreed upon procedures is the responsibility of the specified parties in the audit report. CC ID 13936 Establish/Maintain Documentation Preventive
    Include a statement that the financial statements were audited in the audit report. CC ID 13963 Establish/Maintain Documentation Preventive
    Include the criteria that financial information was measured against in the audit report. CC ID 13966 Establish/Maintain Documentation Preventive
    Include a description of the financial information being reported on in the audit report. CC ID 13965 Establish/Maintain Documentation Preventive
    Include references to any adjustments of financial information in the audit report. CC ID 13964 Establish/Maintain Documentation Preventive
    Include in the audit report that audit opinions are not dependent on references to subject matter experts, as necessary. CC ID 13953 Establish/Maintain Documentation Preventive
    Include references to historical financial information used in the audit report. CC ID 13961 Establish/Maintain Documentation Preventive
    Include a description of the limitations on the usefulness of hypothetical assumptions in the audit report. CC ID 13958 Establish/Maintain Documentation Preventive
    Include the word independent in the title of audit reports. CC ID 07003 Actionable Reports or Measurements Preventive
    Include the date of the audit in the audit report. CC ID 07024 Actionable Reports or Measurements Preventive
    Structure the audit report to be in the form of procedures and findings. CC ID 13940 Establish/Maintain Documentation Preventive
    Include information about the organization being audited and the auditor performing the audit in the audit report. CC ID 07004 Actionable Reports or Measurements Preventive
    Include any discussions of significant findings in the audit report. CC ID 13955 Establish/Maintain Documentation Preventive
    Include the date and with whom discussions about significant findings took place in the audit report. CC ID 13962 Establish/Maintain Documentation Preventive
    Include the audit criteria in the audit report. CC ID 13945 Establish/Maintain Documentation Preventive
    Include a statement in the audit report that the agreed upon procedures were potentially insufficient in identifying material risks, as necessary. CC ID 13957 Establish/Maintain Documentation Preventive
    Include all hypothetical assumptions in the audit report. CC ID 13947 Establish/Maintain Documentation Preventive
    Include a statement that access to the report is restricted based on least privilege in the audit report. CC ID 07023 Actionable Reports or Measurements Preventive
    Include a statement that identifies the distribution list for the report in the audit report. CC ID 07172 Establish/Maintain Documentation Preventive
    Include a statement that identifies the use restrictions for the report in the audit report. CC ID 07173 Establish/Maintain Documentation Preventive
    Include a statement that the agreed upon procedures involves collecting evidence in the audit report. CC ID 13956 Establish/Maintain Documentation Preventive
    Include all of the facts and demonstrated plausibility in the audit report. CC ID 08929 Establish/Maintain Documentation Preventive
    Include a statement that the agreed upon procedures were performed by all parties in the audit report. CC ID 13931 Establish/Maintain Documentation Preventive
    Include references to subject matter experts in the audit report when citing qualified opinions. CC ID 13929 Establish/Maintain Documentation Preventive
    Include a description of the assistance provided by Subject Matter Experts in the audit report. CC ID 13939 Establish/Maintain Documentation Preventive
    Include a review of the subject matter expert's findings in the audit report. CC ID 13972 Establish/Maintain Documentation Preventive
    Include a statement of the character of the engagement in the audit report. CC ID 07166 Establish/Maintain Documentation Preventive
    Include the nature and scope of the audit performed in the statement of the character of the engagement in the audit report. CC ID 07167 Establish/Maintain Documentation Preventive
    Include the professional standards governing the audit in the statement of the character of the engagement in the audit report. CC ID 07168 Establish/Maintain Documentation Preventive
    Include all restrictions on the audit in the audit report. CC ID 13930 Establish/Maintain Documentation Preventive
    Include a statement that the auditor has no responsibility to update the audit report after its submission. CC ID 13943 Establish/Maintain Documentation Preventive
    Include a statement that the responsible party refused to provide a written assertion in the audit report. CC ID 13887 Establish/Maintain Documentation Preventive
    Include a statement that the examination involves procedures for collecting evidence in the audit report. CC ID 13941 Establish/Maintain Documentation Preventive
    Express an adverse opinion in the audit report when significant assumptions are not suitably supported. CC ID 13944 Establish/Maintain Documentation Preventive
    Include a statement that modifications to historical evidence accurately reflect current evidence in the audit report. CC ID 13938 Establish/Maintain Documentation Preventive
    Refrain from referencing other auditor's work in the audit report. CC ID 13881 Establish/Maintain Documentation Preventive
    Include that the audit findings are not a predictive analysis of future compliance in the audit report. CC ID 07018 Establish/Maintain Documentation Preventive
    Include the organization's audit assertion of the in scope system in the audit report. CC ID 07005 Actionable Reports or Measurements Preventive
    Include that the organization is the responsible party for the content of its audit assertion and in scope system description in the audit report. CC ID 07010 Establish/Maintain Documentation Preventive
    Include that the organization is the responsible party for specifying in scope controls not defined by law or contractual obligation in the audit report. CC ID 07011 Establish/Maintain Documentation Preventive
    Include that the organization is the responsible party for designing and implementing the in scope controls it identified in the audit scope in the audit report. CC ID 07014 Establish/Maintain Documentation Preventive
    Include the audit opinion regarding the accurateness of the in scope system description in the audit report. CC ID 07019 Establish/Maintain Documentation Preventive
    Include the attestation standards the auditor follows in the audit report. CC ID 07015 Establish/Maintain Documentation Preventive
    Include the audit opinion about the audit assertion in relation to the audit criteria used for evaluation in the audit report. CC ID 07169 Establish/Maintain Documentation Preventive
    Include the auditor's significant reservations about the engagement, the audit assertion, or the audit subject matter in the audit report. CC ID 07170 Establish/Maintain Documentation Preventive
    Include the organization's description of the in scope system in the audit report. CC ID 11626 Audits and Risk Management Preventive
    Include any out of scope components of in scope systems in the audit report. CC ID 07006 Establish/Maintain Documentation Preventive
    Include that the organization is the responsible party for identifying material risks in the audit report. CC ID 07012 Establish/Maintain Documentation Preventive
    Include that the organization is the responsible party for selecting the audit criteria in the audit report. CC ID 07013 Establish/Maintain Documentation Preventive
    Include the scope and work performed in the audit report. CC ID 11621 Audits and Risk Management Preventive
    Review the adequacy of the internal auditor's work papers. CC ID 01146 Audits and Risk Management Detective
    Compare the evaluations completed by the internal auditors and the external auditors in past audit reports. CC ID 01158 Establish/Maintain Documentation Detective
    Review the adequacy of the internal auditor's audit reports. CC ID 11620 Audits and Risk Management Detective
    Review past audit reports. CC ID 01155
    [The organization shall: plan, establish, implement and maintain an audit programme(s), including the frequency, methods, responsibilities, planning requirements and reporting. The audit programme(s) shall take into consideration the importance of the processes concerned and the results of previous audits; § 9.2 ¶ 2 c)]
    Establish/Maintain Documentation Detective
    Review past audit reports for specific process steps and calculations that were stated to support the audit report's conclusions. CC ID 01160 Establish/Maintain Documentation Detective
    Review the reporting of material weaknesses and risks in past audit reports. CC ID 01161 Establish/Maintain Documentation Detective
    Resolve disputes before creating the audit summary. CC ID 08964 Behavior Preventive
    Refrain from including the description of the audit in the audit report when the auditor is disclaiming an audit opinion. CC ID 13975 Establish/Maintain Documentation Preventive
    Refrain from including scope limitations from changed attestation engagements in the audit report. CC ID 13983 Establish/Maintain Documentation Preventive
    Refrain from including in the audit report any procedures that were performed that the auditor is disclaiming in an audit opinion. CC ID 13974 Establish/Maintain Documentation Preventive
    Determine the effect of fraud and non-compliance on the audit report, as necessary. CC ID 13979 Process or Activity Detective
    Include an audit opinion in the audit report. CC ID 07017 Establish/Maintain Documentation Preventive
    Include qualified opinions in the audit report. CC ID 13928 Establish/Maintain Documentation Preventive
    Include that the auditor is the responsible party to express an opinion on the audit subject matter based on examination of evidence in the audit report. CC ID 07174 Establish/Maintain Documentation Preventive
    Include a description of the reasons for modifying the audit opinion in the audit report. CC ID 13898 Establish/Maintain Documentation Corrective
    Include that the auditor did not express an opinion in the audit report, as necessary. CC ID 13886 Establish/Maintain Documentation Preventive
    Disclaim the audit opinion in the audit report, as necessary. CC ID 13901 Business Processes Corrective
    Collect all work papers for the audit and audit report into an engagement file. CC ID 07001
    [The organization shall: retain documented information as evidence of the audit programme(s) and the audit results. § 9.2 ¶ 2 g)]
    Actionable Reports or Measurements Preventive
    Include any subsequent events related to the audit assertion or audit subject matter in the work papers. CC ID 07177 Audits and Risk Management Preventive
    Document any after the fact changes to the engagement file. CC ID 07002 Establish/Maintain Documentation Preventive
    Protect access to the engagement file and all associated audit documentation in compliance with Authority Documents the organization must follow. CC ID 07179 Establish/Maintain Documentation Preventive
    Disclose work papers in the engagement file in compliance with legal requirements. CC ID 07180 Establish/Maintain Documentation Preventive
    Archive the engagement file and all work papers for the period prescribed by law or contract. CC ID 10038 Records Management Preventive
    Include items that were excluded from the audit report in the audit report. CC ID 07007 Establish/Maintain Documentation Preventive
    Include the organization's privacy practices in the audit report. CC ID 07029 Establish/Maintain Documentation Preventive
    Include items that pertain to third parties in the audit report. CC ID 07008 Establish/Maintain Documentation Preventive
    Refrain from including reference to procedures performed in previous attestation engagements in the audit report. CC ID 13970 Establish/Maintain Documentation Preventive
    Include a statement in the audit report that no procedures were performed subsequent to the date of the practitioner's review report on pro forma financial information, as necessary. CC ID 13969 Establish/Maintain Documentation Preventive
    Include any of the organization's use of compensating controls that were not audited in the audit report. CC ID 07009 Establish/Maintain Documentation Preventive
    Include whether the use of compensating controls are necessary in the audit report. CC ID 07020 Establish/Maintain Documentation Preventive
    Include the pass or fail test status of all in scope controls in the audit report. CC ID 07016 Establish/Maintain Documentation Preventive
    Include the process of using evidential matter to test in scope controls in the audit report. CC ID 07021 Establish/Maintain Documentation Preventive
    Include the nature and causes of identified in scope control deviations in the audit report. CC ID 07022 Establish/Maintain Documentation Preventive
    Modify the audit opinion in the audit report under defined conditions. CC ID 13937 Establish/Maintain Documentation Corrective
    Disclose any audit irregularities in the audit report. CC ID 06995 Actionable Reports or Measurements Preventive
    Include the written signature of the auditor's organization in the audit report. CC ID 13897 Establish/Maintain Documentation Preventive
    Disseminate and communicate the audit report to all interested personnel and affected parties identified in the distribution list. CC ID 07117 Establish/Maintain Documentation Preventive
    Disseminate and communicate the reviews of audit reports to organizational management. CC ID 00653 Log Management Detective
    Disseminate and communicate to the organization that access and use of audit reports are based on least privilege. CC ID 07171 Behavior Preventive
    Disseminate and communicate documents that contain information in support of the audit report. CC ID 07175 Establish/Maintain Documentation Preventive
    Correct any material misstatements in documents that contain information in support of the audit report. CC ID 07176 Establish/Maintain Documentation Preventive
    Notify interested personnel and affected parties after bribes are offered during the audit. CC ID 08872 Business Processes Preventive
    Submit an audit report that is complete. CC ID 01145 Testing Detective
    Accept the audit report. CC ID 07025 Establish/Maintain Documentation Preventive
    Implement a corrective action plan in response to the audit report. CC ID 06777 Establish/Maintain Documentation Corrective
    Assign responsibility for remediation actions. CC ID 13622 Human Resources Management Preventive
    Review management's response to issues raised in past audit reports. CC ID 01149
    [The management review shall include consideration of: the status of actions from previous management reviews; § 9.3 ¶ 2 a)]
    Audits and Risk Management Detective
    Define penalties for uncorrected audit findings or remaining non-compliant with the audit report. CC ID 08963 Establish/Maintain Documentation Preventive
    Assess the quality of the audit program in regards to the staff and their qualifications. CC ID 01150 Testing Detective
    Review the audit program scope as it relates to the organization's profile. CC ID 01159 Audits and Risk Management Detective
    Assess the quality of the audit program in regards to its documentation. CC ID 11622 Audits and Risk Management Preventive
    Establish, implement, and maintain the audit plan. CC ID 01156 Testing Detective
    Establish and maintain the audit schedule for the audit program. CC ID 13158
    [The organization shall: plan, establish, implement and maintain an audit programme(s), including the frequency, methods, responsibilities, planning requirements and reporting. The audit programme(s) shall take into consideration the importance of the processes concerned and the results of previous audits; § 9.2 ¶ 2 c)]
    Establish/Maintain Documentation Preventive
    Establish and maintain a risk management program. CC ID 12051 Establish/Maintain Documentation Preventive
    Establish and maintain the risk assessment framework. CC ID 00685 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain a risk assessment program. CC ID 00687
    [The organization shall define and apply an information security risk assessment process that: § 6.1.2 ¶ 1]
    Establish/Maintain Documentation Preventive
    Address past security incidents in the risk assessment program. CC ID 12743 Audits and Risk Management Preventive
    Include the need for risk assessments in the risk assessment program. CC ID 06447 Establish/Maintain Documentation Preventive
    Include the information flow of restricted data in the risk assessment program. CC ID 12339 Establish/Maintain Documentation Preventive
    Establish and maintain the factors and context for risk to the organization. CC ID 12230 Audits and Risk Management Preventive
    Establish and maintain a financial plan to support the risk management strategy. CC ID 12786 Establish/Maintain Documentation Preventive
    Design a portfolio of insurance options in accordance with risk decision-making criteria. CC ID 12878 Business Processes Preventive
    Design a portfolio of loans in accordance with risk decision-making criteria. CC ID 12877 Business Processes Preventive
    Design a portfolio of risk limiting and mitigating approaches in organizational contracts in accordance with risk decision-making criteria. CC ID 12903 Business Processes Preventive
    Address cybersecurity risks in the risk assessment program. CC ID 13193 Establish/Maintain Documentation Preventive
    Include a Data Protection Impact Assessment in the risk assessment program. CC ID 12630 Establish/Maintain Documentation Preventive
    Include an assessment of the necessity and proportionality of the processing operations in relation to the purposes in the Data Protection Impact Assessment. CC ID 12681 Establish/Maintain Documentation Preventive
    Include a risk assessment of data subject's rights in the Data Protection Impact Assessment. CC ID 12674 Establish/Maintain Documentation Preventive
    Include the description and purpose of personal data processing in the Data Protection Impact Assessment. CC ID 12673 Establish/Maintain Documentation Preventive
    Include monitoring unsecured areas in the Data Protection Impact Assessment. CC ID 12671 Establish/Maintain Documentation Preventive
    Include security measures for protecting personal data in the Data Protection Impact Assessment. CC ID 12635 Establish/Maintain Documentation Preventive
    Review and update the data protection impact assessment, as necessary. CC ID 12665 Audits and Risk Management Preventive
    Use the risk taxonomy when managing risk. CC ID 12280 Behavior Preventive
    Establish, implement, and maintain a risk assessment policy. CC ID 14026 Establish/Maintain Documentation Preventive
    Review and update the risk assessment policy, as necessary. CC ID 14122 Establish/Maintain Documentation Corrective
    Include compliance requirements in the risk assessment policy. CC ID 14121 Establish/Maintain Documentation Preventive
    Include coordination amongst entities in the risk assessment policy. CC ID 14120 Establish/Maintain Documentation Preventive
    Include management commitment in the risk assessment policy. CC ID 14119 Establish/Maintain Documentation Preventive
    Include roles and responsibilities in the risk assessment policy. CC ID 14118 Establish/Maintain Documentation Preventive
    Include the scope in the risk assessment policy. CC ID 14117 Establish/Maintain Documentation Preventive
    Include the purpose in the risk assessment policy. CC ID 14116 Establish/Maintain Documentation Preventive
    Disseminate and communicate the risk assessment policy to interested personnel and affected parties. CC ID 14115 Communicate Preventive
    Establish, implement, and maintain risk assessment procedures. CC ID 06446 Establish/Maintain Documentation Preventive
    Analyze the organization's information security environment. CC ID 13122 Technical Security Preventive
    Document cybersecurity risks. CC ID 12281 Establish/Maintain Documentation Preventive
    Engage third parties to assist with risk assessments, as necessary. CC ID 12153 Human Resources Management Preventive
    Establish and maintain risk profiling procedures for internal risk assessments. CC ID 01157 Audits and Risk Management Preventive
    Include compliance with disposition requirements in the risk assessment procedures. CC ID 12342 Establish/Maintain Documentation Preventive
    Include compliance with retention requirements in the risk assessment procedures. CC ID 12341 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain a threat and risk classification scheme. CC ID 07183 Establish/Maintain Documentation Preventive
    Document organizational risk criteria. CC ID 12277
    [The organization shall define and apply an information security risk assessment process that establishes and maintains information security risk criteria that include: § 6.1.2 ¶ 1 a)
    The organization shall define and apply an information security risk assessment process that: establishes and maintains information security risk criteria that include: criteria for performing information security risk assessments; § 6.1.2 ¶ 1 a) 2)]
    Establish/Maintain Documentation Preventive
    Include security threats and vulnerabilities to the system in the threat and risk classification scheme. CC ID 00699 Technical Security Preventive
    Include an analysis of system interdependencies in the threat and risk classification scheme. CC ID 13056 Investigate Detective
    Categorize the systems, information, and data by risk profile in the threat and risk classification scheme. CC ID 01443 Audits and Risk Management Preventive
    Include the risks to the organization's critical personnel and assets in the threat and risk classification scheme. CC ID 00698
    [The organization shall define and apply an information security risk assessment process that: identifies the information security risks: § 6.1.2 ¶ 1 c)
    When planning for the information security management system, the organization shall consider the issues referred to in 4.1 and the requirements referred to in 4.2 and determine the risks and opportunities that need to be addressed to: ensure the information security management system can achieve its intended outcome(s); § 6.1.1 ¶ 1 a)
    The organization shall define and apply an information security risk assessment process that: identifies the information security risks: apply the information security risk assessment process to identify risks associated with the loss of confidentiality, integrity and availability for information within the scope of the information security management system; and § 6.1.2 ¶ 1 c) 1)]
    Audits and Risk Management Preventive
    Include the traceability of malicious code in the threat and risk classification scheme. CC ID 06600 Establish/Maintain Documentation Preventive
    Assign a probability of occurrence to all types of threats in the threat and risk classification scheme. CC ID 01173
    [The organization shall define and apply an information security risk assessment process that: analyses the information security risks: assess the realistic likelihood of the occurrence of the risks identified in 6.1.2 c) 1); and § 6.1.2 ¶ 1 d) 2)]
    Audits and Risk Management Preventive
    Include language that is easy to understand in the risk assessment report. CC ID 06461 Establish/Maintain Documentation Preventive
    Include the environments that call for risk assessments in the risk assessment program. CC ID 06448 Establish/Maintain Documentation Preventive
    Include the process for defining the scope of each risk assessment in the risk assessment program. CC ID 06462 Establish/Maintain Documentation Preventive
    Include the circumstances that call for risk assessments in the risk assessment program. CC ID 06449 Establish/Maintain Documentation Preventive
    Include the roles and responsibilities involved in risk assessments in the risk assessment program. CC ID 06450
    [The organization shall define and apply an information security risk assessment process that: identifies the information security risks: identify the risk owners; § 6.1.2 ¶ 1 c) 2)]
    Establish/Maintain Documentation Preventive
    Include the methods of managing and responding to the risk assessment report in the risk assessment program. CC ID 06451 Establish/Maintain Documentation Preventive
    Automate as much of the risk assessment program, as necessary. CC ID 06459 Audits and Risk Management Preventive
    Review the risk assessment procedures, as necessary. CC ID 06460 Establish/Maintain Documentation Preventive
    Employ risk assessment procedures that follow legal requirements and contractual obligations when risk profiling. CC ID 06472 Establish/Maintain Documentation Preventive
    Employ risk assessment procedures that follow standards and best practices, as necessary. CC ID 06473 Establish/Maintain Documentation Preventive
    Employ risk assessment procedures that align with strategic objectives. CC ID 06474 Establish/Maintain Documentation Preventive
    Employ risk assessment procedures that take into account both electronic records and printed records. CC ID 06476 Establish/Maintain Documentation Preventive
    Employ risk assessment procedures that take into account information classification. CC ID 06477 Establish/Maintain Documentation Preventive
    Employ risk assessment procedures that take into account prior risk assessment findings of the same scope. CC ID 06478 Establish/Maintain Documentation Preventive
    Employ risk assessment procedures that take into account the target environment. CC ID 06479 Establish/Maintain Documentation Preventive
    Employ risk assessment procedures that take into account incidents associated with the target environment. CC ID 06480 Establish/Maintain Documentation Preventive
    Employ risk assessment procedures that include appropriate risk treatment options for each identified risk. CC ID 06484 Establish/Maintain Documentation Preventive
    Disseminate and communicate the risk assessment procedures to interested personnel and affected parties. CC ID 14136 Communicate Preventive
    Approve the risk assessment program and associated risk assessment procedures at the senior management level. CC ID 06458 Establish/Maintain Documentation Preventive
    Perform risk assessments for all target environments, as necessary. CC ID 06452
    [The organization shall perform information security risk assessments at planned intervals or when significant changes are proposed or occur, taking account of the criteria established in 6.1.2 a). § 8.2 ¶ 1]
    Testing Preventive
    Include the probability and potential impact of pandemics in the scope of the risk assessment. CC ID 13241 Establish/Maintain Documentation Preventive
    Include physical assets in the scope of the risk assessment. CC ID 13075 Establish/Maintain Documentation Preventive
    Include the results of the risk assessment in the risk assessment report. CC ID 06481
    [The management review shall include consideration of: results of risk assessment and status of risk treatment plan; and § 9.3 ¶ 2 e)]
    Establish/Maintain Documentation Preventive
    Approve the results of the risk assessment as documented in the risk assessment report. CC ID 07109 Audits and Risk Management Preventive
    Update the risk assessment upon discovery of a new threat. CC ID 00708
    [When planning for the information security management system, the organization shall consider the issues referred to in 4.1 and the requirements referred to in 4.2 and determine the risks and opportunities that need to be addressed to: achieve continual improvement. § 6.1.1 ¶ 1 c)]
    Establish/Maintain Documentation Detective
    Review risks to the organization's audit function when changes in the supply chain occur. CC ID 01154 Audits and Risk Management Preventive
    Update the risk assessment upon changes to the risk profile. CC ID 11627
    [The organization shall perform information security risk assessments at planned intervals or when significant changes are proposed or occur, taking account of the criteria established in 6.1.2 a). § 8.2 ¶ 1]
    Establish/Maintain Documentation Detective
    Review the risk to the audit function when the audit personnel status changes. CC ID 01153 Audits and Risk Management Preventive
    Document any reasons for modifying or refraining from modifying the organization's risk assessment when the risk assessment has been reviewed. CC ID 13312 Establish/Maintain Documentation Preventive
    Disseminate and communicate the approved risk assessment report to interested personnel and affected parties. CC ID 10633 Communicate Preventive
    Conduct external audits of risk assessments, as necessary. CC ID 13308 Audits and Risk Management Detective
    Notify the organization upon completion of the external audits of the organization's risk assessment. CC ID 13313 Communicate Preventive
    Establish, implement, and maintain a risk assessment awareness and training program. CC ID 06453 Business Processes Preventive
    Disseminate and communicate information about risks to all interested personnel and affected parties. CC ID 06718 Behavior Preventive
    Evaluate the effectiveness of threat and vulnerability management procedures. CC ID 13491 Investigate Detective
    Correlate the business impact of identified risks in the risk assessment report. CC ID 00686 Audits and Risk Management Preventive
    Analyze and quantify the risks to in scope systems and information. CC ID 00701
    [When planning for the information security management system, the organization shall consider the issues referred to in 4.1 and the requirements referred to in 4.2 and determine the risks and opportunities that need to be addressed to: prevent, or reduce, undesired effects; and § 6.1.1 ¶ 1 b)
    The organization shall define and apply an information security risk assessment process that: evaluates the information security risks: § 6.1.2 ¶ 1 e)
    The organization shall define and apply an information security risk assessment process that: analyses the information security risks: assess the potential consequences that would result if the risks identified in 6.1.2 c) 1) were to materialize; § 6.1.2 ¶ 1 d) 1)
    The organization shall define and apply an information security risk assessment process that: analyses the information security risks: § 6.1.2 ¶ 1 d)]
    Audits and Risk Management Preventive
    Establish and maintain a Risk Scoping and Measurement Definitions Document. CC ID 00703 Audits and Risk Management Preventive
    Identify the material risks in the risk assessment report. CC ID 06482 Audits and Risk Management Preventive
    Assess the potential level of business impact risk associated with each business process. CC ID 06463 Audits and Risk Management Detective
    Assess the potential level of business impact risk associated with the business environment. CC ID 06464 Audits and Risk Management Detective
    Assess the potential level of business impact risk associated with business information of in scope systems. CC ID 06465 Audits and Risk Management Detective
    Identify changes to in scope systems that could threaten communication between business units. CC ID 13173 Investigate Detective
    Assess the potential business impact risk of in scope systems caused by deliberate threats to their confidentiality, integrity, and availability. CC ID 06466 Audits and Risk Management Detective
    Assess the potential level of business impact risk caused by accidental threats to the confidentiality, integrity and availability of critical systems. CC ID 06467
    [{technical vulnerabilities} Information about technical vulnerabilities of information systems being used shall be obtained in a timely fashion, the organization’s exposure to such vulnerabilities evaluated and appropriate measures taken to address the associated risk. A.12.6.1 Control]
    Audits and Risk Management Detective
    Assess the potential level of business impact risk associated with insider threats. CC ID 06468 Audits and Risk Management Detective
    Assess the potential level of business impact risk associated with external entities. CC ID 06469 Audits and Risk Management Detective
    Assess the potential level of business impact risk associated with natural disasters. CC ID 06470 Actionable Reports or Measurements Detective
    Assess the potential level of business impact risk associated with control weaknesses. CC ID 06471 Audits and Risk Management Detective
    Establish a risk acceptance level that is appropriate to the organization's risk appetite. CC ID 00706
    [The organization shall define and apply an information security risk assessment process that establishes and maintains information security risk criteria that include: the risk acceptance criteria; and § 6.1.2 ¶ 1 a) 1)
    The organization shall define and apply an information security risk assessment process that: analyses the information security risks: determine the levels of risk; § 6.1.2 ¶ 1 d) 3)
    The organization shall define and apply an information security risk treatment process to: obtain risk owners' approval of the information security risk treatment plan and acceptance of the residual information security risks. § 6.1.3 ¶ 1 f)]
    Establish/Maintain Documentation Preventive
    Investigate alternative risk control strategies appropriate to the organization's risk appetite. CC ID 12887 Investigate Preventive
    Select the appropriate risk treatment option for each identified risk in the risk register. CC ID 06483
    [The organization shall define and apply an information security risk treatment process to: select appropriate information security risk treatment options, taking account of the risk assessment results; § 6.1.3 ¶ 1 a)]
    Establish/Maintain Documentation Preventive
    Disseminate and communicate the risk acceptance level in the risk treatment plan to all interested personnel and affected parties. CC ID 06849 Behavior Preventive
    Perform a gap analysis to review in scope controls for identified risks and implement new controls, as necessary. CC ID 00704
    [The organization shall define and apply an information security risk treatment process to: compare the controls determined in 6.1.3 b) above with those in Annex A and verify that no necessary controls have been omitted; § 6.1.3 ¶ 1 c)]
    Establish/Maintain Documentation Detective
    Prioritize and select controls based on the risk assessment findings. CC ID 00707
    [The organization shall define and apply an information security risk assessment process that: evaluates the information security risks: prioritize the analysed risks for risk treatment. § 6.1.2 ¶ 1 e) 2)
    The organization shall define and apply an information security risk treatment process to: determine all controls that are necessary to implement the information security risk treatment option(s) chosen; § 6.1.3 ¶ 1 b)]
    Audits and Risk Management Preventive
    Analyze the effect of threats on organizational strategies and objectives. CC ID 12850 Process or Activity Detective
    Analyze the effect of opportunities on organizational strategies and objectives. CC ID 12849 Process or Activity Detective
    Prioritize and categorize the effects of opportunities, threats and requirements on control activities. CC ID 12822 Audits and Risk Management Preventive
    Determine the effectiveness of risk control measures. CC ID 06601 Testing Detective
    Develop key indicators to inform management on the effectiveness of risk control measures. CC ID 12946 Audits and Risk Management Preventive
    Establish and maintain a risk treatment plan. CC ID 11983
    [The organization shall define and apply an information security risk treatment process to: formulate an information security risk treatment plan; and § 6.1.3 ¶ 1 e)
    The organization shall define and apply an information security risk treatment process to: § 6.1.3 ¶ 1
    The organization shall implement the information security risk treatment plan. § 8.3 ¶ 1]
    Establish/Maintain Documentation Preventive
    Identify the planned actions and controls that address high risk. CC ID 12835 Audits and Risk Management Preventive
    Identify the current actions and controls that address high risk. CC ID 12834 Audits and Risk Management Preventive
    Include the risk treatment strategy in the risk treatment plan. CC ID 12159 Establish/Maintain Documentation Preventive
    Revise the risk treatment strategies in the risk treatment plan, as necessary. CC ID 12552 Establish/Maintain Documentation Corrective
    Include an overview of the migration project plan in the risk treatment plan. CC ID 11982 Establish/Maintain Documentation Preventive
    Include change control processes in the risk treatment plan. CC ID 11981 Establish/Maintain Documentation Preventive
    Include a description of the processes to check for new vulnerabilities in the risk treatment plan. CC ID 11980 Establish/Maintain Documentation Preventive
    Include the implemented risk management controls in the risk treatment plan. CC ID 11979 Establish/Maintain Documentation Preventive
    Include requirements for monitoring and reporting in the risk treatment plan, as necessary. CC ID 13620 Establish/Maintain Documentation Preventive
    Include risk assessment results in the risk treatment plan. CC ID 11978 Establish/Maintain Documentation Preventive
    Include a description of usage in the risk treatment plan. CC ID 11977 Establish/Maintain Documentation Preventive
    Document all constraints applied to the risk treatment plan, as necessary. CC ID 13619 Establish/Maintain Documentation Preventive
    Approve the risk treatment plan. CC ID 13495
    [The organization shall define and apply an information security risk treatment process to: obtain risk owners' approval of the information security risk treatment plan and acceptance of the residual information security risks. § 6.1.3 ¶ 1 f)]
    Audits and Risk Management Preventive
    Integrate the corrective action plan based on the risk assessment findings with other risk management activities. CC ID 06457
    [The organization shall plan how to integrate and implement the actions into its information security management system processes; and § 6.1.1 ¶ 2 e) 1)]
    Establish/Maintain Documentation Preventive
    Document and communicate a corrective action plan based on the risk assessment findings. CC ID 00705
    [{technical vulnerabilities} Information about technical vulnerabilities of information systems being used shall be obtained in a timely fashion, the organization’s exposure to such vulnerabilities evaluated and appropriate measures taken to address the associated risk. A.12.6.1 Control
    The organization shall plan: actions to address these risks and opportunities; and § 6.1.1 ¶ 2 d)
    The management review shall include consideration of: results of risk assessment and status of risk treatment plan; and § 9.3 ¶ 2 e)
    The organization shall define and apply an information security risk treatment process to: produce a Statement of Applicability that contains the necessary controls (see 6.1.3 b) and c)) and justification for inclusions, whether they are implemented or not, and the justification for exclusions of controls from Annex A; § 6.1.3 ¶ 1 d)]
    Establish/Maintain Documentation Corrective
    Review and approve the risk assessment findings. CC ID 06485 Establish/Maintain Documentation Preventive
  • Harmonization Methods and Manual of Style
    11
    KEY:    Primary Verb     Primary Noun     Secondary Verb     Secondary Noun     Limiting Term
    Mandated - bold    Implied - italic    Implementation - regular TYPE CLASS
    Harmonization Methods and Manual of Style CC ID 06095 IT Impact Zone IT Impact Zone
    Organize all compliance documents. CC ID 06096
    [When creating and updating documented information the organization shall ensure appropriate: format (e.g. language, software version, graphics) and media (e.g. paper, electronic); and § 7.5.2 ¶ 1 b)
    When creating and updating documented information the organization shall ensure appropriate: format (e.g. language, software version, graphics) and media (e.g. paper, electronic); and § 7.5.2 ¶ 1 b)]
    Establish/Maintain Documentation Preventive
    Organize all compliance documents to fit the message. CC ID 06097 Establish/Maintain Documentation Preventive
    Identify the target audience for compliance documents. CC ID 06108 Establish/Maintain Documentation Preventive
    Define the structure for compliance documents and governance documents. CC ID 06111
    [When creating and updating documented information the organization shall ensure appropriate: identification and description (e.g. a title, date, author, or reference number); § 7.5.2 ¶ 1 a)]
    Establish/Maintain Documentation Preventive
    Subordinate the structure of the compliance document to fit the topic. CC ID 06109 Establish/Maintain Documentation Preventive
    Define visual and formatting styles for all structured headings. CC ID 06110 Establish/Maintain Documentation Preventive
    Define the section heading style, if section headings are being used. CC ID 06112 Establish/Maintain Documentation Preventive
    Use a table of contents to show sections and headings, if section headings are being used. CC ID 06113 Establish/Maintain Documentation Preventive
    Place the table of contents at the document's beginning. CC ID 06114 Establish/Maintain Documentation Preventive
    Add term definitions to the document's end. CC ID 06115 Establish/Maintain Documentation Preventive
  • Human Resources management
    148
    KEY:    Primary Verb     Primary Noun     Secondary Verb     Secondary Noun     Limiting Term
    Mandated - bold    Implied - italic    Implementation - regular TYPE CLASS
    Human Resources management CC ID 00763 IT Impact Zone IT Impact Zone
    Establish and maintain high level operational roles and responsibilities. CC ID 00806 Establish Roles Preventive
    Assign the roles and responsibilities of management in establishing, implementing, and maintaining the information security program. CC ID 13112
    [Top management shall assign the responsibility and authority for: reporting on the performance of the information security management system to top management. § 5.3 ¶ 2 b)]
    Human Resources Management Preventive
    Define and assign workforce roles and responsibilities. CC ID 13267 Human Resources Management Preventive
    Identify and define all key Information Technology roles. CC ID 00777
    [The organization shall determine: who shall monitor and measure; § 9.1 ¶ 2 d)]
    Establish Roles Preventive
    Assign cybersecurity reporting responsibilities to qualified personnel. CC ID 12739 Establish Roles Preventive
    Assign responsibility for cyber threat intelligence. CC ID 12746 Human Resources Management Preventive
    Assign the role of security management to applicable controls. CC ID 06444 Establish Roles Preventive
    Assign the role of security leader to keep up to date on the latest threats. CC ID 12112 Human Resources Management Preventive
    Define and assign the data processor's roles and responsibilities. CC ID 12607 Human Resources Management Preventive
    Assign the data processor to assist the data controller in implementing security controls. CC ID 12677 Human Resources Management Preventive
    Assign the data processor to notify the data controller when personal data processing could infringe on regulations. CC ID 12617 Communicate Preventive
    Define and assign the data controller's roles and responsibilities. CC ID 00471 Establish Roles Preventive
    Assign the role of data controller to be the Point of Contact for the supervisory authority. CC ID 12616 Human Resources Management Preventive
    Assign the role of the Data Controller to cooperate with the supervisory authority. CC ID 12615 Human Resources Management Preventive
    Assign the data controller to facilitate the exercise of the data subject's rights. CC ID 12666 Human Resources Management Preventive
    Assign the role of data controller to applicable controls. CC ID 00354 Establish Roles Preventive
    Assign the role of data controller to provide advice, when requested. CC ID 12611 Human Resources Management Preventive
    Assign the role of data controller to additional personnel, as necessary. CC ID 00473 Establish Roles Preventive
    Assign the role of Information Technology operations to applicable controls. CC ID 00682 Establish Roles Preventive
    Assign the role of logical access control to applicable controls. CC ID 00772 Establish Roles Preventive
    Assign the role of asset physical security to applicable controls. CC ID 00770 Establish Roles Preventive
    Assign the role of data custodian to applicable controls. CC ID 04789 Establish Roles Preventive
    Assign the role of the Quality Management committee to applicable controls. CC ID 00769 Establish Roles Preventive
    Assign interested personnel to the Quality Management committee. CC ID 07193 Establish Roles Preventive
    Assign the roles and responsibilities for the Information Technology asset management system. CC ID 14368 Establish/Maintain Documentation Preventive
    Assign personnel to a crime prevention unit and announce the members of the unit. CC ID 06348 Establish Roles Preventive
    Assign the role of fire protection management to applicable controls. CC ID 04891 Establish Roles Preventive
    Assign the role of Information Technology Service Continuity Management to applicable controls. CC ID 04894 Establish Roles Preventive
    Assign the role of the Computer Emergency Response Team to applicable controls. CC ID 04895 Establish Roles Preventive
    Assign the role of CRYPTO custodian to applicable controls. CC ID 06723 Establish Roles Preventive
    Establish and maintain a personnel management program. CC ID 14018 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain a personnel security program. CC ID 10628 Establish/Maintain Documentation Preventive
    Employ individuals who have the appropriate staff qualifications, staff clearances, and staff competencies. CC ID 00782
    [The organization shall: ensure that these persons are competent on the basis of appropriate education, training, or experience; § 7.2 ¶ 1 b)]
    Testing Detective
    Perform security skills assessments for all critical employees. CC ID 12102 Human Resources Management Detective
    Assign security clearance procedures to qualified personnel. CC ID 06812 Establish Roles Preventive
    Assign personnel screening procedures to qualified personnel. CC ID 11699 Establish Roles Preventive
    Establish and maintain personnel screening procedures. CC ID 11700 Establish/Maintain Documentation Preventive
    Perform a background check during personnel screening. CC ID 11758
    [Background verification checks on all candidates for employment shall be carried out in accordance with relevant laws, regulations and ethics and shall be proportional to the business requirements, the classification of the information to be accessed and the perceived risks. A.7.1.1 Control
    Background verification checks on all candidates for employment shall be carried out in accordance with relevant laws, regulations and ethics and shall be proportional to the business requirements, the classification of the information to be accessed and the perceived risks. A.7.1.1 Control]
    Human Resources Management Detective
    Perform a personal identification check during personnel screening. CC ID 06721 Human Resources Management Preventive
    Perform a criminal records check during personnel screening. CC ID 06643 Establish/Maintain Documentation Preventive
    Include all residences in the criminal records check. CC ID 13306 Process or Activity Preventive
    Document any reasons a full criminal records check could not be performed. CC ID 13305 Establish/Maintain Documentation Preventive
    Perform a personal references check during personnel screening. CC ID 06645 Human Resources Management Preventive
    Perform a credit check during personnel screening. CC ID 06646 Human Resources Management Preventive
    Perform an academic records check during personnel screening. CC ID 06647 Establish/Maintain Documentation Preventive
    Perform a drug test during personnel screening. CC ID 06648 Testing Preventive
    Perform a resume check during personnel screening. CC ID 06659 Human Resources Management Preventive
    Perform a curriculum vitae check during personnel screening. CC ID 06660 Human Resources Management Preventive
    Allow personnel being screened to appeal findings and appeal decisions. CC ID 06720 Human Resources Management Preventive
    Perform personnel screening procedures, as necessary. CC ID 11763 Human Resources Management Preventive
    Document the personnel risk assessment results. CC ID 11764 Establish/Maintain Documentation Detective
    Establish, implement, and maintain security clearance procedures. CC ID 00783 Establish/Maintain Documentation Preventive
    Perform periodic background checks on designated roles, as necessary. CC ID 11759 Human Resources Management Detective
    Perform security clearance procedures, as necessary. CC ID 06644 Human Resources Management Preventive
    Update security clearances, as necessary. CC ID 01634 Human Resources Management Preventive
    Document the security clearance procedure results. CC ID 01635 Establish/Maintain Documentation Detective
    Establish, implement, and maintain personnel status change and termination procedures. CC ID 06549
    [Information security responsibilities and duties that remain valid after termination or change of employment shall be defined, communicated to the employee or contractor and enforced. A.7.3.1 Control]
    Establish/Maintain Documentation Preventive
    Assign an owner of the personnel status change and termination procedures. CC ID 11805 Human Resources Management Preventive
    Notify the security manager, in writing, prior to an employee's job change. CC ID 12283 Human Resources Management Preventive
    Notify all interested personnel and affected parties when personnel status changes or an individual is terminated. CC ID 06677 Behavior Preventive
    Notify terminated individuals of applicable, legally binding post-employment requirements. CC ID 10630
    [Information security responsibilities and duties that remain valid after termination or change of employment shall be defined, communicated to the employee or contractor and enforced. A.7.3.1 Control]
    Communicate Preventive
    Enforce the information security responsibilities and duties that remain valid after termination or change of employment. CC ID 11992
    [Information security responsibilities and duties that remain valid after termination or change of employment shall be defined, communicated to the employee or contractor and enforced. A.7.3.1 Control]
    Human Resources Management Preventive
    Update contact information of any individual undergoing a personnel status change, as necessary. CC ID 12692 Human Resources Management Corrective
    Disseminate and communicate the personnel status change and termination procedures to all interested personnel and affected parties. CC ID 06676 Behavior Preventive
    Conduct exit interviews upon termination of employment. CC ID 14290 Human Resources Management Preventive
    Require terminated individuals to sign an acknowledgment of post-employment requirements. CC ID 10631 Establish/Maintain Documentation Preventive
    Verify completion of each activity in the employee termination checklist when an individual is terminated. CC ID 12449 Human Resources Management Detective
    Train all personnel and third parties, as necessary. CC ID 00785
    [{security awareness, training, and education} All employees of the organization and, where relevant, contractors shall receive appropriate awareness education and training and regular updates in organizational policies and procedures, as relevant for their job function. A.7.2.2 Control
    {security awareness, training, and education} All employees of the organization and, where relevant, contractors shall receive appropriate awareness education and training and regular updates in organizational policies and procedures, as relevant for their job function. A.7.2.2 Control
    The organization shall: where applicable, take actions to acquire the necessary competence, and evaluate the effectiveness of the actions taken; and § 7.2 ¶ 1 c)]
    Behavior Preventive
    Establish and maintain an education methodology. CC ID 06671 Business Processes Preventive
    Support certification programs as viable training programs. CC ID 13268 Human Resources Management Preventive
    Retrain all personnel, as necessary. CC ID 01362
    [{security awareness, training, and education} All employees of the organization and, where relevant, contractors shall receive appropriate awareness education and training and regular updates in organizational policies and procedures, as relevant for their job function. A.7.2.2 Control
    {security awareness, training, and education} All employees of the organization and, where relevant, contractors shall receive appropriate awareness education and training and regular updates in organizational policies and procedures, as relevant for their job function. A.7.2.2 Control]
    Behavior Preventive
    Tailor training to meet published guidance on the subject being taught. CC ID 02217 Behavior Preventive
    Tailor training to be taught at each person's level of responsibility. CC ID 06674 Behavior Preventive
    Conduct cross-training or staff backup training to minimize dependency on critical individuals. CC ID 00786 Behavior Preventive
    Document all training in a training record. CC ID 01423
    [The organization shall: retain appropriate documented information as evidence of competence. § 7.2 ¶ 1 d)]
    Establish/Maintain Documentation Detective
    Use automated mechanisms in the training environment, where appropriate. CC ID 06752 Behavior Preventive
    Conduct tests and evaluate training. CC ID 06672
    [The organization shall: where applicable, take actions to acquire the necessary competence, and evaluate the effectiveness of the actions taken; and § 7.2 ¶ 1 c)]
    Testing Detective
    Hire third parties to conduct training, as necessary. CC ID 13167 Human Resources Management Preventive
    Review the current published guidance and awareness and training programs. CC ID 01245 Establish/Maintain Documentation Preventive
    Establish and implement training plans. CC ID 00828 Establish/Maintain Documentation Preventive
    Train personnel to recognize conditions of diseases or sicknesses, as necessary. CC ID 14383 Training Detective
    Include prevention techniques in training regarding diseases or sicknesses. CC ID 14387 Training Preventive
    Include the concept of disease clusters when training to recognize conditions of diseases or sicknesses. CC ID 14386 Training Preventive
    Train personnel to identify and communicate symptoms of exposure to disease or sickness. CC ID 14385 Training Detective
    Develop or acquire content to update the training plans. CC ID 12867 Training Preventive
    Include portions of the visitor control program in the training plan. CC ID 13287 Establish/Maintain Documentation Preventive
    Include ethical culture in the training plan, as necessary. CC ID 12801 Human Resources Management Preventive
    Include in scope external requirements in the training plan, as necessary. CC ID 13041 Training Preventive
    Include duties and responsibilities in the training plan, as necessary. CC ID 12800 Human Resources Management Preventive
    Conduct bespoke roles and responsibilities training, as necessary. CC ID 13192 Training Preventive
    Include risk management in the training plan, as necessary. CC ID 13040 Training Preventive
    Conduct Archives and Records Management training. CC ID 00975 Behavior Preventive
    Conduct personal data processing training. CC ID 13757 Training Preventive
    Include in personal data processing training how to provide the contact information for the categories of personal data the organization may disclose. CC ID 13758 Training Preventive
    Include the cloud service usage standard in the training plan. CC ID 13039 Training Preventive
    Establish and maintain a security awareness program. CC ID 11746 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain a security awareness and training policy. CC ID 14022 Establish/Maintain Documentation Preventive
    Include compliance requirements in the security awareness and training policy. CC ID 14092 Establish/Maintain Documentation Preventive
    Include coordination amongst entities in the security awareness and training policy. CC ID 14091 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain security awareness and training procedures. CC ID 14054 Establish/Maintain Documentation Preventive
    Review and update the security awareness and training procedures, as necessary. CC ID 14140 Establish/Maintain Documentation Corrective
    Disseminate and communicate the security awareness and training procedures to interested personnel and affected parties. CC ID 14138 Communicate Preventive
    Review and update the security awareness and training policy, as necessary. CC ID 14050 Establish/Maintain Documentation Corrective
    Include management commitment in the security awareness and training policy. CC ID 14049 Establish/Maintain Documentation Preventive
    Include roles and responsibilities in the security awareness and training policy. CC ID 14048 Establish/Maintain Documentation Preventive
    Include the scope in the security awareness and training policy. CC ID 14047 Establish/Maintain Documentation Preventive
    Include the purpose in the security awareness and training policy. CC ID 14045 Establish/Maintain Documentation Preventive
    Include configuration management procedures in the security awareness program. CC ID 13967 Establish/Maintain Documentation Preventive
    Document security awareness requirements. CC ID 12146 Establish/Maintain Documentation Preventive
    Include safeguards for information systems in the security awareness program. CC ID 13046 Establish/Maintain Documentation Preventive
    Include security policies and security standards in the security awareness program. CC ID 13045 Establish/Maintain Documentation Preventive
    Include mobile device security guidelines in the security awareness program. CC ID 11803 Establish/Maintain Documentation Preventive
    Include updates on emerging issues in the security awareness program. CC ID 13184 Training Preventive
    Include cybersecurity in the security awareness program. CC ID 13183 Training Preventive
    Include training based on the participants' level of responsibility and access level in the security awareness program. CC ID 11802 Establish/Maintain Documentation Preventive
    Include a requirement to train all new hires and interested personnel in the security awareness program. CC ID 11800 Establish/Maintain Documentation Preventive
    Include remote access in the security awareness program. CC ID 13892 Establish/Maintain Documentation Preventive
    Document the goals of the security awareness program. CC ID 12145 Establish/Maintain Documentation Preventive
    Compare current security awareness assessment reports to the security awareness baseline. CC ID 12150 Establish/Maintain Documentation Preventive
    Establish and maintain management's commitment to supporting the security awareness program. CC ID 12151 Human Resources Management Preventive
    Establish and maintain a steering committee to guide the security awareness program. CC ID 12149 Human Resources Management Preventive
    Document the scope of the security awareness program. CC ID 12148 Establish/Maintain Documentation Preventive
    Establish and maintain a security awareness baseline. CC ID 12147 Establish/Maintain Documentation Preventive
    Encourage interested personnel to obtain security certification. CC ID 11804 Human Resources Management Preventive
    Disseminate and communicate security awareness and the internal control framework to all interested personnel and affected parties. CC ID 00823
    [Persons doing work under the organization's control shall be aware of: their contribution to the effectiveness of the information security management system, including the benefits of improved information security performance; and § 7.3 ¶ 1 b)]
    Behavior Preventive
    Train all personnel and third parties on how to recognize and report security incidents. CC ID 01211
    [Employees and contractors using the organization’s information systems and services shall be required to note and report any observed or suspected information security weaknesses in systems or services. A.16.1.3 Control]
    Behavior Preventive
    Train all personnel and third parties on how to recognize and report system failures. CC ID 13475 Training Preventive
    Require personnel to acknowledge, through writing their signature, that they have read and understand the organization's security policies. CC ID 01363
    [Management shall require all employees and contractors to apply information security in accordance with the established policies and procedures of the organization. A.7.2.1 Control
    Persons doing work under the organization's control shall be aware of: the implications of not conforming with the information security management system requirements. § 7.3 ¶ 1 c)]
    Establish/Maintain Documentation Preventive
    Monitor and measure the effectiveness of security awareness. CC ID 06262 Monitor and Evaluate Occurrences Detective
    Conduct secure coding and development training for developers. CC ID 06822 Behavior Corrective
    Conduct tampering prevention training. CC ID 11875 Training Preventive
    Include the mandate to refrain from installing, refrain from replacing, refrain from returning any asset absent verification in the tampering prevention training. CC ID 11877 Training Preventive
    Include how to identify and authenticate third parties claiming to be maintenance personnel in the tampering prevention training. CC ID 11876 Training Preventive
    Include how to report tampering in the tampering prevention training. CC ID 11879 Training Preventive
    Include how to prevent physical tampering in the tampering prevention training. CC ID 11878 Training Preventive
    Include procedures on how to inspect devices in the tampering prevention training. CC ID 11990 Training Preventive
    Train interested personnel and affected parties to collect digital forensic evidence. CC ID 08658 Training Preventive
    Update training plans, as necessary. CC ID 12868 Training Preventive
    Conduct crime prevention training. CC ID 06350 Behavior Preventive
    Analyze and evaluate training records to improve the training program. CC ID 06380 Monitor and Evaluate Occurrences Detective
    Establish and maintain a Code of Conduct as a part of the Terms and Conditions of employment. CC ID 04897 Establish/Maintain Documentation Preventive
    Include the information security responsibilities of the organization and the individual in the Terms and Conditions of employment. CC ID 12029
    [The contractual agreements with employees and contractors shall state their and the organization’s responsibilities for information security. A.7.1.2 Control]
    Human Resources Management Preventive
    Implement a sanctions process for personnel who fail to comply to the organizational compliance program. CC ID 01442
    [{implement} There shall be a formal and communicated disciplinary process in place to take action against employees who have committed an information security breach. A.7.2.3 Control]
    Behavior Corrective
    Notify designated personnel when a formal personnel sanctions process is initiated. CC ID 10632 Communicate Preventive
    Conduct staff performance reviews, as necessary. CC ID 07205
    [The organization shall: determine the necessary competence of person(s) doing work under its control that affects its information security performance; § 7.2 ¶ 1 a)]
    Business Processes Detective
    Use automated tools to collect Information Technology inventory information, as necessary. CC ID 07054 Technical Security Preventive
    Analyze the documentation produced by staff during the performance review. CC ID 07207 Establish/Maintain Documentation Detective
  • Leadership and high level objectives
    260
    KEY:    Primary Verb     Primary Noun     Secondary Verb     Secondary Noun     Limiting Term
    Mandated - bold    Implied - italic    Implementation - regular TYPE CLASS
    Leadership and high level objectives CC ID 00597 IT Impact Zone IT Impact Zone
    Analyze organizational objectives, functions, and activities. CC ID 00598
    [Top management shall demonstrate leadership and commitment with respect to the information security management system by: ensuring that the information security management system achieves its intended outcome(s); § 5.1 ¶ 1 e)
    When planning how to achieve its information security objectives, the organization shall determine: how the results will be evaluated. § 6.2 ¶ 4 j)]
    Monitor and Evaluate Occurrences Preventive
    Develop instructions for setting organizational objectives and strategies. CC ID 12931 Establish/Maintain Documentation Preventive
    Analyze the business environment in which the organization operates. CC ID 12798 Business Processes Preventive
    Identify the internal factors that may affect organizational objectives. CC ID 12957 Process or Activity Preventive
    Include key processes in the analysis of the internal business environment. CC ID 12947 Process or Activity Preventive
    Include existing information in the analysis of the internal business environment. CC ID 12943 Process or Activity Preventive
    Include resources in the analysis of the internal business environment. CC ID 12942 Process or Activity Preventive
    Include the operating plan in the analysis of the internal business environment. CC ID 12941 Process or Activity Preventive
    Include incentives in the analysis of the internal business environment. CC ID 12940 Process or Activity Preventive
    Include organizational structures in the analysis of the internal business environment. CC ID 12939 Process or Activity Preventive
    Include the strategic plan in the analysis of the internal business environment. CC ID 12937 Process or Activity Preventive
    Include strengths and weaknesses in the analysis of the internal business environment. CC ID 12936 Process or Activity Preventive
    Align assets with business functions and the business environment. CC ID 13681 Business Processes Preventive
    Disseminate and communicate the organization's business environment and place in its industry sector, as necessary. CC ID 13200 Communicate Preventive
    Monitor for changes which affect organizational strategies in the internal business environment. CC ID 12863 Monitor and Evaluate Occurrences Preventive
    Monitor for changes which affect organizational objectives in the internal business environment. CC ID 12862 Monitor and Evaluate Occurrences Preventive
    Analyze the external environment in which the organization operates. CC ID 12799 Business Processes Preventive
    Identify the external forces that may affect organizational objectives. CC ID 12960 Process or Activity Preventive
    Monitor for changes which affect organizational strategies in the external environment. CC ID 12880 Monitor and Evaluate Occurrences Preventive
    Include environmental requirements in the analysis of the external environment. CC ID 12965 Business Processes Preventive
    Monitor for changes which affect organizational objectives in the external environment. CC ID 12879 Monitor and Evaluate Occurrences Preventive
    Include regulatory requirements in the analysis of the external environment. CC ID 12964 Business Processes Preventive
    Include society in the analysis of the external environment. CC ID 12963 Business Processes Preventive
    Include opportunities in the analysis of the external environment. CC ID 12954 Business Processes Preventive
    Include third party relationships in the analysis of the external environment. CC ID 12952 Business Processes Preventive
    Include industry forces in the analysis of the external environment. CC ID 12904 Business Processes Preventive
    Include threats in the analysis of the external environment. CC ID 12898 Business Processes Preventive
    Include geopolitics in the analysis of the external environment. CC ID 12897 Business Processes Preventive
    Include legal requirements in the analysis of the external environment. CC ID 12896 Business Processes Preventive
    Include technology in the analysis of the external environment. CC ID 12837 Business Processes Preventive
    Include analyzing the market in the analysis of the external environment. CC ID 12836 Business Processes Preventive
    Conduct a context analysis to define objectives and strategies. CC ID 12864 Business Processes Preventive
    Document organizational objectives. CC ID 09959
    [The organization shall establish information security objectives at relevant functions and levels. § 6.2 ¶ 1
    The information security objectives shall: be consistent with the information security policy; § 6.2 ¶ 2 a)
    When planning how to achieve its information security objectives, the organization shall determine: when it will be completed; and § 6.2 ¶ 4 i)
    {risk assessment result} {information security risk treatment result} The information security objectives shall: take into account applicable information security requirements, and results from risk assessment and risk treatment; § 6.2 ¶ 2 c)
    {risk assessment result} {information security risk treatment result} The information security objectives shall: take into account applicable information security requirements, and results from risk assessment and risk treatment; § 6.2 ¶ 2 c)
    {risk assessment result} {information security risk treatment result} The information security objectives shall: take into account applicable information security requirements, and results from risk assessment and risk treatment; § 6.2 ¶ 2 c)
    Top management shall demonstrate leadership and commitment with respect to the information security management system by: ensuring the information security policy and the information security objectives are established and are compatible with the strategic direction of the organization; § 5.1 ¶ 1 a)]
    Establish/Maintain Documentation Preventive
    Evaluate organizational objectives to determine impact on other organizational objectives. CC ID 12814 Process or Activity Preventive
    Identify events that may affect organizational objectives. CC ID 12961 Process or Activity Preventive
    Identify conditions that may affect organizational objectives. CC ID 12958 Process or Activity Preventive
    Identify requirements that could affect achieving organizational objectives. CC ID 12828 Business Processes Preventive
    Identify opportunities that could affect achieving organizational objectives. CC ID 12826 Business Processes Preventive
    Prioritize organizational objectives. CC ID 09960
    [When planning how to achieve its information security objectives, the organization shall determine: what will be done; § 6.2 ¶ 4 f)]
    Business Processes Preventive
    Review and update organizational objectives, as necessary. CC ID 13494
    [The information security objectives shall: be updated as appropriate. § 6.2 ¶ 2 e)]
    Establish/Maintain Documentation Preventive
    Select financial reporting objectives consistent with accounting principles available to the organization. CC ID 12400 Business Processes Preventive
    Establish and maintain a Mission, Vision, and Values Statement. CC ID 12783 Establish/Maintain Documentation Preventive
    Include the vision statement in the Mission, Vision, and Values Statement. CC ID 12839 Establish/Maintain Documentation Preventive
    Include the mission statement in the Mission, Vision, and Values Statement. CC ID 12838 Establish/Maintain Documentation Preventive
    Include management commitment in the Mission, Vision, and Values Statement. CC ID 12808 Establish/Maintain Documentation Preventive
    Include the value statement in the Mission, Vision, and Values Statement. CC ID 12807 Establish/Maintain Documentation Preventive
    Disseminate and communicate organizational objectives to all interested personnel and affected parties. CC ID 13191
    [The information security objectives shall: be communicated; and § 6.2 ¶ 2 d)]
    Communicate Preventive
    Document and communicate the linkage between organizational objectives, functions, activities and general controls. CC ID 12398 Establish/Maintain Documentation Preventive
    Identify threats that could affect achieving organizational objectives. CC ID 12827 Business Processes Preventive
    Identify how opportunities, threats, and external requirements are trending. CC ID 12829 Process or Activity Preventive
    Identify relationships between opportunities, threats, and external requirements. CC ID 12805 Process or Activity Preventive
    Review the organization's approach to managing information security, as necessary. CC ID 12005
    [The organization’s approach to managing information security and Independent review of its implementation (i.e. control objectives, controls, policies, processes and procedures for information security) shall be reviewed independently at planned intervals or when significant changes occur. A.18.2.1 Control
    The organization shall plan, implement and control the processes needed to meet information security requirements, and to implement the actions determined in 6.1. The organization shall also implement plans to achieve information security objectives determined in 6.2. § 8.1 ¶ 1]
    Business Processes Preventive
    Identify all interested personnel and affected parties. CC ID 12845
    [The organization shall determine: {relevant interested parties} interested parties that are relevant to the information security management system; and § 4.2 ¶ 1 a)]
    Process or Activity Detective
    Analyze and prioritize the requirements of interested personnel and affected parties. CC ID 12796
    [The organization shall determine: the requirements of these interested parties relevant to information security. § 4.2 ¶ 1 b)]
    Business Processes Preventive
    Establish, implement, and maintain an information classification standard. CC ID 00601 Establish/Maintain Documentation Preventive
    Take into account the accessibility to and location of the data or information when establishing information impact levels. CC ID 04787 Data and Information Management Preventive
    Take into account the organization's obligation to protect data or information when establishing information impact levels. CC ID 04786 Data and Information Management Preventive
    Take into account the context of use for data or information when establishing information impact levels. CC ID 04785 Data and Information Management Preventive
    Take into account the potential aggregation of restricted data fields when establishing information impact levels. CC ID 04784 Data and Information Management Preventive
    Classify the sensitivity to unauthorized disclosure or modification of information in the information classification standard. CC ID 11997
    [Information shall be classified in terms of legal requirements, value, criticality and sensitivity to unauthorised disclosure or modification. A.8.2.1 Control]
    Data and Information Management Preventive
    Take into account the distinguishability factor when establishing information impact levels. CC ID 04783 Data and Information Management Preventive
    Classify the criticality to unauthorized disclosure or modification of information in the information classification standard. CC ID 11996
    [Information shall be classified in terms of legal requirements, value, criticality and sensitivity to unauthorised disclosure or modification. A.8.2.1 Control]
    Data and Information Management Preventive
    Classify the value of information in the information classification standard. CC ID 11995
    [Information shall be classified in terms of legal requirements, value, criticality and sensitivity to unauthorised disclosure or modification. A.8.2.1 Control]
    Data and Information Management Preventive
    Classify the legal requirements of information in the information classification standard. CC ID 11994
    [Information shall be classified in terms of legal requirements, value, criticality and sensitivity to unauthorised disclosure or modification. A.8.2.1 Control]
    Data and Information Management Preventive
    Establish and maintain a data classification scheme. CC ID 11628 Establish/Maintain Documentation Preventive
    Review and approve the data classification scheme. CC ID 13858 Establish/Maintain Documentation Detective
    Establish and maintain an organizational data dictionary, including data syntax rules. CC ID 00600 Establish/Maintain Documentation Preventive
    Refrain from including metadata in the data dictionary. CC ID 13529 Establish/Maintain Documentation Preventive
    Refrain from allowing incompatible data elements in the data dictionary. CC ID 13624 Establish/Maintain Documentation Preventive
    Include information needed to understand each data element and population in the data dictionary. CC ID 13528 Establish/Maintain Documentation Preventive
    Ensure the data dictionary is complete and accurate. CC ID 13527 Investigate Detective
    Include the factors to determine what is included or excluded from the data element in the data dictionary. CC ID 13525 Establish/Maintain Documentation Preventive
    Include the date or time period the data was observed in the data dictionary. CC ID 13524 Establish/Maintain Documentation Preventive
    Include the uncertainty in the population of each data element in the data dictionary. CC ID 13522 Establish/Maintain Documentation Preventive
    Include the uncertainty of each data element in the data dictionary. CC ID 13521 Establish/Maintain Documentation Preventive
    Include the measurement units for each data element in the data dictionary. CC ID 13534 Establish/Maintain Documentation Preventive
    Include the precision of the measurement in the data dictionary. CC ID 13520 Establish/Maintain Documentation Preventive
    Include the data source in the data dictionary. CC ID 13519 Establish/Maintain Documentation Preventive
    Include the nature of each element in the data dictionary. CC ID 13518 Establish/Maintain Documentation Preventive
    Include the population of events or instances in the data dictionary. CC ID 13517 Establish/Maintain Documentation Preventive
    Disseminate and communicate the data dictionary to interested personnel and affected parties. CC ID 13516 Communicate Preventive
    Establish, implement, and maintain an Information and Infrastructure Architecture model. CC ID 00599 Establish/Maintain Documentation Preventive
    Establish and maintain sustainable infrastructure planning. CC ID 00603 Establish/Maintain Documentation Preventive
    Take into account the need for protecting information confidentiality during infrastructure planning. CC ID 06486 Behavior Preventive
    Monitor regulatory trends to maintain compliance. CC ID 00604 Monitor and Evaluate Occurrences Detective
    Monitor for new Information Security solutions. CC ID 07078 Monitor and Evaluate Occurrences Detective
    Subscribe to a threat intelligence service to receive notification of emerging threats. CC ID 12135 Technical Security Detective
    Disseminate and communicate emerging threats to all interested personnel and affected parties. CC ID 12185 Communicate Preventive
    Disseminate and communicate updated guidance documentation to interested personnel and affected parties upon discovery of a new threat. CC ID 12191 Communicate Corrective
    Establish, implement, and maintain a Quality Management framework. CC ID 07196 Establish/Maintain Documentation Preventive
    Include supply chain management standards in the Quality Management framework. CC ID 13701 Establish/Maintain Documentation Preventive
    Establish and maintain a Quality Management policy. CC ID 13694 Establish/Maintain Documentation Preventive
    Include a commitment to satisfy applicable requirements in the Quality Management policy. CC ID 13700 Establish/Maintain Documentation Preventive
    Tailor the Quality Management policy to support the organization's strategic direction. CC ID 13699 Establish/Maintain Documentation Preventive
    Include a commitment to continual improvement of the Quality Management system in the Quality Management policy. CC ID 13698 Establish/Maintain Documentation Preventive
    Include critical Information Technology processes in the Quality Management framework. CC ID 13645 Establish/Maintain Documentation Preventive
    Disseminate and communicate the Quality Management policy to all interested personnel and affected parties. CC ID 13695 Communicate Preventive
    Disseminate and communicate the Quality Management framework to all stakeholders, as necessary. CC ID 13680 Communicate Preventive
    Align the quality objectives with the Quality Management policy. CC ID 13697 Establish/Maintain Documentation Preventive
    Establish and maintain an overall Quality Management standard. CC ID 01006 Establish/Maintain Documentation Preventive
    Document the measurements used by Quality Assurance and Quality Control testing. CC ID 07200 Establish/Maintain Documentation Preventive
    Implement the Quality Management program. CC ID 13696 Business Processes Preventive
    Correct errors and deficiencies in a timely manner. CC ID 13501 Business Processes Corrective
    Enforce a continuous Quality Control system. CC ID 01005 Business Processes Detective
    Conduct Quality Control to ensure adherence to Information Technology policies, standards, and procedures. CC ID 01008 Testing Detective
    Establish and maintain a Quality Management program. CC ID 07201 Establish/Maintain Documentation Preventive
    Include quality objectives in the Quality Management program. CC ID 13693 Establish/Maintain Documentation Preventive
    Include quality gates and testing milestones in the Quality Management program. CC ID 06825 Systems Design, Build, and Implementation Preventive
    Document the deficiencies in a deficiency report that were found during Quality Control and corrected during Quality Improvement. CC ID 07203 Establish/Maintain Documentation Preventive
    Include program documentation standards in the Quality Management program. CC ID 01016 Establish/Maintain Documentation Preventive
    Establish and maintain time frames for correcting deficiencies found during Quality Control. CC ID 07206 Business Processes Detective
    Include program testing standards in the Quality Management program. CC ID 01017 Establish/Maintain Documentation Preventive
    Review and analyze any quality improvement goals that were missed. CC ID 07204 Business Processes Detective
    Include system testing standards in the Quality Management program. CC ID 01018 Establish/Maintain Documentation Preventive
    Include a bug tracking system in the Quality Management program. CC ID 06824 Systems Design, Build, and Implementation Preventive
    Review the Quality Management framework, as necessary. CC ID 07198 Establish/Maintain Documentation Preventive
    Establish and maintain the scope of the organizational compliance framework and Information Assurance controls. CC ID 01241
    [{information security management system} The scope shall be available as documented information. § 4.3 ¶ 3
    The organization shall determine the boundaries and applicability of the information security management system to establish its scope. § 4.3 ¶ 1
    When determining this scope, the organization shall consider: the external and internal issues referred to in 4.1; § 4.3 ¶ 2 a)
    When determining this scope, the organization shall consider: the requirements referred to in 4.2; and § 4.3 ¶ 2 b)
    When determining this scope, the organization shall consider: interfaces and dependencies between activities performed by the organization, and those that are performed by other organizations. § 4.3 ¶ 2 c)]
    Establish/Maintain Documentation Preventive
    Define the scope of the security policy. CC ID 07145 Data and Information Management Preventive
    Identify roles, tasks, information, systems, and assets that fall under the organization's mandated Authority Documents. CC ID 00688
    [Assets associated with information and information processing facilities shall be identified and an inventory of these assets shall be drawn up and maintained. A.8.1.1 Control
    All relevant legislative statutory, regulatory, contractual requirements and the organization’s approach to meet these requirements shall be explicitly identified, documented and kept up to date for each information system and the organization. A.18.1.1 Control
    All relevant legislative statutory, regulatory, contractual requirements and the organization’s approach to meet these requirements shall be explicitly identified, documented and kept up to date for each information system and the organization. A.18.1.1 Control
    The organization shall determine external and internal issues that are relevant to its purpose and that affect its ability to achieve the intended outcome(s) of its information security management system. § 4.1 ¶ 1]
    Business Processes Preventive
    Establish and maintain an Information Systems Assurance Categories Definitions document. CC ID 01608 Establish/Maintain Documentation Preventive
    Correlate Information Systems with applicable controls. CC ID 01621 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain a policy and procedure management program. CC ID 06285
    [The organization shall plan, implement and control the processes needed to meet information security requirements, and to implement the actions determined in 6.1. The organization shall also implement plans to achieve information security objectives determined in 6.2. § 8.1 ¶ 1
    Documented information required by the information security management system and by this International Standard shall be controlled to ensure: § 7.5.3 ¶ 1]
    Establish/Maintain Documentation Preventive
    Include the effective date on all organizational policies. CC ID 06820 Establish/Maintain Documentation Preventive
    Include requirements in the organization’s policies, standards, and procedures. CC ID 12956
    [{integrate} Top management shall demonstrate leadership and commitment with respect to the information security management system by: ensuring the integration of the information security management system requirements into the organization's processes; § 5.1 ¶ 1 b)]
    Establish/Maintain Documentation Preventive
    Analyze organizational policies, as necessary. CC ID 14037 Establish/Maintain Documentation Detective
    Include threats in the organization’s policies, standards, and procedures. CC ID 12953 Establish/Maintain Documentation Preventive
    Include opportunities in the organization’s policies, standards, and procedures. CC ID 12945 Establish/Maintain Documentation Preventive
    Establish and maintain a list of compliance documents. CC ID 07113
    [All relevant legislative statutory, regulatory, contractual requirements and the organization’s approach to meet these requirements shall be explicitly identified, documented and kept up to date for each information system and the organization. A.18.1.1 Control
    All relevant legislative statutory, regulatory, contractual requirements and the organization’s approach to meet these requirements shall be explicitly identified, documented and kept up to date for each information system and the organization. A.18.1.1 Control]
    Establish/Maintain Documentation Preventive
    Map in scope assets and in scope records to external requirements. CC ID 12189 Establish/Maintain Documentation Detective
    Document organizational procedures that harmonize external requirements, including all legal requirements. CC ID 00623 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain full documentation of all policies, standards, and procedures that support the organization's compliance framework. CC ID 01636
    [For the control of documented information, the organization shall address the following activities, as applicable: distribution, access, retrieval and use; § 7.5.3 ¶ 2 c)]
    Establish/Maintain Documentation Preventive
    Disseminate and communicate the organization’s policies, standards, and procedures to all interested personnel and affected parties. CC ID 12901
    [Documented information required by the information security management system and by this International Standard shall be controlled to ensure: it is available and suitable for use, where and when it is needed; and § 7.5.3 ¶ 1 a)]
    Communicate Preventive
    Disseminate and communicate the list of Authority Documents that support the organization's compliance framework to interested personnel and affected parties. CC ID 01312 Establish/Maintain Documentation Preventive
    Classify controls according to their preventive, detective, or corrective status. CC ID 06436 Establish/Maintain Documentation Preventive
    Publish, disseminate, and communicate a Statement on Internal Control, as necessary. CC ID 06727 Establish/Maintain Documentation Preventive
    Include confirmation of any significant weaknesses in the Statement on Internal Control. CC ID 06861 Establish/Maintain Documentation Preventive
    Include an assurance statement regarding the counterterror protective security plan in the Statement on Internal Control. CC ID 06866 Establish/Maintain Documentation Preventive
    Include the counterterror protective security plan test results in the Statement on Internal Control. CC ID 06867 Establish/Maintain Documentation Detective
    Assign legislative body jurisdiction to the organization's assets, as necessary. CC ID 06956 Establish Roles Preventive
    Approve all compliance documents. CC ID 06286 Establish/Maintain Documentation Preventive
    Align the list of compliance documents with external requirements. CC ID 06288 Establish/Maintain Documentation Preventive
    Assign the appropriate roles to all applicable compliance documents. CC ID 06284 Establish Roles Preventive
    Identify and document the Designated Approval Authority for compliance documents. CC ID 07114 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain a compliance exception standard. CC ID 01628 Establish/Maintain Documentation Preventive
    Include the authority for granting exemptions in the compliance exception standard. CC ID 14329 Establish/Maintain Documentation Preventive
    Document compliance exceptions, as necessary. CC ID 01630 Establish/Maintain Documentation Detective
    Include explanations, compensating controls, or risk acceptance in the compliance exceptions Exceptions document. CC ID 01631 Establish/Maintain Documentation Preventive
    Review the compliance exceptions in the exceptions document, as necessary. CC ID 01632 Business Processes Preventive
    Include when exemptions expire in the compliance exception standard. CC ID 14330 Establish/Maintain Documentation Preventive
    Assign the approval of compliance exceptions to the appropriate roles inside the organization. CC ID 06443 Establish Roles Preventive
    Include management of the exemption register in the compliance exception standard. CC ID 14328 Establish/Maintain Documentation Preventive
    Disseminate and communicate compliance documents to all interested personnel and affected parties. CC ID 06282 Behavior Preventive
    Disseminate and communicate any compliance document changes when the documents are updated to interested personnel and affected parties. CC ID 06283 Behavior Preventive
    Estimate the costs of implementing the compliance framework. CC ID 07191 Business Processes Preventive
    Define the Information Assurance strategic roles and responsibilities. CC ID 00608 Establish Roles Preventive
    Establish and maintain a compliance oversight committee. CC ID 00765 Establish Roles Detective
    Address Information Security during the business planning processes. CC ID 06495
    [Information security shall be addressed in project management, regardless of the type of the project. A.6.1.5 Control
    Top management shall demonstrate leadership and commitment with respect to the information security management system by: ensuring the information security policy and the information security objectives are established and are compatible with the strategic direction of the organization; § 5.1 ¶ 1 a)]
    Data and Information Management Preventive
    Document the requirements of stakeholders during the business planning process regarding Information Security. CC ID 06498 Establish/Maintain Documentation Preventive
    Establish and maintain a strategic plan. CC ID 12784
    [Top management shall demonstrate leadership and commitment with respect to the information security management system by: ensuring the information security policy and the information security objectives are established and are compatible with the strategic direction of the organization; § 5.1 ¶ 1 a)]
    Establish/Maintain Documentation Preventive
    Determine progress toward the objectives of the strategic plan. CC ID 12944 Process or Activity Preventive
    Include acting with integrity in the strategic plan. CC ID 12870 Establish/Maintain Documentation Preventive
    Include the outsource partners in the strategic plan, as necessary. CC ID 13960 Establish/Maintain Documentation Preventive
    Align the cybersecurity program strategy with the organization's strategic plan. CC ID 14322 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain a security planning policy. CC ID 14027 Establish/Maintain Documentation Preventive
    Review and update the security planning policy, as necessary. CC ID 14132 Establish/Maintain Documentation Corrective
    Include compliance requirements in the security planning policy. CC ID 14131 Establish/Maintain Documentation Preventive
    Include coordination amongst entities in the security planning policy. CC ID 14130 Establish/Maintain Documentation Preventive
    Include management commitment in the security planning policy. CC ID 14129 Establish/Maintain Documentation Preventive
    Include roles and responsibilities in the security planning policy. CC ID 14128 Establish/Maintain Documentation Preventive
    Include the scope in the security planning policy. CC ID 14127 Establish/Maintain Documentation Preventive
    Include the purpose in the security planning policy. CC ID 14126 Establish/Maintain Documentation Preventive
    Disseminate and communicate the security planning policy to interested personnel and affected parties. CC ID 14125 Communicate Preventive
    Establish, implement, and maintain security planning procedures. CC ID 14060 Establish/Maintain Documentation Preventive
    Disseminate and communicate the security planning procedures to interested personnel and affected parties. CC ID 14135 Communicate Preventive
    Review and update the security planning procedures. CC ID 14133 Establish/Maintain Documentation Corrective
    Establish and maintain a decision management strategy. CC ID 06913 Establish/Maintain Documentation Preventive
    Include an economic impact analysis in the decision management strategy. CC ID 14015 Establish/Maintain Documentation Preventive
    Include cost benefit analysis in the decision management strategy. CC ID 14014 Establish/Maintain Documentation Preventive
    Include criteria for compliance in the decision making criteria. CC ID 12951 Establish/Maintain Documentation Preventive
    Include criteria for risk tolerance in the decision making criteria. CC ID 12950 Establish/Maintain Documentation Preventive
    Include criteria for selecting objectives and strategies in the decision making criteria. CC ID 12949 Establish/Maintain Documentation Preventive
    Include criteria for setting priorities in the decision making criteria. CC ID 12938 Establish/Maintain Documentation Preventive
    Align organizational objectives with compliance objectives in the decision-making criteria. CC ID 12847 Process or Activity Preventive
    Align organizational objectives with performance targets in the decision-making criteria. CC ID 12843 Process or Activity Preventive
    Align organizational objectives with the acceptable residual risk in the decision-making criteria. CC ID 12841 Process or Activity Preventive
    Identify and document the events that initiate the decision management strategy. CC ID 06914 Establish/Maintain Documentation Detective
    Create additional decision-making criteria to achieve organizational objectives, as necessary. CC ID 12948 Process or Activity Preventive
    Involve knowledgeable and experienced individuals in the decision-making process. CC ID 06915 Behavior Preventive
    Take actions in accordance with the decision-making criteria. CC ID 12909 Process or Activity Preventive
    Document and evaluate the decision outcomes from the decision-making process. CC ID 06918 Establish/Maintain Documentation Preventive
    Communicate the decision management strategy to all interested personnel and affected parties, as necessary. CC ID 13991 Communicate Preventive
    Establish, implement, and maintain an information technology process framework. CC ID 13648 Establish/Maintain Documentation Preventive
    Include maturity models in the Information Technology process framework. CC ID 13652 Establish/Maintain Documentation Preventive
    Include relationships between Information Technology process structures in the Information Technology process framework. CC ID 13651 Establish/Maintain Documentation Preventive
    Include Information Technology process structures in the Information Technology process framework. CC ID 13650 Establish/Maintain Documentation Preventive
    Establish and maintain a tactical plan. CC ID 12785 Establish/Maintain Documentation Preventive
    Include acting with integrity in the tactical plan. CC ID 12871 Establish/Maintain Documentation Preventive
    Establish and maintain a high-level Strategic Information Technology Plan. CC ID 00628 Establish/Maintain Documentation Preventive
    Include business continuity objectives in the Strategic Information Technology Plan. CC ID 06496 Establish/Maintain Documentation Preventive
    Align business continuity objectives with the business continuity policy. CC ID 12408 Establish/Maintain Documentation Preventive
    Use a risk-based approach to adapt the Strategic Information Technology Plan to the business's needs. CC ID 00631 Business Processes Corrective
    Mirror the organization's business strategy during Information Technology planning in the Strategic Information Technology Plan. CC ID 00630 Business Processes Preventive
    Incorporate protecting restricted information from unauthorized information flow or unauthorized disclosure into the Strategic Information Technology Plan. CC ID 06491 Establish/Maintain Documentation Preventive
    Include the references to the organization's Information Technology systems in the Strategic Information Technology Plan, as necessary. CC ID 13959 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain tactical Information Technology plans in support of the Strategic Information Technology Plan. CC ID 00632 Establish/Maintain Documentation Preventive
    Establish and maintain tactical Information Technology plans derived from the Strategic Information Technology Plan. CC ID 01609 Establish/Maintain Documentation Preventive
    Document how each Information Technology project plan directly or indirectly supports the Strategic Information Technology Plan. CC ID 06497 Establish/Maintain Documentation Preventive
    Document the business case and return on investment in each Information Technology project plan. CC ID 06846 Establish/Maintain Documentation Preventive
    Escalate for management authorization any proposed projects where effective use of existing resources is overlooked. CC ID 06848 Business Processes Preventive
    Document all desired outcomes for a proposed project in the Information Technology project plan. CC ID 06916 Establish/Maintain Documentation Preventive
    Document the success criteria for the proposed project in the Information Technology project plan. CC ID 06917 Establish/Maintain Documentation Preventive
    Assign senior management to approve business cases. CC ID 13068 Human Resources Management Preventive
    Include milestones for each project phase in the Information Technology project plan. CC ID 12621 Establish/Maintain Documentation Preventive
    Document lessons learned at the conclusion of each Information Technology project. CC ID 13654 Establish/Maintain Documentation Corrective
    Establish and maintain a counterterror protective security plan. CC ID 06862 Establish/Maintain Documentation Preventive
    Include communications and awareness activities in the counterterror protective security plan. CC ID 06863 Establish/Maintain Documentation Preventive
    Include the protective security measures to implement after a change in the government response level in the counterterror protective security plan. CC ID 06864 Establish/Maintain Documentation Preventive
    Include a search plan in the counterterror protective security plan. CC ID 06865 Establish/Maintain Documentation Preventive
    Include an evacuation plan in the counterterror protective security plan. CC ID 06940 Establish/Maintain Documentation Preventive
    Include a continuity plan in the counterterror protective security plan. CC ID 07031 Establish/Maintain Documentation Preventive
    Establish and maintain Information Technology projects in support of the Strategic Information Technology Plan. CC ID 13673 Establish/Maintain Documentation Preventive
    Disseminate and communicate the Information Technology Plans to all interested personnel and affected parties. CC ID 00633 Establish/Maintain Documentation Preventive
    Monitor and evaluate the implementation and effectiveness of Information Technology Plans. CC ID 00634 Monitor and Evaluate Occurrences Detective
    Establish and maintain an Information Technology plan status report that covers both Strategic Information Technology Plans and tactical Information Technology plans CC ID 06839 Actionable Reports or Measurements Preventive
    Include key personnel status changes in the Information Technology Plan status reports. CC ID 06840 Actionable Reports or Measurements Preventive
    Include significant security risks in the Information Technology Plan status reports. CC ID 06939 Actionable Reports or Measurements Preventive
    Include significant risk mitigations in the Information Technology Plan status reports. CC ID 06841 Actionable Reports or Measurements Preventive
    Establish, implement, and maintain a Capital Planning and Investment Control policy. CC ID 06279 Establish/Maintain Documentation Preventive
    Include the Information Governance Plan in the Strategic Information Technology Plan. CC ID 10053 Establish/Maintain Documentation Preventive
    Engage information governance subject matter experts in the development of the Information Governance Plan. CC ID 10055 Human Resources Management Preventive
    Include the transparency goals in the Information Governance Plan. CC ID 10056 Establish/Maintain Documentation Preventive
    Include the information integrity goals in the Information Governance Plan. CC ID 10057 Establish/Maintain Documentation Preventive
    Review and approve the Strategic Information Technology Plan at the level of senior management or the Board of Directors CC ID 13094 Human Resources Management Preventive
    Establish and maintain a Governance, Risk, and Compliance awareness and training program. CC ID 06492 Business Processes Preventive
    Establish and maintain a rapport with business and technical communities throughout the organization to promote the value and importance of Information Security. CC ID 06493
    [Top management shall demonstrate leadership and commitment with respect to the information security management system by: supporting other relevant management roles to demonstrate their leadership as it applies to their areas of responsibility. § 5.1 ¶ 1 h)]
    Behavior Preventive
    Establish and maintain communication protocols. CC ID 12245
    [{internal communications} The organization shall determine the need for internal and external communications relevant to the information security management system including: § 7.4 ¶ 1
    {internal communications} The organization shall determine the need for internal and external communications relevant to the information security management system including: § 7.4 ¶ 1
    {internal communications} The organization shall determine the need for internal and external communications relevant to the information security management system including: on what to communicate; § 7.4 ¶ 1 a)
    {internal communications} The organization shall determine the need for internal and external communications relevant to the information security management system including: on what to communicate; § 7.4 ¶ 1 a)
    {internal communications} The organization shall determine the need for internal and external communications relevant to the information security management system including: with whom to communicate; § 7.4 ¶ 1 c)
    {internal communications} The organization shall determine the need for internal and external communications relevant to the information security management system including: with whom to communicate; § 7.4 ¶ 1 c)
    {internal communications} The organization shall determine the need for internal and external communications relevant to the information security management system including: who shall communicate; and § 7.4 ¶ 1 d)
    {internal communications} The organization shall determine the need for internal and external communications relevant to the information security management system including: who shall communicate; and § 7.4 ¶ 1 d)
    {internal communications The organization shall determine the need for internal and external communications relevant to the information security management system including: when to communicate; § 7.4 ¶ 1 b)
    {internal communications The organization shall determine the need for internal and external communications relevant to the information security management system including: when to communicate; § 7.4 ¶ 1 b)]
    Establish/Maintain Documentation Preventive
    Align the information being disseminated and communicated with the communication requirements according to the organization's communication protocol. CC ID 12419 Establish/Maintain Documentation Preventive
    Assess the effectiveness of the communication methods used in the communication protocol. CC ID 12691 Process or Activity Detective
    Include external requirements in the organization's communication protocol. CC ID 12418 Establish/Maintain Documentation Preventive
    Include disseminating and communicating events surrounding instances of desirable conduct and undesirable conduct in the communication protocols. CC ID 12824 Communicate Preventive
    Include input from interested personnel and affected parties as a part of the organization’s communication protocol. CC ID 12417 Establish/Maintain Documentation Preventive
    Include disseminating and communicating conditions surrounding instances of desirable conduct and undesirable conduct in the communication protocols. CC ID 12804 Communicate Preventive
    Include methods to obtain information from interested personnel and affected parties about performance variances in the communication protocol. CC ID 12856 Process or Activity Preventive
    Include disseminating and communicating desirable conduct in the communication protocols. CC ID 12803 Communicate Preventive
    Include disseminating and communicating undesirable conduct in communication protocols. CC ID 12802 Communicate Preventive
    Route notifications, as necessary. CC ID 12832 Process or Activity Preventive
    Substantiate notifications, as necessary. CC ID 12831 Process or Activity Preventive
    Analyze the flow of information to ensure it is being received by the correct processes. CC ID 12860 Business Processes Preventive
    Prioritize notifications, as necessary. CC ID 12830 Process or Activity Preventive
    Report to management and stakeholders on the findings and information gathered from all types of inquiries. CC ID 12797 Actionable Reports or Measurements Preventive
    Disseminate and communicate internal controls with supply chain members, as necessary. CC ID 12416 Communicate Preventive
    Establish and maintain the organization's survey method. CC ID 12869 Process or Activity Preventive
    Provide a consolidated view of information in the organization's survey method. CC ID 12894 Process or Activity Preventive
    Establish and maintain warning procedures that follow the organization's communication protocol. CC ID 12407 Establish/Maintain Documentation Preventive
    Establish and maintain alert procedures that follow the organization's communication protocol. CC ID 12406 Establish/Maintain Documentation Preventive
    Include the capturing and alerting of compliance violations in the notification system. CC ID 12962 Monitor and Evaluate Occurrences Preventive
    Include the capturing and alerting of unethical conduct in the notification system. CC ID 12932 Monitor and Evaluate Occurrences Preventive
    Include the capturing and alerting of performance variances in the notification system. CC ID 12929 Monitor and Evaluate Occurrences Preventive
    Include the capturing and alerting of weaknesses in the notification system. CC ID 12928 Monitor and Evaluate Occurrences Preventive
  • Monitoring and measurement
    313
    KEY:    Primary Verb     Primary Noun     Secondary Verb     Secondary Noun     Limiting Term
    Mandated - bold    Implied - italic    Implementation - regular TYPE CLASS
    Monitoring and measurement CC ID 00636 IT Impact Zone IT Impact Zone
    Establish, implement, and maintain logging and monitoring operations. CC ID 00637
    [Event logs recording user activities, exceptions, faults and information security events shall be produced, kept and regularly reviewed. A.12.4.1 Control]
    Log Management Detective
    Establish, implement, and maintain an audit and accountability policy. CC ID 14035 Establish/Maintain Documentation Preventive
    Include compliance requirements in the audit and accountability policy. CC ID 14103 Establish/Maintain Documentation Preventive
    Include coordination amongst entities in the audit and accountability policy. CC ID 14102 Establish/Maintain Documentation Preventive
    Include the purpose in the audit and accountability policy. CC ID 14100 Establish/Maintain Documentation Preventive
    Include roles and responsibilities in the audit and accountability policy. CC ID 14098 Establish/Maintain Documentation Preventive
    Include management commitment in the audit and accountability policy. CC ID 14097 Establish/Maintain Documentation Preventive
    Include the scope in the audit and accountability policy. CC ID 14096 Establish/Maintain Documentation Preventive
    Disseminate and communicate the audit and accountability policy to interested personnel and affected parties. CC ID 14095 Communicate Preventive
    Review and update the audit and accountability policy, as necessary. CC ID 14094 Establish/Maintain Documentation Corrective
    Establish, implement, and maintain audit and accountability procedures. CC ID 14057 Establish/Maintain Documentation Preventive
    Disseminate and communicate the audit and accountability procedures to interested personnel and affected parties. CC ID 14137 Communicate Preventive
    Review and update the audit and accountability procedures, as necessary. CC ID 14124 Establish/Maintain Documentation Corrective
    Enable monitoring and logging operations on all assets that meet the organizational criteria to maintain event logs. CC ID 06312
    [Event logs recording user activities, exceptions, faults and information security events shall be produced, kept and regularly reviewed. A.12.4.1 Control]
    Log Management Preventive
    Review and approve the use of continuous security management systems. CC ID 13181 Process or Activity Preventive
    Protect continuous security management systems from unauthorized use. CC ID 13097 Configuration Preventive
    Establish and maintain intrusion management operations. CC ID 00580 Monitor and Evaluate Occurrences Preventive
    Install and maintain an Intrusion Detection System and/or Intrusion Prevention System. CC ID 00581 Configuration Preventive
    Protect each person's right to privacy and civil liberties during intrusion management operations. CC ID 10035 Behavior Preventive
    Do not intercept communications of any kind when providing a service to clients. CC ID 09985 Behavior Preventive
    Determine if honeypots should be installed, and if so, where the honeypots should be placed. CC ID 00582 Technical Security Detective
    Monitor systems for inappropriate usage and other security violations. CC ID 00585 Monitor and Evaluate Occurrences Detective
    Monitor systems for blended attacks and multiple component incidents. CC ID 01225 Monitor and Evaluate Occurrences Detective
    Monitor systems for Denial of Service attacks. CC ID 01222 Monitor and Evaluate Occurrences Detective
    Monitor systems for unauthorized data transfers. CC ID 12971 Monitor and Evaluate Occurrences Preventive
    Address operational anomalies within the problem management system. CC ID 00589 Business Processes Detective
    Address operational anomalies within the incident management system. CC ID 11633 Audits and Risk Management Preventive
    Monitor systems for access to restricted data or restricted information. CC ID 04721 Monitor and Evaluate Occurrences Detective
    Assign roles and responsibilities for overseeing access to restricted data or restricted information. CC ID 11950 Human Resources Management Detective
    Detect unauthorized access to systems. CC ID 06798 Monitor and Evaluate Occurrences Detective
    Incorporate potential red flags into the organization's incident management system. CC ID 04652 Monitor and Evaluate Occurrences Detective
    Incorporate an Identity Theft Prevention Program into the organization's incident management system. CC ID 11634 Audits and Risk Management Preventive
    Alert interested personnel when suspicious activity is detected by an Intrusion Detection System or Intrusion Prevention System. CC ID 06430 Monitor and Evaluate Occurrences Detective
    Alert interested personnel and affected parties when an incident causes an outage. CC ID 06808 Monitor and Evaluate Occurrences Detective
    Monitor systems for unauthorized mobile code. CC ID 10034 Monitor and Evaluate Occurrences Preventive
    Update the intrusion detection capabilities and the incident response capabilities regularly. CC ID 04653 Technical Security Preventive
    Implement honeyclients to proactively seek for malicious websites and malicious code. CC ID 10658 Technical Security Preventive
    Implement detonation chambers, where appropriate. CC ID 10670 Technical Security Preventive
    Assign log management roles and responsibilities. CC ID 06311
    [{monitoring and measurement result} The organization shall determine: who shall analyse and evaluate these results. § 9.1 ¶ 2 f)]
    Establish Roles Preventive
    Document and communicate the log locations to the owning entity. CC ID 12047 Log Management Preventive
    Make logs available for review by the owning entity. CC ID 12046 Log Management Preventive
    Operationalize key monitoring and logging concepts to ensure the audit trails capture sufficient information. CC ID 00638 Log Management Detective
    Establish and maintain event logging procedures. CC ID 01335 Log Management Detective
    Document the event information to be logged in the event information log specification. CC ID 00639 Configuration Preventive
    Enable logging for all systems that meet a traceability criteria. CC ID 00640 Log Management Detective
    Enable and configure logging on all network access controls. CC ID 01963 Configuration Preventive
    Analyze firewall logs for the correct capturing of data. CC ID 00549 Log Management Detective
    Synchronize system clocks to an accurate and universal time source on all devices that have logging enabled. CC ID 01340
    [The clocks of all relevant information processing systems within an organization or security domain shall be synchronised to a single reference time source. A.12.4.4 Control]
    Configuration Preventive
    Centralize network time servers to as few as practical. CC ID 06308 Configuration Preventive
    Disseminate and communicate information to customers about clock synchronization methods used by the organization, as necessary. CC ID 13044 Communicate Preventive
    Define the frequency to capture and log events. CC ID 06313 Log Management Preventive
    Include logging frequencies in the event logging procedures. CC ID 00642 Log Management Preventive
    Review and update the list of auditable events in the event logging procedures. CC ID 10097 Establish/Maintain Documentation Preventive
    Include a standard to collect and interpret event logs in the event logging procedures. CC ID 00643
    [The organization shall determine: when the results from monitoring and measurement shall be analysed and evaluated; and § 9.1 ¶ 2 e)]
    Log Management Preventive
    Protect the event logs from failure. CC ID 06290 Log Management Preventive
    Overwrite the oldest records when audit logging fails. CC ID 14308 Data and Information Management Preventive
    Supply each in scope asset with audit reduction tool and report generation capabilities to support after-the-fact investigations without altering the event logs. CC ID 01427 Testing Preventive
    Provide predefined suspicious activity reports for suspicious activity discovered in the event log. CC ID 06774 Establish/Maintain Documentation Corrective
    Compile the event logs of multiple components into a system-wide time-correlated audit trail. CC ID 01424 Audits and Risk Management Preventive
    Review and update event logs and audit logs, as necessary. CC ID 00596
    [Event logs recording user activities, exceptions, faults and information security events shall be produced, kept and regularly reviewed. A.12.4.1 Control
    System administrator and system operator activities shall be logged and the logs protected and regularly reviewed. A.12.4.3 Control]
    Log Management Detective
    Eliminate false positives in event logs and audit logs. CC ID 07047 Log Management Corrective
    Correlate log entries to security controls to verify the security control's effectiveness. CC ID 13207 Log Management Detective
    Identify cybersecurity events in event logs and audit logs. CC ID 13206 Technical Security Detective
    Follow up exceptions and anomalies identified when reviewing logs. CC ID 11925 Investigate Corrective
    Reproduce the event log if a log failure is captured. CC ID 01426 Log Management Preventive
    Monitor and evaluate system performance. CC ID 00651
    [The management review shall include consideration of: feedback on the information security performance, including trends in: § 9.3 ¶ 2 c)]
    Monitor and Evaluate Occurrences Detective
    Disseminate and communicate monitoring capabilities with interested personnel and affected parties. CC ID 13156 Communicate Preventive
    Disseminate and communicate statistics on resource usage with interested personnel and affected parties. CC ID 13155 Communicate Preventive
    Monitor for and react to when suspicious activities are detected. CC ID 00586
    [When a nonconformity occurs, the organization shall: react to the nonconformity, and as applicable: § 10.1 ¶ 1 a)]
    Monitor and Evaluate Occurrences Detective
    Erase payment applications when suspicious activity is confirmed. CC ID 12193 Technical Security Corrective
    Report a data loss event when non-truncated payment card numbers are outputted. CC ID 04741 Establish/Maintain Documentation Corrective
    Report a data loss event after a security incident is detected and there are indications that the unauthorized person has control of electronic information. CC ID 04727 Monitor and Evaluate Occurrences Corrective
    Report a data loss event after a security incident is detected and there are indications that the unauthorized person has control of printed records. CC ID 04728 Monitor and Evaluate Occurrences Corrective
    Report a data loss event after a security incident is detected and there are indications that the unauthorized person has accessed information in either paper or electronic form. CC ID 04740 Monitor and Evaluate Occurrences Corrective
    Report a data loss event after a security incident is detected and there are indications that the information has been or will likely be used in an unauthorized manner. CC ID 04729 Monitor and Evaluate Occurrences Corrective
    Report a data loss event after a security incident is detected and there are indications that the information has been or will likely be used in an unauthorized manner that could cause substantial economic impact. CC ID 04742 Monitor and Evaluate Occurrences Corrective
    Monitor and evaluate the effectiveness of detection tools. CC ID 13505 Investigate Detective
    Monitor and review retail payment activities, as necessary. CC ID 13541 Monitor and Evaluate Occurrences Detective
    Determine if high rates of retail payment activities are from Originating Depository Financial Institutions. CC ID 13546 Investigate Detective
    Review retail payment service reports, as necessary. CC ID 13545 Investigate Detective
    Assess customer satisfaction. CC ID 00652 Testing Detective
    Establish, implement, and maintain a continuous monitoring program for configuration management. CC ID 06757 Establish/Maintain Documentation Detective
    Include the correlation and analysis of information obtained during testing in the continuous monitoring program. CC ID 14250 Process or Activity Detective
    Establish, implement, and maintain an automated configuration monitoring system. CC ID 07058 Monitor and Evaluate Occurrences Detective
    Monitor for and report when a software configuration is updated. CC ID 06746 Monitor and Evaluate Occurrences Detective
    Notify the appropriate personnel when the software configuration is updated absent authorization. CC ID 04886 Monitor and Evaluate Occurrences Detective
    Monitor for firmware updates absent authorization. CC ID 10675 Monitor and Evaluate Occurrences Detective
    Implement file integrity monitoring. CC ID 01205 Monitor and Evaluate Occurrences Detective
    Identify unauthorized modifications during file integrity monitoring. CC ID 12096 Technical Security Detective
    Monitor for software configurations updates absent authorization. CC ID 10676 Monitor and Evaluate Occurrences Preventive
    Allow expected changes during file integrity monitoring. CC ID 12090 Technical Security Preventive
    Monitor for when documents are being updated absent authorization. CC ID 10677 Monitor and Evaluate Occurrences Preventive
    Include a change history and identify who made the changes in the file integrity monitoring report. CC ID 12091 Establish/Maintain Documentation Preventive
    Alert interested personnel and affected parties when an unauthorized modification to critical files is detected. CC ID 12045 Process or Activity Preventive
    Monitor and evaluate user account activity. CC ID 07066 Monitor and Evaluate Occurrences Detective
    Develop and maintain a usage profile for each user account. CC ID 07067 Technical Security Preventive
    Log account usage to determine dormant accounts. CC ID 12118 Log Management Detective
    Log account usage times. CC ID 07099 Log Management Detective
    Generate daily reports of user logons during hours outside of their usage profile. CC ID 07068 Monitor and Evaluate Occurrences Detective
    Generate daily reports of users who have grossly exceeded their usage profile logon duration. CC ID 07069 Monitor and Evaluate Occurrences Detective
    Log account usage durations. CC ID 12117 Monitor and Evaluate Occurrences Detective
    Notify the appropriate personnel after identifying dormant accounts. CC ID 12125 Communicate Detective
    Log Internet Protocol addresses used during logon. CC ID 07100 Log Management Detective
    Report red flags when logon credentials are used on a computer different from the one in the usage profile. CC ID 07070 Monitor and Evaluate Occurrences Detective
    Report inappropriate usage of user accounts to the appropriate personnel. CC ID 14243 Communicate Detective
    Establish, implement, and maintain a testing program. CC ID 00654 Behavior Preventive
    Implement and comply with the testing program. CC ID 11870 Testing Detective
    Establish and maintain a vulnerability assessment program. CC ID 11636 Establish/Maintain Documentation Preventive
    Perform vulnerability scans, as necessary. CC ID 11637 Technical Security Detective
    Identify and document security vulnerabilities. CC ID 11857
    [{technical vulnerabilities} Information about technical vulnerabilities of information systems being used shall be obtained in a timely fashion, the organization’s exposure to such vulnerabilities evaluated and appropriate measures taken to address the associated risk. A.12.6.1 Control]
    Technical Security Detective
    Rank discovered vulnerabilities. CC ID 11940 Investigate Detective
    Establish and maintain a compliance monitoring policy. CC ID 00671
    [The organization shall determine: when the monitoring and measuring shall be performed; § 9.1 ¶ 2 c)
    The organization shall determine: what needs to be monitored and measured, including information security processes and controls; § 9.1 ¶ 2 a)]
    Establish/Maintain Documentation Preventive
    Establish and maintain an approach for compliance monitoring. CC ID 01653 Establish/Maintain Documentation Preventive
    Establish and maintain risk management metrics. CC ID 01656 Establish/Maintain Documentation Preventive
    Report on the percentage of key Information Technology assets for which an assurance strategy is implemented. CC ID 01657 Actionable Reports or Measurements Detective
    Report on the percentage of key organizational functions for which an assurance strategy is implemented. CC ID 01658 Actionable Reports or Measurements Detective
    Report on the percentage of key compliance requirements for which an assurance strategy has been implemented. CC ID 01659 Actionable Reports or Measurements Detective
    Report on the percentage of the Information System budget allocated to Information Security. CC ID 04571 Actionable Reports or Measurements Detective
    Identify information being used to support the performance of the governance, risk, and compliance capability. CC ID 12866 Business Processes Preventive
    Identify information being used to support performance reviews for risk optimization. CC ID 12865 Audits and Risk Management Preventive
    Monitor personnel and third parties for compliance to the organizational compliance framework. CC ID 04726 Monitor and Evaluate Occurrences Detective
    Identify and document instances of non-compliance with the compliance framework. CC ID 06499 Establish/Maintain Documentation Preventive
    Align enforcement reviews for non-compliance with organizational risk tolerance. CC ID 13063 Business Processes Detective
    Determine the causes of compliance violations. CC ID 12401 Investigate Corrective
    Identify and document events surrounding non-compliance with the organizational compliance framework. CC ID 12935 Establish/Maintain Documentation Preventive
    Determine if multiple compliance violations of the same type could occur. CC ID 12402 Investigate Detective
    Correct compliance violations. CC ID 13515 Process or Activity Corrective
    Review the effectiveness of disciplinary actions carried out for compliance violations. CC ID 12403 Investigate Detective
    Carry out disciplinary actions when a compliance violation is detected. CC ID 06675 Behavior Corrective
    Align disciplinary actions with the level of compliance violation. CC ID 12404
    [Corrective actions shall be appropriate to the effects of the nonconformities s="term_secondary-verb">encountered. § 10.1 ¶ 2]
    Human Resources Management Preventive
    Establish and maintain compliance program metrics. CC ID 11625 Monitor and Evaluate Occurrences Preventive
    Establish and maintain a security program metrics program. CC ID 01660 Establish/Maintain Documentation Preventive
    Report on the policies and controls that have been implemented by management. CC ID 01670 Actionable Reports or Measurements Detective
    Establish, implement, and maintain a key management roles metrics standard. CC ID 11631 Establish/Maintain Documentation Preventive
    Report on the percentage of security management roles that have been assigned. CC ID 01671 Actionable Reports or Measurements Detective
    Establish and maintain a key stakeholder metrics program. CC ID 01661 Establish/Maintain Documentation Preventive
    Report on the percentage of board meetings or committee meetings at which Information Assurance was on the agenda. CC ID 01672 Actionable Reports or Measurements Detective
    Report on the percentage of security incidents that did not cause confidentiality, integrity, or availability losses beyond the Service Level Agreement thresholds. CC ID 01673 Actionable Reports or Measurements Detective
    Report on the estimated damage or loss resulting from all security incidents. CC ID 01674 Actionable Reports or Measurements Detective
    Establish, implement, and maintain a supply chain member metrics program. CC ID 01662 Establish/Maintain Documentation Preventive
    Report on the percentage of supply chain members for which all Information Assurance requirements have been implemented. CC ID 01675 Actionable Reports or Measurements Detective
    Report on the Service Level Agreement performance of supply chain members. CC ID 06838 Actionable Reports or Measurements Preventive
    Establish and maintain a Business Continuity metrics program. CC ID 01663 Establish/Maintain Documentation Preventive
    Report on the percentage of organizational units that have an established Business Continuity Plan. CC ID 01676 Actionable Reports or Measurements Detective
    Report on the percentage of organizational units with a documented Business Continuity Plan for which specific responsibilities have been assigned. CC ID 02057 Actionable Reports or Measurements Detective
    Report on the percentage of Business Continuity Plans that have been reviewed, tested, and updated. CC ID 02058 Actionable Reports or Measurements Detective
    Establish and maintain an audit metrics program. CC ID 01664 Establish/Maintain Documentation Preventive
    Report on the percentage of needed internal audits that have been completed and reviewed. CC ID 01677 Actionable Reports or Measurements Detective
    Report on the percentage of Information Security requirements from applicable laws and regulations that are included in the audit program. CC ID 02069 Actionable Reports or Measurements Detective
    Report on the percentage of needed external audits that have been completed and reviewed. CC ID 11632 Actionable Reports or Measurements Detective
    Report on the percentage of Information Security audits conducted in compliance with the approved audit program. CC ID 02070 Actionable Reports or Measurements Detective
    Report on the percentage of audit findings that have been resolved. CC ID 01678 Actionable Reports or Measurements Detective
    Report on the percentage of management actions in response to audit findings and audit recommendations that were implemented in a timely way. CC ID 02071 Actionable Reports or Measurements Detective
    Establish and maintain an Information Security metrics program. CC ID 01665
    [The information security objectives shall: be measurable (if practicable); § 6.2 ¶ 2 b)]
    Establish/Maintain Documentation Preventive
    Establish and maintain a metrics policy. CC ID 01654 Establish/Maintain Documentation Preventive
    Establish and maintain a metrics standard and template. CC ID 02157 Establish/Maintain Documentation Preventive
    Monitor compliance with the Quality Control system. CC ID 01023 Actionable Reports or Measurements Preventive
    Report on the percentage of complaints received about products or delivered services. CC ID 07199 Actionable Reports or Measurements Preventive
    Report on the percentage of Quality Assurance attained by Quality Improvement practices. CC ID 07202 Actionable Reports or Measurements Preventive
    Establish, implement, and maintain a policies and controls metrics program. CC ID 01666 Establish/Maintain Documentation Preventive
    Report on the percentage of total controls for which policies, standards, and procedures exist and for which approval has been granted. CC ID 01679 Actionable Reports or Measurements Detective
    Report on the percentage of personnel who are assigned and acknowledged responsibilities for approved policies, standards, and procedures. CC ID 01680 Actionable Reports or Measurements Detective
    Report on the percentage of policy compliance reviews for which no compliance violations were noted. CC ID 01681 Actionable Reports or Measurements Detective
    Report on the percentage of senior management or business unit heads who have implemented operational compliance procedures. CC ID 01682 Actionable Reports or Measurements Detective
    Establish, implement, and maintain a security roles and responsibilities metrics program. CC ID 01667 Establish/Maintain Documentation Preventive
    Report on the percentage of role descriptions that define the Information Awareness roles for Security Managers and administrators. CC ID 01685 Actionable Reports or Measurements Detective
    Report on the percentage of role descriptions that define the information awareness roles for interested personnel. CC ID 01686 Actionable Reports or Measurements Detective
    Report on the percentage of role descriptions that define the information awareness roles for end users. CC ID 01687 Actionable Reports or Measurements Detective
    Report on the percentage of performance reviews that include the evaluation of Information Assurance responsibilities and policy compliance. CC ID 01688 Actionable Reports or Measurements Detective
    Report on the percentage of individuals who have access to security software, are trained, and authorized Security Administrators. CC ID 01691 Actionable Reports or Measurements Detective
    Report on the percentage of individuals who are able to assign security privileges, are trained, and authorized Security Administrators. CC ID 01692 Actionable Reports or Measurements Detective
    Establish and maintain a role-based information access metrics program. CC ID 01668 Establish/Maintain Documentation Preventive
    Report on the percentage of new hires who completed training ahead of being granted network access or system access. CC ID 01683 Actionable Reports or Measurements Detective
    Report on the percentage of personnel who have completed periodic Information Assurance refresher training. CC ID 01684 Actionable Reports or Measurements Detective
    Report on the percentage of user roles, systems, and applications that comply with the segregation of duties principle. CC ID 01689 Actionable Reports or Measurements Detective
    Report on the percentage of individuals whose access rights have been reviewed. CC ID 01690 Actionable Reports or Measurements Detective
    Report on the percentage of users who have access to restricted data or restricted information and have undergone a background check. CC ID 01693 Actionable Reports or Measurements Detective
    Establish, implement, and maintain an information risk threshold metrics program. CC ID 01694 Establish/Maintain Documentation Preventive
    Report on the percentage of critical information assets and information-dependent functions. CC ID 02040 Actionable Reports or Measurements Detective
    Report on the percentage of critical assets and functions for which the cost of compromise has been quantified. CC ID 02041 Actionable Reports or Measurements Detective
    Report on the percentage of identified risks that have a defined risk mitigation plan. CC ID 02042 Actionable Reports or Measurements Detective
    Report on the percentage of systems with approved System Security Plans. CC ID 02145 Actionable Reports or Measurements Detective
    Monitor the supply chain for Information Assurance effectiveness. CC ID 02043 Establish/Maintain Documentation Preventive
    Report on the percentage of known Information Security risks that are related to supply chain relationships. CC ID 02044 Actionable Reports or Measurements Detective
    Report on the percentage of critical information assets or critical functions for which access by supply chain personnel is disallowed. CC ID 02045 Actionable Reports or Measurements Detective
    Report on the percentage of supply chain personnel who have current information asset user privileges. CC ID 02046 Actionable Reports or Measurements Detective
    Report on the percentage of systems with critical information assets or functions for which electronic connection by supply chain assets is disallowed. CC ID 02047 Actionable Reports or Measurements Detective
    Report on the percentage of security incidents that involved supply chain personnel. CC ID 02048 Actionable Reports or Measurements Detective
    Report on the percentage of third party contracts that include a requirement to externally verify policies and procedures. CC ID 02049 Actionable Reports or Measurements Detective
    Report on the percentage of supply chain relationships that have been reviewed for compliance with information security requirements. CC ID 02050 Actionable Reports or Measurements Detective
    Establish, implement, and maintain an identification and classification of information assets metrics program. CC ID 02052 Business Processes Preventive
    Report on the percentage of information assets that have been reviewed and classified. CC ID 02053 Actionable Reports or Measurements Detective
    Report on the percentage of information assets with defined user privileges that have been assigned based on role and according to policy. CC ID 02054 Actionable Reports or Measurements Detective
    Report on the percentage of scheduled Information Technology inventory processes that occurred on time. CC ID 02055 Actionable Reports or Measurements Detective
    Establish, implement, and maintain an Information Systems architecture metrics program. CC ID 02059 Business Processes Preventive
    Report on the percentage of recently identified information security risks related to systems architecture that have been adequately mitigated. CC ID 02060 Actionable Reports or Measurements Detective
    Report on the percentage of system architecture changes that were approved through appropriate change requests. CC ID 02061 Actionable Reports or Measurements Detective
    Report on the percentage of critical information assets or functions residing on systems that are currently in compliance with the approved systems architecture. CC ID 02062 Actionable Reports or Measurements Detective
    Report on the percentage of systems that have been recertified if security controls were updated after the system was developed. CC ID 02142 Actionable Reports or Measurements Detective
    Report on the percentage of systems that have completed Certification and Accreditation. CC ID 02143 Actionable Reports or Measurements Detective
    Establish and maintain a physical environment metrics program. CC ID 02063 Business Processes Preventive
    Report on the percentage of critical organizational information assets and functions that have been reviewed from the risk to physical security perspective. CC ID 02064 Actionable Reports or Measurements Detective
    Report on the percentage of critical organizational information assets and functions exposed to physical risks for which risk mitigation actions have been implemented. CC ID 02065 Actionable Reports or Measurements Detective
    Report on the percentage of critical assets that have been reviewed from the environmental risk perspective. CC ID 02066 Actionable Reports or Measurements Detective
    Report on the percentage of servers located in controlled access areas. CC ID 02067 Actionable Reports or Measurements Detective
    Establish and maintain a reporting methodology program. CC ID 02072 Business Processes Preventive
    Establish, implement, and maintain a technical measurement metrics policy. CC ID 01655 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain a user identification and authentication metrics program. CC ID 02073 Business Processes Preventive
    Report on the percentage of unique active user identifiers. CC ID 02074 Actionable Reports or Measurements Detective
    Report on the percentage of systems and applications that perform password policy verification. CC ID 02086 Actionable Reports or Measurements Detective
    Report on the percentage of active user passwords that are set to expire. CC ID 02087 Actionable Reports or Measurements Detective
    Report on the percentage of systems with critical information assets that use stronger authentication than user identifiers and passwords. CC ID 02088 Actionable Reports or Measurements Detective
    Establish, implement, and maintain a user account management metrics program. CC ID 02075 Business Processes Preventive
    Report on the percentage of systems for which default accounts and default passwords have been disabled or reset. CC ID 02089 Actionable Reports or Measurements Detective
    Report on the percentage of inactive user accounts that are assigned to personnel who have left or no longer need access. CC ID 02090 Actionable Reports or Measurements Detective
    Report on the percentage of systems with account lockout thresholds set. CC ID 02091 Actionable Reports or Measurements Detective
    Report on the percentage of inactive user accounts that have been disabled. CC ID 02092 Actionable Reports or Measurements Detective
    Report on the percentage of workstations with session timeout or automatic logoff controls set. CC ID 02093 Actionable Reports or Measurements Detective
    Report on the percentage of users with access to shared accounts. CC ID 04573 Actionable Reports or Measurements Detective
    Establish, implement, and maintain a user and administrator privilege management metrics program. CC ID 02076 Actionable Reports or Measurements Preventive
    Report on the percentage of active computer accounts that have had the current user privileges reviewed. CC ID 02094 Actionable Reports or Measurements Detective
    Report on the percentage of systems where permission to install nonstandard software is limited. CC ID 02095 Actionable Reports or Measurements Detective
    Report on the percentage of systems and applications that have user privileges and administrator privileges assigned in compliance with Role-Based Access Controls. CC ID 02096 Actionable Reports or Measurements Detective
    Establish and maintain a Configuration Management metrics program. CC ID 02077 Business Processes Preventive
    Report on the percentage of systems for which approved configuration settings have been implemented. CC ID 02097 Actionable Reports or Measurements Detective
    Report on the percentage of systems with configurations that do not deviate from approved standards. CC ID 02098 Actionable Reports or Measurements Detective
    Report on the percentage of systems that are continuously monitored for compliance with the configuration standard with out-of-compliance alarms or out-of-compliance reports. CC ID 02099 Actionable Reports or Measurements Detective
    Report on the percentage of systems whose configuration is compared with a previously established trusted configuration baseline. CC ID 02100 Actionable Reports or Measurements Detective
    Report on the percentage of systems where the authority to make configuration changes are limited. CC ID 02101 Actionable Reports or Measurements Detective
    Report on the percentage of system components that undergo maintenance as scheduled. CC ID 04562 Actionable Reports or Measurements Detective
    Establish and maintain a Security Information and Event Management metrics program. CC ID 02078 Log Management Preventive
    Report on the percentage of systems for which event logging has been implemented. CC ID 02102 Log Management Detective
    Report on the percentage of systems for which event logs are monitored and reviewed. CC ID 02103 Log Management Detective
    Report on the percentage of systems for which log capacity and log retention schedules have been implemented. CC ID 02104 Log Management Detective
    Report on the percentage of systems that generate warnings about anomalous activity or potentially unauthorized activity. CC ID 02105 Actionable Reports or Measurements Detective
    Establish and maintain a communications, e-mail, and remote access security management metrics program. CC ID 02079 Business Processes Preventive
    Report on the percentage of laptops and mobile devices that are needing to be in compliance with the approved configuration standard before granting network access. CC ID 02106 Actionable Reports or Measurements Detective
    Report on the percentage of organizationally controlled communications channels that have been secured. CC ID 02107 Actionable Reports or Measurements Detective
    Report on the percentage of host servers that are protected from becoming relay hosts. CC ID 02108 Actionable Reports or Measurements Detective
    Report on the percentage of mobile users who access organizational facilities using secure communications methods. CC ID 02109 Actionable Reports or Measurements Detective
    Establish and maintain a malicious code protection management metrics program. CC ID 02080 Business Processes Preventive
    Report on the percentage of workstations and laptops that employ automated system security tools. CC ID 02110 Actionable Reports or Measurements Detective
    Report on the percentage of servers that employ automated system security tools. CC ID 02111 Actionable Reports or Measurements Detective
    Report on the percentage of mobile devices that employ automated system security tools. CC ID 02112 Actionable Reports or Measurements Detective
    Establish, implement, and maintain a software change management metrics program. CC ID 02081 Business Processes Preventive
    Report on the percentage of software changes that have been documented and approved through change request forms. CC ID 02152 Actionable Reports or Measurements Detective
    Report on the percentage of systems with all approved patches installed. CC ID 02113 Actionable Reports or Measurements Detective
    Report on the mean time from patch availability to patch installation. CC ID 02114 Actionable Reports or Measurements Detective
    Report on the percentage of software changes that were reviewed for security impacts before the software configuration is updated. CC ID 02115 Actionable Reports or Measurements Detective
    Establish and maintain a network management and firewall management metrics program. CC ID 02082 Business Processes Preventive
    Establish and maintain a network activity baseline. CC ID 13188 Technical Security Detective
    Report on the percentage of systems configured according to the configuration standard. CC ID 02116 Actionable Reports or Measurements Detective
    Report on the percentage of network access controls used to gain unauthorized access. CC ID 04572 Actionable Reports or Measurements Detective
    Establish, implement, and maintain a data encryption management metrics program. CC ID 02083 Business Processes Preventive
    Report on the percentage of critical information assets stored on network accessible devices that are encrypted with widely tested and published cryptographic algorithms. CC ID 02117 Actionable Reports or Measurements Detective
    Report on the percentage of mobile devices that use encryption for critical information assets. CC ID 02118 Actionable Reports or Measurements Detective
    Report on the percentage of passwords and Personal Identification Numbers that are encrypted. CC ID 02119 Actionable Reports or Measurements Detective
    Report on the percentage of media that passes sanitization procedure testing. CC ID 04574 Actionable Reports or Measurements Detective
    Establish and maintain a backup management and recovery management metrics program. CC ID 02084 Business Processes Preventive
    Report on the percentage of systems with critical information assets or critical business functions that have been backed up in accordance with the backup policy and the system's continuity plan. CC ID 02120 Actionable Reports or Measurements Detective
    Report on the percentage of systems with critical information assets or critical functions where restoration from a backup has been successfully demonstrated. CC ID 02121 Actionable Reports or Measurements Detective
    Report on the percentage of backup media stored off site in secure storage. CC ID 02122 Actionable Reports or Measurements Detective
    Report on the percentage of used backup media or archive media sanitized prior to reuse or disposal. CC ID 02123 Actionable Reports or Measurements Detective
    Establish and maintain an incident management and vulnerability management metrics program. CC ID 02085 Business Processes Preventive
    Report on the percentage of operational time that critical services were unavailable due to security incidents. CC ID 02124 Actionable Reports or Measurements Detective
    Report on the percentage of security incidents that exploited existing security vulnerabilities with known solutions, patches, or workarounds. CC ID 02125 Actionable Reports or Measurements Detective
    Report on the percentage of systems affected by security incidents that exploited existing security vulnerabilities with known solutions, patches, or workarounds. CC ID 02126 Actionable Reports or Measurements Detective
    Report on the percentage of security incidents that were managed according to established policies, procedures, and processes. CC ID 02127 Actionable Reports or Measurements Detective
    Report on the number of security incidents reported to FedCIRC, NIPC, the Payment Card Industry, or local law enforcement. CC ID 02154 Actionable Reports or Measurements Detective
    Report on the percentage of systems with critical information assets or critical functions that have been assessed for security vulnerabilities. CC ID 02128 Actionable Reports or Measurements Detective
    Report on the percentage of vulnerability assessment findings that have been addressed since the last reporting period. CC ID 02129 Actionable Reports or Measurements Detective
    Report on the average elapsed time between the discovery of a new vulnerability and implementing corrective action. CC ID 02140 Actionable Reports or Measurements Detective
    Report on the percentage of physical security incidents that involved entry into a facility containing Information Systems. CC ID 04564 Actionable Reports or Measurements Detective
    Establish and maintain an Electronic Health Records measurement metrics program. CC ID 06221 Establish/Maintain Documentation Preventive
    Report on the percentage of unique patients who had at least one medication entered using the Computerized Provider Order Entry system. CC ID 06222 Actionable Reports or Measurements Preventive
    Report on the percentage of unique patients who have diagnoses recorded as structured data into the current and active diagnoses problem list. CC ID 06223 Actionable Reports or Measurements Preventive
    Report on the percentage of permissible prescriptions that are transmitted electronically. CC ID 06224 Actionable Reports or Measurements Preventive
    Report on the percentage of unique patients who have at least one entry recorded as structured data into the active medication list. CC ID 06225 Actionable Reports or Measurements Preventive
    Report on the percentage of unique patients who have at least one entry recorded as structured data into the active medication allergy list. CC ID 06226 Actionable Reports or Measurements Preventive
    Report on the percentage of unique patients who have demographics recorded as structured data. CC ID 06227 Actionable Reports or Measurements Preventive
    Report on the percentage of unique patients over the age of 2 who have their height, weight, and blood pressure recorded as structured data. CC ID 06228 Actionable Reports or Measurements Preventive
    Report on the percentage of unique patients over the age of 13 who have their smoking status recorded as structured data. CC ID 06229 Actionable Reports or Measurements Preventive
    Report on the percentage of patients who are given an electronic copy of their Individually Identifiable Health Information not later than three business days after Individually Identifiable Health Information is requested. CC ID 06230 Actionable Reports or Measurements Preventive
    Report on the percentage of patients who are given clinical summaries not later than three business days after a physician office visit. CC ID 06231 Actionable Reports or Measurements Preventive
    Report on the percentage of lab test results that are incorporated into the Electronic Health Records as structured data. CC ID 06232 Actionable Reports or Measurements Preventive
    Report on the percentage of patients sixty-five years of age or older or five years of age or younger who were sent a reminder. CC ID 06233 Actionable Reports or Measurements Preventive
    Report on the percentage of unique patients who are given electronic access to their Individually Identifiable Health Information not later than four business days after their Individually Identifiable Health Information is updated. CC ID 06234 Actionable Reports or Measurements Preventive
    Report on the percentage of unique patients who are given patient-specific education resources. CC ID 06235 Actionable Reports or Measurements Preventive
    Report on the percentage of medication reconciliations that are performed if a patient is received from another setting or healthcare provider. CC ID 06236 Actionable Reports or Measurements Preventive
    Report on the percentage of summary of care records that are provided for transitions of care or referrals for patients who are transitioned or referred to another setting or healthcare provider. CC ID 06237 Actionable Reports or Measurements Preventive
    Report on the percentage of patients who receive their discharge instructions if discharge instructions are requested. CC ID 06238 Actionable Reports or Measurements Preventive
    Report on the percentage of patients 65 years of age or older who have an indication of advance directive status recorded as structured data. CC ID 06239 Actionable Reports or Measurements Preventive
    Provide transactional walkthrough procedures for external auditors. CC ID 00672 Testing Preventive
    Establish and maintain a log management program. CC ID 00673 Establish/Maintain Documentation Preventive
    Deploy log normalization tools, as necessary. CC ID 12141 Technical Security Preventive
    Restrict access to logs to a need to know basis. CC ID 01342 Log Management Preventive
    Restrict access to audit trails to a need to know basis. CC ID 11641 Technical Security Preventive
    Refrain from recording unnecessary restricted data in logs. CC ID 06318 Log Management Preventive
    Back up audit trails according to backup procedures. CC ID 11642 Systems Continuity Preventive
    Back up logs according to backup procedures. CC ID 01344 Log Management Preventive
    Copy logs from all predefined hosts onto a log management infrastructure. CC ID 01346 Log Management Preventive
    Identify hosts with logs that are not being stored. CC ID 06314 Log Management Preventive
    Identify hosts with logs that are being stored at the system level only. CC ID 06315 Log Management Preventive
    Identify hosts with logs that should be stored at both the system level and the infrastructure level. CC ID 06316 Log Management Preventive
    Identify hosts with logs that are being stored at the infrastructure level only. CC ID 06317 Log Management Preventive
    Protect logs from unauthorized activity. CC ID 01345
    [Logging facilities and log information shall be protected against tampering and unauthorized access. A.12.4.2 Control
    System administrator and system operator activities shall be logged and the logs protected and regularly reviewed. A.12.4.3 Control]
    Log Management Preventive
    Perform testing and validating activities on all logs. CC ID 06322 Log Management Preventive
    Archive the audit trail in accordance with compliance requirements. CC ID 00674 Log Management Preventive
    Enforce dual authorization as a part of information flow control for logs. CC ID 10098 Configuration Preventive
    Preserve the identity of individuals in audit trails. CC ID 10594 Log Management Preventive
    Establish, implement, and maintain a cross-organizational audit sharing agreement. CC ID 10595 Establish/Maintain Documentation Preventive
    Provide cross-organizational audit information based on the cross-organizational audit sharing agreement. CC ID 10596 Audits and Risk Management Preventive
  • Operational and Systems Continuity
    81
    KEY:    Primary Verb     Primary Noun     Secondary Verb     Secondary Noun     Limiting Term
    Mandated - bold    Implied - italic    Implementation - regular TYPE CLASS
    Operational and Systems Continuity CC ID 00731 IT Impact Zone IT Impact Zone
    Establish and maintain a business continuity program. CC ID 13210 Establish/Maintain Documentation Preventive
    Establish and maintain a continuity framework. CC ID 00732 Establish/Maintain Documentation Preventive
    Establish and maintain the scope of the continuity framework. CC ID 11908
    [{scope} The organization shall determine its requirements for information security and the continuity of information security management in adverse situations, e.g. during a crisis or disaster. A.17.1.1 Control]
    Establish/Maintain Documentation Preventive
    Identify all stakeholders critical to the continuity of operations. CC ID 12741 Systems Continuity Detective
    Explain any exclusions to the scope of the continuity framework. CC ID 12236 Establish/Maintain Documentation Preventive
    Refrain from including exclusions that could affect business continuity. CC ID 12740 Records Management Preventive
    Include the organization's business products and services in the scope of the continuity framework. CC ID 12235 Establish/Maintain Documentation Preventive
    Include business units in the scope of the continuity framework. CC ID 11898 Establish/Maintain Documentation Preventive
    Include business functions in the scope of the continuity framework. CC ID 12699 Establish/Maintain Documentation Preventive
    Include information security continuity in the scope of the continuity framework. CC ID 12009 Systems Continuity Preventive
    Include affected party’s needs and interests in the scope of the continuity framework. CC ID 12698 Systems Continuity Preventive
    Establish and maintain a list of interested personnel and affected parties with whom to disseminate and communicate the continuity framework. CC ID 12242 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain a continuity plan. CC ID 00752
    [The organization shall establish, document, implement and maintain processes, procedures and controls to ensure the required level of continuity for information security during an adverse situation. A.17.1.2 Control]
    Establish/Maintain Documentation Preventive
    Report changes in the continuity plan to senior management. CC ID 12757 Communicate Corrective
    Identify all stakeholders in the continuity plan. CC ID 13256 Establish/Maintain Documentation Preventive
    Include a business continuity testing policy in the continuity plan, as necessary. CC ID 13234 Establish/Maintain Documentation Preventive
    Include identification procedures in the continuity plan, as necessary. CC ID 14372 Establish/Maintain Documentation Preventive
    Include the continuity strategy in the continuity plan. CC ID 13189 Establish/Maintain Documentation Preventive
    Include roles and responsibilities in the continuity plan, as necessary. CC ID 13254 Establish/Maintain Documentation Preventive
    Document and use the lessons learned to update the continuity plan. CC ID 10037 Establish/Maintain Documentation Preventive
    Coordinate continuity planning with governmental entities, as necessary. CC ID 13258 Process or Activity Preventive
    Coordinate continuity planning with community organizations, as necessary. CC ID 13259 Process or Activity Preventive
    Coordinate and incorporate supply chain members' continuity plans, as necessary. CC ID 13242 Establish/Maintain Documentation Preventive
    Include incident management procedures in the continuity plan. CC ID 13244 Establish/Maintain Documentation Preventive
    Include the use of virtual meeting tools in the continuity plan. CC ID 14390 Establish/Maintain Documentation Preventive
    Include scenario analyses of various contingency scenarios in the continuity plan. CC ID 13057 Establish/Maintain Documentation Preventive
    Include the annual statement based on the continuity plan review in the continuity plan. CC ID 12775 Establish/Maintain Documentation Preventive
    Review and update the continuity procedures, as necessary. CC ID 14236 Establish/Maintain Documentation Corrective
    Document the uninterrupted power requirements for all in scope systems. CC ID 06707 Establish/Maintain Documentation Preventive
    Install an Uninterruptible Power Supply sized to support all critical systems. CC ID 00725 Configuration Preventive
    Install a generator sized to support the facility. CC ID 06709 Configuration Preventive
    Establish, implement, and maintain a fuel supply large enough to support the generators during an emergency. CC ID 06376 Acquisition/Sale of Assets or Services Preventive
    Document all supporting information in the continuity plan, such as purpose, scope, and requirements. CC ID 01371 Establish/Maintain Documentation Preventive
    Include notifications to alternate facilities in the continuity plan. CC ID 13220 Establish/Maintain Documentation Preventive
    Approve the continuity plan requirements before documenting the continuity plan. CC ID 12778 Systems Continuity Preventive
    Document the concept of operations in the continuity plan, including a line of succession. CC ID 01372 Establish/Maintain Documentation Preventive
    Review and update the continuity plan call tree mechanism after a personnel status change. CC ID 01167 Testing Detective
    Establish and maintain damage assessment procedures. CC ID 01267 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain a recovery plan. CC ID 13288 Establish/Maintain Documentation Preventive
    Notify interested personnel and affected parties of updates to the recovery plan. CC ID 13302 Communicate Preventive
    Implement the recovery plan. CC ID 13299 Process or Activity Preventive
    Include addressing backup failures in the recovery plan. CC ID 13298 Establish/Maintain Documentation Preventive
    Include procedures to verify completion of the data and program backup procedures in the recovery plan. CC ID 13297 Establish/Maintain Documentation Preventive
    Include the roles and responsibilities of responders in the recovery plan. CC ID 13296 Human Resources Management Preventive
    Include the procedures for the storage of information necessary to recover functionality in the recovery plan. CC ID 13295 Establish/Maintain Documentation Preventive
    Include the backup procedures for information necessary to recover functionality in the recovery plan. CC ID 13294 Establish/Maintain Documentation Preventive
    Include the criteria for activation in the recovery plan. CC ID 13293 Establish/Maintain Documentation Preventive
    Include procedures to preserve data before beginning the recovery process in the recovery plan. CC ID 13292 Establish/Maintain Documentation Preventive
    Determine the cause for the activation of the recovery plan. CC ID 13291 Investigate Detective
    Test the recovery plan, as necessary. CC ID 13290 Testing Detective
    Test the backup information, as necessary. CC ID 13303 Testing Detective
    Document lessons learned from testing the recovery plan or an actual event. CC ID 13301 Establish/Maintain Documentation Detective
    Include restoration procedures in the continuity plan. CC ID 01169 Establish Roles Preventive
    Include risk prioritized recovery procedures for each business unit in the recovery plan. CC ID 01166 Establish/Maintain Documentation Preventive
    Include the recovery plan in the continuity plan. CC ID 01377 Establish/Maintain Documentation Preventive
    Disseminate and communicate the recovery status of the contingency plan to interested personnel and affected parties. CC ID 12758 Communicate Preventive
    Disseminate and communicate business functions across multiple facilities separated by geographic separation, as necessary. CC ID 10662 Systems Continuity Preventive
    Disseminate and communicate processing activities across multiple facilities using geographic separation. CC ID 10663 Systems Continuity Preventive
    Disseminate and communicate electronic media storage devices across multiple facilities using geographic separation, as necessary. CC ID 10664 Systems Continuity Preventive
    Use out-of-band channels for the physical delivery or electronic transmission of information, as necessary. CC ID 10665 Systems Continuity Corrective
    Disseminate and communicate the continuity procedures to interested personnel and affected parties. CC ID 14055 Communicate Preventive
    Establish and maintain system continuity plan strategies for all in scope systems. CC ID 00735 Establish/Maintain Documentation Preventive
    Include technical preparation considerations for backup operations in the continuity plan. CC ID 01250 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain backup procedures for in scope systems. CC ID 01258
    [Backup copies of information, software and system images shall be taken and tested regularly in accordance with an agreed backup policy. A.12.3.1 Control]
    Systems Continuity Preventive
    Determine which data elements to back up. CC ID 13483 Data and Information Management Detective
    Document the backup method and backup frequency on a case-by-case basis in the backup procedures. CC ID 01384 Systems Continuity Preventive
    Establish and maintain off-site electronic media storage facilities. CC ID 00957 Physical and Environmental Protection Preventive
    Separate the off-site electronic media storage facilities from the primary facility through geographic separation. CC ID 01390 Testing Detective
    Configure the off-site electronic media storage facilities to utilize timely and effective recovery operations. CC ID 01392 Configuration Preventive
    Outline explicit mitigation actions for potential off-site electronic media storage facilities accessibility issues for when area-wide disruptions occur or area-wide disasters occur. CC ID 01393 Establish/Maintain Documentation Preventive
    Review the security of the off-site electronic media storage facilities, as necessary. CC ID 00573 Systems Continuity Detective
    Store backup media at an off-site electronic media storage facility. CC ID 01332 Data and Information Management Preventive
    Transport backup media in lockable electronic media storage containers. CC ID 01264 Data and Information Management Preventive
    Store backup media in a fire-rated container which is not collocated with the operational system. CC ID 14289 Systems Continuity Preventive
    Identify the access methods for backup media at both the primary facility and the off-site electronic media storage facility. CC ID 01257 Data and Information Management Preventive
    Store backup vital records in a manner that is accessible for emergency retrieval. CC ID 12765 Systems Continuity Preventive
    Perform backup procedures for in scope systems. CC ID 11692 Process or Activity Preventive
    Test backup media for media integrity and information integrity, as necessary. CC ID 01401
    [Backup copies of information, software and system images shall be taken and tested regularly in accordance with an agreed backup policy. A.12.3.1 Control]
    Testing Detective
    Test backup media at the alternate facility in addition to testing at the primary facility. CC ID 06375 Testing Detective
    Validate information security continuity controls regularly. CC ID 12008
    [The organization shall verify the established and implemented information security continuity controls at regular intervals in order to ensure that they are valid and effective during adverse situations. A.17.1.3 Control]
    Systems Continuity Preventive
  • Operational management
    438
    KEY:    Primary Verb     Primary Noun     Secondary Verb     Secondary Noun     Limiting Term
    Mandated - bold    Implied - italic    Implementation - regular TYPE CLASS
    Operational management CC ID 00805 IT Impact Zone IT Impact Zone
    Establish and implement a capacity management plan. CC ID 11751 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain future system capacity forecasting methods. CC ID 01617
    [The use of resources shall be monitored, tuned and projections made of future capacity requirements to ensure the required system performance. A.12.1.3 Control]
    Business Processes Preventive
    Align critical Information Technology resource availability planning with capacity planning. CC ID 01618 Business Processes Preventive
    Provide excess capacity or redundancy to limit any effects of a Denial of Service attack. CC ID 06754
    [Information processing facilities shall be implemented with redundancy sufficient to meet availability requirements. A.17.2.1 Control]
    Technical Security Preventive
    Implement network redundancy, as necessary. CC ID 13048 Systems Continuity Preventive
    Establish, implement, and maintain a Governance, Risk, and Compliance framework. CC ID 01406
    [The organization's information security management system shall include: documented information determined by the organization as being necessary for the effectiveness of the information security management system. § 7.5.1 ¶ 1 b)
    {identify and control} Documented information of external origin, determined by the organization to be necessary for the planning and operation of the information security management system, shall be identified as appropriate, and controlled. § 7.5.3 ¶ 3]
    Establish/Maintain Documentation Preventive
    Include enterprise architecture in the Governance, Risk, and Compliance framework. CC ID 13266 Establish/Maintain Documentation Preventive
    Acquire resources necessary to support Governance, Risk, and Compliance. CC ID 12861
    [{establish, implement, maintain} The organization shall determine and provide the resources needed for the establishment, implementation, maintenance and continual improvement of the information security management system. § 7.1 ¶ 1
    {establish, implement, maintain} The organization shall determine and provide the resources needed for the establishment, implementation, maintenance and continual improvement of the information security management system. § 7.1 ¶ 1]
    Acquisition/Sale of Assets or Services Preventive
    Integrate the use of technology in supporting the Governance, Risk, and Compliance capabilities. CC ID 12915 Process or Activity Preventive
    Evaluate the use of technology in supporting Governance, Risk, and Compliance capabilities. CC ID 12895 Process or Activity Preventive
    Analyze the effect of the Governance, Risk, and Compliance capability to achieve organizational objectives. CC ID 12809 Audits and Risk Management Preventive
    Assign accountability for maintaining the Governance, Risk, and Compliance framework. CC ID 12523 Human Resources Management Preventive
    Assign defining the program for disseminating and communicating the Governance, Risk, and Compliance framework. CC ID 12524 Human Resources Management Preventive
    Establish and maintain a positive information control environment. CC ID 00813
    [Top management shall demonstrate leadership and commitment with respect to the information security management system by: § 5.1 ¶ 1
    Top management shall demonstrate leadership and commitment with respect to the information security management system by: directing and supporting persons to contribute to the effectiveness of the information security management system; § 5.1 ¶ 1 f)]
    Business Processes Preventive
    Make compliance and governance decisions in a timely manner. CC ID 06490 Behavior Preventive
    Establish and maintain an internal control framework. CC ID 00820
    [The organization shall continually improve the suitability, adequacy and effectiveness of the information security management system. § 10.2 ¶ 1
    The organization shall establish, implement, maintain and continually improve an information security management system, in accordance with the requirements of this International Standard. § 4.4 ¶ 1]
    Establish/Maintain Documentation Preventive
    Review the relevance of information supporting internal controls. CC ID 12420 Business Processes Detective
    Assign ownership of the internal control framework to the appropriate organizational role. CC ID 06437 Establish Roles Preventive
    Assign resources to implement the internal control framework. CC ID 00816
    [Top management shall demonstrate leadership and commitment with respect to the information security management system by: ensuring that the resources needed for the information security management system are available; § 5.1 ¶ 1 c)
    When planning how to achieve its information security objectives, the organization shall determine: what resources will be required; § 6.2 ¶ 4 g)]
    Business Processes Preventive
    Assign the roles and responsibilities for interested personnel and affected parties when establishing, implementing, and maintaining the internal control framework. CC ID 07146 Establish Roles Preventive
    Establish and maintain a baseline of internal controls. CC ID 12415 Business Processes Preventive
    Leverage actionable information to support internal controls. CC ID 12414 Business Processes Preventive
    Include procedures for continuous quality improvement in the internal control framework. CC ID 00819
    [The management review shall include consideration of opportunities for style="background-color:#F0BBBC;" class="term_primary-noun">continual improvement. § 9.3 ¶ 2 f)
    Top management shall demonstrate leadership and commitment with respect to the information security management system by: promoting continual improvement; and § 5.1 ¶ 1 g)
    The outputs of the management review shall include decisions related to continual improvement opportunities and any needs for changes to the information security management system. § 9.3 ¶ 3
    The organization shall establish, implement, maintain and continually improve an information security management system, in accordance with the requirements of this International Standard. § 4.4 ¶ 1]
    Establish/Maintain Documentation Preventive
    Include continuous service account management procedures in the internal control framework. CC ID 13860 Establish/Maintain Documentation Preventive
    Include threat assessment in the internal control framework. CC ID 01347 Establish/Maintain Documentation Preventive
    Automate threat assessments, as necessary. CC ID 06877 Configuration Preventive
    Include vulnerability management and risk assessment in the internal control framework. CC ID 13102 Establish/Maintain Documentation Preventive
    Automate vulnerability management, as necessary. CC ID 11730 Configuration Preventive
    Include personnel security procedures in the internal control framework. CC ID 01349 Establish/Maintain Documentation Preventive
    Include continuous security warning monitoring procedures in the internal control framework. CC ID 01358 Establish/Maintain Documentation Preventive
    Include incident alert thresholds in the continuous security warning monitoring procedures. CC ID 13205 Establish/Maintain Documentation Preventive
    Include security information sharing procedures in the internal control framework. CC ID 06489 Establish/Maintain Documentation Preventive
    Share relevant security information with Special Interest Groups, as necessary. CC ID 11732
    [Appropriate contacts with special interest groups or other specialist security forums and professional associations shall be maintained. A.6.1.4 Control]
    Communicate Preventive
    Evaluate information sharing partners, as necessary. CC ID 12749 Process or Activity Preventive
    Include security incident response procedures in the internal control framework. CC ID 01359
    [{management procedures} Management responsibilities and procedures shall be established to ensure a quick, effective and orderly response to information security incidents. A.16.1.1 Control]
    Establish/Maintain Documentation Preventive
    Include incident response escalation procedures in the internal control framework. CC ID 11745 Establish/Maintain Documentation Preventive
    Include continuous user account management procedures in the internal control framework. CC ID 01360 Establish/Maintain Documentation Preventive
    Include emergency response procedures in the internal control framework. CC ID 06779 Establish/Maintain Documentation Detective
    Authorize and document all exceptions to the internal control framework. CC ID 06781 Establish/Maintain Documentation Preventive
    Review the internal control framework, as necessary. CC ID 01348 Establish/Maintain Documentation Detective
    Measure policy compliance when reviewing the internal control framework. CC ID 06442
    [Managers shall regularly review the compliance of information processing and procedures within their area of responsibility with the appropriate security policies, standards and any other security requirements. A.18.2.2 Control
    Managers shall regularly review the compliance of information processing and procedures within their area of responsibility with the appropriate security policies, standards and any other security requirements. A.18.2.2 Control]
    Actionable Reports or Measurements Corrective
    Establish and maintain an information security program. CC ID 00812 Establish/Maintain Documentation Preventive
    Include physical safeguards in the information security program. CC ID 12375 Establish/Maintain Documentation Preventive
    Include technical safeguards in the information security program. CC ID 12374 Establish/Maintain Documentation Preventive
    Include administrative safeguards in the information security program. CC ID 12373 Establish/Maintain Documentation Preventive
    Include system development in the information security program. CC ID 12389 Establish/Maintain Documentation Preventive
    Include system maintenance in the information security program. CC ID 12388 Establish/Maintain Documentation Preventive
    Include system acquisition in the information security program. CC ID 12387 Establish/Maintain Documentation Preventive
    Include access control in the information security program. CC ID 12386 Establish/Maintain Documentation Preventive
    Review and approve access controls, as necessary. CC ID 13074 Process or Activity Detective
    Include operations management in the information security program. CC ID 12385 Establish/Maintain Documentation Preventive
    Include communication management in the information security program. CC ID 12384 Establish/Maintain Documentation Preventive
    Include environmental security in the information security program. CC ID 12383 Establish/Maintain Documentation Preventive
    Include physical security in the information security program. CC ID 12382 Establish/Maintain Documentation Preventive
    Include human resources security in the information security program. CC ID 12381 Establish/Maintain Documentation Preventive
    Include asset management in the information security program. CC ID 12380 Establish/Maintain Documentation Preventive
    Include a continuous monitoring program in the information security program. CC ID 14323 Establish/Maintain Documentation Preventive
    Include how the information security department is organized in the information security program. CC ID 12379 Establish/Maintain Documentation Preventive
    Include risk management in the information security program. CC ID 12378 Establish/Maintain Documentation Preventive
    Include mitigating supply chain risks in the information security program. CC ID 13352 Establish/Maintain Documentation Preventive
    Provide management direction and support for the information security program. CC ID 11999 Process or Activity Preventive
    Monitor and review the effectiveness of the information security program. CC ID 12744
    [The organization shall evaluate the information security performance and the effectiveness of the information security management system. § 9.1 ¶ 1]
    Monitor and Evaluate Occurrences Preventive
    Establish and maintain an information security policy. CC ID 11740
    [A set of policies for information security shall be defined, approved by management, published and communicated to employees and relevant external parties. A.5.1.1 Control
    A set of policies for information security shall be defined, approved by management, published and communicated to employees and relevant external parties. A.5.1.1 Control
    Top management shall establish an information security policy that: § 5.2 ¶ 1
    Top management shall establish an information security policy that: is appropriate to the purpose of the organization; § 5.2 ¶ 1 a)
    The information security policy shall: be available as documented information; § 5.2 ¶ 2 e)
    The organization shall plan, implement and control the processes needed to meet information security requirements, and to implement the actions determined in 6.1. The organization shall also implement plans to achieve information security objectives determined in 6.2. § 8.1 ¶ 1
    Top management shall demonstrate leadership and commitment with respect to the information security management system by: ensuring the information security policy and the information security objectives are established and are compatible with the strategic direction of the organization; § 5.1 ¶ 1 a)]
    Establish/Maintain Documentation Preventive
    Align the information security policy with the organization's risk acceptance level. CC ID 13042 Business Processes Preventive
    Include a commitment to the information security requirements in the information security policy. CC ID 13496
    [Top management shall establish an information security policy that: includes a commitment to satisfy applicable requirements related to information security; and § 5.2 ¶ 1 c)]
    Establish/Maintain Documentation Preventive
    Include information security objectives in the information security policy. CC ID 13493
    [Top management shall establish an information security policy that: includes information security objectives (see 6.2) or provides the framework for setting information security objectives; § 5.2 ¶ 1 b)]
    Establish/Maintain Documentation Preventive
    Include the use of Cloud Services in the information security policy. CC ID 13146 Establish/Maintain Documentation Preventive
    Review and update the information security policy, as necessary. CC ID 11741
    [The policies for information security shall be reviewed at planned intervals or if significant changes occur to ensure their continuing suitability, adequacy and effectiveness. A.5.1.2 Control
    Top management shall establish an information security policy that: includes a commitment to continual improvement of the information security management system. § 5.2 ¶ 1 d)]
    Establish/Maintain Documentation Corrective
    Review the information security procedures, as necessary. CC ID 12006 Business Processes Preventive
    Approve the information security policy at the organization's management level or higher. CC ID 11737
    [A set of policies for information security shall be defined, approved by management, published and communicated to employees and relevant external parties. A.5.1.1 Control]
    Process or Activity Preventive
    Document the roles and responsibilities for all activities that protect restricted data in the information security procedures. CC ID 12304 Establish/Maintain Documentation Preventive
    Describe the group activities that protect restricted data in the information security procedures. CC ID 12294 Establish/Maintain Documentation Preventive
    Assign ownership of the information security program to the appropriate role. CC ID 00814 Establish Roles Preventive
    Assign the responsibility for establishing, implementing, and maintaining the information security program to the appropriate role. CC ID 11884
    [Top management shall assign the responsibility and authority for: ensuring that the information security management system conforms to the requirements of this International Standard; and § 5.3 ¶ 2 a)]
    Human Resources Management Preventive
    Assign information security responsibilities to interested personnel and affected parties in the information security program. CC ID 11885
    [All information security responsibilities shall be defined and allocated. A.6.1.1 Control
    All information security responsibilities shall be defined and allocated. A.6.1.1 Control
    {information security roles and responsibilities} Top management shall ensure that the responsibilities and authorities for roles relevant to information security are assigned and communicated. § 5.3 ¶ 1
    When planning how to achieve its information security objectives, the organization shall determine: who will be responsible; § 6.2 ¶ 4 h)]
    Establish/Maintain Documentation Preventive
    Assign the responsibility for distributing the information security program to the appropriate role. CC ID 11883 Human Resources Management Preventive
    Disseminate and communicate the information security policy to interested personnel and affected parties. CC ID 11739
    [A set of policies for information security shall be defined, approved by management, published and communicated to employees and relevant external parties. A.5.1.1 Control
    Top management shall demonstrate leadership and commitment with respect to the information security management system by: communicating the importance of effective information security management and of conforming to the information security management system requirements; § 5.1 ¶ 1 d)
    The information security policy shall: be communicated within the organization; and § 5.2 ¶ 2 f)
    The information security policy shall: be available to interested parties, as appropriate. § 5.2 ¶ 2 g)
    Persons doing work under the organization's control shall be aware of: the information security policy; § 7.3 ¶ 1 a)]
    Communicate Preventive
    Establish and maintain a social media governance program. CC ID 06536 Establish/Maintain Documentation Preventive
    Refrain from requiring supervision when users are accessing social media applications. CC ID 14011 Business Processes Preventive
    Refrain from requiring users to disclose social media account usernames or passwords. CC ID 14009 Business Processes Preventive
    Refrain from accepting instant messages from unknown senders. CC ID 12537 Behavior Preventive
    Include instant messaging, texting, and tweeting in the social media acceptable use policy. CC ID 04578 Establish/Maintain Documentation Preventive
    Include explicit restrictions in the social media acceptable use policy. CC ID 06655 Establish/Maintain Documentation Preventive
    Include contributive content sites in the social media acceptable use policy. CC ID 06656 Establish/Maintain Documentation Preventive
    Establish and maintain operational control procedures. CC ID 00831 Establish/Maintain Documentation Preventive
    Include assigning and approving operations in operational control procedures. CC ID 06382 Establish/Maintain Documentation Preventive
    Include startup processes in operational control procedures. CC ID 00833 Establish/Maintain Documentation Preventive
    Review and update the operational control procedures, as necessary. CC ID 14278 Establish/Maintain Documentation Corrective
    Establish and maintain a data processing run manual. CC ID 00832 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain a Standard Operating Procedures Manual. CC ID 00826
    [Operating procedures shall be documented and made available to all users who need them. A.12.1.1 Control]
    Establish/Maintain Documentation Preventive
    Include information sharing procedures in standard operating procedures. CC ID 12974 Records Management Preventive
    Adhere to operating procedures as defined in the Standard Operating Procedures Manual. CC ID 06328 Business Processes Preventive
    Update operating procedures that contribute to user errors. CC ID 06935 Establish/Maintain Documentation Corrective
    Disseminate and communicate the Standard Operating Procedures Manual to all interested personnel and affected parties. CC ID 12026
    [Operating procedures shall be documented and made available to all users who need them. A.12.1.1 Control]
    Communicate Preventive
    Establish and maintain a job scheduling methodology. CC ID 00834 Establish/Maintain Documentation Preventive
    Establish and maintain a job schedule exceptions list. CC ID 00835 Establish/Maintain Documentation Preventive
    Establish and maintain a data processing continuity plan. CC ID 00836 Establish/Maintain Documentation Preventive
    Establish and maintain Voice over Internet Protocol operating procedures. CC ID 04583 Establish/Maintain Documentation Preventive
    Establish and maintain an Acceptable Use Policy. CC ID 01350
    [Rules for the acceptable use of information and of assets associated with information and information processing facilities shall be identified, documented and implemented. A.8.1.3 Control]
    Establish/Maintain Documentation Preventive
    Include that explicit management authorization must be given for the use of all technologies and their documentation in the Acceptable Use Policy. CC ID 01351 Establish/Maintain Documentation Preventive
    Include requiring users to protect restricted data in accordance with the Governance, Risk, and Compliance framework in the Acceptable Use Policy. CC ID 11894 Establish/Maintain Documentation Preventive
    Include Bring Your Own Device usage in the Acceptable Use Policy. CC ID 12293 Establish/Maintain Documentation Preventive
    Include Bring Your Own Device security guidelines in the Acceptable Use Policy. CC ID 01352 Establish/Maintain Documentation Preventive
    Include asset tags in the Acceptable Use Policy. CC ID 01354 Establish/Maintain Documentation Preventive
    Include asset use policies in the Acceptable Use Policy. CC ID 01355
    [Rules for the acceptable use of information and of assets associated with information and information processing facilities shall be identified, documented and implemented. A.8.1.3 Control]
    Establish/Maintain Documentation Preventive
    Include authority for access authorization lists for assets in all relevant Acceptable Use Policies. CC ID 11872 Establish/Maintain Documentation Preventive
    Include access control mechanisms in the Acceptable Use Policy. CC ID 01353 Establish/Maintain Documentation Preventive
    Include temporary activation of remote access technologies for third parties in the Acceptable Use Policy. CC ID 11892 Technical Security Preventive
    Include prohibiting, copying, or moving of restricted data from its original source onto local hard drives or removable storage media in the Acceptable Use Policy. CC ID 11893 Establish/Maintain Documentation Preventive
    Include a removable storage media use policy in the Acceptable Use Policy. CC ID 06772 Data and Information Management Preventive
    Correlate the Acceptable Use Policy with the network security policy. CC ID 01356 Establish/Maintain Documentation Preventive
    Include appropriate network locations for each technology in the Acceptable Use Policy. CC ID 11881 Establish/Maintain Documentation Preventive
    Correlate the Acceptable Use Policy with the approved product list. CC ID 01357 Establish/Maintain Documentation Preventive
    Include facility access and facility use in the Acceptable Use Policy. CC ID 06441 Establish/Maintain Documentation Preventive
    Include disciplinary actions in the Acceptable Use Policy. CC ID 00296 Establish/Maintain Documentation Corrective
    Include a software installation policy in the Acceptable Use Policy. CC ID 06749
    [Procedures shall be implemented to control the installation of software on operational systems. A.12.5.1 Control
    Rules governing the installation of software by users shall be established and implemented. A.12.6.2 Control]
    Establish/Maintain Documentation Preventive
    Document idle session termination and logout for remote access technologies in the Acceptable Use Policy. CC ID 12472 Establish/Maintain Documentation Preventive
    Disseminate and communicate the Acceptable Use Policy to all interested personnel and affected parties. CC ID 12431 Communicate Preventive
    Review and update the acceptable use policy, as necessary. CC ID 14276 Establish/Maintain Documentation Corrective
    Require interested personnel and affected parties to sign Acceptable Use Policies. CC ID 06661 Establish/Maintain Documentation Preventive
    Require interested personnel and affected parties to re-sign Acceptable Use Policies, as necessary. CC ID 06663 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain an Intellectual Property Right program. CC ID 00821 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain domain name registration and renewal procedures. CC ID 07075 Business Processes Preventive
    Establish and maintain Intellectual Property Rights protection procedures. CC ID 11512
    [Appropriate procedures shall be implemented to ensure compliance with legislative, regulatory and contractual requirements related to intellectual property rights and use of proprietary software products. A.18.1.2 Control]
    Establish/Maintain Documentation Preventive
    Protect against circumvention of the organization's Intellectual Property Rights. CC ID 11513 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain an e-mail policy. CC ID 06439 Establish/Maintain Documentation Preventive
    Include business use of personal e-mail in the e-mail policy. CC ID 14381 Establish/Maintain Documentation Preventive
    Identify the sender in all electronic messages. CC ID 13996 Data and Information Management Preventive
    Protect policies, standards, and procedures from unauthorized modification or disclosure. CC ID 10603 Establish/Maintain Documentation Preventive
    Establish and maintain nondisclosure agreements. CC ID 04536
    [{confidentiality agreements} {identified and documented} Requirements for confidentiality or non-disclosure agreements reflecting the organization’s needs for the protection of information shall be identified, regularly reviewed and documented. A.13.2.4 Control]
    Establish/Maintain Documentation Preventive
    Require interested personnel and affected parties to sign nondisclosure agreements. CC ID 06667 Establish/Maintain Documentation Preventive
    Require interested personnel and affected parties to re-sign nondisclosure agreements, as necessary. CC ID 06669 Establish/Maintain Documentation Preventive
    Review nondisclosure agreements, as necessary. CC ID 12437
    [{confidentiality agreements} {identified and documented} Requirements for confidentiality or non-disclosure agreements reflecting the organization’s needs for the protection of information shall be identified, regularly reviewed and documented. A.13.2.4 Control]
    Human Resources Management Preventive
    Establish and maintain a use of information agreement. CC ID 06215 Establish/Maintain Documentation Preventive
    Include use limitations in the use of information agreement. CC ID 06244 Establish/Maintain Documentation Preventive
    Include disclosure requirements in the use of information agreement. CC ID 11735 Establish/Maintain Documentation Preventive
    Include information recipients in the use of information agreement. CC ID 06245 Establish/Maintain Documentation Preventive
    Include reporting out of scope use of information in the use of information agreement. CC ID 06246 Establish/Maintain Documentation Preventive
    Include disclosure of information in the use of information agreement. CC ID 11830 Establish/Maintain Documentation Preventive
    Include information security procedures assigned to the information recipient in the use of information agreement. CC ID 07130 Establish/Maintain Documentation Preventive
    Include information security procedures assigned to the originator in the use of information agreement. CC ID 14418 Establish/Maintain Documentation Preventive
    Include a do not contact rule for the individuals identified in a data set in the use of information agreement. CC ID 07131 Establish/Maintain Documentation Preventive
    Include the information recipient's third parties accepting the agreement in the use of information agreement. CC ID 07132 Establish/Maintain Documentation Preventive
    Implement and comply with the Governance, Risk, and Compliance framework. CC ID 00818 Business Processes Preventive
    Analyze how policies used to create management boundaries relates to the Governance, Risk, and Compliance approach. CC ID 12821 Process or Activity Preventive
    Analyze how the organization sets limits in policies relating to the Governance, Risk, and Compliance approach. CC ID 12819 Process or Activity Preventive
    Analyze how the Board of Directors' and senior management's tone influences the Governance, Risk, and Compliance approach. CC ID 12818 Process or Activity Preventive
    Analyze the degree to which the governing body is engaged in the Governance, Risk, and Compliance approach. CC ID 12817 Process or Activity Preventive
    Analyze the Governance, Risk, and Compliance approach. CC ID 12816 Process or Activity Preventive
    Analyze the organizational culture. CC ID 12899 Process or Activity Preventive
    Include individual commitment to the organization's Governance, Risk, and Compliance framework in the analysis of the organizational culture. CC ID 12922 Process or Activity Detective
    Include the organizational climate in the analysis of the organizational culture. CC ID 12921 Process or Activity Detective
    Include consistency of leadership actions to mission, vision, and values in the analysis of the organizational culture. CC ID 12920 Process or Activity Detective
    Include employee engagement in the analysis of the organizational culture. CC ID 12914 Behavior Preventive
    Include skill development in the analysis of the organizational culture. CC ID 12913 Behavior Preventive
    Include employee turnover rates in the analysis of the organizational culture. CC ID 12912 Behavior Preventive
    Include employee loyalty in the analysis of the organizational culture. CC ID 12911 Behavior Preventive
    Include employee satisfaction in the analysis of the organizational culture. CC ID 12910 Behavior Preventive
    Establish and maintain consequences for non-compliance with the organizational compliance framework. CC ID 11747
    [When a nonconformity occurs, the organization shall: react to the nonconformity, and as applicable: deal with the consequences; § 10.1 ¶ 1 a) 2)]
    Process or Activity Corrective
    Comply with all implemented policies in the organization's compliance framework. CC ID 06384
    [Top management shall demonstrate leadership and commitment with respect to the information security management system by: communicating the importance of effective information security management and of conforming to the information security management system requirements; § 5.1 ¶ 1 d)]
    Establish/Maintain Documentation Preventive
    Provide assurance to interested personnel and affected parties that the Governance, Risk, and Compliance capability is reliable, effective, efficient, and responsive. CC ID 12788 Communicate Preventive
    Review systems for compliance with organizational information security policies. CC ID 12004
    [{information security standard} Information systems shall be regularly reviewed for compliance with the organization’s information security policies and standards. A.18.2.3 Control]
    Business Processes Preventive
    Disseminate and communicate the Governance, Risk, and Compliance framework to all interested personnel and affected parties. CC ID 00815
    [For the control of documented information, the organization shall address the following activities, as applicable: distribution, access, retrieval and use; § 7.5.3 ¶ 2 c)]
    Behavior Preventive
    Review and update the Governance, Risk, and Compliance framework, as necessary. CC ID 00817
    [When creating and updating documented information the organization shall ensure appropriate: review and approval for suitability and adequacy § 7.5.2 ¶ 1 c)]
    Establish/Maintain Documentation Corrective
    Disseminate and communicate updates to the Governance, Risk, and Compliance framework to interested personnel and affected parties, as necessary. CC ID 06955 Behavior Preventive
    Establish and maintain a prioritized plan for updating the Governance, Risk, and Compliance framework. CC ID 12853 Establish/Maintain Documentation Preventive
    Implement the prioritized plan for updating the Governance, Risk, and Compliance framework. CC ID 12791 Establish/Maintain Documentation Preventive
    Establish and maintain an Asset Management program. CC ID 06630
    [Procedures for handling assets shall be developed and implemented in accordance with the information classification scheme adopted by the organization. A.8.2.3 Control]
    Business Processes Preventive
    Assign an information owner to organizational assets, as necessary. CC ID 12729 Human Resources Management Preventive
    Include program objectives in the asset management program. CC ID 14413 Establish/Maintain Documentation Preventive
    Include a commitment to continual improvement in the asset management program. CC ID 14412 Establish/Maintain Documentation Preventive
    Include compliance with applicable requirements in the asset management program. CC ID 14411 Establish/Maintain Documentation Preventive
    Establish and apply classification schemes for all systems and assets. CC ID 01902 Establish/Maintain Documentation Preventive
    Apply security controls to each level of the information classification standard. CC ID 01903 Systems Design, Build, and Implementation Preventive
    Establish and maintain the systems' confidentiality level. CC ID 01904 Establish/Maintain Documentation Preventive
    Define confidentiality controls. CC ID 01908 Establish/Maintain Documentation Preventive
    Establish and maintain the systems' availability level. CC ID 01905 Establish/Maintain Documentation Preventive
    Restrict unscheduled downtime in order to maintain high availability for critical systems. CC ID 12742 Process or Activity Preventive
    Define integrity controls. CC ID 01909 Establish/Maintain Documentation Preventive
    Establish and maintain the systems' integrity level. CC ID 01906 Establish/Maintain Documentation Preventive
    Define availability controls. CC ID 01911 Establish/Maintain Documentation Preventive
    Establish safety classifications for systems according to their potential harmful effects to operators or end users. CC ID 06603 Establish/Maintain Documentation Preventive
    Establish and maintain an asset safety classification scheme. CC ID 06604 Establish/Maintain Documentation Preventive
    Document and disseminate and communicate the Asset Classification Policy. CC ID 06642 Establish/Maintain Documentation Preventive
    Classify assets according to the Asset Classification Policy. CC ID 07186 Establish Roles Preventive
    Document the decision for assigning an asset to a specific asset classification in the Asset Classification Policy. CC ID 07185 Establish/Maintain Documentation Preventive
    Apply asset protection mechanisms for all assets according to their assigned Asset Classification Policy. CC ID 07184 Establish Roles Preventive
    Disallow systems from processing information, disseminating and communicating information, or storing information that is above the system's assigned asset classification. CC ID 06606 Configuration Preventive
    Assign decomposed system components the same asset classification as the originating system. CC ID 06605 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain an asset inventory. CC ID 06631 Business Processes Preventive
    Link the authentication system to the asset inventory. CC ID 13718 Technical Security Preventive
    Establish and maintain an Information Technology inventory with asset discovery audit trails. CC ID 00689
    [Assets associated with information and information processing facilities shall be identified and an inventory of these assets shall be drawn up and maintained. A.8.1.1 Control]
    Establish/Maintain Documentation Preventive
    Include all account types in the Information Technology inventory. CC ID 13311 Establish/Maintain Documentation Preventive
    Include each Information System's system boundaries in the Information Technology inventory. CC ID 00695 Systems Design, Build, and Implementation Preventive
    Identify processes, Information Systems, and third parties that transmit, process, or store personal data. CC ID 06289 Data and Information Management Preventive
    Include each Information System's major applications in the Information Technology inventory. CC ID 01407 Establish/Maintain Documentation Preventive
    Categorize all major applications according to the business information they process. CC ID 07182 Establish/Maintain Documentation Preventive
    Document the resources, hazards, and Evaluation Assurance Levels for each major application. CC ID 01164 Establish/Maintain Documentation Preventive
    Include the General Support Systems and security support structure in the Information Technology inventory. CC ID 01408 Establish/Maintain Documentation Preventive
    Include each Information System's minor applications in the Information Technology inventory. CC ID 01409 Establish/Maintain Documentation Preventive
    Conduct environmental surveys. CC ID 00690 Physical and Environmental Protection Preventive
    Categorize facilities in the Information Technology inventory according to their environmental risks. CC ID 06729 Establish/Maintain Documentation Preventive
    Establish and maintain a hardware asset inventory. CC ID 00691 Establish/Maintain Documentation Preventive
    Include network equipment in the Information Technology inventory. CC ID 00693 Establish/Maintain Documentation Preventive
    Include mobile devices that store restricted data or restricted information in the Information Technology inventory. CC ID 04719 Establish/Maintain Documentation Preventive
    Include interconnected systems and Software as a Service in the Information Technology inventory. CC ID 04885 Process or Activity Preventive
    Include software in the Information Technology inventory. CC ID 00692 Establish/Maintain Documentation Preventive
    Establish and maintain a list of authorized software and versions required for each system. CC ID 12093 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain a storage media inventory. CC ID 00694 Establish/Maintain Documentation Preventive
    Include all electronic storage media containing restricted data or restricted information in the storage media inventory. CC ID 00962 Establish/Maintain Documentation Detective
    Establish, implement, and maintain a records inventory and database inventory. CC ID 01260 Establish/Maintain Documentation Preventive
    Add inventoried assets to the asset register database, as necessary. CC ID 07051 Establish/Maintain Documentation Preventive
    Identify discrepancies between the asset register database and the Information Technology inventory, as necessary. CC ID 07052 Monitor and Evaluate Occurrences Corrective
    Investigate and resolve discrepancies between the asset register database and the Information Technology inventory. CC ID 07053 Monitor and Evaluate Occurrences Corrective
    Organize the asset register database by grouping objects according to an organizational information classification standard. CC ID 07181 Establish/Maintain Documentation Preventive
    Assign ownership of maintaining the asset inventory, as necessary. CC ID 12344 Human Resources Management Preventive
    Employ Dynamic Host Configuration Protocol server logging to detect systems not in the asset inventory. CC ID 12110 Technical Security Detective
    Record software license information for each asset in the asset inventory. CC ID 11736 Data and Information Management Preventive
    Record services for applicable assets in the asset inventory. CC ID 13733 Establish/Maintain Documentation Preventive
    Record protocols for applicable assets in the asset inventory. CC ID 13734 Establish/Maintain Documentation Preventive
    Record the software version in the asset inventory. CC ID 12196 Establish/Maintain Documentation Preventive
    Record the publisher for applicable assets in the asset inventory. CC ID 13725 Establish/Maintain Documentation Preventive
    Record the authentication system in the asset inventory. CC ID 13724 Establish/Maintain Documentation Preventive
    Tag unsupported assets in the asset inventory. CC ID 13723 Establish/Maintain Documentation Preventive
    Record the install date for applicable assets in the asset inventory. CC ID 13720 Establish/Maintain Documentation Preventive
    Record the make, model of device for applicable assets in the asset inventory. CC ID 12465 Establish/Maintain Documentation Preventive
    Record the asset tag for physical assets in the asset inventory. CC ID 06632 Establish/Maintain Documentation Preventive
    Record the host name of applicable assets in the asset inventory. CC ID 13722 Establish/Maintain Documentation Preventive
    Record network ports for applicable assets in the asset inventory. CC ID 13730 Establish/Maintain Documentation Preventive
    Record the MAC address for applicable assets in the asset inventory. CC ID 13721 Establish/Maintain Documentation Preventive
    Record the operating system version for applicable assets in the asset inventory. CC ID 11748 Data and Information Management Preventive
    Record the operating system type for applicable assets in the asset inventory. CC ID 06633 Establish/Maintain Documentation Preventive
    Record the department associated with the asset in the asset inventory. CC ID 12084 Establish/Maintain Documentation Preventive
    Record the physical location for applicable assets in the asset inventory. CC ID 06634 Establish/Maintain Documentation Preventive
    Record the manufacturer's serial number for applicable assets in the asset inventory. CC ID 06635 Establish/Maintain Documentation Preventive
    Record the firmware version for applicable assets in the asset inventory. CC ID 12195 Establish/Maintain Documentation Preventive
    Record the related business function for applicable assets in the asset inventory. CC ID 06636 Establish/Maintain Documentation Preventive
    Record the deployment environment for applicable assets in the asset inventory. CC ID 06637 Establish/Maintain Documentation Preventive
    Record the Internet Protocol address for applicable assets in the asset inventory. CC ID 06638 Establish/Maintain Documentation Preventive
    Link the software asset inventory to the hardware asset inventory. CC ID 12085 Establish/Maintain Documentation Preventive
    Record the owner for applicable assets in the asset inventory. CC ID 06640
    [Assets maintained in the inventory shall be owned. A.8.1.2 Control]
    Establish/Maintain Documentation Preventive
    Record all changes to assets in the asset inventory. CC ID 12190 Establish/Maintain Documentation Preventive
    Record cloud service derived data in the asset inventory. CC ID 13007 Establish/Maintain Documentation Preventive
    Include cloud service customer data in the asset inventory. CC ID 13006 Establish/Maintain Documentation Preventive
    Establish and maintain a software accountability policy. CC ID 00868 Establish/Maintain Documentation Preventive
    Establish and maintain software asset management procedures. CC ID 00895 Establish/Maintain Documentation Preventive
    Establish and maintain software archives procedures. CC ID 00866 Establish/Maintain Documentation Preventive
    Establish and maintain software distribution procedures. CC ID 00894 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain software documentation management procedures. CC ID 06395 Establish/Maintain Documentation Preventive
    Establish and maintain software license management procedures. CC ID 06639
    [Appropriate procedures shall be implemented to ensure compliance with legislative, regulatory and contractual requirements related to intellectual property rights and use of proprietary software products. A.18.1.2 Control]
    Establish/Maintain Documentation Preventive
    Automate software license monitoring, as necessary. CC ID 07057 Monitor and Evaluate Occurrences Preventive
    Establish, implement, and maintain a system redeployment program. CC ID 06276 Establish/Maintain Documentation Preventive
    Test systems for malicious code prior to when the system will be redeployed. CC ID 06339 Testing Detective
    Notify organizational unit leaders prior to when the system is redeployed or the system is disposed. CC ID 06400 Behavior Preventive
    Wipe all data on systems prior to when the system is redeployed or the system is disposed. CC ID 06401 Data and Information Management Preventive
    Transfer legal ownership of assets when the system is redeployed to a third party. CC ID 06698 Acquisition/Sale of Assets or Services Preventive
    Document the staff's operating knowledge of the system prior to a personnel status change. CC ID 06937 Establish/Maintain Documentation Preventive
    Redeploy systems to other organizational units, as necessary. CC ID 11452 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain a system disposal program. CC ID 14431 Establish/Maintain Documentation Preventive
    Establish and maintain a system preventive maintenance program. CC ID 00885
    [Equipment shall be correctly maintained to ensure its continued availability and integrity. A.11.2.4 Control]
    Establish/Maintain Documentation Preventive
    Establish and maintain maintenance reports. CC ID 11749 Establish/Maintain Documentation Preventive
    Establish and maintain system inspection reports. CC ID 06346 Establish/Maintain Documentation Preventive
    Review maintenance reports. CC ID 10612 Establish/Maintain Documentation Corrective
    Establish, implement, and maintain a system maintenance policy. CC ID 14032 Establish/Maintain Documentation Preventive
    Include compliance requirements in the system maintenance policy. CC ID 14217 Establish/Maintain Documentation Preventive
    Include management commitment in the system maintenance policy. CC ID 14216 Establish/Maintain Documentation Preventive
    Include roles and responsibilities in the system maintenance policy. CC ID 14215 Establish/Maintain Documentation Preventive
    Include the scope in the system maintenance policy. CC ID 14214 Establish/Maintain Documentation Preventive
    Disseminate and communicate the system maintenance policy to interested personnel and affected parties. CC ID 14213 Communicate Preventive
    Review and update the system maintenance policy. CC ID 14193 Establish/Maintain Documentation Corrective
    Include the purpose in the system maintenance policy. CC ID 14187 Establish/Maintain Documentation Preventive
    Include coordination amongst entities in the system maintenance policy. CC ID 14181 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain system maintenance procedures. CC ID 14059 Establish/Maintain Documentation Preventive
    Disseminate and communicate the system maintenance procedures to interested personnel and affected parties. CC ID 14194 Communicate Preventive
    Review and update the system maintenance procedures, as necessary. CC ID 14178 Establish/Maintain Documentation Corrective
    Include a technology refresh plan in the system preventive maintenance program. CC ID 13061 Establish/Maintain Documentation Preventive
    Plan and conduct maintenance so that it does not interfere with scheduled operations. CC ID 06389 Physical and Environmental Protection Preventive
    Maintain contact with the device manufacturer or component manufacturer for maintenance requests. CC ID 06388 Behavior Preventive
    Replace system components when third party support is no longer available. CC ID 10644 Maintenance Preventive
    Obtain justification for the continued use of system components when third party support is no longer available. CC ID 10645 Maintenance Preventive
    Control and monitor all maintenance tools. CC ID 01432 Physical and Environmental Protection Detective
    Obtain approval before removing maintenance tools from the facility. CC ID 14298 Business Processes Preventive
    Control remote maintenance according to the system's asset classification. CC ID 01433 Technical Security Preventive
    Separate remote maintenance sessions from other network sessions with a logically separate communications path based upon encryption. CC ID 10614 Configuration Preventive
    Approve all remote maintenance sessions. CC ID 10615 Technical Security Preventive
    Log the performance of all remote maintenance. CC ID 13202 Log Management Preventive
    Terminate remote maintenance sessions when the remote maintenance is complete. CC ID 12083 Technical Security Preventive
    Conduct maintenance with authorized personnel. CC ID 01434 Testing Detective
    Disconnect non-volatile media from information systems prior to performing maintenance with uncleared personnel. CC ID 14295 Maintenance Preventive
    Sanitize volatile media in information systems prior to performing maintenance with uncleared personnel. CC ID 14291 Maintenance Preventive
    Respond to maintenance requests inside the organizationally established time frame. CC ID 04878 Behavior Preventive
    Establish and maintain an archive of maintenance reports in a maintenance log. CC ID 06202 Establish/Maintain Documentation Preventive
    Acquire spare parts prior to when maintenance requests are scheduled. CC ID 11833 Acquisition/Sale of Assets or Services Preventive
    Perform periodic maintenance according to organizational standards. CC ID 01435 Behavior Preventive
    Remove components being serviced from the information system prior to performing maintenance. CC ID 14251 Maintenance Preventive
    Employ dedicated systems during system maintenance. CC ID 12108 Technical Security Preventive
    Isolate dedicated systems used for system maintenance from Internet access. CC ID 12114 Technical Security Preventive
    Control granting access to third parties performing maintenance on organizational assets. CC ID 11873 Human Resources Management Preventive
    Identify and authenticate third parties prior to granting access to maintain assets. CC ID 11874 Physical and Environmental Protection Preventive
    Calibrate assets according to the calibration procedures for the asset. CC ID 06203 Testing Detective
    Post calibration limits or calibration tolerances on or near assets requiring calibration. CC ID 06204 Establish/Maintain Documentation Preventive
    Implement automated mechanisms to transfer predictive maintenance data to a maintenance management system. CC ID 10616 Process or Activity Preventive
    Refrain from protecting physical assets when no longer required. CC ID 13484 Physical and Environmental Protection Corrective
    Disassemble and shut down unnecessary systems or unused systems. CC ID 06280 Business Processes Preventive
    Dispose of hardware and software at their life cycle end. CC ID 06278 Business Processes Preventive
    Refrain from placing assets being disposed into organizational dumpsters. CC ID 12200 Business Processes Preventive
    Establish and maintain disposal contracts, as necessary. CC ID 12199 Establish/Maintain Documentation Preventive
    Include disposal procedures in disposal contracts. CC ID 13905 Establish/Maintain Documentation Preventive
    Remove asset tags prior to disposal of an asset. CC ID 12198 Business Processes Preventive
    Document the storage information for all systems that are stored instead of being disposed or redeployed. CC ID 06936 Establish/Maintain Documentation Preventive
    Test for detrimental environmental factors after a system is disposed. CC ID 06938 Testing Detective
    Review each system's operational readiness. CC ID 06275
    [Top management shall review the organization's information security management system at planned intervals to ensure its continuing suitability, adequacy and effectiveness. § 9.3 ¶ 1]
    Systems Design, Build, and Implementation Preventive
    Establish and maintain a data stewardship policy. CC ID 06657 Establish/Maintain Documentation Preventive
    Establish and maintain an unauthorized software list. CC ID 10601 Establish/Maintain Documentation Preventive
    Establish and maintain a customer service program. CC ID 00846 Establish/Maintain Documentation Preventive
    Establish and maintain an Incident Management program. CC ID 00853 Business Processes Preventive
    Include intrusion detection procedures in the Incident Management program. CC ID 00588 Establish/Maintain Documentation Preventive
    Categorize the incident following an incident response. CC ID 13208 Technical Security Preventive
    Determine the incident severity level when assessing the security incidents. CC ID 01650
    [Information security events shall be assessed and it shall be decided if they are to be classified as information security incidents. A.16.1.4 Control]
    Monitor and Evaluate Occurrences Corrective
    Identify root causes of incidents that force system changes. CC ID 13482
    [When a nonconformity occurs, the organization shall: evaluate the need for action to eliminate the causes of nonconformity, in order that it does not recur or occur elsewhere, by: determining the causes of the nonconformity; and § 10.1 ¶ 1 b) 2)]
    Investigate Detective
    Respond to and triage when a security incident is detected. CC ID 06942
    [When a nonconformity occurs, the organization shall: implement any action needed; § 10.1 ¶ 1 c)]
    Monitor and Evaluate Occurrences Detective
    Document the incident and any relevant evidence in the incident report. CC ID 08659 Establish/Maintain Documentation Detective
    Include support from law enforcement authorities when conducting incident response activities, as necessary. CC ID 13197 Process or Activity Corrective
    Respond to all alerts from security systems in a timely manner. CC ID 06434
    [When a nonconformity occurs, the organization shall: react to the nonconformity, and as applicable: take action to control and correct it; and § 10.1 ¶ 1 a) 1)]
    Behavior Corrective
    Coordinate incident response activities with interested personnel and affected parties. CC ID 13196 Process or Activity Corrective
    Assess all security incidents to determine what information was accessed. CC ID 01226
    [Information security events shall be assessed and it shall be decided if they are to be classified as information security incidents. A.16.1.4 Control]
    Testing Corrective
    Check the precursors and indicators when assessing the security incidents. CC ID 01761 Monitor and Evaluate Occurrences Corrective
    Analyze the incident response process following an incident response. CC ID 13179
    [When a nonconformity occurs, the organization shall: evaluate the need for action to eliminate the causes of nonconformity, in order that it does not recur or occur elsewhere, by: § 10.1 ¶ 1 b)]
    Investigate Detective
    Remediate security violations according to organizational standards. CC ID 12338
    [When a nonconformity occurs, the organization shall: make changes to the information security management system, if necessary § 10.1 ¶ 1 e)]
    Business Processes Preventive
    Analyze security violations in Suspicious Activity Reports. CC ID 00591
    [When a nonconformity occurs, the organization shall: evaluate the need for action to eliminate the causes of nonconformity, in order that it does not recur or occur elsewhere, by: determining if similar nonconformities exist, or could potentially occur; § 10.1 ¶ 1 b) 3)
    When a nonconformity occurs, the organization shall: evaluate the need for action to eliminate the causes of nonconformity, in order that it does not recur or occur elsewhere, by: reviewing the nonconformity; § 10.1 ¶ 1 b) 1)]
    Establish/Maintain Documentation Preventive
    Include lessons learned from analyzing security violations in the Incident Management program. CC ID 01234
    [{information security incidents} Knowledge gained from analysing and resolving information security incidents shall be used to reduce the likelihood or impact of future incidents. A.16.1.6 Control]
    Monitor and Evaluate Occurrences Preventive
    Provide progress reports of the incident investigation to the appropriate roles, as necessary. CC ID 12298 Investigate Preventive
    Update the incident response procedures using the lessons learned. CC ID 01233 Establish/Maintain Documentation Preventive
    Include incident reporting procedures in the Incident Management program. CC ID 11772
    [Information security events shall be reported through appropriate management channels as quickly as possible. A.16.1.2 Control]
    Establish/Maintain Documentation Preventive
    Establish incident reporting time frame standards. CC ID 12142 Communicate Preventive
    Establish and maintain an Incident Response program. CC ID 00579 Establish/Maintain Documentation Preventive
    Include incident response team structures in the Incident Response program. CC ID 01237 Establish/Maintain Documentation Preventive
    Include the incident response team member's roles and responsibilities in the Incident Response program. CC ID 01652
    [{management procedures} Management responsibilities and procedures shall be established to ensure a quick, effective and orderly response to information security incidents. A.16.1.1 Control]
    Establish Roles Preventive
    Include the incident response point of contact's roles and responsibilities in the Incident Response program. CC ID 01877 Establish Roles Preventive
    Open a priority incident request after a security breach is detected. CC ID 04838 Testing Corrective
    Activate the incident response notification procedures after a security breach is detected. CC ID 04839 Testing Corrective
    Notify interested personnel and affected parties that a security breach was detected. CC ID 11788 Communicate Corrective
    Include the head of information security's roles and responsibilities in the Incident Response program. CC ID 01878 Establish Roles Preventive
    Include the customer database owner's roles and responsibilities in the Incident Response program. CC ID 01879 Establish Roles Preventive
    Include the online sales department's roles and responsibilities in the Incident Response program. CC ID 01880 Establish Roles Preventive
    Include the incident response point of contact for credit card payment system's roles and responsibilities in the Incident Response program. CC ID 01881 Establish Roles Preventive
    Include the organizational legal counsel's roles and responsibilities in the Incident Response program. CC ID 01882 Establish Roles Preventive
    Include the Human Resources point of contact's roles and responsibilities in the Incident Response program. CC ID 01883 Establish Roles Preventive
    Include the organizational incident response network architecture point of contact's roles and responsibilities in the Incident Response program. CC ID 01884 Establish Roles Preventive
    Include the organizational incident response public relations point of contact's roles and responsibilities in the Incident Response program. CC ID 01885 Establish Roles Preventive
    Include the organizational incident response location manager's roles and responsibilities in the Incident Response program. CC ID 01886 Establish Roles Preventive
    Assign the distribution of security alerts to the appropriate role in the incident response program. CC ID 11887 Human Resources Management Preventive
    Assign monitoring and analyzing the security alert when a security alert is received to the appropriate role in the incident response program. CC ID 11886 Investigate Detective
    Assign establishing, implementing, and maintaining incident response procedures to the appropriate role in the incident response program. CC ID 12473 Establish/Maintain Documentation Preventive
    Assign the distribution of incident response procedures to the appropriate role in the incident response program. CC ID 12474 Communicate Preventive
    Establish and maintain incident response procedures. CC ID 01206
    [Information security incidents shall be responded to in accordance with the documented procedures. A.16.1.5 Control]
    Establish/Maintain Documentation Detective
    Include references to industry best practices in the incident response procedures. CC ID 11956 Establish/Maintain Documentation Preventive
    Include responding to alerts from security monitoring systems in the incident response procedures. CC ID 11949 Establish/Maintain Documentation Preventive
    Automatically respond when an integrity violation is detected. CC ID 10678 Technical Security Corrective
    Shut down systems when an integrity violation is detected, as necessary. CC ID 10679 Technical Security Corrective
    Restart systems when an integrity violation is detected, as necessary. CC ID 10680 Technical Security Corrective
    Maintain contact with breach notification organizations for notification purposes in the event a privacy breach has occurred. CC ID 01213
    [Appropriate contacts with relevant authorities shall be maintained. A.6.1.3 Control]
    Behavior Preventive
    Establish and maintain a digital forensic evidence framework. CC ID 08652 Establish/Maintain Documentation Preventive
    Define the business scenarios that require digital forensic evidence. CC ID 08653 Establish/Maintain Documentation Preventive
    Define the circumstances for collecting digital forensic evidence. CC ID 08657
    [The organization shall define and apply procedures for the identification, collection, acquisition and preservation of information, which can serve as evidence. A.16.1.7 Control]
    Establish/Maintain Documentation Preventive
    Conduct forensic investigations in the event of a security compromise. CC ID 11951 Investigate Corrective
    Identify potential sources of digital forensic evidence. CC ID 08651
    [The organization shall define and apply procedures for the identification, collection, acquisition and preservation of information, which can serve as evidence. A.16.1.7 Control]
    Investigate Preventive
    Establish, implement, and maintain a digital forensic evidence collection program. CC ID 08655
    [The organization shall define and apply procedures for the identification, collection, acquisition and preservation of information, which can serve as evidence. A.16.1.7 Control]
    Establish/Maintain Documentation Preventive
    Establish, implement, and maintain secure storage and handling of evidence procedures. CC ID 08656
    [The organization shall define and apply procedures for the identification, collection, acquisition and preservation of information, which can serve as evidence. A.16.1.7 Control]
    Records Management Preventive
    Review and update the incident response procedures after a security incident has been closed. CC ID 01208
    [When a nonconformity occurs, the organization shall: review the effectiveness of any corrective action taken; and § 10.1 ¶ 1 d)]
    Establish/Maintain Documentation Preventive
    Establish and maintain a performance management standard. CC ID 01615 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain rate limiting filters. CC ID 06883 Business Processes Preventive
    Establish and maintain system capacity monitoring procedures. CC ID 01619
    [The use of resources shall be monitored, tuned and projections made of future capacity requirements to ensure the required system performance. A.12.1.3 Control]
    Establish/Maintain Documentation Preventive
    Establish and maintain system performance monitoring procedures. CC ID 11752
    [{methods for measurement} {methods for analysis} {methods for evaluation} The organization shall determine: the methods for monitoring, measurement, analysis and evaluation, as applicable, to ensure valid results; § 9.1 ¶ 2 b)
    {methods for measurement} {methods for analysis} {methods for evaluation} The organization shall determine: the methods for monitoring, measurement, analysis and evaluation, as applicable, to ensure valid results; § 9.1 ¶ 2 b)
    {methods for measurement} {methods for analysis} {methods for evaluation} The organization shall determine: the methods for monitoring, measurement, analysis and evaluation, as applicable, to ensure valid results; § 9.1 ¶ 2 b)
    {methods for measurement} {methods for analysis} {methods for evaluation} The organization shall determine: the methods for monitoring, measurement, analysis and evaluation, as applicable, to ensure valid results; § 9.1 ¶ 2 b)]
    Establish/Maintain Documentation Preventive
    Establish and maintain a Service Level Agreement framework. CC ID 00839 Establish/Maintain Documentation Preventive
    Include the security mechanisms of network services in the Service Level Agreement. CC ID 12023
    [Security mechanisms, service levels and management requirements of all network services shall be identified and included in network services agreements, whether these services are provided in-house or outsourced. A.13.1.2 Control]
    Establish/Maintain Documentation Preventive
    Include the management requirements for network services in the Service Level Agreement. CC ID 12025
    [Security mechanisms, service levels and management requirements of all network services shall be identified and included in network services agreements, whether these services are provided in-house or outsourced. A.13.1.2 Control]
    Establish/Maintain Documentation Preventive
    Include the service levels for network services in the Service Level Agreement. CC ID 12024
    [Security mechanisms, service levels and management requirements of all network services shall be identified and included in network services agreements, whether these services are provided in-house or outsourced. A.13.1.2 Control]
    Establish/Maintain Documentation Preventive
    Establish and maintain a change control program. CC ID 00886
    [Changes to the organization, business processes, information processing facilities and systems that affect information security shall be controlled. A.12.1.2 Control
    Changes to systems within the development lifecycle shall be controlled by the use of formal change control procedures. A.14.2.2 Control
    For the control of documented information, the organization shall address the following activities, as applicable: control of changes (e.g. version control); and § 7.5.3 ¶ 2 e)
    The outputs of the management review shall include decisions related to continual improvement opportunities and any needs for changes to the information security management system. § 9.3 ¶ 3]
    Establish/Maintain Documentation Preventive
    Include potential consequences of unintended changes in the change control program. CC ID 12243
    [The organization shall control planned changes and review the ckground-color:#F0BBBC;" class="term_primary-noun">consequences of unintended changes, taking action to mitigate any adverse effects, as necessary. § 8.1 ¶ 3]
    Establish/Maintain Documentation Preventive
    Include version control in the change control program. CC ID 13119 Establish/Maintain Documentation Preventive
    Include service design and transition in the change control program. CC ID 13920 Establish/Maintain Documentation Preventive
    Separate the production environment from development environment or test environment for the change control process. CC ID 11864 Maintenance Preventive
    Integrate configuration management procedures into the change control program. CC ID 13646 Technical Security Preventive
    Establish and maintain a back-out plan. CC ID 13623 Establish/Maintain Documentation Preventive
    Establish back-out procedures for each proposed change in a change request. CC ID 00373 Establish/Maintain Documentation Preventive
    Review and approve back-out plans, as necessary. CC ID 13627 Establish/Maintain Documentation Corrective
    Manage change requests. CC ID 00887
    [Modifications to software packages shall be discouraged, limited to necessary changes and all changes shall be strictly controlled. A.14.2.4 Control]
    Business Processes Preventive
    Include documentation of the impact level of proposed changes in the change request. CC ID 11942 Establish/Maintain Documentation Preventive
    Establish and maintain a change request approver list. CC ID 06795 Establish/Maintain Documentation Preventive
    Document all change requests in change request forms. CC ID 06794 Establish/Maintain Documentation Preventive
    Test proposed changes prior to their approval. CC ID 00548 Testing Detective
    Examine all changes to ensure they correspond with the change request. CC ID 12345
    [Modifications to software packages shall be discouraged, limited to necessary changes and all changes shall be strictly controlled. A.14.2.4 Control]
    Business Processes Detective
    Approve tested change requests. CC ID 11783 Data and Information Management Preventive
    Validate the system before implementing approved changes. CC ID 01510
    [When operating platforms are changed, business critical applications shall be reviewed and tested to ensure there is no adverse impact on organizational operations or security. A.14.2.3 Control]
    Systems Design, Build, and Implementation Preventive
    Disseminate and communicate proposed changes to all interested personnel and affected parties. CC ID 06807 Behavior Preventive
    Establish and maintain emergency change procedures. CC ID 00890 Establish/Maintain Documentation Preventive
    Perform emergency changes, as necessary. CC ID 12707 Process or Activity Preventive
    Back up emergency changes after the change has been performed. CC ID 12734 Process or Activity Preventive
    Log emergency changes after they have been performed. CC ID 12733 Establish/Maintain Documentation Preventive
    Perform risk assessments prior to approving change requests. CC ID 00888 Testing Preventive
    Conduct network certifications prior to approving change requests for networks. CC ID 13121 Process or Activity Detective
    Analyze mitigating controls for vulnerabilities in the network when certifying the network. CC ID 13126 Investigate Detective
    Collect data about the network environment when certifying the network. CC ID 13125 Investigate Detective
    Implement changes according to the change control program. CC ID 11776
    [The organization shall control "term_primary-noun">planned changes and review the consequences of unintended changes, taking action to mitigate any adverse effects, as necessary. § 8.1 ¶ 3]
    Business Processes Preventive
    Provide audit trails for all approved changes. CC ID 13120 Establish/Maintain Documentation Preventive
    Establish and maintain a patch management program. CC ID 00896 Process or Activity Preventive
    Document the sources of all software updates. CC ID 13316 Establish/Maintain Documentation Preventive
    Implement patch management software, as necessary. CC ID 12094 Technical Security Preventive
    Include updates and exceptions to hardened images as a part of the patch management program. CC ID 12087 Technical Security Preventive
    Establish and maintain a patch log. CC ID 01642 Establish/Maintain Documentation Preventive
    Review the patch log for missing patches. CC ID 13186 Technical Security Detective
    Perform a patch test prior to deploying a patch. CC ID 00898 Testing Detective
    Prioritize deploying patches according to vulnerability risk metrics. CC ID 06796 Business Processes Preventive
    Deploy software patches. CC ID 07032 Configuration Corrective
    Test software patches for any potential compromise of the system's security. CC ID 13175 Testing Detective
    Patch software. CC ID 11825 Technical Security Corrective
    Patch the operating system, as necessary. CC ID 11824 Technical Security Corrective
    Deploy software patches in the disaster recovery environment to mirror those in the production environment. CC ID 13174 Configuration Corrective
    Remove outdated software after software has been updated. CC ID 11792 Configuration Corrective
    Update computer firmware, as necessary. CC ID 11755 Configuration Corrective
    Review changes to computer firmware. CC ID 12226 Testing Detective
    Certify changes to computer firmware are free of malicious logic. CC ID 12227 Testing Detective
    Remove outdated computer firmware after the computer firmware has been updated. CC ID 10671 Configuration Corrective
    Implement cryptographic mechanisms to authenticate software and computer firmware before installation. CC ID 10682 Technical Security Detective
    Establish and maintain a software release policy. CC ID 00893 Establish/Maintain Documentation Preventive
    Disseminate and communicate software update information to users and regulators. CC ID 06602 Behavior Preventive
    Allow interested personnel and affected parties to opt out of specific version releases and software updates. CC ID 06809 Data and Information Management Preventive
    Mitigate the adverse effects of unauthorized changes. CC ID 12244
    [The organization shall control planned changes and review the consequences of unintended changes, taking action to mitigate any -color:#F0BBBC;" class="term_primary-noun">adverse effects, as necessary. § 8.1 ¶ 3]
    Business Processes Corrective
    Establish and maintain approved change acceptance testing procedures. CC ID 06391 Establish/Maintain Documentation Detective
    Test the system's operational functionality after implementing approved changes. CC ID 06294 Testing Detective
    Perform and pass acceptance testing before moving a system back into operation after an approved change has occurred. CC ID 04541
    [Acceptance testing programs and related criteria shall be established for new information systems, upgrades and new versions. A.14.2.9 Control]
    Testing Detective
    Establish and maintain a change acceptance testing log. CC ID 06392 Establish/Maintain Documentation Corrective
    Update associated documentation after the system configuration has been changed. CC ID 00891 Establish/Maintain Documentation Preventive
    Establish and maintain a configuration change log. CC ID 08710 Configuration Detective
    Review the configuration change log. CC ID 11754 Configuration Detective
    Document approved configuration deviations. CC ID 08711 Establish/Maintain Documentation Corrective
  • Physical and environmental protection
    218
    KEY:    Primary Verb     Primary Noun     Secondary Verb     Secondary Noun     Limiting Term
    Mandated - bold    Implied - italic    Implementation - regular TYPE CLASS
    Physical and environmental protection CC ID 00709 IT Impact Zone IT Impact Zone
    Establish and maintain a physical security program. CC ID 11757 Establish/Maintain Documentation Preventive
    Establish and maintain an anti-tamper protection program. CC ID 10638 Monitor and Evaluate Occurrences Detective
    Protect assets from tampering or unapproved substitution. CC ID 11902
    [Logging facilities and log information shall be protected against tampering and unauthorized access. A.12.4.2 Control]
    Physical and Environmental Protection Preventive
    Establish and maintain a facility physical security program. CC ID 00711
    [Physical security for offices, rooms and facilities shall be designed and applied. A.11.1.3 Control]
    Establish/Maintain Documentation Preventive
    Establish and maintain a contract for accessing facilities that transmit, process, or store restricted data. CC ID 12050 Establish/Maintain Documentation Preventive
    Refrain from providing access to facilities that transmit, process, or store restricted data until the contract for accessing the facility is signed. CC ID 12311 Behavior Preventive
    Protect the facility from crime. CC ID 06347 Physical and Environmental Protection Preventive
    Define communication methods for reporting crimes. CC ID 06349 Establish/Maintain Documentation Preventive
    Protect facilities from eavesdropping. CC ID 02222 Physical and Environmental Protection Preventive
    Inspect telephones for eavesdropping devices. CC ID 02223 Physical and Environmental Protection Detective
    Hold conferences requiring sensitive information discussions in spaces that have commensurate security. CC ID 11440 Physical and Environmental Protection Preventive
    Provide one-time meeting support for discussions involving Top Secret information. CC ID 11441 Physical and Environmental Protection Preventive
    Establish clear zones around any sensitive facilities. CC ID 02214 Physical and Environmental Protection Preventive
    Post and maintain security signage for all facilities. CC ID 02201 Establish/Maintain Documentation Preventive
    Inspect items brought into the facility. CC ID 06341 Physical and Environmental Protection Preventive
    Maintain all physical security systems. CC ID 02206 Physical and Environmental Protection Preventive
    Detect anomalies in physical barriers. CC ID 13533 Investigate Detective
    Maintain all security alarm systems. CC ID 11669 Physical and Environmental Protection Preventive
    Identify and document physical access controls for all physical entry points. CC ID 01637
    [Secure areas shall be protected by appropriate entry controls to ensure that only authorized personnel are allowed access. A.11.1.2 Control]
    Establish/Maintain Documentation Preventive
    Control physical access to (and within) the facility. CC ID 01329 Physical and Environmental Protection Preventive
    Define and implement access procedures for all organizational facilities and controlled access areas. CC ID 13629 Establish/Maintain Documentation Preventive
    Meet the physical access requirements of disabled individuals, if reasonably possible. CC ID 00419 Physical and Environmental Protection Preventive
    Secure physical entry points with physical access controls or security guards. CC ID 01640 Physical and Environmental Protection Detective
    Configure the access control system to grant access only during authorized working hours. CC ID 12325 Physical and Environmental Protection Preventive
    Establish and maintain a visitor access permissions policy. CC ID 06699 Establish/Maintain Documentation Preventive
    Escort visitors within the facility, as necessary. CC ID 06417 Establish/Maintain Documentation Preventive
    Check the visitor's stated identity against a provided government issued identification. CC ID 06701 Physical and Environmental Protection Preventive
    Authorize visitors before granting entry to physical areas containing restricted data or restricted information. CC ID 01330 Testing Preventive
    Disseminate and communicate the right of the organization to search visitors while at the facility. CC ID 06702 Behavior Preventive
    Establish, implement, and maintain procedures for changing a visitor's access requirements. CC ID 12048 Establish/Maintain Documentation Preventive
    Maintain and review facility access lists of personnel who have been granted authorized entry to (and within) facilities that contain restricted data or restricted information. CC ID 01436 Establish/Maintain Documentation Preventive
    Authorize physical access to sensitive areas based on job functions. CC ID 12462 Establish/Maintain Documentation Preventive
    Review facility access lists. CC ID 01251 Establish/Maintain Documentation Detective
    Change access requirements to organizational assets for personnel and visitors, as necessary. CC ID 12463 Physical and Environmental Protection Corrective
    Escort uncleared personnel who need to work in or access controlled access areas. CC ID 00747 Monitor and Evaluate Occurrences Preventive
    Establish and maintain physical identification procedures. CC ID 00713 Establish/Maintain Documentation Preventive
    Disallow opting out of wearing or displaying identification cards or badges. CC ID 13030 Human Resources Management Preventive
    Implement physical identification processes. CC ID 13715 Process or Activity Preventive
    Refrain from using knowledge-based authentication for in-person identity verification. CC ID 13717 Process or Activity Preventive
    Issue photo identification badges to all employees. CC ID 12326 Physical and Environmental Protection Preventive
    Implement operational requirements for card readers. CC ID 02225 Testing Preventive
    Report lost badges, stolen badges, and broken badges to the Security Manager. CC ID 12334 Physical and Environmental Protection Preventive
    Document all lost badges in a lost badge list. CC ID 12448 Establish/Maintain Documentation Corrective
    Manage constituent identification inside the facility. CC ID 02215 Behavior Preventive
    Direct each employee to be responsible for their identification card or badge. CC ID 12332 Human Resources Management Preventive
    Manage visitor identification inside the facility. CC ID 11670 Physical and Environmental Protection Preventive
    Issue visitor identification badges to all non-employees. CC ID 00543 Behavior Preventive
    Secure unissued visitor identification badges. CC ID 06712 Physical and Environmental Protection Preventive
    Retrieve visitor identification badges prior to the exit of a visitor from the facility. CC ID 01331 Behavior Preventive
    Include name, date of entry, and validity period on disposable identification cards or badges. CC ID 12331 Physical and Environmental Protection Preventive
    Establish and maintain identification issuance procedures for identification cards or badges. CC ID 06598 Establish/Maintain Documentation Preventive
    Record the assigned identification card or badge serial number when issuing an identification card or badge. CC ID 06714 Process or Activity Preventive
    Include error handling controls in identification issuance procedures. CC ID 13709 Establish/Maintain Documentation Preventive
    Include identity proofing processes in the identification issuance procedures. CC ID 06597 Process or Activity Preventive
    Include an identity registration process in the identification issuance procedures. CC ID 11671 Establish/Maintain Documentation Preventive
    Restrict access to the badge system to authorized personnel. CC ID 12043 Physical and Environmental Protection Preventive
    Enforce dual control for badge assignments. CC ID 12328 Physical and Environmental Protection Preventive
    Enforce dual control for accessing unassigned identification cards or badges. CC ID 12327 Physical and Environmental Protection Preventive
    Refrain from imprinting the company name or company logo on identification cards or badges. CC ID 12282 Physical and Environmental Protection Preventive
    Establish and maintain identification renewal procedures for identification cards or badges. CC ID 06599 Establish/Maintain Documentation Preventive
    Assign employees the responsibility for controlling their identification badges. CC ID 12333 Human Resources Management Preventive
    Establish and maintain identification re-issuing procedures for identification cards or badges. CC ID 06596 Establish/Maintain Documentation Preventive
    Establish and maintain identification mechanism termination procedures. CC ID 06306 Establish/Maintain Documentation Preventive
    Prevent tailgating through physical entry points. CC ID 06685 Physical and Environmental Protection Preventive
    Monitor for unauthorized physical access at physical entry points. CC ID 06797 Monitor and Evaluate Occurrences Detective
    Establish, implement, and maintain a door security standard. CC ID 06686 Establish/Maintain Documentation Preventive
    Install doors so that exposed hinges are on the secured side. CC ID 06687 Configuration Preventive
    Install emergency doors to permit egress only. CC ID 06688 Configuration Preventive
    Install contact alarms on doors, as necessary. CC ID 06710 Configuration Preventive
    Use locks to protect against unauthorized physical access. CC ID 06342 Physical and Environmental Protection Preventive
    Use locks with electronic authentication systems or cipher locks, as necessary. CC ID 06650 Configuration Preventive
    Test locks for physical security vulnerabilities. CC ID 04880 Testing Detective
    Secure non issued access mechanisms. CC ID 06713 Technical Security Preventive
    Establish and maintain a lock and access mechanism inventory (keys, lock combinations, or key cards) for all physical access control systems. CC ID 00748 Establish/Maintain Documentation Preventive
    Change cipher lock codes, as necessary. CC ID 06651 Technical Security Preventive
    Record the assigned access mechanism serial number or cipher lock code when issuing controlled items. CC ID 06715 Establish/Maintain Documentation Preventive
    Establish and maintain a window security standard. CC ID 06689 Establish/Maintain Documentation Preventive
    Install contact alarms on openable windows, as necessary. CC ID 06690 Configuration Preventive
    Install glass break alarms on windows, as necessary. CC ID 06691 Configuration Preventive
    Post signs at all physical entry points stating the organization's right to inspect upon entry. CC ID 02204 Establish/Maintain Documentation Preventive
    Install and maintain security lighting at all physical entry points. CC ID 02205 Physical and Environmental Protection Preventive
    Manage access to loading docks, unloading docks, and mail rooms. CC ID 02210
    [{delivery area} Access points such as delivery and loading areas and other points where unauthorized persons could enter the premises shall be controlled and, if possible, isolated from information processing facilities to avoid unauthorized access. A.11.1.6 Control]
    Physical and Environmental Protection Preventive
    Secure the loading dock with physical access controls or security guards. CC ID 06703 Physical and Environmental Protection Preventive
    Isolate loading areas from information processing facilities, if possible. CC ID 12028
    [{delivery area} Access points such as delivery and loading areas and other points where unauthorized persons could enter the premises shall be controlled and, if possible, isolated from information processing facilities to avoid unauthorized access. A.11.1.6 Control]
    Physical and Environmental Protection Preventive
    Screen incoming mail and deliveries. CC ID 06719 Physical and Environmental Protection Preventive
    Protect access to the facility's mechanical systems area. CC ID 02212 Physical and Environmental Protection Preventive
    Establish and maintain elevator security guidelines. CC ID 02232 Physical and Environmental Protection Preventive
    Establish and maintain stairwell security guidelines. CC ID 02233 Physical and Environmental Protection Preventive
    Establish and maintain glass opening security guidelines. CC ID 02234 Physical and Environmental Protection Preventive
    Establish, implement, and maintain after hours facility access procedures. CC ID 06340 Establish/Maintain Documentation Preventive
    Establish a security room, if necessary. CC ID 00738 Physical and Environmental Protection Preventive
    Implement physical security standards for mainframe rooms or data centers. CC ID 00749 Physical and Environmental Protection Preventive
    Establish and maintain equipment security cages in a shared space environment. CC ID 06711 Physical and Environmental Protection Preventive
    Secure systems in lockable equipment cabinets, as necessary. CC ID 06716 Physical and Environmental Protection Preventive
    Lock all lockable equipment cabinets. CC ID 11673 Physical and Environmental Protection Detective
    Establish and maintain vault physical security standards. CC ID 02203 Physical and Environmental Protection Preventive
    Establish and maintain a guideline for working in a secure area. CC ID 04538
    [Procedures for working in secure areas shall be designed and applied. A.11.1.5 Control]
    Establish/Maintain Documentation Preventive
    Establish and maintain emergency re-entry procedures. CC ID 11672 Establish/Maintain Documentation Preventive
    Establish and maintain emergency exit procedures. CC ID 01252 Establish/Maintain Documentation Preventive
    Monitor entry through all physical entry points. CC ID 01638 Monitor and Evaluate Occurrences Detective
    Establish and maintain a visitor log. CC ID 00715 Log Management Preventive
    Require all visitors to sign in to the visitor log before the entrance of a visitor to the facility. CC ID 06700 Establish/Maintain Documentation Preventive
    Require all visitors to sign out of the visitor log before the exit of a visitor from the facility. CC ID 06649 Behavior Preventive
    Record the visitor's name in the visitor log. CC ID 00557 Log Management Preventive
    Record the visitor's organization in the visitor log. CC ID 12121 Log Management Preventive
    Record the visitor's acceptable access areas in the visitor log. CC ID 12237 Log Management Preventive
    Record the date and time of entry in the visitor log. CC ID 13255 Establish/Maintain Documentation Preventive
    Record the onsite personnel authorizing physical access for the visitor in the visitor log. CC ID 12466 Establish/Maintain Documentation Preventive
    Retain all records in the visitor log as prescribed by law. CC ID 00572 Log Management Preventive
    Review visitor logs, as necessary. CC ID 10625 Establish/Maintain Documentation Detective
    Establish and maintain a physical access log. CC ID 12080 Establish/Maintain Documentation Preventive
    Log the entrance of a staff member to a facility or designated rooms within the facility. CC ID 01641 Log Management Preventive
    Log when the vault is accessed. CC ID 06725 Log Management Detective
    Log when the cabinet is accessed. CC ID 11674 Log Management Detective
    Store facility access logs in off-site storage. CC ID 06958 Log Management Preventive
    Review physical access logs, as necessary. CC ID 10624 Establish/Maintain Documentation Detective
    Log the exit of a staff member to a facility or designated rooms within the facility. CC ID 11675 Monitor and Evaluate Occurrences Preventive
    Observe restricted areas with motion detectors or closed-circuit television systems. CC ID 01328 Monitor and Evaluate Occurrences Detective
    Review and correlate all data collected from video cameras and/or access control mechanisms with other entries. CC ID 11609 Monitor and Evaluate Occurrences Detective
    Configure video cameras to cover all physical entry points. CC ID 06302 Configuration Preventive
    Configure video cameras to prevent physical tampering or disablement. CC ID 06303 Configuration Preventive
    Retain video events according to Records Management procedures. CC ID 06304 Records Management Preventive
    Monitor physical entry point alarms. CC ID 01639 Physical and Environmental Protection Detective
    Evaluate and react to when unauthorized access is detected by physical entry point alarms. CC ID 11677 Monitor and Evaluate Occurrences Detective
    Monitor for alarmed security doors being propped open. CC ID 06684 Monitor and Evaluate Occurrences Detective
    Establish and maintain physical security threat reports. CC ID 02207 Establish/Maintain Documentation Preventive
    Build and maintain fencing, as necessary. CC ID 02235
    [{sensitive information} Security perimeters shall be defined and used to protect areas that contain either sensitive or critical information and information processing facilities. A.11.1.1 Control]
    Physical and Environmental Protection Preventive
    Implement security measures for all interior spaces that allow for any payment transactions. CC ID 06352 Physical and Environmental Protection Preventive
    Employ security guards to provide physical security, as necessary. CC ID 06653 Establish Roles Preventive
    Establish and maintain a facility wall standard. CC ID 06692 Establish/Maintain Documentation Preventive
    Design interior walls with sound absorbing materials as well as thermal resistant materials. CC ID 06372 Physical and Environmental Protection Preventive
    Design interior walls that provide security to extend from true floor to true ceiling. CC ID 06693 Configuration Preventive
    Refrain from search and seizure inside organizational facilities absent a warrant. CC ID 09980 Behavior Preventive
    Disallow either search or seizure of any person inside organizational facilities absent a warrant. CC ID 09981 Behavior Preventive
    Disallow copying or excerpting from documents, books, or records that are on or in the premises of an organizational facility absent a warrant. CC ID 09982 Business Processes Preventive
    Disallow inspecting computers or searching computer records inside organizational facilities absent a warrant. CC ID 09983 Behavior Preventive
    Do nothing to help during a search and seizure inside organizational facilities absent a warrant and being legally compelled to assist. CC ID 09984 Behavior Preventive
    Establish and maintain physical security controls for distributed Information Technology assets. CC ID 00718 Physical and Environmental Protection Preventive
    Restrict physical access to distributed Information Technology assets. CC ID 11865
    [{environmental hazards} Equipment shall be sited and protected to reduce the risks from environmental threats and hazards, and opportunities for unauthorized access. A.11.2.1 Control]
    Physical and Environmental Protection Preventive
    House network hardware in lockable rooms or lockable equipment cabinets. CC ID 01873 Physical and Environmental Protection Preventive
    Protect electronic storage media with physical access controls. CC ID 00720 Physical and Environmental Protection Preventive
    Establish and maintain removable storage media controls. CC ID 06680 Data and Information Management Preventive
    Control the transiting and internal distribution or external distribution of restricted storage media. CC ID 00963
    [Media containing information shall be protected against unauthorized access, misuse or corruption during transportation. A.8.3.3 Control]
    Records Management Preventive
    Log the transferring of custody of removable storage media. CC ID 12321 Log Management Preventive
    Encrypt digital media containing sensitive information during transport outside controlled areas. CC ID 14258 Technical Security Preventive
    Obtain management authorization for restricted storage media transit or distribution from a controlled access area. CC ID 00964 Records Management Preventive
    Use locked containers to transport non-digital media outside of controlled areas. CC ID 14286 Physical and Environmental Protection Preventive
    Transport restricted media using a delivery method that can be tracked. CC ID 11777 Business Processes Preventive
    Track restricted storage media while it is in transit. CC ID 00967 Data and Information Management Detective
    Protect distributed Information Technology assets against theft. CC ID 06799 Physical and Environmental Protection Preventive
    Establish and maintain Information Technology asset removal procedures. CC ID 04540 Establish/Maintain Documentation Preventive
    Prohibit assets from being taken off-site absent prior authorization. CC ID 12027
    [Equipment, information or software shall not be taken off-site without prior authorization. A.11.2.5 Control]
    Process or Activity Preventive
    Establish, implement, and maintain off-site physical controls for all distributed Information Technology assets. CC ID 04539
    [Security shall be applied to off-site assets taking into account the different risks of working outside the organization’s premises. A.11.2.6 Control]
    Physical and Environmental Protection Preventive
    Establish, implement, and maintain end user computing device security guidelines. CC ID 00719
    [Users shall ensure that unattended equipment has appropriate protection. A.11.2.8 Control]
    Establish/Maintain Documentation Preventive
    Establish and maintain a locking screen saver policy. CC ID 06717 Establish/Maintain Documentation Preventive
    Secure workstations to desks with security cables. CC ID 04724 Physical and Environmental Protection Preventive
    Establish and maintain mobile device security guidelines. CC ID 04723
    [A policy and supporting security measures shall be adopted to manage the risks introduced by using mobile devices. A.6.2.1 Control]
    Establish/Maintain Documentation Preventive
    Include the expectation of data loss in the event of sanitizing the mobile device in the mobile device security guidelines. CC ID 12292 Establish/Maintain Documentation Preventive
    Include legal requirements in the mobile device security guidelines. CC ID 12291 Establish/Maintain Documentation Preventive
    Include prohibiting the usage of unapproved application stores in the mobile device security guidelines. CC ID 12290 Establish/Maintain Documentation Preventive
    Include requiring users to create data backups in the mobile device security guidelines. CC ID 12289 Establish/Maintain Documentation Preventive
    Include the definition of mobile devices in the mobile device security guidelines. CC ID 12288 Establish/Maintain Documentation Preventive
    Refrain from responding to unsolicited Personal Identification Number requests. CC ID 12430 Physical and Environmental Protection Preventive
    Implement mobile device security guidelines. CC ID 06353
    [A policy and supporting security measures shall be adopted to manage the risks introduced by using mobile devices. A.6.2.1 Control]
    Physical and Environmental Protection Preventive
    Wipe information from mobile devices after a predetermined number of unsuccessful logon attempts. CC ID 14242 Data and Information Management Preventive
    Refrain from pairing bluetooth devices in unsecured areas. CC ID 12429 Physical and Environmental Protection Preventive
    Encrypt information stored on mobile devices. CC ID 01422 Data and Information Management Preventive
    Separate systems that transmit, process, or store restricted data from those that do not by deploying physical access controls. CC ID 00722
    [{sensitive information} Security perimeters shall be defined and used to protect areas that contain either sensitive or critical information and information processing facilities. A.11.1.1 Control]
    Physical and Environmental Protection Preventive
    Establish and maintain asset return procedures. CC ID 04537 Establish/Maintain Documentation Preventive
    Require the return of all assets upon notification an individual is terminated. CC ID 06679
    [{require} All employees and external party users shall return all of the organizational assets in their possession upon termination of their employment, contract or agreement. A.8.1.4 Control]
    Behavior Preventive
    Establish and maintain a physical clean desk policy. CC ID 06534
    [A clear desk policy for papers and removable storage media and a clear screen policy for information processing facilities shall be adopted. A.11.2.9 Control]
    Establish/Maintain Documentation Preventive
    Establish and maintain a clear screen policy. CC ID 12436
    [A clear desk policy for papers and removable storage media and a clear screen policy for information processing facilities shall be adopted. A.11.2.9 Control]
    Technical Security Preventive
    Establish and maintain an environmental control program. CC ID 00724
    [Physical protection against natural disasters, malicious attack or accidents shall be designed and applied. A.11.1.4 Control]
    Physical and Environmental Protection Preventive
    Establish and maintain environmental control procedures. CC ID 12246 Establish/Maintain Documentation Preventive
    Establish and maintain a telecommunications equipment room, as necessary. CC ID 06708 Configuration Preventive
    Protect power equipment and power cabling from damage or destruction. CC ID 01438
    [{power cabling} Power and telecommunications cabling carrying data or supporting information services shall be protected from interception, interference or damage. A.11.2.3 Control
    Equipment shall be protected from power failures and other disruptions caused by failures in supporting utilities. A.11.2.2 Control]
    Physical and Environmental Protection Preventive
    Establish, implement, and maintain a battery room, as necessary. CC ID 06706 Configuration Preventive
    Establish and maintain a generator room, as necessary. CC ID 06704 Configuration Preventive
    Place the Uninterruptible Power Supply in the generator room, as necessary. CC ID 11676 Physical and Environmental Protection Preventive
    Establish and maintain facility maintenance procedures. CC ID 00710 Establish/Maintain Documentation Preventive
    Design the Information Technology facility with a low profile and consideration given to natural disasters and man-made disasters. CC ID 00712 Physical and Environmental Protection Preventive
    Prohibit signage indicating computer room location and uses. CC ID 06343 Physical and Environmental Protection Preventive
    Require the Information Technology facility to have adequate room for facility maintenance. CC ID 06361 Physical and Environmental Protection Preventive
    Require the Information Technology facility to have adequate room for evacuation. CC ID 11686 Physical and Environmental Protection Preventive
    Build the Information Technology facility according to applicable building codes. CC ID 06366 Physical and Environmental Protection Preventive
    Build the Information Technology facility with fire resistant materials. CC ID 06365 Physical and Environmental Protection Preventive
    Build the Information Technology facility with water-resistant materials. CC ID 11679 Physical and Environmental Protection Preventive
    Monitor operational conditions at unmanned facilities. CC ID 06327 Physical and Environmental Protection Preventive
    Remotely control operational conditions at unmanned facilities. CC ID 11680 Technical Security Preventive
    Inspect and maintain the facility and supporting assets. CC ID 06345 Physical and Environmental Protection Preventive
    Test and inspect assets under full load working conditions. CC ID 06356 Testing Detective
    Define selection criteria for facility locations. CC ID 06351 Establish/Maintain Documentation Preventive
    Establish and maintain work environment requirements. CC ID 06613 Establish/Maintain Documentation Preventive
    Establish and maintain system cleanliness requirements. CC ID 06614 Establish/Maintain Documentation Preventive
    House system components in areas where the physical damage potential is minimized. CC ID 01623
    [{environmental hazards} Equipment shall be sited and protected to reduce the risks from environmental threats and hazards, and opportunities for unauthorized access. A.11.2.1 Control]
    Physical and Environmental Protection Preventive
    Establish, implement, and maintain a fire prevention and fire suppression standard. CC ID 06695 Establish/Maintain Documentation Preventive
    Install and maintain fire protection equipment. CC ID 00728 Configuration Preventive
    Install and maintain fire suppression systems. CC ID 00729 Configuration Preventive
    Conduct periodic fire marshal inspections for all organizational facilities. CC ID 04888 Physical and Environmental Protection Preventive
    Install and maintain fire-retarding divisions such as fire doors in accordance with applicable building codes. CC ID 06362 Physical and Environmental Protection Preventive
    Conduct fire drills, as necessary. CC ID 13985 Process or Activity Preventive
    Employ environmental protections. CC ID 12570 Process or Activity Preventive
    Monitor and review environmental protections. CC ID 12571 Monitor and Evaluate Occurrences Detective
    Install and maintain seismic detectors in the Information Technology facility. CC ID 06364 Physical and Environmental Protection Detective
    Protect physical assets against static electricity, as necessary. CC ID 06363 Physical and Environmental Protection Preventive
    Install and maintain emergency lighting for use in a power failure. CC ID 01440 Physical and Environmental Protection Preventive
    Install and maintain lightning protection mechanisms in the Information Technology facility. CC ID 06367 Physical and Environmental Protection Preventive
    Establish, implement, and maintain a Heating Ventilation and Air Conditioning system. CC ID 00727 Configuration Preventive
    Install and maintain an environment control monitoring system. CC ID 06370 Monitor and Evaluate Occurrences Detective
    Protect air intakes into the organizational facility. CC ID 02211 Physical and Environmental Protection Preventive
    Install and maintain dust collection and filtering as a part of the Heating Ventilation and Air Conditioning system. CC ID 06368 Configuration Preventive
    Install and maintain backup Heating Ventilation and Air Conditioning equipment. CC ID 06369 Configuration Preventive
    Install and maintain a moisture control system as a part of the climate control system. CC ID 06694 Configuration Preventive
    Install and maintain hydrogen sensors, as necessary. CC ID 06705 Configuration Preventive
    Protect physical assets from water damage. CC ID 00730 Configuration Preventive
    Notify interested personnel and affected parties when water is detected in the vicinity of information systems. CC ID 14252 Communicate Preventive
    Install and maintain water detection devices. CC ID 11678 Physical and Environmental Protection Preventive
  • Privacy protection for information and data
    890
    KEY:    Primary Verb     Primary Noun     Secondary Verb     Secondary Noun     Limiting Term
    Mandated - bold    Implied - italic    Implementation - regular TYPE CLASS
    Privacy protection for information and data CC ID 00008 IT Impact Zone IT Impact Zone
    Establish and maintain a privacy framework that protects restricted data. CC ID 11850
    [Privacy and protection of personally identifiable information shall be ensured as required in relevant legislation and regulation where applicable. A.18.1.4 Control
    Privacy and protection of personally identifiable information shall be ensured as required in relevant legislation and regulation where applicable. A.18.1.4 Control]
    Establish/Maintain Documentation Preventive
    Establish, implement, and maintain a personal data transparency program. CC ID 00375 Data and Information Management Preventive
    Establish and maintain privacy notices, as necessary. CC ID 13443 Establish/Maintain Documentation Preventive
    Include the purpose of the privacy notice in the privacy notice. CC ID 13526 Establish/Maintain Documentation Preventive
    Include contact information in the privacy notice. CC ID 14432 Establish/Maintain Documentation Preventive
    Include the data subject's choices for data collection, data processing, data disclosure, and data retention in the privacy notice. CC ID 13503 Establish/Maintain Documentation Preventive
    Include the right to opt out of personal data disclosure in the privacy notice. CC ID 13460 Establish/Maintain Documentation Preventive
    Include instructions on how to opt out of personal data disclosure in the privacy notice. CC ID 13461 Establish/Maintain Documentation Preventive
    Include the types of third parties to which personal data is disclosed in the privacy notice. CC ID 13459 Establish/Maintain Documentation Preventive
    Include the organization's policies, standards, and procedures in the privacy notice. CC ID 13455 Establish/Maintain Documentation Preventive
    Include the organization's privacy framework in the privacy notice, as necessary. CC ID 13456 Establish/Maintain Documentation Preventive
    Include the personal data collection categories in the privacy notice. CC ID 13457 Establish/Maintain Documentation Preventive
    Include disclosure exceptions in the privacy notice. CC ID 13447 Establish/Maintain Documentation Preventive
    Include the types of personal data disclosed in the privacy notice. CC ID 13446 Establish/Maintain Documentation Preventive
    Include descriptions of each type of personal data disclosed in the privacy notice. CC ID 13458 Establish/Maintain Documentation Preventive
    Specify the time frame that notice will be given. CC ID 00385 Establish/Maintain Documentation Preventive
    Combine privacy notices into a joint notification with suppliers, as necessary. CC ID 13468 Establish/Maintain Documentation Preventive
    Refrain from delivering privacy notices to data subjects, as necessary. CC ID 13445 Communicate Preventive
    Deliver privacy notices to data subjects, as necessary. CC ID 13444 Communicate Preventive
    Deliver a short-form initial notification along with an opt-out notice as an alternate to delivering a privacy notice, as necessary. CC ID 13464 Establish/Maintain Documentation Preventive
    Update and redeliver privacy notices, as necessary. CC ID 13474 Communicate Preventive
    Deliver privacy notices to third parties, as necessary. CC ID 13473 Communicate Preventive
    Obtain acknowledgment of receipt of the privacy notice. CC ID 14435 Communicate Preventive
    Document any reasons acknowledgment of the privacy notice was not received. CC ID 14434 Establish/Maintain Documentation Corrective
    Establish and maintain short-form initial notifications of privacy notices that are clear and conspicuous. CC ID 13466 Establish/Maintain Documentation Preventive
    Include the organization's privacy framework in the short-form initial notification, as necessary. CC ID 13472 Establish/Maintain Documentation Preventive
    Include the methodology for accessing the privacy notice in the short-form initial notification. CC ID 13471 Establish/Maintain Documentation Preventive
    Include that the privacy notice is available upon request in the short-form initial notification. CC ID 13470 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain opt-out notices. CC ID 13448 Establish/Maintain Documentation Preventive
    Include how opt out directions for joint consumers are treated in the opt-out notice. CC ID 13465 Establish/Maintain Documentation Preventive
    Include the opt out method for data subjects in the opt-out notice. CC ID 13467 Establish/Maintain Documentation Preventive
    Include the data subject's right to opt out of personal data disclosure in the opt-out notice. CC ID 13463 Establish/Maintain Documentation Preventive
    Explain the right to opt out in the opt-out notice. CC ID 13462 Establish/Maintain Documentation Preventive
    Include the organization's right to share personal data in the opt-out notice. CC ID 13450 Establish/Maintain Documentation Preventive
    Deliver opt-out notices, as necessary. CC ID 13449 Communicate Preventive
    Include an initial privacy notification when delivering the opt-out notice. CC ID 13453 Communicate Preventive
    Provide a copy of the organization's privacy program to statutory authorities, as necessary. CC ID 12376 Communicate Preventive
    Affirm adequate protection of personal data to applicable statutory authorities if the organization is not a member of a privacy program. CC ID 12372 Communicate Preventive
    Notify statutory authorities concerned with the privacy program of the cessation of the organization after being merged or acquired. CC ID 12391 Communicate Preventive
    Notify statutory authorities concerned with the privacy program if the surviving organization will continue in the privacy program. CC ID 12393 Communicate Preventive
    Notify data subjects about the organization's external requirements relevant to the privacy program. CC ID 12354 Communicate Preventive
    Provide the data subject with a notice of participation procedures. CC ID 06241 Establish/Maintain Documentation Preventive
    Deliver notices to the intended parties. CC ID 06240 Data and Information Management Preventive
    Notify data subjects about their privacy rights. CC ID 12989 Communicate Preventive
    Disseminate and communicate the critical third party list with relevance to the privacy program to all interested personnel and affected parties. CC ID 12352 Communicate Preventive
    Require a data protection impact assessment when profiling the data subject. CC ID 12680 Process or Activity Detective
    Establish, implement, and maintain adequate openness procedures. CC ID 00377 Data and Information Management Preventive
    Provide public proof the organization participates in a privacy program. CC ID 12349 Communicate Preventive
    Publish a description of activities about processing personal data in an official register. CC ID 00379 Establish/Maintain Documentation Preventive
    Establish and maintain a records request manual. CC ID 00381 Establish/Maintain Documentation Preventive
    Establish and maintain a description of voluntary disclosure and automatic availability of certain records. CC ID 00382 Establish/Maintain Documentation Preventive
    Register with public bodies and notify the Data Commissioner before processing personal data. CC ID 00383 Behavior Preventive
    Define what is included in registration notices. CC ID 00386 Establish/Maintain Documentation Preventive
    Include the address where the file or hardware supporting the data processing is located in the registration notice. CC ID 00387 Establish/Maintain Documentation Preventive
    Include a purpose specification description in the registration notice. CC ID 00388 Establish/Maintain Documentation Preventive
    Include the data subject category being processed in the registration notice. CC ID 00389 Establish/Maintain Documentation Preventive
    Include the time period for data processing in the registration notice. CC ID 00390 Establish/Maintain Documentation Preventive
    Include procedures for when the registration notice for processing personal data is insufficient in the registration notice. CC ID 00392 Establish/Maintain Documentation Preventive
    Provide legal authorities access to personal data, upon request. CC ID 06818 Data and Information Management Preventive
    Provide the data subject with information about automated decision-making during personal data processing. CC ID 12609 Process or Activity Preventive
    Provide the data subject with information about obtaining automated decision-making used during personal data processing. CC ID 12618 Establish/Maintain Documentation Preventive
    Provide the data subject with the name, title, and address of the individual accountable for the organizational policies. CC ID 00394 Establish/Maintain Documentation Preventive
    Provide the data subject with a copy of any brochures or other information that explain policies, standards, or codes. CC ID 00398 Establish/Maintain Documentation Preventive
    Provide the data subject with contractual requirements requiring the provision of personal data. CC ID 12588 Process or Activity Preventive
    Document the countries where personal data may be stored. CC ID 12750 Data and Information Management Preventive
    Protect the rights of students and their parents. CC ID 00222 Data and Information Management Preventive
    Refrain from allowing access rights to education records maintained by another educational institution. CC ID 13014 Technical Security Preventive
    Refrain from allowing students the right to inspect parent's financial records. CC ID 13025 Records Management Preventive
    Refrain from allowing students the right to inspect confidential letters and confidential letters of recommendation. CC ID 13019 Records Management Preventive
    Amend education records within a reasonable period after receiving a record amendment request. CC ID 12998 Records Management Corrective
    Decide whether to amend education records based on evidence presented during a hearing. CC ID 13020 Records Management Corrective
    Disseminate and communicate the notification of rights to both parents and students. CC ID 12996 Establish/Maintain Documentation Preventive
    Include the criteria for determining what constitutes a legitimate educational interest in the notification of rights. CC ID 13004 Establish/Maintain Documentation Preventive
    Include the criteria for determining what constitutes a school official in the notification of rights. CC ID 13003 Establish/Maintain Documentation Preventive
    Disclose educational data, as necessary. CC ID 00223 Data and Information Management Preventive
    Grant access to education records in support of educational program audits. CC ID 13032 Records Management Preventive
    Grant access to education records in support of external requirements. CC ID 13033 Records Management Preventive
    Disclose statements added to education records, as necessary. CC ID 12990 Communicate Preventive
    Obtain explicit consent from parents or students prior to using or disclosing educational data. CC ID 00220 Data and Information Management Preventive
    Disclose education records when written consent is received. CC ID 00224 Data and Information Management Preventive
    Specify the parties to whom education records may be disclosed in the written consent. CC ID 13002 Establish/Maintain Documentation Preventive
    Specify the purpose of the disclosure in the written consent. CC ID 13001 Establish/Maintain Documentation Preventive
    Specify which education records may be disclosed in the written consent. CC ID 13000 Establish/Maintain Documentation Preventive
    Document the conditions when consent is not required to disclose educational data. CC ID 00225 Establish/Maintain Documentation Preventive
    Disclose educational data absent consent when disclosure is in connection with a disciplinary proceeding. CC ID 13005 Communicate Preventive
    Refrain from disclosing disciplinary proceeding results unless the student has violated the institution's rules or policies. CC ID 13023 Communicate Preventive
    Disclose educational data absent consent when it concerns sex offenders. CC ID 13013 Communicate Preventive
    Disclose educational data absent consent to other school officials. CC ID 00226 Data and Information Management Preventive
    Disclose educational data absent consent to another institution's school officials. CC ID 00227 Data and Information Management Preventive
    Disclose educational data absent consent in connection with financial aid. CC ID 00229 Data and Information Management Preventive
    Disclose educational data absent consent to organizations conducting studies on tests. CC ID 00230 Data and Information Management Preventive
    Disclose educational data absent consent to organizations conducting studies if educational data is destroyed when no longer required. CC ID 12995 Communicate Preventive
    Disclose educational data absent consent to accrediting organizations. CC ID 00231 Data and Information Management Preventive
    Disclose educational data absent consent to a dependent student's parents. CC ID 00232 Data and Information Management Preventive
    Disclose educational data absent consent in order to comply with a judicial order. CC ID 00233 Data and Information Management Preventive
    Disclose educational data absent consent for a health and safety emergency. CC ID 00234 Data and Information Management Preventive
    Disclose educational data absent consent when it is merely directory information. CC ID 00235 Data and Information Management Preventive
    Disclose educational data absent consent to a crime victim. CC ID 00236 Data and Information Management Preventive
    Record the health and safety threats of students when disclosing personal data. CC ID 12997 Establish/Maintain Documentation Preventive
    Refrain from providing information to the data subject, as necessary. CC ID 12625 Communicate Preventive
    Refrain from providing information to the data subject when it is forbidden by law. CC ID 12651 Communicate Preventive
    Refrain from providing information to the data subject when it proves impossible due to statistical purposes. CC ID 12645 Communicate Preventive
    Provide the data subject with information about lifting any restriction of processing, as necessary. CC ID 12634 Communicate Preventive
    Refrain from providing information to the data subject when it proves impossible due to historical research purposes. CC ID 12633 Communicate Preventive
    Refrain from providing information to the data subject when it proves impossible due to scientific research purposes. CC ID 12632 Communicate Preventive
    Refrain from providing information to the data subject when it proves impossible due to archival purposes. CC ID 12631 Communicate Preventive
    Refrain from providing information to the data subject when providing information involves disproportionate effort. CC ID 12629 Communicate Preventive
    Refrain from providing information to the data subject when the data subject has the information. CC ID 12628 Communicate Preventive
    Provide adequate structures, policies, procedures, and mechanisms to support direct access by the data subject to personal data that is provided upon request. CC ID 00393 Establish/Maintain Documentation Preventive
    Provide the data subject with the data retention period for personal data. CC ID 12587 Process or Activity Preventive
    Provide the data subject with the criteria used to determine the data retention period for personal data. CC ID 12589 Process or Activity Preventive
    Provide the data subject with the adequacy decision. CC ID 12586 Process or Activity Preventive
    Provide the data subject with references to the appropriate safeguards used to protect the privacy of personal data. CC ID 12585 Process or Activity Preventive
    Provide the data subject with copies of the appropriate safeguards used to protect the privacy of personal data. CC ID 12608 Process or Activity Preventive
    Provide the data subject with the means of gaining access to personal data held by the organization. CC ID 00396 Data and Information Management Preventive
    Refrain from requiring the data subject to create an account in order to submit a consumer request. CC ID 13780 Business Processes Preventive
    Provide the data subject with the data protection officer's contact information. CC ID 12573 Business Processes Preventive
    Notify the data subject of the right to data portability. CC ID 12603 Process or Activity Preventive
    Provide the data subject with information about the right to erasure. CC ID 12602 Process or Activity Preventive
    Provide the data subject with a description of the type of information held by the organization and a general account of its use. CC ID 00397 Establish/Maintain Documentation Preventive
    Provide the data subject with what personal data is made available to related organizations or subsidiaries. CC ID 00399 Data and Information Management Preventive
    Include individual's names to whom personal data may be disclosed in the disclosure accounting record. CC ID 13027 Establish/Maintain Documentation Preventive
    Establish and maintain a disclosure accounting record. CC ID 13022 Establish/Maintain Documentation Preventive
    Include the official authorities that are allowed to disclose personal data absent consent in the disclosure accounting record. CC ID 13029 Establish/Maintain Documentation Preventive
    Include the legitimate interests for accessing personal data in the disclosure accounting record. CC ID 13028 Establish/Maintain Documentation Preventive
    Include what information was disclosed and to whom in the disclosure accounting record. CC ID 04680 Establish/Maintain Documentation Preventive
    Include the personal data the organization refrained from disclosing in the disclosure accounting record. CC ID 13769 Establish/Maintain Documentation Preventive
    Include the sale of personal data in the disclosure accounting record, as necessary. CC ID 13768 Establish/Maintain Documentation Preventive
    Include the disclosure date in the disclosure accounting record. CC ID 07133 Establish/Maintain Documentation Preventive
    Include the disclosure recipient in the disclosure accounting record. CC ID 07134 Establish/Maintain Documentation Preventive
    Include the disclosure purpose in the disclosure accounting record. CC ID 07135 Establish/Maintain Documentation Preventive
    Include the frequency, periodicity, or number of disclosures made during the accounting period in the disclosure accounting record. CC ID 07136 Establish/Maintain Documentation Preventive
    Include the final date of multiple disclosures in the disclosure accounting record. CC ID 07137 Establish/Maintain Documentation Preventive
    Include how personal data was used for research purposes in the disclosure accounting record. CC ID 07138 Establish/Maintain Documentation Preventive
    Include the research activity or research protocol in the disclosure accounting record. CC ID 07139 Establish/Maintain Documentation Preventive
    Include the record selection criteria for research activities in the disclosure accounting record. CC ID 07140 Establish/Maintain Documentation Preventive
    Include the contact information of the organization that sponsored the research activity in the disclosure accounting record. CC ID 07141 Establish/Maintain Documentation Preventive
    Provide the data subject with a copy of the disclosure accounting record. CC ID 14433 Communicate Preventive
    Provide shareholders with electronic messages regarding the shareholder meetings. CC ID 04586 Establish/Maintain Documentation Preventive
    Provide shareholders access to electronic messages via electronic means. CC ID 11855 Process or Activity Preventive
    Make telephone directory information available to the public. CC ID 08698 Establish/Maintain Documentation Preventive
    Display warning screens and confirmation screens for all payment transactions. CC ID 06409 Technical Security Preventive
    Define the acceptable data modifications before presenting the data to a data subject. CC ID 00400 Establish/Maintain Documentation Preventive
    Provide the data subject with information about the legitimate interests associated with personal data processing. CC ID 12614 Process or Activity Preventive
    Establish, implement, and maintain a privacy policy. CC ID 06281 Establish/Maintain Documentation Preventive
    Notify interested personnel and affected parties when changes are made to the privacy policy. CC ID 06943 Behavior Preventive
    Document privacy policies in clearly written and easily understood language. CC ID 00376 Establish/Maintain Documentation Detective
    Document the notification of interested personnel and affected parties regarding privacy policy changes. CC ID 06944 Establish/Maintain Documentation Preventive
    Define what is included in the privacy policy. CC ID 00404 Establish/Maintain Documentation Preventive
    Define the information being collected in the privacy policy. CC ID 13115 Establish/Maintain Documentation Preventive
    Define which collection of information is voluntary and which is required in the privacy policy. CC ID 13110 Establish/Maintain Documentation Preventive
    Include the means by which information is collected in the privacy policy. CC ID 13114 Establish/Maintain Documentation Preventive
    Remove certification marks of privacy programs the organization is no longer a member of from the privacy policy. CC ID 12368 Establish/Maintain Documentation Corrective
    Include the consequences of refusing to provide required information in the privacy policy. CC ID 13111 Establish/Maintain Documentation Preventive
    Remove any privacy programs the organization is not a member of from the privacy policy. CC ID 12367 Establish/Maintain Documentation Corrective
    Include independent recourse mechanisms in the privacy policy, as necessary. CC ID 12366 Establish/Maintain Documentation Preventive
    Include the privacy programs the organization is a member of in the privacy policy. CC ID 12365 Establish/Maintain Documentation Preventive
    Include a complaint form in the privacy policy. CC ID 12364 Establish/Maintain Documentation Preventive
    Include the address where the files and hardware that support the data processing is located in the privacy policy. CC ID 00405 Establish/Maintain Documentation Preventive
    Include the processing purpose in the privacy policy. CC ID 00406 Establish/Maintain Documentation Preventive
    Include an overview of applicable information security controls in the privacy policy, as necessary. CC ID 13117 Establish/Maintain Documentation Preventive
    Include the data subject categories being processed in the privacy policy. CC ID 00407 Establish/Maintain Documentation Preventive
    Define the retention period for collected information in the privacy policy. CC ID 13116 Establish/Maintain Documentation Preventive
    Include the time period for when the data processing will be carried out in the privacy policy. CC ID 00408 Establish/Maintain Documentation Preventive
    Include other organizations that personal data is being disclosed to in the privacy policy. CC ID 00409 Establish/Maintain Documentation Preventive
    Include how to gain access to personal data held by the organization in the privacy policy. CC ID 00410 Establish/Maintain Documentation Preventive
    Include instructions on how to opt-out in the privacy policy. CC ID 00411 Establish/Maintain Documentation Preventive
    Include the privacy policy's Uniform Resource Locator in the privacy policy. CC ID 12363 Establish/Maintain Documentation Preventive
    Define the audit method used to assess the privacy program in the privacy policy. CC ID 12390 Establish/Maintain Documentation Preventive
    Post the privacy policy in an easily seen location. CC ID 00401 Establish/Maintain Documentation Preventive
    Define who will receive the privacy policy. CC ID 00402 Establish/Maintain Documentation Preventive
    Disseminate and communicate the privacy policy, as necessary. CC ID 13346 Communicate Preventive
    Protect private communications in keeping with compliance requirements. CC ID 14334 Business Processes Preventive
    Disseminate private communications when required by law. CC ID 14335 Communicate Corrective
    Establish, implement, and maintain personal data choice and consent program. CC ID 12569 Establish/Maintain Documentation Preventive
    Refrain from charging a fee to implement an opt-out request. CC ID 13877 Business Processes Preventive
    Establish and maintain disclosure authorization forms for authorization of consent to use personal data. CC ID 13433 Establish/Maintain Documentation Preventive
    Include procedures for revoking authorization of consent to use personal data in the disclosure authorization form. CC ID 13438 Establish/Maintain Documentation Preventive
    Include the identity of the person seeking consent in the disclosure authorization. CC ID 13999 Establish/Maintain Documentation Preventive
    Include the recipients of the disclosed personal data in the disclosure authorization form. CC ID 13440 Establish/Maintain Documentation Preventive
    Include the signature of the data subject and the signing date in the disclosure authorization form. CC ID 13439 Establish/Maintain Documentation Preventive
    Include the identity of the data subject in the disclosure authorization form. CC ID 13436 Establish/Maintain Documentation Preventive
    Include the types of personal data to be disclosed in the disclosure authorization form. CC ID 13442 Establish/Maintain Documentation Preventive
    Include how personal data will be used in the disclosure authorization form CC ID 13441 Establish/Maintain Documentation Preventive
    Include agreement termination information in the disclosure authorization form. CC ID 13437 Establish/Maintain Documentation Preventive
    Offer incentives for consumers to opt-in to provide their personal data to the organization. CC ID 13781 Business Processes Preventive
    Refrain from using coercive financial incentive programs to entice opt-in consent. CC ID 13795 Business Processes Preventive
    Allow data subjects to opt out and refrain from granting an authorization of consent to use personal data. CC ID 00391 Data and Information Management Preventive
    Treat an opt-out direction by an individual joint consumer as applying to all associated joint consumers. CC ID 13452 Business Processes Preventive
    Treat opt-out directions separately for each customer relationship the data subject establishes with the organization. CC ID 13454 Business Processes Preventive
    Refrain from discriminating against data subjects who have refrained from granting an authorization of consent to use personal data. CC ID 13435 Human Resources Management Preventive
    Comply with opt-out directions by the data subject, unless otherwise directed by compliance requirements. CC ID 13451 Business Processes Preventive
    Highlight the section regarding data subject's consent from other sections in contracts and agreements. CC ID 13988 Establish/Maintain Documentation Preventive
    Collect and retain disclosure authorizations for each data subject. CC ID 13434 Records Management Preventive
    Refrain from requiring consent to collect, use, or disclose personal data beyond specified, legitimate reasons in order to receive products and services. CC ID 13605 Data and Information Management Preventive
    Refrain from obtaining consent through deception. CC ID 13556 Data and Information Management Preventive
    Give individuals the ability to change the uses of their personal data. CC ID 00469 Data and Information Management Preventive
    Notify data subjects of the implications of withdrawing consent. CC ID 13551 Data and Information Management Preventive
    Establish, implement, and maintain a personal data accountability program. CC ID 13432 Establish/Maintain Documentation Preventive
    Assign ownership of the privacy program to the appropriate organizational role. CC ID 11848 Human Resources Management Preventive
    Require data controllers to be accountable for their actions. CC ID 00470 Establish Roles Preventive
    Bind data controllers to secrecy concerning the performance of their duties. CC ID 12610 Human Resources Management Preventive
    Notify the supervisory authority. CC ID 00472 Behavior Preventive
    Provide the supervisory authority with any information requested by the supervisory authority. CC ID 12606 Process or Activity Preventive
    Notify the supervisory authority of the safeguards employed to protect the data subject's rights. CC ID 12605 Communicate Preventive
    Include any reasons for delay if notifying the supervisory authority after the time limit. CC ID 12675 Communicate Corrective
    Cooperate with Data Protection Authorities. CC ID 06870 Data and Information Management Preventive
    Submit a safe harbor self-certification letter. CC ID 06871 Establish/Maintain Documentation Preventive
    Refrain from engaging other data processors absent written authorization from the data controller. CC ID 12647 Human Resources Management Preventive
    Establish and maintain Binding Corporate Rules for the international transfers of personal data. CC ID 12584 Establish/Maintain Documentation Preventive
    Include cooperation mechanisms with the supervisory authority in the Binding Corporate Rules. CC ID 12682 Establish/Maintain Documentation Preventive
    Include the tasks assigned to the role of data controller in the Binding Corporate Rules. CC ID 12612 Establish/Maintain Documentation Preventive
    Include data subject's rights in the Binding Corporate Rules. CC ID 12596 Establish/Maintain Documentation Preventive
    Include the means to exercise the data subject's rights in the Binding Corporate Rules. CC ID 12597 Establish/Maintain Documentation Preventive
    Include the organizational structure and contact information in the Binding Corporate Rules. CC ID 12595 Establish/Maintain Documentation Preventive
    Include the acceptance of liability for breaches of the binding corporate rules in the Binding Corporate Rules. CC ID 12594 Establish/Maintain Documentation Preventive
    Include the mechanisms for reporting legal requirements causing adverse effects on protecting personal data in the Binding Corporate Rules. CC ID 12620 Establish/Maintain Documentation Preventive
    Include provisions for providing information on the binding corporate rules to the data subject in the Binding Corporate Rules. CC ID 12593 Establish/Maintain Documentation Preventive
    Include reporting changes to the binding corporate rules in the Binding Corporate Rules. CC ID 12591 Establish/Maintain Documentation Preventive
    Include reporting changes of the binding corporate rules to the supervisory authority in the Binding Corporate Rules. CC ID 12592 Establish/Maintain Documentation Preventive
    Include complaint procedures in the Binding Corporate Rules. CC ID 12613 Establish/Maintain Documentation Preventive
    Include the data transfers in the Binding Corporate Rules. CC ID 12590 Establish/Maintain Documentation Preventive
    Include specifying the mechanisms for verifying compliance of the binding corporate rules in the Binding Corporate Rules. CC ID 12662 Establish/Maintain Documentation Preventive
    Include the identification of the countries in question for the data transfers in the Binding Corporate Rules. CC ID 12601 Establish/Maintain Documentation Preventive
    Include the type of data subjects affected by the data transfers in the Binding Corporate Rules. CC ID 12600 Establish/Maintain Documentation Preventive
    Include all pertinent data processing information for data transfers in the Binding Corporate Rules. CC ID 12599 Establish/Maintain Documentation Preventive
    Include the categories of personal data for data transfers in the Binding Corporate Rules. CC ID 12598 Establish/Maintain Documentation Preventive
    Include specifying the legally binding nature of the binding corporate rules in the Binding Corporate Rules. CC ID 12627 Establish/Maintain Documentation Preventive
    Include privacy awareness and training in the Binding Corporate Rules. CC ID 12626 Establish/Maintain Documentation Preventive
    Notify the data controller of any changes in data processors. CC ID 12648 Communicate Preventive
    Establish and maintain Data Processing Contracts, as necessary. CC ID 12650 Establish/Maintain Documentation Preventive
    Include data processor confidentiality requirements in the Data Processing Contract. CC ID 12685 Establish/Maintain Documentation Preventive
    Include the stipulation of notifying the data controller of legal requirements prior to processing personal data unless the law prohibits such information on important grounds of public interest in the Data Processing Contract. CC ID 12687 Establish/Maintain Documentation Preventive
    Include personal data transfer procedures in the Data Processing Contract. CC ID 12683 Establish/Maintain Documentation Preventive
    Include the stipulation of allowing auditing for compliance in the Data Processing Contract. CC ID 12679 Establish/Maintain Documentation Preventive
    Include the stipulation that Report on Compliance will be made available in the Data Processing Contract. CC ID 12678 Establish/Maintain Documentation Preventive
    Include the stipulation of complying with external requirements in the Data Processing Contract. CC ID 12676 Establish/Maintain Documentation Preventive
    Include the stipulation that the data processor will respect the conditions for engaging another data processor in the Data Processing Contract. CC ID 12686 Human Resources Management Preventive
    Include the stipulation that copies of personal data will be disposed, unless retention is required by law, in the Data Processing Contract. CC ID 12670 Establish/Maintain Documentation Preventive
    Include the stipulation that personal data will be disposed or returned to the data subject in the Data Processing Contract. CC ID 12669 Establish/Maintain Documentation Preventive
    Establish and maintain a personal data use limitation program. CC ID 13428 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain a personal data use purpose specification. CC ID 00093 Establish/Maintain Documentation Preventive
    Display or print the least amount of personal data necessary. CC ID 04643 Data and Information Management Preventive
    Redact confidential information from public information, as necessary. CC ID 06872 Data and Information Management Preventive
    Notify the data subject of the collection purpose. CC ID 00095 Behavior Preventive
    Refrain from using personal data collected for research and statistics for other purposes. CC ID 00096 Data and Information Management Preventive
    Document the law that requires personal data to be collected. CC ID 00103 Establish/Maintain Documentation Preventive
    Notify the data subject of the consequences for not providing personal data. CC ID 00104 Behavior Preventive
    Notify the data subject of changes to personal data use. CC ID 00105 Behavior Preventive
    Establish, implement, and maintain personal data use change of purpose procedures. CC ID 00106 Establish/Maintain Documentation Preventive
    Document the use of publicly accessible personal data as an acceptable secondary purpose. CC ID 00108 Establish/Maintain Documentation Preventive
    Document the use of privacy-related data as acceptable if the information being used is publicly available information, the secondary use is marketing, and it is not practical to seek consent from the individual before use. CC ID 00110 Establish/Maintain Documentation Preventive
    Document the use of personal data as an acceptable secondary purpose when the data subject is not charged to request to opt out of direct marketing communications. CC ID 00111 Establish/Maintain Documentation Preventive
    Document the use of personal data as an acceptable secondary purpose when the data subject has not requested to opt out of direct marketing communications. CC ID 00112 Establish/Maintain Documentation Preventive
    Document the use of personal data as an acceptable secondary purpose when the organization highlights the opt out option during each direct marketing communication. CC ID 00113 Establish/Maintain Documentation Preventive
    Document the use of personal data as an acceptable secondary purpose when the organization displays contact information in each written direct marketing communication. CC ID 00114 Establish/Maintain Documentation Preventive
    Document the use of personal data as an acceptable secondary purpose when the data subject gives consent. CC ID 00115 Establish/Maintain Documentation Preventive
    Document the use of personal data as an acceptable secondary purpose when the personal data is Individually Identifiable Health Information used for research. CC ID 00116 Establish/Maintain Documentation Preventive
    Document the use of personal data as an acceptable secondary purpose when the personal data is used for statistical research, scholarly research, or scientific research and the data subject is anonymous. CC ID 00117 Establish/Maintain Documentation Preventive
    Document the use of personal data as an acceptable secondary purpose when the data controller believes the use is necessary to prevent a life-threatening emergency. CC ID 00118 Establish/Maintain Documentation Preventive
    Document the use of personal data as an acceptable secondary purpose when required by law. CC ID 00119 Establish/Maintain Documentation Preventive
    Document the use of personal data as an acceptable secondary purpose when the personal data is necessary for public emergencies, public health and safety, or individual emergencies. CC ID 00121 Establish/Maintain Documentation Preventive
    Document the use of personal data as an acceptable secondary purpose when the primary purpose is directly related to the secondary purpose. CC ID 00123 Establish/Maintain Documentation Preventive
    Obtain the data subject's consent when the personal data use changes. CC ID 11832 Behavior Preventive
    Document personal data that is disclosed for an acceptable secondary purpose. CC ID 00124 Establish/Maintain Documentation Preventive
    Dispose of media and personal data in a timely manner. CC ID 00125 Data and Information Management Preventive
    Refrain from destroying records being inspected or reviewed. CC ID 13015 Records Management Preventive
    Notify the data subject after their personal data is disposed, as necessary. CC ID 13502 Communicate Preventive
    Establish and maintain personal data access procedures. CC ID 00414 Establish/Maintain Documentation Preventive
    Provide individuals with information about where their personal data was processed. CC ID 00415 Data and Information Management Preventive
    Provide individuals with information about the processing purpose of their personal data. CC ID 00416 Data and Information Management Preventive
    Provide individuals with information about disclosure of their personal data. CC ID 00417 Data and Information Management Preventive
    Allow guardians and legal representatives access to personal data about the individual for whom they are guardians or legal representatives. CC ID 00418 Data and Information Management Preventive
    Provide assistance to data subject's in preparing personal data access requests. CC ID 13588 Data and Information Management Preventive
    Require personal data access requests to be in writing, unless the requester is unable. CC ID 00420 Establish/Maintain Documentation Preventive
    Define what is to be included in a personal data access request. CC ID 08699 Establish/Maintain Documentation Preventive
    Refrain from requiring data subjects having to justify personal data access requests. CC ID 12394 Business Processes Preventive
    Respond to personal data access requests in a timely manner. CC ID 00421 Behavior Preventive
    Notify the individual of the reasons for delays in responding to personal data access requests. CC ID 00422 Behavior Detective
    Notify the individual when a cost is imposed which must be paid in advance to gain access. CC ID 00423 Behavior Detective
    Deliver the records described in the personal data access request, as necessary. CC ID 08701 Establish/Maintain Documentation Preventive
    Document the outcome of the personal data access request review procedure. CC ID 00455 Data and Information Management Preventive
    Establish and maintain procedures for individuals to be able to modify their personal data, as necessary. CC ID 11811 Establish/Maintain Documentation Preventive
    Submit personal data removal requests in writing. CC ID 11973 Records Management Preventive
    Include a liability waiver for any harm caused by the exclusion of personal data in the personal data removal request. CC ID 11975 Establish/Maintain Documentation Preventive
    Allow authorized individuals to authenticate record entries containing personal data. CC ID 11812 Records Management Corrective
    Notify third parties of personal data access requests that relates to the third party. CC ID 08703 Establish/Maintain Documentation Preventive
    Allow affected third parties to consent or object to a personal data access request. CC ID 08704 Process or Activity Preventive
    Establish, implement, and maintain personal data use limitation procedures. CC ID 00128 Establish/Maintain Documentation Preventive
    Disclose de-identified data, as necessary. CC ID 13034 Communicate Preventive
    Notify the data subject after personal data is used or disclosed. CC ID 06247 Behavior Preventive
    Refrain from processing personal data, as necessary. CC ID 12551 Records Management Preventive
    Refrain from processing personal data if the personal data is involved in a legal claim. CC ID 12668 Process or Activity Preventive
    Refrain from providing information to the data subject when the organization cannot identify the data subject. CC ID 12667 Process or Activity Preventive
    Refrain from erasing personal data when the data subject consents to retention. CC ID 14326 Business Processes Preventive
    Refrain from erasing personal data upon data subject request when personal data processing is necessary for statistical purposes. CC ID 12656 Process or Activity Preventive
    Refrain from erasing personal data upon data subject request when personal data processing is necessary for historical research purposes. CC ID 12655 Process or Activity Preventive
    Refrain from erasing personal data upon data subject request when personal data processing is necessary for scientific research purposes. CC ID 12654 Process or Activity Preventive
    Refrain from erasing personal data upon data subject request when personal data processing is necessary for exercising freedom of expression. CC ID 12684 Process or Activity Preventive
    Refrain from erasing personal data upon data subject request when it is used to provide a service. CC ID 13779 Process or Activity Preventive
    Refrain from erasing personal data upon data subject request when it is being used for incident detection. CC ID 13778 Process or Activity Detective
    Refrain from erasing personal data upon data subject request when personal data processing is necessary for archival purposes. CC ID 12653 Process or Activity Preventive
    Refrain from erasing personal data upon data subject request when personal data processing is for compliance with a legal obligation. CC ID 12652 Process or Activity Preventive
    Refrain from erasing personal data upon data subject request when personal data processing is necessary for the public interest. CC ID 12649 Process or Activity Preventive
    Refrain from erasing personal data upon data subject request when personal data processing concerns legal claims. CC ID 12644 Process or Activity Preventive
    Refrain from processing personal data when it is likely to cause unlawful discrimination or arbitrary discrimination. CC ID 00197 Data and Information Management Preventive
    Refrain from processing personal data when it reveals trade union membership. CC ID 12583 Business Processes Preventive
    Refrain from processing personal data when it concerns an individual's sexual orientation. CC ID 12582 Business Processes Preventive
    Refrain from processing personal data when it concerns an individual's sex life. CC ID 12581 Business Processes Preventive
    Refrain from processing personal data when it contains Individually Identifiable Health Information. CC ID 12580 Business Processes Preventive
    Refrain from processing personal data when biometric data is used for the purpose of identifying an individual. CC ID 12579 Business Processes Preventive
    Refrain from processing personal data when the genetic data is used for the purpose of identifying individuals. CC ID 12578 Business Processes Preventive
    Refrain from processing personal data when it reveals philosophical beliefs. CC ID 12577 Business Processes Preventive
    Refrain from processing personal data when it reveals religious beliefs. CC ID 12576 Business Processes Preventive
    Refrain from processing personal data when it reveals political opinions. CC ID 12575 Business Processes Preventive
    Refrain from processing personal data if it reveals ethnic origin. CC ID 12574 Business Processes Preventive
    Refrain from processing personal data if the data subject opposes the data erasure of personal data. CC ID 12619 Process or Activity Preventive
    Establish and maintain a record of processing activities when processing personal data. CC ID 12636 Establish/Maintain Documentation Preventive
    Refrain from maintaining a record of processing activities if the data processor employs a limited number of persons. CC ID 13378 Establish/Maintain Documentation Preventive
    Refrain from maintaining a record of processing activities if the personal data relates to criminal records. CC ID 13377 Establish/Maintain Documentation Preventive
    Refrain from maintaining a record of processing activities if the data being processed is restricted data. CC ID 13376 Establish/Maintain Documentation Preventive
    Refrain from maintaining a record of processing activities if it could result in a risk to the data subject's rights or data subject's freedom. CC ID 13375 Establish/Maintain Documentation Preventive
    Include the data protection officer's contact information in the record of processing activities. CC ID 12640 Records Management Preventive
    Include the data processor's contact information in the record of processing activities. CC ID 12657 Records Management Preventive
    Include the data processor's representative's contact information in the record of processing activities. CC ID 12658 Records Management Preventive
    Include a general description of the implemented security measures in the record of processing activities. CC ID 12641 Records Management Preventive
    Include a description of the data subject categories in the record of processing activities. CC ID 12659 Records Management Preventive
    Include the purpose of the personal data processing in the record of processing activities. CC ID 12663 Records Management Preventive
    Include the personal data processing categories in the record of processing activities. CC ID 12661 Records Management Preventive
    Include the time limits for erasing each data category in the record of processing activities. CC ID 12690 Records Management Preventive
    Include the data recipient categories to whom personal data has been or will be disclosed in the record of processing activities. CC ID 12664 Records Management Preventive
    Include a description of the personal data categories in the record of processing activities. CC ID 12660 Records Management Preventive
    Include the joint data controller's contact information in the record of processing activities. CC ID 12639 Records Management Preventive
    Include the data controller's representative's contact information in the record of processing activities. CC ID 12638 Records Management Preventive
    Include documentation of the transferee's safeguards for transferring personal data in the record of processing activities. CC ID 12643 Records Management Preventive
    Include the identification of transferees for transferring personal data in the record of processing activities. CC ID 12642 Records Management Preventive
    Include the data controller's contact information in the record of processing activities. CC ID 12637 Records Management Preventive
    Process personal data lawfully and carefully. CC ID 00086 Establish Roles Preventive
    Analyze requirements for processing personal data in contracts. CC ID 12550 Investigate Detective
    Implement technical controls that limit processing personal data for specific purposes. CC ID 12646 Technical Security Preventive
    Process personal data pertaining to a patient's health in order to treat those patients. CC ID 00200 Data and Information Management Preventive
    Notify the subject of care when a lack of availability of health information systems might have adversely affected their care. CC ID 13990 Communicate Corrective
    Refrain from disclosing Individually Identifiable Health Information when in violation of territorial or federal law. CC ID 11966 Records Management Preventive
    Document the conditions for the use or disclosure of Individually Identifiable Health Information by a covered entity to another covered entity. CC ID 00210 Establish/Maintain Documentation Preventive
    Disclose Individually Identifiable Health Information for a covered entity's own use. CC ID 00211 Data and Information Management Preventive
    Disclose Individually Identifiable Health Information for a healthcare provider's treatment activities by a covered entity. CC ID 00212 Data and Information Management Preventive
    Rely upon the warranty of the covered entity that the record disclosure request for Individually Identifiable Health Information is permitted with the consent of the data subject. CC ID 11970 Records Management Preventive
    Rely upon the warrant of the covered entity that the record disclosure request for Individually Identifiable Health Information is to support the treatment of the individual. CC ID 11969 Process or Activity Preventive
    Rely upon the warrant of the covered entity that the record disclosure request for Individually Identifiable Health Information is permitted by law. CC ID 11976 Records Management Preventive
    Disclose Individually Identifiable Health Information for payment activities between covered entities or healthcare providers. CC ID 00213 Data and Information Management Preventive
    Disclose Individually Identifiable Health Information for Treatment, Payment, and Health Care Operations activities when both covered entities have a relationship with the data subject. CC ID 00214 Data and Information Management Preventive
    Disclose Individually Identifiable Health Information for Treatment, Payment, and Health Care Operations activities between a covered entity and a participating healthcare provider when the information is collected from the data subject and a third party. CC ID 00215 Data and Information Management Preventive
    Disclose Individually Identifiable Health Information in accordance with agreed upon restrictions. CC ID 06249 Data and Information Management Preventive
    Disclose Individually Identifiable Health Information in accordance with the privacy notice. CC ID 06250 Data and Information Management Preventive
    Disclose permitted Individually Identifiable Health Information for facility directories. CC ID 06251 Data and Information Management Preventive
    Disclose Individually Identifiable Health Information for cadaveric organ donation purposes, eye donation purposes, or tissue donation purposes. CC ID 06252 Data and Information Management Preventive
    Disclose Individually Identifiable Health Information for medical suitability determinations. CC ID 06253 Data and Information Management Preventive
    Disclose Individually Identifiable Health Information for armed forces personnel appropriately. CC ID 06254 Data and Information Management Preventive
    Disclose Individually Identifiable Health Information in order to provide public benefits by government agencies. CC ID 06255 Data and Information Management Preventive
    Disclose Individually Identifiable Health Information for fundraising. CC ID 06256 Data and Information Management Preventive
    Disclose Individually Identifiable Health Information for research use when the appropriate requirements are included in the approval documentation or waiver documentation. CC ID 06257 Establish/Maintain Documentation Preventive
    Document the conditions for the disclosure of Individually Identifiable Health Information by an organization providing healthcare services to organizations other than business associates or other covered entities. CC ID 00201 Establish/Maintain Documentation Preventive
    Disclose Individually Identifiable Health Information when the data subject cannot physically or legally provide consent and the disclosing organization is a healthcare provider. CC ID 00202 Data and Information Management Preventive
    Disclose Individually Identifiable Health Information to provide appropriate treatment to the data subject when the disclosing organization is a healthcare provider. CC ID 00203 Data and Information Management Preventive
    Disclose Individually Identifiable Health Information when it is not contrary to the data subject's wish prior to becoming unable to provide consent and the disclosing organization is a healthcare provider. CC ID 00204 Data and Information Management Preventive
    Disclose Individually Identifiable Health Information that is reasonable or necessary for the disclosure purpose when the disclosing organization is a healthcare provider. CC ID 00205 Data and Information Management Preventive
    Disclose Individually Identifiable Health Information consistent with the law when the disclosing organization is a healthcare provider. CC ID 00206 Data and Information Management Preventive
    Disclose Individually Identifiable Health Information in order to carry out treatment when the disclosing organization is a healthcare provider. CC ID 00207 Data and Information Management Preventive
    Disclose Individually Identifiable Health Information in order to carry out treatment when the data subject has provided consent and the disclosing organization is a healthcare provider. CC ID 00208 Data and Information Management Preventive
    Disclose Individually Identifiable Health Information in order to carry out treatment when the data subject's guardian or representative has provided consent and the disclosing organization is a healthcare provider. CC ID 00209 Data and Information Management Preventive
    Disclose Individually Identifiable Health Information when the disclosing organization is a healthcare provider that supports public health and safety activities. CC ID 06248 Data and Information Management Preventive
    Disclose Individually Identifiable Health Information in order to report abuse or neglect when the disclosing organization is a healthcare provider. CC ID 06819 Data and Information Management Preventive
    Document how Individually Identifiable Health Information is used and disclosed when authorization has been granted. CC ID 00216 Establish/Maintain Documentation Preventive
    Define and implement valid authorization control requirements. CC ID 06258 Establish/Maintain Documentation Preventive
    Obtain explicit consent for authorization to release Individually Identifiable Health Information. CC ID 00217 Data and Information Management Preventive
    Obtain explicit consent for authorization to release psychotherapy notes. CC ID 00218 Data and Information Management Preventive
    Refrain from using Individually Identifiable Health Information to determine eligibility or continued eligibility for credit. CC ID 00219 Data and Information Management Preventive
    Process personal data after the data subject has granted explicit consent. CC ID 00180 Data and Information Management Preventive
    Process personal data in order to perform a legal obligation or exercise a legal right. CC ID 00182 Data and Information Management Preventive
    Process personal data relating to criminal offenses when required by law. CC ID 00237 Data and Information Management Preventive
    Process personal data in order to prevent personal injury or damage to the data subject's health. CC ID 00183 Data and Information Management Preventive
    Process personal data in order to prevent personal injury or damage to a third party's health. CC ID 00184 Data and Information Management Preventive
    Process personal data for statistical purposes or scientific purposes. CC ID 00256 Data and Information Management Preventive
    Process personal data when it is processed during legitimate activities with safeguards for the data subject's legal rights. CC ID 00185 Data and Information Management Preventive
    Process traffic data in a controlled manner. CC ID 00130 Data and Information Management Preventive
    Process personal data for health insurance, social insurance, state social benefits, social welfare, or child protection. CC ID 00186 Data and Information Management Preventive
    Process personal data when it is publicly accessible. CC ID 00187 Data and Information Management Preventive
    Process personal data for direct marketing and other personalized mail programs. CC ID 00188 Data and Information Management Preventive
    Refrain from processing personal data for marketing or advertising to children. CC ID 14010 Business Processes Preventive
    Refrain from disseminating and communicating with individuals that have opted out of direct marketing communications. CC ID 13708 Communicate Corrective
    Process personal data for justice administration, lawsuits, judicial decisions, and investigations. CC ID 00189 Data and Information Management Preventive
    Process personal data for debt collection or benefit payments. CC ID 00190 Data and Information Management Preventive
    Process personal data in order to advance the public interest. CC ID 00191 Data and Information Management Preventive
    Process personal data for surveys, archives, or scientific research. CC ID 00192 Data and Information Management Preventive
    Process personal data for journalistic purposes. CC ID 00193 Data and Information Management Preventive
    Process personal data for academic purposes or religious purposes. CC ID 00194 Data and Information Management Preventive
    Process personal data when it is used by a public authority for National Security policy or criminal policy. CC ID 00195 Data and Information Management Preventive
    Refrain from storing data in newly created files or registers which directly or indirectly reveals the restricted data. CC ID 00196 Data and Information Management Preventive
    Follow legal obligations while processing personal data. CC ID 04794 Data and Information Management Preventive
    Start personal data processing only after the needed notifications are submitted. CC ID 04791 Data and Information Management Preventive
    Process personal data absent consent for specific and well-documented circumstances. CC ID 13537 Data and Information Management Preventive
    Process personal data absent consent in order to protect vital interests of the data subject. CC ID 14012 Process or Activity Preventive
    Process personal data absent consent when the data subject has been notified the personal data may be collected, used, or disclosed. CC ID 13617 Data and Information Management Preventive
    Process personal data absent consent in order to establish, manage, or terminate employment contracts. CC ID 13615 Data and Information Management Preventive
    Process personal data absent consent when the data subject is notified that the business transaction is completed and their information was disclosed. CC ID 13612 Data and Information Management Preventive
    Process personal data absent consent when the disclosure concerns the data subject's products and services obtained from the organization. CC ID 13611 Data and Information Management Preventive
    Process personal data absent consent to determine whether to proceed with business transactions. CC ID 13587 Data and Information Management Preventive
    Process personal data absent consent in order to perform a contract. CC ID 13586 Data and Information Management Preventive
    Process personal data absent consent when the privacy commissioner is notified before the information is used. CC ID 13581 Data and Information Management Preventive
    Process personal data absent consent when it is impracticable to obtain consent. CC ID 13580 Data and Information Management Preventive
    Process personal data absent consent when it is used in a manner to ensure confidentiality. CC ID 13579 Data and Information Management Preventive
    Process personal data absent consent when it is used for statistical research, scientific research, or scholarly research. CC ID 13578 Data and Information Management Preventive
    Process personal data absent consent when it is needed by law. CC ID 13577 Data and Information Management Preventive
    Process personal data absent consent when it is from publicly available information. CC ID 13576 Data and Information Management Preventive
    Process personal data absent consent if its use is consistent with the purposes. CC ID 13575 Data and Information Management Preventive
    Process personal data absent consent when produced for business purposes. CC ID 13563 Data and Information Management Preventive
    Process personal data absent consent for handling insurance claims. CC ID 13561 Data and Information Management Preventive
    Process personal data absent consent if the information is contained in a witness statement. CC ID 13560 Data and Information Management Preventive
    Process personal data absent consent for life-threatening emergencies. CC ID 13558 Data and Information Management Preventive
    Process personal data absent consent for reasonable investigative purposes. CC ID 13557 Data and Information Management Preventive
    Notify the data subject before personal data is collected, used, or disclosed. CC ID 00132 Behavior Preventive
    Define security breach notification requirement exceptions. CC ID 04797 Establish/Maintain Documentation Preventive
    Refrain from disclosing a security breach if an investigation concludes none has occurred. CC ID 13086 Communicate Corrective
    Refrain from disclosing personal data absent consent of the individual or for defined exceptions. CC ID 11967 Records Management Preventive
    Notify the data subject when personal data has been inadvertently disclosed. CC ID 13989 Communicate Corrective
    Disclose personal data when the data subject has given unambiguous and implicit consent. CC ID 00157 Data and Information Management Preventive
    Define what personal data is not required to be disclosed absent consent. CC ID 00134 Establish/Maintain Documentation Preventive
    Define the exceptions to disclosure absent consent. CC ID 00135 Establish/Maintain Documentation Preventive
    Disclose personal data when the data subject has consented and has the ability to opt out. CC ID 00158 Data and Information Management Detective
    Define opt-out exceptions for disclosing personal data. CC ID 00159 Establish/Maintain Documentation Preventive
    Define how a data subject may give consent. CC ID 00160 Establish/Maintain Documentation Preventive
    Disclose Personal Identification Numbers absent consent in order to update address information. CC ID 04793 Data and Information Management Preventive
    Disclose personal data absent consent when the law does not require consent. CC ID 00136 Data and Information Management Preventive
    Disclose personal data when a relevant connection exists between the data subject and the data controller's operations. CC ID 00137 Data and Information Management Preventive
    Disclose personal data absent consent if the disclosure with the consent or knowledge of the data subject would compromise the ability to prevent, detect, or suppress fraud. CC ID 13594 Data and Information Management Preventive
    Disclose personal data absent consent in order to establish, manage, or terminate employment contracts. CC ID 13616 Data and Information Management Preventive
    Disclose personal data absent consent when the data subject is notified that the business transaction is completed and their information was disclosed. CC ID 13613 Data and Information Management Preventive
    Disclose personal data absent consent when the data subject has been notified the personal data may be collected, used, or disclosed. CC ID 13603 Data and Information Management Preventive
    Disclose personal data absent consent if disclosure is made a predetermined number of years after the death of the data subject. CC ID 13598 Data and Information Management Preventive
    Disclose personal data absent consent when disclosure is made a predetermined number of years after the information was created. CC ID 13597 Data and Information Management Preventive
    Disclose personal data absent consent if the data subject is notified of the disclosure. CC ID 13596 Data and Information Management Preventive
    Disclose personal data absent consent if it is necessary to identify an individual who is injured, ill or deceased. CC ID 13595 Data and Information Management Preventive
    Disclose personal data absent consent if the disclosure is to a government institution. CC ID 13583 Data and Information Management Preventive
    Disclose personal data absent consent for reasonable investigative purposes. CC ID 13593 Data and Information Management Preventive
    Disclose personal data absent consent to detect, suppress, or prevent fraud. CC ID 13592 Data and Information Management Preventive
    Disclose personal data absent consent for handling insurance claims. CC ID 13585 Data and Information Management Preventive
    Disclose personal data absent consent if the information is contained in a witness statement. CC ID 13584 Data and Information Management Preventive
    Disclose personal data absent consent if the data subject is believed to be a victim of financial abuse. CC ID 13555 Data and Information Management Preventive
    Disclose personal data absent consent to a government institution that has requested the information. CC ID 13582 Data and Information Management Preventive
    Disclose personal data absent consent if disclosure is to the next of kin or authorized representative. CC ID 13554 Data and Information Management Preventive
    Disclose personal data absent consent when it is for the data controller's legitimate interest or third party's legitimate interest and it prevails over individual rights. CC ID 00138 Data and Information Management Preventive
    Disclose personal data absent consent if the organization notifies the privacy commissioner before disclosing the information. CC ID 13553 Data and Information Management Preventive
    Disclose personal data absent consent if it is impracticable to obtain consent. CC ID 13552 Data and Information Management Preventive
    Disclose personal data absent consent in order to perform a contract. CC ID 00139 Data and Information Management Preventive
    Disclose personal data absent consent in order to assist Telecommunications Ombudsmen in resolving complaints. CC ID 00140 Data and Information Management Preventive
    Disclose personal data absent consent when the personal data is disclosed by calling an emergency service number. CC ID 00141 Data and Information Management Preventive
    Disclose personal data absent consent when the personal data prevents life-threatening emergencies to third parties. CC ID 00142 Data and Information Management Preventive
    Disclose personal data absent consent when the personal data preserves human life at sea. CC ID 00143 Data and Information Management Preventive
    Disclose personal data absent consent in order to process the personal data for public interests. CC ID 00144 Data and Information Management Preventive
    Disclose personal data for public interests absent consent in order to provide social work assistance services. CC ID 00145 Data and Information Management Preventive
    Disclose personal data for public interests absent consent if confidentiality is assured and the disclosure is for statistical research, scientific research, or scholarly research. CC ID 00146 Data and Information Management Preventive
    Disclose personal data for public interests absent consent in order to protect historical records or archival records. CC ID 00147 Data and Information Management Preventive
    Disclose personal data absent consent for public economic interests. CC ID 00148 Data and Information Management Preventive
    Disclose personal data for public interests absent consent for National Security reasons. CC ID 00149 Data and Information Management Preventive
    Disclose personal data absent consent for journalistic purposes. CC ID 00150 Data and Information Management Preventive
    Disclose personal data absent consent when it is publicly accessible. CC ID 00151 Data and Information Management Preventive
    Disclose personal data absent consent when it is related to publicly available information. CC ID 00152 Data and Information Management Preventive
    Disclose publicly accessible personal data absent consent when the data subject has already published it. CC ID 00153 Data and Information Management Preventive
    Disclose personal data absent consent in order to protect the data subject's vital interests. CC ID 00154 Data and Information Management Preventive
    Disclose personal data absent consent in order to protect the data subject's vital interests when there is a life-threatening emergency. CC ID 00155 Data and Information Management Preventive
    Disclose personal data absent consent when it is for judicial decisions, lawsuits, and investigations. CC ID 00161 Data and Information Management Preventive
    Disclose personal data for judicial decisions, lawsuits, and investigations only after the data controller includes a note of the disclosure in the record. CC ID 00162 Establish/Maintain Documentation Detective
    Disclose personal data absent consent when it is needed by law. CC ID 00163 Data and Information Management Preventive
    Disclose personal data required by law absent consent for special cases involving security or law enforcement. CC ID 04796 Data and Information Management Preventive
    Disclose personal data absent consent when it is being disclosed to the data subject. CC ID 00164 Data and Information Management Preventive
    Disclose personal data absent consent in order to collect a debt owed by the data subject. CC ID 00165 Data and Information Management Preventive
    Disclose personal data absent consent when the data subject or data owner is anonymous. CC ID 00166 Data and Information Management Preventive
    Disclose personal data absent consent when the disclosure concerns the data subject's products or services obtained from the organization. CC ID 13469 Communicate Preventive
    Establish and maintain personal data retention procedures. CC ID 00167 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain personal data disposition procedures. CC ID 13498 Establish/Maintain Documentation Preventive
    Capture personal data removal requests. CC ID 13507 Communicate Preventive
    Remove personal data from records after receiving a personal data removal request. CC ID 11972 Records Management Preventive
    Refrain from erasing personal data upon receiving a personal data removal request when it is necessary for maintaining information assets. CC ID 13789 Process or Activity Preventive
    Refrain from erasing personal data upon receiving a personal data removal request when it is necessary to complete a payment transaction. CC ID 13788 Process or Activity Preventive
    Dispose of personal data removal requests, as necessary. CC ID 13512 Business Processes Preventive
    Limit the redisclosure and reuse of personal data. CC ID 00168 Data and Information Management Preventive
    Refrain from redisclosing or reusing personal data. CC ID 00169 Data and Information Management Preventive
    Document the redisclosing personal data exceptions. CC ID 00170 Establish/Maintain Documentation Preventive
    Redisclose personal data when the data subject consents. CC ID 00171 Data and Information Management Preventive
    Redisclose personal data when it is for criminal law enforcement. CC ID 00172 Data and Information Management Preventive
    Redisclose personal data in order to protect public revenue. CC ID 00173 Data and Information Management Preventive
    Redisclose personal data in order to assist a Telecommunications Ombudsman. CC ID 00174 Data and Information Management Preventive
    Redisclose personal data in order to prevent a life-threatening emergency. CC ID 00175 Data and Information Management Preventive
    Redisclose personal data when it deals with installing, maintaining, operating, or providing access to a Public Telecommunications Network or a telecommunication facility. CC ID 00176 Data and Information Management Preventive
    Redisclose personal data in order to preserve human life at sea. CC ID 00177 Data and Information Management Preventive
    Obtain explicit consent directly from the data subject prior to the use of that person's sensitive data. CC ID 00178 Data and Information Management Preventive
    Obtain parental consent in order to use or disclose children's data. CC ID 00198 Data and Information Management Preventive
    Obtain opt-in consent from teenagers prior to the collection, use, or disclosure of personal data. CC ID 00199 Data and Information Management Preventive
    Obtain explicit consent prior to using the data subject's Personal Identification Number. CC ID 00238 Data and Information Management Preventive
    Process Personal Identification Numbers with consent. CC ID 00239 Data and Information Management Preventive
    Refrain from requiring individuals to use Personal Identification Numbers as an account number or password. CC ID 00253 Behavior Preventive
    Obtain consent prior to selling a Personal Identification Number. CC ID 00240 Data and Information Management Preventive
    Obtain consent prior to displaying a Personal Identification Number. CC ID 00241 Data and Information Management Preventive
    Refrain from displaying Personal Identification Numbers on government-issued checks or other paperwork. CC ID 00254 Data and Information Management Preventive
    Refrain from displaying Personal Identification Numbers on identification cards or badges. CC ID 00255 Data and Information Management Preventive
    Document the conditions to use Personal Identification Numbers absent consent. CC ID 00242 Establish/Maintain Documentation Preventive
    Use Personal Identification Numbers absent consent for granting credit or collecting a debt. CC ID 00252 Data and Information Management Preventive
    Use Personal Identification Numbers absent consent for research purposes. CC ID 00247 Data and Information Management Preventive
    Refrain from requiring consent to use a Personal Identification Number when protecting the public health and safety or an individual's safety in an emergency. CC ID 00244 Data and Information Management Preventive
    Use Personal Identification Numbers absent consent when a federal law mandates its use. CC ID 00243 Data and Information Management Preventive
    Allow data subjects the ability to restrict the use and disclosure of personal data. CC ID 06821 Data and Information Management Preventive
    Establish and maintain personal data disclosure procedures. CC ID 00133 Establish/Maintain Documentation Preventive
    Review personal data disclosure requests. CC ID 07129 Data and Information Management Preventive
    Establish and maintain personal data request denial procedures. CC ID 00434 Establish/Maintain Documentation Preventive
    Include frivolous requests or vexatious requests as a reason for denial in the personal data request denial procedures. CC ID 00435 Data and Information Management Preventive
    Include when the required information is unavailable as a reason for denial in the personal data request denial procedures. CC ID 00436 Data and Information Management Preventive
    Include when the disclosure of personal data constitutes contempt of court or contempt of House of Representatives as a reason for denial in the personal data request denial procedures. CC ID 00437 Data and Information Management Preventive
    Include disclosing personal data that would identify suppliers or breaches an express promise of privacy or implied promise of privacy as a reason for denial in the personal data request denial procedures. CC ID 00438 Data and Information Management Preventive
    Include disclosing personal data that would compromise National Security as a reason for denial in the personal data request denial procedures. CC ID 00439 Data and Information Management Preventive
    Include information that is protected by attorney-client privilege as a reason for denial in the personal data request denial procedures. CC ID 00440 Data and Information Management Preventive
    Include disclosing personal data that would reveal trade secrets, commercial information, or harmful financial information as a reason for denial in the personal data request denial procedures. CC ID 00441 Data and Information Management Preventive
    Include disclosing personal data that would threaten an individual's life or an individual's security as a reason for denial in the personal data request denial procedures. CC ID 00442 Data and Information Management Preventive
    Include disclosing personal data that would have an unreasonable impact on another individual's privacy as a reason for denial in the personal data request denial procedures. CC ID 00443 Data and Information Management Preventive
    Include disclosing personal data that would threaten facilities, property, transport, or communication systems as a reason for denial in the personal data request denial procedures. CC ID 08702 Process or Activity Preventive
    Include responding to access requests after the time limit as a reason for denial in the personal data request denial procedures. CC ID 13600 Data and Information Management Preventive
    Include information that was generated from a formal dispute as a reason for denial in the personal data request denial procedures. CC ID 00444 Data and Information Management Preventive
    Include personal data that is used solely for scientific research, scholarly research, statistical research, library purposes, museum purposes, or archival purposes as a reason for denial in the personal data request denial procedures. CC ID 00445 Data and Information Management Preventive
    Include personal data that is for the state's economic interest as a reason for denial in the personal data request denial procedures. CC ID 00446 Data and Information Management Detective
    Include personal data that is for protecting the civil rights or other's freedoms as a reason for denial in the personal data request denial procedures. CC ID 00447 Data and Information Management Preventive
    Include disclosing personal data that constitutes a state secret as a reason for denial in the personal data request denial procedures. CC ID 00448 Data and Information Management Preventive
    Include disclosing personal data that would result in interference with the operation of public functions as a reason for denial in the personal data request denial procedures. CC ID 00449 Data and Information Management Preventive
    Include disclosing personal data that would interrupt criminal investigation and surveillance or other legal purposes as a reason for denial in the personal data request denial procedures. CC ID 00450 Data and Information Management Preventive
    Include when a country's laws prevent disclosure as a reason for denial in the personal data request denial procedures. CC ID 00451 Data and Information Management Preventive
    Include disclosing personal data that would interfere with grievance proceeding or employee security investigations as a reason for denial in the personal data request denial procedures. CC ID 06873 Data and Information Management Preventive
    Include disclosing personal data that would interfere with commercial acquisitions or reorganizations as a reason for denial in the personal data request denial procedures. CC ID 06874 Data and Information Management Preventive
    Include if the cost or burden of disclosing the personal data is disproportionate as a reason for denial in the personal data request denial procedures. CC ID 06875 Data and Information Management Preventive
    Notify the individual of the reasons the personal data access request was refused. CC ID 00453 Data and Information Management Preventive
    Notify the individual of the organization's legal rights to refuse the personal data access request, as necessary. CC ID 13509 Communicate Preventive
    Notify individuals of their right to challenge a refusal to a personal data access request. CC ID 00454 Data and Information Management Preventive
    Include if the record would constitute an action for breach of a duty of confidence as a reason for denial in the personal data request denial procedures. CC ID 08700 Process or Activity Preventive
    Disseminate and communicate personal data to the individual that it relates to. CC ID 00428 Data and Information Management Preventive
    Provide personal data to an individual after the individual's identity has been confirmed. CC ID 06876 Data and Information Management Preventive
    Provide personal data in a reasonable time frame. CC ID 00429 Data and Information Management Preventive
    Notify individuals of the new time limit for responding to an access request in a notice of extension. CC ID 13599 Communicate Preventive
    Extend the time limit for providing personal data in order to convert it to an alternative format. CC ID 13591 Data and Information Management Preventive
    Extend the time limit for providing personal data if the time is impracticable to respond to the access request. CC ID 13590 Data and Information Management Preventive
    Extend the time limit for providing personal data if it would unreasonably interfere with the organization's activities. CC ID 13589 Data and Information Management Preventive
    Provide personal data at a cost that is not excessive. CC ID 00430 Data and Information Management Preventive
    Provide personal data in a reasonable manner. CC ID 00431 Data and Information Management Preventive
    Provide personal data in a form that is intelligible. CC ID 00432 Data and Information Management Preventive
    Provide personal data that would threaten the life or security of another individual after that information has been redacted. CC ID 13604 Data and Information Management Preventive
    Provide personal data that would reveal confidential commercial information after that information has been redacted. CC ID 13602 Data and Information Management Preventive
    Remove personal data about third parties before giving the data subject access to the information. CC ID 13601 Data and Information Management Preventive
    Document that a personal data search was conducted in case the personal data cannot be found. CC ID 06953 Establish/Maintain Documentation Preventive
    Include cookie management in the privacy framework. CC ID 13809 Establish/Maintain Documentation Preventive
    Establish and maintain cookie management procedures. CC ID 13810 Establish/Maintain Documentation Preventive
    Establish and maintain a personal data collection program. CC ID 06487 Establish/Maintain Documentation Preventive
    Determine the financial impact for the unauthorized disclosure of privacy-related data and privacy-related information. CC ID 06488 Business Processes Detective
    Establish and maintain personal data collection limitation boundaries. CC ID 00507 Establish/Maintain Documentation Preventive
    Establish and maintain a personal data use policy. CC ID 00076 Establish/Maintain Documentation Preventive
    Use personal data for specified purposes. CC ID 11831 Data and Information Management Preventive
    Post the collection purpose. CC ID 00101 Establish/Maintain Documentation Preventive
    Obtain the data subject's consent and acknowledgment before collecting data. CC ID 00012 Data and Information Management Preventive
    Document each individual's personal data collection consent preferences. CC ID 06945 Establish/Maintain Documentation Preventive
    Provide explicit consent that is clear and unambiguous. CC ID 00181 Data and Information Management Preventive
    Allow individuals to change their personal data collection consent preferences. CC ID 06946 Data and Information Management Preventive
    Adhere to each individual's personal data collection consent preferences. CC ID 06947 Data and Information Management Preventive
    Notify the data subject of the source of collected personal data. CC ID 00083 Behavior Preventive
    Furnish disclosure of information and usage of information to data subjects when oral consent is given. CC ID 04717 Data and Information Management Preventive
    Disclose the direct marketing purpose before obtaining consent for collecting information. CC ID 04718 Data and Information Management Preventive
    Establish and maintain a personal data definition. CC ID 00028 Establish/Maintain Documentation Preventive
    Include an individual's name in the personal data definition. CC ID 04710 Data and Information Management Preventive
    Include an individual's name combined with other personal data in the personal data definition. CC ID 04709 Data and Information Management Preventive
    Include a parent's legal surname prior to marriage in the personal data definition. CC ID 04686 Data and Information Management Preventive
    Include an individual's signature in the personal data definition. CC ID 04711 Data and Information Management Preventive
    Include an individual's date of birth in the personal data definition. CC ID 04770 Data and Information Management Preventive
    Include the number of children in the personal data definition. CC ID 13759 Establish/Maintain Documentation Preventive
    Include the individual's religion in the personal data definition. CC ID 13765 Establish/Maintain Documentation Preventive
    Include an individual's physical characteristics or description in the personal data definition. CC ID 04712 Data and Information Management Preventive
    Include an individual's biometric data in the personal data definition. CC ID 04698 Data and Information Management Preventive
    Include an individual's photographic image in the personal data definition. CC ID 04779 Data and Information Management Preventive
    Include an individual's fingerprints in the personal data definition. CC ID 04689 Data and Information Management Preventive
    Include an individual's address in the personal data definition. CC ID 04687 Data and Information Management Preventive
    Include an individual's telephone number in the personal data definition. CC ID 04688 Data and Information Management Preventive
    Include an individual's fax number in the personal data definition. CC ID 07120 Data and Information Management Preventive
    Include an individual's political party affiliation in the personal data definition. CC ID 13764 Establish/Maintain Documentation Preventive
    Include an individual's license plate number in the personal data definition. CC ID 13763 Establish/Maintain Documentation Preventive
    Include an individual's financial account number in the personal data definition. CC ID 04692 Data and Information Management Preventive
    Include an individual's account balances in the personal data definition. CC ID 13770 Establish/Maintain Documentation Preventive
    Include stock numbers, bond numbers, and other security certificate numbers in the personal data definition. CC ID 04768 Data and Information Management Preventive
    Include an individual's electronic identification name or number in the personal data definition. CC ID 04694 Data and Information Management Preventive
    Include an individual's logon credentials in the personal data definition. CC ID 13771 Establish/Maintain Documentation Preventive
    Include an individual's Alien Registration Number in the personal data definition. CC ID 04743 Data and Information Management Preventive
    Include an individual's passport number in the personal data definition. CC ID 04713 Data and Information Management Preventive
    Include an individual's driver's license number or an individual's state identification card number in the personal data definition. CC ID 04691 Data and Information Management Preventive
    Include an individual's Social Security Number or Personal Identification Number in the personal data definition. CC ID 04690 Data and Information Management Preventive
    Include an individual's military identification number in the personal data definition. CC ID 13083 Establish/Maintain Documentation Preventive
    Include an individual's e-mail address in the personal data definition. CC ID 04696 Data and Information Management Preventive
    Include electronic signatures in the personal data definition. CC ID 04697 Data and Information Management Preventive
    Include an individual's payment card information in the personal data definition. CC ID 04751 Data and Information Management Preventive
    Include an individual's credit card number or an individual's debit card number in the personal data definition. CC ID 04693 Data and Information Management Preventive
    Include an individual's payment card service code in the personal data definition. CC ID 04753 Data and Information Management Preventive
    Include an individual's payment card expiration date in the personal data definition. CC ID 04755 Data and Information Management Preventive
    Include the payment transaction data and transaction authentication data in the personal data definition. CC ID 04825 Data and Information Management Preventive
    Include an individual's Individually Identifiable Health Information in the personal data definition. CC ID 04700 Data and Information Management Preventive
    Include an individual's medical history in the personal data definition. CC ID 04701 Data and Information Management Preventive
    Include an individual's medical treatment in the personal data definition. CC ID 04702 Data and Information Management Preventive
    Include an individual's medical diagnosis in the personal data definition. CC ID 04703 Data and Information Management Preventive
    Include an individual's mental condition or an individual's physical condition in the personal data definition. CC ID 04704 Data and Information Management Preventive
    Include an individual's medical record numbers in the personal data definition. CC ID 07121 Data and Information Management Preventive
    Include an individual's health insurance information in the personal data definition. CC ID 04705 Data and Information Management Preventive
    Include an individual's health insurance policy number in the personal data definition. CC ID 04706 Data and Information Management Preventive
    Include an individual's health insurance application and health insurance claims history (including appeals) in the personal data definition. CC ID 04707 Data and Information Management Preventive
    Include an individual's education information in the personal data definition. CC ID 04714 Data and Information Management Preventive
    Include an individual's professional certification numbers or an individual's professional license numbers in the personal data definition. CC ID 07122 Data and Information Management Preventive
    Include an individual's employment information in the personal data definition. CC ID 04715 Data and Information Management Preventive
    Include an employer's Taxpayer Identification Number in the personal data definition. CC ID 04767 Data and Information Management Preventive
    Include an individual's Taxpayer Identification Number in the personal data definition. CC ID 04763 Data and Information Management Preventive
    Include an individual's employment history in the personal data definition. CC ID 04716 Data and Information Management Preventive
    Include an individual's place of employment in the personal data definition. CC ID 04765 Data and Information Management Preventive
    Include an individual's Employee Identification Number in the personal data definition. CC ID 04766 Data and Information Management Preventive
    Include an individual's property information in the personal data definition. CC ID 04780 Data and Information Management Preventive
    Include an individual's property title in the personal data definition. CC ID 04781 Data and Information Management Preventive
    Include an individual's vehicle registration in the personal data definition. CC ID 04782 Data and Information Management Preventive
    Include hardware asset identification information in the personal data definition. CC ID 07123 Data and Information Management Preventive
    Include MAC addresses in the personal data definition. CC ID 04778 Data and Information Management Preventive
    Include Internet Protocol addresses in the personal data definition. CC ID 04777 Data and Information Management Preventive
    Include asset serial numbers in the personal data definition. CC ID 07124 Data and Information Management Preventive
    Include Uniform Resource Locators in the personal data definition. CC ID 07125 Data and Information Management Preventive
    Refrain from including publicly available information in the personal data definition. CC ID 13084 Establish/Maintain Documentation Preventive
    Define specially restricted data. CC ID 00037 Data and Information Management Preventive
    Protect an individual's civil rights during personal data collection and personal data processing. CC ID 00079 Data and Information Management Preventive
    Refrain from compiling data that is likely to give rise to unlawful discrimination or arbitrary discrimination. CC ID 00075 Data and Information Management Preventive
    Refrain from subjecting an individual to a solely automated decision process that produces legal effects based on the evaluation of certain characteristics. CC ID 00080 Data and Information Management Preventive
    Implement a nondiscrimination principle. CC ID 00081 Data and Information Management Preventive
    Include the collection and use of personal data in the nondiscrimination principle. CC ID 11799 Data and Information Management Preventive
    Preserve each individual's right to human dignity. CC ID 00082 Data and Information Management Preventive
    Manage Personal Identification Numbers and PIN verification code numbers. CC ID 00058 Data and Information Management Preventive
    Employ a random number generator to create Personal Identification Numbers. CC ID 13782 Technical Security Preventive
    Collect Personal Identification Numbers with the individual's consent. CC ID 00059 Data and Information Management Preventive
    Collect Personal Identification Numbers absent consent when the law mandates. CC ID 00061 Data and Information Management Preventive
    Collect Personal Identification Numbers absent consent for research purposes. CC ID 00065 Data and Information Management Preventive
    Collect Personal Identification Numbers absent consent to realize the rights or duties of the data subject or data controller. CC ID 04792 Data and Information Management Preventive
    Refrain from requiring a Personal Identification Number to purchase goods or services. CC ID 00069 Behavior Preventive
    Manage health data collection. CC ID 00050 Data and Information Management Preventive
    Collect Individually Identifiable Health Information to provide health care services. CC ID 00052 Data and Information Management Preventive
    Collect Individually Identifiable Health Information when the law dictates. CC ID 00053 Data and Information Management Preventive
    Collect Individually Identifiable Health Information for research. CC ID 00054 Data and Information Management Preventive
    Remove personal data before disclosing health data. CC ID 00055 Data and Information Management Preventive
    Give special attention to collecting children's data. CC ID 00038 Data and Information Management Preventive
    Use simple understandable language to collect information from children. CC ID 00039 Behavior Preventive
    Notify parents of what information is collected from children. CC ID 00040 Establish/Maintain Documentation Preventive
    Obtain parental consent before collecting information from children. CC ID 00041 Data and Information Management Preventive
    Waive verifiable parental consent for collecting information from children in order to collect online contact information for a one-time only response to a specific request. CC ID 00043 Data and Information Management Preventive
    Waive verifiable parental consent for collecting information from children in order to request the parent's information to obtain consent. CC ID 00044 Data and Information Management Preventive
    Waive verifiable parental consent for collecting information from children in order to respond to additional requests which do not go beyond the scope of the request. CC ID 00045 Data and Information Management Preventive
    Waive verifiable parental consent for collecting information from children in order to protect the child's safety. CC ID 00046 Data and Information Management Preventive
    Waive verifiable parental consent for collecting information from children in order to take liability precautions. CC ID 00047 Data and Information Management Preventive
    Waive verifiable parental consent for collecting information from children in order to respond to a judicial process. CC ID 00048 Data and Information Management Preventive
    Waive verifiable parental consent for collecting information from children in order to respond to a request for law enforcement purposes. CC ID 00049 Data and Information Management Preventive
    Waive verifiable parental consent for collecting information from children in order to protect the website's security or integrity or the online service's security or integrity. CC ID 06199 Data and Information Management Preventive
    Establish, implement, and maintain a personal data collection policy. CC ID 00029 Establish/Maintain Documentation Preventive
    Collect personal data directly from the data subject. CC ID 00011 Data and Information Management Preventive
    Create and manage user account aliases to maintain pseudonymity. CC ID 04549 Data and Information Management Preventive
    Provide unlinkability for users and resources. CC ID 04550 Data and Information Management Preventive
    Provide unobservability of users and resources. CC ID 04551 Technical Security Preventive
    Confirm the data quality of personal data collected from third parties. CC ID 13510 Investigate Detective
    Collect personal data in a fair and lawful manner. CC ID 00010 Data and Information Management Preventive
    Collect personal data absent consent for specific and well-documented circumstances. CC ID 00013 Data and Information Management Preventive
    Collect personal data absent consent when the data collection is in the data subject's interests and consent cannot be obtained in a timely manner. CC ID 00014 Data and Information Management Preventive
    Collect personal data absent consent when consent compromises data accuracy. CC ID 00015 Data and Information Management Preventive
    Collect personal data absent consent in order to make a disclosure. CC ID 13550 Data and Information Management Preventive
    Collect personal data absent consent for reasonable investigative purposes. CC ID 11801 Data and Information Management Preventive
    Collect personal data absent consent if collection is consistent with the purposes. CC ID 13548 Data and Information Management Preventive
    Collect personal data absent consent when the personal data was produced by the data subject in the course of employment, business, or profession. CC ID 13544 Data and Information Management Preventive
    Collect personal data absent consent for handling insurance claims. CC ID 13543 Data and Information Management Preventive
    Collect personal data absent consent when the data subject has authorized the collection through another individual. CC ID 00016 Data and Information Management Preventive
    Collect personal data absent consent in order to establish, manage, or terminate employment contracts. CC ID 13614 Data and Information Management Preventive
    Collect personal data absent consent for journalistic purposes, artistic purposes, or literary purposes. CC ID 00017 Data and Information Management Preventive
    Collect personal data absent consent for statistical purposes or research purposes and the data subject is not identified. CC ID 00018 Data and Information Management Preventive
    Collect personal data absent consent from publicly available information. CC ID 00019 Data and Information Management Preventive
    Collect personal data absent consent when needed by law. CC ID 00020 Data and Information Management Preventive
    Collect personal data absent consent when no potential harm can come to the data subject. CC ID 00021 Data and Information Management Preventive
    Collect personal data absent consent when collecting personal data from the data subject is impossible or the data collection involves a disproportionate effort. CC ID 00022 Data and Information Management Preventive
    Collect the minimum amount of personal data necessary. CC ID 00078 Data and Information Management Preventive
    Collect personal data in a proper information framework. CC ID 00009 Data and Information Management Preventive
    Collect and record personal data for specific, explicit, and legitimate purposes. CC ID 00027 Data and Information Management Preventive
    Collect personal data when an individual gives consent. CC ID 00030 Data and Information Management Preventive
    Collect personal data when required by law. CC ID 00031 Data and Information Management Preventive
    Collect personal data to prevent life-threatening emergencies. CC ID 00032 Data and Information Management Preventive
    Collect personal data relating solely to nonprofit organization members or individuals who are in regular contact during the nonprofit organization's activities. CC ID 00034 Data and Information Management Preventive
    Collect personal data for legal purposes. CC ID 00036 Data and Information Management Preventive
    Review the methods for collecting personal data, as necessary. CC ID 13511 Investigate Detective
    Provide the data subject with information about the data controller during the collection process. CC ID 00023 Establish/Maintain Documentation Preventive
    Disseminate and communicate the data collector's name and contact information to all interested personnel. CC ID 13760 Communicate Preventive
    Provide the data subject with the data collector's name and contact information. CC ID 00024 Establish/Maintain Documentation Preventive
    Provide the data subject with the name of the data collector who will hold the collected personal data. CC ID 00025 Establish/Maintain Documentation Preventive
    Provide the data subject with the third party processor's contact information when the data controller is not processing the personal data. CC ID 00026 Establish/Maintain Documentation Preventive
    Establish and maintain a data handling program. CC ID 13427 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain data handling policies. CC ID 00353 Establish/Maintain Documentation Preventive
    Establish and maintain data and information confidentiality policies. CC ID 00361
    [Documented information required by the information security management system and by this International Standard shall be controlled to ensure: it is adequately protected (e.g. from loss of confidentiality, improper use, or loss of integrity). § 7.5.3 ¶ 1 b)]
    Establish/Maintain Documentation Preventive
    Prohibit personal data from being sent by e-mail or instant messaging. CC ID 00565 Data and Information Management Preventive
    Protect electronic messaging information. CC ID 12022
    [Information involved in electronic messaging shall be appropriately protected. A.13.2.3 Control]
    Technical Security Preventive
    Establish, implement, and maintain record structures to support information confidentiality. CC ID 00360 Data and Information Management Preventive
    Include passwords, Personal Identification Numbers, and card security codes in the personal data definition. CC ID 04699 Configuration Preventive
    Refrain from storing data elements containing payment card full magnetic stripe data. CC ID 04757 Testing Detective
    Store payment card data in secure chips, if possible. CC ID 13065 Configuration Preventive
    Refrain from storing data elements containing sensitive authentication data after authorization is approved. CC ID 04758 Configuration Preventive
    Render unrecoverable sensitive authentication data after authorization is approved. CC ID 11952 Technical Security Preventive
    Automate the disposition process for records that contain "do not store" data or "delete after transaction process" data. CC ID 06083 Data and Information Management Preventive
    Log the disclosure of personal data. CC ID 06628 Log Management Preventive
    Log the modification of personal data. CC ID 11844 Log Management Preventive
    Encrypt, truncate, or tokenize data fields, as necessary. CC ID 06850 Technical Security Preventive
    Implement security measures to protect personal data. CC ID 13606 Technical Security Preventive
    Implement physical controls to protect personal data. CC ID 00355 Testing Preventive
    Limit data leakage. CC ID 00356 Data and Information Management Preventive
    Conduct personal data risk assessments. CC ID 00357 Testing Detective
    Identify potential red flags to alert the organization before a data leakage has occurred. CC ID 04654 Monitor and Evaluate Occurrences Preventive
    Establish, implement, and maintain Consumer Reporting Agency notification procedures. CC ID 04851 Business Processes Preventive
    Establish and maintain suspicious document procedures. CC ID 04852 Establish/Maintain Documentation Detective
    Establish and maintain suspicious personal data procedures. CC ID 04853 Data and Information Management Detective
    Compare certain personal data such as name, date of birth, address, driver's license, or other identification against personal data on file for the applicant. CC ID 04855 Data and Information Management Detective
    Establish and maintain suspicious user account activity procedures. CC ID 04854 Monitor and Evaluate Occurrences Detective
    Perform an identity check prior to approving an account change request. CC ID 13670 Investigate Detective
    Use the contact information on file to contact the individual identified in an account change request. CC ID 04857 Behavior Detective
    Match consumer reports with current accounts on file to ensure account misuse or information misuse has not occurred. CC ID 04873 Data and Information Management Detective
    Log account access dates and report when dormant accounts suddenly exhibit unusual activity. CC ID 04874 Log Management Detective
    Report fraudulent account activity, unauthorized transactions, or discrepancies with current accounts. CC ID 04875 Monitor and Evaluate Occurrences Corrective
    Log dates for account name changes or address changes. CC ID 04876 Log Management Detective
    Review accounts that are changed for additional user requests. CC ID 11846 Monitor and Evaluate Occurrences Detective
    Send change notices for change of address requests to the old address and the new address. CC ID 04877 Data and Information Management Detective
    Acquire enough insurance to cover the liability for damages due to data leakage. CC ID 06408 Acquisition/Sale of Assets or Services Preventive
    Search the Internet for evidence of data leakage. CC ID 10419 Process or Activity Detective
    Review monitored websites for data leakage. CC ID 10593 Monitor and Evaluate Occurrences Detective
    Establish and maintain caller identification controls. CC ID 04790 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain de-identifying and re-identifying procedures. CC ID 07126 Data and Information Management Preventive
    Use de-identifying code and re-identifying code that is not derived from or related to information about the data subject. CC ID 07127 Data and Information Management Preventive
    Prevent the disclosure of de-identifying code and re-identifying code. CC ID 07128 Data and Information Management Preventive
    Establish and maintain data handling procedures. CC ID 11756 Establish/Maintain Documentation Preventive
    Define personal data that falls under breach notification rules. CC ID 00800 Establish/Maintain Documentation Preventive
    Include data elements that contain an individual's name combined with account numbers or other identifying information as personal data that falls under the breach notification rules. CC ID 04662 Data and Information Management Preventive
    Include data elements that contain an individual's legal surname prior to marriage as personal data that falls under the breach notification rules. CC ID 04669 Data and Information Management Preventive
    Include data elements that contain an individual's date of birth as personal data that falls under the breach notification rules. CC ID 04771 Data and Information Management Preventive
    Include data elements that contain an individual's address as personal data that falls under the breach notification rules. CC ID 04671 Data and Information Management Preventive
    Include data elements that contain an individual's telephone number as personal data that falls under the breach notification rules. CC ID 04672 Data and Information Management Preventive
    Include data elements that contain an individual's fingerprints as personal data that falls under the breach notification rules. CC ID 04670 Data and Information Management Preventive
    Include data elements that contain an individual's Social Security Number or Personal Identification Number as personal data that falls under the breach notification rules. CC ID 04656 Data and Information Management Preventive
    Include data elements that contain an individual's driver's license number or an individual's state identification card number as personal data that falls under the breach notification rules. CC ID 04657 Data and Information Management Preventive
    Include data elements that contain an individual's passport number as personal data that falls under the breach notification rules. CC ID 04774 Data and Information Management Preventive
    Include data elements that contain an individual's Alien Registration Number as personal data that falls under the breach notification rules. CC ID 04775 Data and Information Management Preventive
    Include data elements that contain an individual's Taxpayer Identification Number as personal data that falls under the breach notification rules. CC ID 04764 Data and Information Management Preventive
    Include data elements that contain an individual's financial account number as personal data that falls under the breach notification rules. CC ID 04658 Data and Information Management Preventive
    Include data elements that contain an individual's financial account number with associated password or password hint as personal data that falls under the breach notification rules. CC ID 04660 Data and Information Management Preventive
    Include data elements that contain an individual's electronic identification name or number as personal data that falls under the breach notification rules. CC ID 04663 Data and Information Management Preventive
    Include data elements that contain electronic signatures as personal data that falls under the breach notification rules. CC ID 04666 Data and Information Management Preventive
    Include data elements that contain an individual's biometric data as personal data that falls under the breach notification rules. CC ID 04667 Data and Information Management Preventive
    Include data elements that contain an individual's account number, password, or password hint as personal data that falls under the breach notification rules. CC ID 04668 Data and Information Management Preventive
    Include data elements that contain an individual's payment card information as personal data that falls under the breach notification rules. CC ID 04752 Data and Information Management Preventive
    Include data elements that contain an individual's credit card number or an individual's debit card number as personal data that falls under the breach notification rules. CC ID 04659 Data and Information Management Preventive
    Include data elements that contain an individual's payment card service code as personal data that falls under the breach notification rules. CC ID 04754 Data and Information Management Preventive
    Include data elements that contain an individual's payment card expiration date as personal data that falls under the breach notification rules. CC ID 04756 Data and Information Management Preventive
    Include data elements that contain an individual's payment card full magnetic stripe data as personal data that falls under the breach notification rules. CC ID 04759 Data and Information Management Preventive
    Include data elements that contain an individual's payment card security codes (Card Authentication Value 2/Card Validation Code Value 2/Card Verification Value 2/Card Identification Number) as personal data that falls under the breach notification rules. CC ID 04760 Data and Information Management Preventive
    Include data elements that contain an individual's payment card associated password or password hint as personal data that falls under the breach notification rules. CC ID 04661 Data and Information Management Preventive
    Include data elements that contain an individual's Individually Identifiable Health Information as personal data that falls under the breach notification rules. CC ID 04673 Data and Information Management Preventive
    Include data elements that contain an individual's medical history as personal data that falls under the breach notification rules. CC ID 04674 Data and Information Management Preventive
    Include data elements that contain an individual's medical treatment as personal data that falls under the breach notification rules. CC ID 04675 Data and Information Management Preventive
    Include data elements that contain an individual's medical diagnosis as personal data that falls under the breach notification rules. CC ID 04676 Data and Information Management Preventive
    Include data elements that contain an individual's mental condition or physical condition as personal data that falls under the breach notification rules. CC ID 04682 Data and Information Management Preventive
    Include data elements that contain an individual's health insurance information as personal data that falls under the breach notification rules. CC ID 04681 Data and Information Management Preventive
    Include data elements that contain an individual's health insurance policy number as personal data that falls under the breach notification rules. CC ID 04683 Data and Information Management Preventive
    Include data elements that contain an individual's health insurance application and health insurance claims history (including appeals) as personal data that falls under the breach notification rules. CC ID 04684 Data and Information Management Preventive
    Include data elements that contain an individual's employment information as personal data that falls under the breach notification rules. CC ID 04772 Data and Information Management Preventive
    Include data elements that contain an individual's Employee Identification Number as personal data that falls under the breach notification rules. CC ID 04773 Data and Information Management Preventive
    Include data elements that contain an individual's place of employment as personal data that falls under the breach notification rules. CC ID 04788 Data and Information Management Preventive
    Define an out of scope privacy breach. CC ID 04677 Establish/Maintain Documentation Preventive
    Include personal data that is publicly available information as an out of scope privacy breach. CC ID 04678 Business Processes Preventive
    Include personal data that is encrypted or redacted as an out of scope privacy breach. CC ID 04679 Monitor and Evaluate Occurrences Preventive
    Include cryptographic keys not being accessed during a privacy breach as an out of scope privacy breach. CC ID 04761 Monitor and Evaluate Occurrences Preventive
    Include any personal data that is on an encrypted mobile device as an out of scope privacy breach, if the encryption keys were not accessed and the mobile device was recovered. CC ID 04762 Monitor and Evaluate Occurrences Preventive
    Conduct internal data processing audits. CC ID 00374 Testing Detective
    Establish and maintain a personal data transfer program. CC ID 00307 Establish/Maintain Documentation Preventive
    Obtain consent from an individual prior to transferring personal data. CC ID 06948 Data and Information Management Preventive
    Include procedures for transferring personal data from one data controller to another data controller in the personal data transfer program. CC ID 00351 Establish/Maintain Documentation Preventive
    Refrain from requiring independent recourse mechanisms when transferring personal data from one data controller to another data controller. CC ID 12528 Business Processes Preventive
    Notify data subjects when their personal data is transferred. CC ID 00352 Behavior Preventive
    Include procedures for transferring personal data to third parties in the personal data transfer program. CC ID 00333 Establish/Maintain Documentation Preventive
    Notify data subjects of the geographic locations of the third parties when transferring personal data to third parties. CC ID 14414 Communicate Preventive
    Provide an adequate data protection level by the transferee prior to transferring personal data to another country. CC ID 00314 Data and Information Management Preventive
    Refrain from restricting personal data transfers to member states of the European Union. CC ID 00312 Data and Information Management Preventive
    Prohibit the transfer of personal data when security is inadequate. CC ID 00345 Data and Information Management Preventive
    Meet the use of limitation exceptions in order to transfer personal data. CC ID 00346 Data and Information Management Preventive
    Refrain from transferring past the first transfer. CC ID 00347 Data and Information Management Preventive
    Document transfer disagreements by the data subject in writing. CC ID 00348 Establish/Maintain Documentation Preventive
    Allow the data subject the right to object to the personal data transfer. CC ID 00349 Data and Information Management Preventive
    Follow the instructions of the data transferrer. CC ID 00334 Behavior Preventive
    Define the personal data transfer exceptions for transferring personal data to another country when adequate protection level standards are not met. CC ID 00315 Establish/Maintain Documentation Preventive
    Include publicly available information as a personal data transfer exception for transferring personal data to another country outside an adequate data protection level. CC ID 00316 Data and Information Management Preventive
    Include transfer agreements between data controllers and third parties when it is for the data subject's interest as a personal data transfer exception for transferring personal data to another country outside an adequate data protection level. CC ID 00317 Data and Information Management Preventive
    Include personal data for the health field and for treatment as a personal data transfer exception for transferring personal data to another country outside an adequate data protection level. CC ID 00318 Data and Information Management Preventive
    Include personal data for journalistic purposes or private purposes as a personal data transfer exception for transferring personal data to another country outside an adequate data protection level. CC ID 00319 Data and Information Management Preventive
    Include personal data for important public interest as a personal data transfer exception for transferring personal data to another country outside an adequate data protection level. CC ID 00320 Data and Information Management Preventive
    Include consent by the data subject as a personal data transfer exception for transferring personal data to another country outside an adequate data protection level. CC ID 00321 Data and Information Management Preventive
    Include personal data used for a contract as a personal data transfer exception for transferring personal data to another country outside an adequate data protection level. CC ID 00322 Data and Information Management Preventive
    Include personal data for protecting the data subject or the data subject's interests, such as saving his/her life or providing healthcare as a personal data transfer exception for transferring personal data to another country outside an adequate data protection level. CC ID 00323 Data and Information Management Preventive
    Include personal data that is necessary to fulfill international law obligations as a personal data transfer exception for transferring personal data to another country outside an adequate data protection level. CC ID 00324 Data and Information Management Preventive
    Include personal data used for legal investigations as a personal data transfer exception for transferring personal data to another country outside an adequate data protection level. CC ID 00325 Data and Information Management Preventive
    Include personal data that is authorized by a legislative act as a personal data transfer exception for transferring personal data to another country outside an adequate data protection level. CC ID 00326 Data and Information Management Preventive
    Require transferees to implement adequate data protection levels for the personal data. CC ID 00335 Data and Information Management Preventive
    Refrain from requiring a contract between the data controller and trusted third parties when personal information is transferred. CC ID 12527 Business Processes Preventive
    Define the personal data transfer exceptions for transferring personal data to another organization when adequate protection level standards are not met. CC ID 00336 Establish/Maintain Documentation Preventive
    Include personal data that is publicly available information as a personal data transfer exception for transferring personal data to a third party outside adequate data protection levels. CC ID 00337 Data and Information Management Preventive
    Include personal data that is used for journalistic purposes or private purposes as a personal data transfer exception for transferring personal data to a third party outside adequate data protection levels. CC ID 00338 Data and Information Management Preventive
    Include personal data that is used for important public interest as a personal data transfer exception for transferring personal data to a third party outside adequate data protection levels. CC ID 00339 Data and Information Management Preventive
    Include consent by the data subject as a personal data transfer exception for transferring personal data to a third party outside adequate data protection levels. CC ID 00340 Data and Information Management Preventive
    Include personal data that is used for a contract as a personal data transfer exception for transferring personal data to a third party outside adequate data protection levels. CC ID 00341 Data and Information Management Preventive
    Include personal data that is used for protecting the data subject or the data subject's interests, such as providing healthcare or saving his/her life as a personal data transfer exception for transferring personal data to a third party outside adequate data protection levels. CC ID 00342 Data and Information Management Preventive
    Include personal data that is used for a legal investigation as a personal data transfer exception for transferring personal data to a third party outside adequate data protection levels. CC ID 00343 Data and Information Management Preventive
    Include personal data that is authorized by a legislative act as a personal data transfer exception for transferring personal data to a third party outside adequate data protection levels. CC ID 00344 Data and Information Management Preventive
    Notify data subjects about organizational liability when transferring personal data to third parties. CC ID 12353 Communicate Preventive
    Notify the data subject of any personal data changes during the personal data transfer. CC ID 00350 Behavior Preventive
    Establish and maintain Internet interactivity data transfer procedures. CC ID 06949 Establish/Maintain Documentation Preventive
    Obtain consent prior to storing cookies on an individual's browser. CC ID 06950 Data and Information Management Preventive
    Obtain consent prior to downloading software to an individual's computer. CC ID 06951 Data and Information Management Preventive
    Refrain from installing software on an individual's computer unless acting in accordance with a court order. CC ID 14000 Process or Activity Preventive
    Remove or uninstall software from an individual's computer, as necessary. CC ID 13998 Process or Activity Preventive
    Remove or uninstall software from an individual's computer when consent is revoked. CC ID 13997 Process or Activity Preventive
    Obtain consent prior to tracking Internet traffic patterns or browsing history of an individual. CC ID 06961 Data and Information Management Preventive
    Establish, implement, and maintain a privacy impact assessment. CC ID 13712 Establish/Maintain Documentation Preventive
    Review compliance with the organization's privacy objectives. CC ID 13490 Human Resources Management Detective
    Develop remedies and sanctions for privacy policy violations. CC ID 00474 Data and Information Management Preventive
    Implement procedures to file privacy rights violation complaints. CC ID 00476 Data and Information Management Corrective
    File privacy rights violation complaints in writing. CC ID 00477 Establish/Maintain Documentation Corrective
    Include the acts or omissions that are in violation of privacy rights in the privacy rights violation complaint. CC ID 14360 Establish/Maintain Documentation Corrective
    Include the individual's name who is the subject of the complaint in the privacy rights violation complaint. CC ID 14359 Establish/Maintain Documentation Preventive
    Provide assistance to data subjects for filing privacy rights violation complaints. CC ID 00478 Behavior Corrective
    File privacy rights violation complaints inside the mandate stipulated from the refusal. CC ID 00479 Behavior Corrective
    Change or destroy any personal data that is incorrect. CC ID 00462 Data and Information Management Corrective
    Notify the data subject of changes made to personal data as the result of a dispute. CC ID 00463 Behavior Corrective
    Refrain from updating personal data on a regular basis, unless it is necessary for the purposes it was collected. CC ID 13610 Data and Information Management Preventive
    Escalate the appeal process to change personal data when the data controller fails to make changes to the disputed data. CC ID 00465 Data and Information Management Corrective
    Establish and maintain a privacy dispute resolution program. CC ID 12526 Establish/Maintain Documentation Preventive
    Include potential remedies in the privacy dispute resolution program. CC ID 12531 Establish/Maintain Documentation Preventive
    Provide the data subject with the name, title, and address to whom complaints are forwarded. CC ID 00395 Establish/Maintain Documentation Preventive
    Include the time frames in which privacy rights violation complaints are processed in the privacy dispute resolution program. CC ID 12529 Establish/Maintain Documentation Preventive
    Document unresolved challenges. CC ID 13568 Establish/Maintain Documentation Preventive
    Establish and maintain an accuracy resolution policy. CC ID 00460 Establish/Maintain Documentation Preventive
    Notify individuals of their right to challenge personal data. CC ID 00457 Data and Information Management Preventive
    Notify individuals of their right to object to personal data for legitimate reasons. CC ID 00458 Data and Information Management Preventive
    Terminate an individual's restriction agreement under specific circumstances. CC ID 06260 Configuration Preventive
    Notify individuals of their ability to challenge personal behavioral assessments on record. CC ID 04798 Human Resources Management Preventive
    Notify individuals of their ability to object to personal data processing, absent cost. CC ID 00459 Data and Information Management Preventive
    Investigate the disputed accuracy of personal data. CC ID 00461 Data and Information Management Preventive
    Notify the data subject of which and why disputed changes were not made to personal data. CC ID 00466 Behavior Corrective
    Notify entities to whom personal data was transferred that the personal data is wrong, along with the corrections. CC ID 00467 Behavior Corrective
    Notify third parties of unresolved challenges. CC ID 13559 Communicate Preventive
    Document disagreements as to whether personal data is complete and accurate. CC ID 06952 Establish/Maintain Documentation Preventive
    Include the change to the personal data that the data subject requested and the reason the organization refused to make the change in the statement of disagreement. CC ID 06954 Establish/Maintain Documentation Preventive
    Order the cessation of data processing when a violation of the privacy policy is detected. CC ID 00475 Data and Information Management Corrective
    Investigate privacy rights violation complaints. CC ID 00480 Behavior Detective
    Cooperate with authorities during a privacy rights violation complaint investigation. CC ID 14364 Business Processes Corrective
    Notify respondents after a privacy rights violation complaint investigation begins. CC ID 00491 Behavior Detective
    Include the allegations against the organization in the notice of investigation. CC ID 13031 Establish/Maintain Documentation Preventive
    Investigate privacy rights violation complaints in private. CC ID 00492 Behavior Detective
    Make appropriate inquiries and obtain appropriate information regarding privacy rights violation complaints. CC ID 00493 Behavior Detective
    Allow the complainant to appear before the commissioner and make a submission, orally or in writing, about the privacy rights violation complaint investigation prior to an adverse decision to the complainant is reached. CC ID 00494 Behavior Detective
    Refer privacy rights violation complaints to the Privacy Commissioner under certain conditions. CC ID 00481 Behavior Preventive
    Determine not to investigate privacy rights violation complaints under certain conditions. CC ID 00482 Behavior Preventive
    Refrain from investigating a privacy rights violation complaint when the act or practice does not interfere with an individual's privacy. CC ID 00483 Behavior Preventive
    Refrain from investigating a privacy rights violation complaint when the complaint is created outside the stipulated time frame after the complainant became aware of it. CC ID 00484 Behavior Preventive
    Refrain from investigating a privacy rights violation complaint when the complaint is frivolous, vexatious, misconceived, or lacking in substance. CC ID 00485 Behavior Preventive
    Refrain from investigating a privacy rights violation complaint if the act or practice is subject to an application under another commonwealth law, state law, or territory law, and the complaint was or is being dealt with adequately under the law. CC ID 00486 Behavior Preventive
    Defer privacy rights violation complaint investigations under certain conditions. CC ID 00487 Behavior Preventive
    Defer privacy rights violation complaint investigations when the respondent has made an application for a determination. CC ID 00488 Behavior Preventive
    Defer privacy rights violation complaint investigations when the Privacy Commissioner believes the data subject's interests would not be affected if the investigation or further investigation were deferred until the application was disposed of. CC ID 00489 Behavior Preventive
    Notify respondents after a privacy rights violation complaint investigation has been resolved. CC ID 13513 Communicate Corrective
    Create an investigative report in regards to a privacy rights violation complaint. CC ID 00495 Establish/Maintain Documentation Corrective
    Respond to an investigative report in regards to a privacy rights violation complaint. CC ID 00496 Behavior Corrective
    Define the available administrative remedies in regards to a privacy rights violation complaint. CC ID 00497 Establish/Maintain Documentation Detective
    Order the organization to change to be in compliance with applicable law. CC ID 00499 Behavior Corrective
    Order the organization to publish a notice with the corrections or actions taken. CC ID 00500 Behavior Corrective
    Award damages based on applicable law. CC ID 00501 Behavior Corrective
    Destroy personal data that breaches privacy after the privacy breach has been detected. CC ID 00503 Data and Information Management Corrective
    Define the organization's liability based on the applicable law. CC ID 00504 Establish/Maintain Documentation Preventive
    Define the sanctions and fines available for privacy rights violations based on applicable law. CC ID 00505 Establish/Maintain Documentation Preventive
    Define the appeal process based on the applicable law. CC ID 00506 Establish/Maintain Documentation Preventive
    Provide notice of proposed penalties. CC ID 06216 Establish/Maintain Documentation Preventive
    Notify the public and other agencies after a penalty becomes final. CC ID 06217 Behavior Preventive
    Refrain from subjecting individuals to retaliation or intimidation after a complaint is created. CC ID 06218 Testing Detective
  • Records management
    82
    KEY:    Primary Verb     Primary Noun     Secondary Verb     Secondary Noun     Limiting Term
    Mandated - bold    Implied - italic    Implementation - regular TYPE CLASS
    Records management CC ID 00902 IT Impact Zone IT Impact Zone
    Establish, implement, and maintain records management policies. CC ID 00903 Establish/Maintain Documentation Preventive
    Establish and maintain a record classification scheme. CC ID 00914 Establish/Maintain Documentation Preventive
    Establish and maintain a records authentication system. CC ID 11648
    [Records shall be protected from loss, destruction, falsification, unauthorized access and unauthorized release, in accordance with legislatory, regulatory, contractual and business requirements. A.18.1.3 Control]
    Establish/Maintain Documentation Preventive
    Establish and maintain Records Management procedures. CC ID 00919 Establish/Maintain Documentation Preventive
    Establish and maintain document security requirements for the output of records. CC ID 11656
    [Records shall be protected from loss, destruction, falsification, unauthorized access and unauthorized release, in accordance with legislatory, regulatory, contractual and business requirements. A.18.1.3 Control]
    Establish/Maintain Documentation Preventive
    Establish, implement, and maintain document handling procedures for paper documents. CC ID 00926 Establish/Maintain Documentation Preventive
    Define each system's preservation requirements for records and logs. CC ID 00904 Establish/Maintain Documentation Detective
    Establish and maintain a data retention program. CC ID 00906
    [For the control of documented information, the organization shall address the following activities, as applicable: retention and disposition. § 7.5.3 ¶ 2 f)]
    Establish/Maintain Documentation Detective
    Remove dormant data from systems, as necessary. CC ID 13726 Process or Activity Preventive
    Select the appropriate format for archived data and records. CC ID 06320 Data and Information Management Preventive
    Archive appropriate records, logs, and database tables. CC ID 06321 Records Management Preventive
    Maintain continued integrity for all stored data and stored records. CC ID 00969 Testing Detective
    Archive document metadata in a fashion that allows for future reading of the metadata. CC ID 10060 Data and Information Management Preventive
    Store personal data that is retained for long periods after use on a separate server or media. CC ID 12314 Data and Information Management Preventive
    Determine how long to keep records and logs before disposing them. CC ID 11661
    [The organization shall keep documented information to the extent necessary to have confidence that the processes have been carried out as planned. § 8.1 ¶ 2]
    Process or Activity Preventive
    Retain records in accordance with applicable requirements. CC ID 00968
    [The organization shall retain term_primary-noun">documented information as evidence of the results of management reviews. § 9.3 ¶ 4
    The organization shall retain documented information on the information security objectives. § 6.2 ¶ 3
    The organization shall retain documented information about the information security risk assessment process. § 6.1.2 ¶ 2
    The organization shall retain documented information of the results of the information security risk assessments. § 8.2 ¶ 2
    The organization shall retain documented information of the results of the information security risk treatment. § 8.3 ¶ 2
    The organization shall retain documented information as evidence of: the nature of the nonconformities and any subsequent actions taken, and § 10.1 ¶ 3 f)
    The organization shall retain appropriate documented information as evidence of the monitoring and measurement results. § 9.1 ¶ 3
    The organization shall retain documented information as evidence of: the results of any corrective action. § 10.1 ¶ 3 g)
    The organization shall retain documented information about the information security risk treatment process. § 6.1.3 ¶ 2]
    Records Management Preventive
    Establish, implement, and maintain storage media disposition and destruction procedures. CC ID 11657
    [Records should be protected from loss, destruction, falsification, unauthorized access and unauthorized release, in accordance with legislatory, regulatory, contractual and business requirements. A.18.1.3 Control]
    Establish/Maintain Documentation Preventive
    Sanitize all electronic storage media before disposing a system or redeploying a system. CC ID 01643
    [All items of equipment containing storage media shall be verified to ensure that any sensitive data and licensed software has been removed or securely overwritten prior to disposal or re-use. A.11.2.7 Control]
    Data and Information Management Preventive
    Degauss as a method of sanitizing electronic storage media. CC ID 00973 Records Management Preventive
    Destroy electronic storage media following the storage media disposition and destruction procedures. CC ID 00970
    [Media shall be disposed of securely when no longer required, using formal procedures. A.8.3.2 Control]
    Testing Detective
    Maintain media sanitization equipment in operational condition. CC ID 00721 Testing Detective
    Define each system's disposition requirements for records and logs. CC ID 11651 Process or Activity Preventive
    Establish and maintain records disposition procedures. CC ID 00971
    [For the control of documented information, the organization shall address the following activities, as applicable: retention and disposition. § 7.5.3 ¶ 2 f)]
    Establish/Maintain Documentation Preventive
    Manage the disposition status for all records. CC ID 00972 Records Management Preventive
    Use a second person to confirm and sign-off that manually deleted data was deleted. CC ID 12313 Data and Information Management Preventive
    Remove and/or destroy records according to the records' retention event and retention period schedule. CC ID 06621 Records Management Preventive
    Place printed records awaiting destruction into secure containers. CC ID 12464 Physical and Environmental Protection Preventive
    Destroy printed records so they cannot be reconstructed. CC ID 11779 Physical and Environmental Protection Preventive
    Automate a programmatic process to remove stored data and records that exceed retention requirements. CC ID 06082 Data and Information Management Preventive
    Include methods to identify records that meet or exceed the record's retention event in the records disposition procedures. CC ID 11962 Establish/Maintain Documentation Preventive
    Maintain disposal records or redeployment records. CC ID 01644 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain records management procedures. CC ID 11619 Establish/Maintain Documentation Preventive
    Protect records from loss in accordance with applicable requirements. CC ID 12007
    [Records shall be protected from loss, destruction, falsification, unauthorized access and unauthorized release, in accordance with legislatory, regulatory, contractual and business requirements. A.18.1.3 Control]
    Records Management Preventive
    Establish and maintain elec